Jump to content

Strange URL's appearing on my CubeCart

Fandango

By Fandango
in General Discussion

 Share

Recommended Posts

Fandango Newbie

Fandango

Posted
Posted

Hi all, on one of the domains I have on my hosting package I have a CubeCart installation, every now and again and without any input from me some strange URL's appear on the website front end instead of what the actual store product category URL's should be (example as below), however once I clear the cache in the Admin the URL's disappear from the front end and they go back to how they should be.
For Example E.G. The real store URL for Category "Next Game" should be: https://www.aceairsoft.co.uk/next-game.html
Yet I get strange URL's like this one that appear now and again: https://www.aceairsoft.co.uk/online-store-122/books/american-christian-education/literature/benjamin-west/next-game.html
The strange URL's just give a "404 Page Not Found" error on the front end of my website which can be a pain for my customers.
I was just wondering if this could be due to a shared hosting issue, a CubeCart issue or could it even be a targeted attack on my website?
Look forward to hearing any thoughts.
Cheers Carl

Link to comment
Share on other sites

Fandango Newbie

Fandango

Posted
  • Author
Posted

I have been in touch with my hosting company support and they say it's an issue with CubeCart.

We see the following error in your error log file : No callback method defined. in /home/webcarsa/public_html/aceairsoft.co.uk/classes/cubecart.class.php on line 311

In addition, we have scanned the content of your account using Imunify360 scanner and have not found any malware or malicious content/scripts.
We assume that the problem may be related to both the site content and CubeCart.

Any thoughts would be most welcome.
Thanks in advance.

Link to comment
Share on other sites
bsmither Mentor

bsmither

Posted
Posted

Does your host keep logs of page requests (web access)?

If so, scanning through them looking for these weird URI's might provide a clue, such as there might be only one IP address doing this.

Please also check the contents of the ,htaccess file. There should be these directives: 

### Rewrite rules for SEO functionality ###
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

The RewriteBase is the important directive.

Link to comment
Share on other sites
Fandango Newbie

Fandango

Posted
  • Author
Posted
On 12/21/2023 at 5:36 PM, bsmither said:

Does your host keep logs of page requests (web access)?

If so, scanning through them looking for these weird URI's might provide a clue, such as there might be only one IP address doing this.

Please also check the contents of the ,htaccess file. There should be these directives: 

### Rewrite rules for SEO functionality ###
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

The RewriteBase is the important directive.

Hi Brian, thanks I'll have a look at the logs if I can find them.
the htaccess file on mine shows the RewriteBase but also has all of the below on it too as I believe it's to do with the SSL Certificate from Let's Encrypt. 

##### START CubeCart .htaccess #####

## File Security
<FilesMatch "\.(htaccess)$">
 Order Allow,Deny
 Deny from all
</FilesMatch>

#### Apache directory listing rules ####
DirectoryIndex index.php index.htm index.html
IndexIgnore *

#### Rewrite rules for SEO functionality ####
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  
  ######## START v4 SEO URL BACKWARD COMPATIBILITY ########
  RewriteCond %{QUERY_STRING} (.*)$
  RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
  RewriteRule cat_([0-9]+)(\.[a-z]{3,4})?(.*)$ index.php?_a=category&cat_id=$1&%1 [NC]

  RewriteCond %{QUERY_STRING} (.*)$
  RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
  RewriteRule prod_([0-9]+)(\.[a-z]{3,4})?$ index.php?_a=product&product_id=$1&%1 [NC]

  RewriteCond %{QUERY_STRING} (.*)$
  RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
  RewriteRule info_([0-9]+)(\.[a-z]{3,4})?$ index.php?_a=document&doc_id=$1&%1 [NC]

  RewriteCond %{QUERY_STRING} (.*)$
  RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
  RewriteRule tell_([0-9]+)(\.[a-z]{3,4})?$ index.php?_a=product&product_id=$1&%1 [NC]

  RewriteCond %{QUERY_STRING} (.*)$
  RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
  RewriteRule _saleItems(\.[a-z]+)?(\?.*)?$ index.php?_a=saleitems&%1 [NC,L]
  ######## END v4 SEO URL BACKWARD COMPATIBILITY ########

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
  RewriteRule ^(.*)?$ index.php?seo_path=$1 [L,QSA]
</IfModule>

## Default store 404 page
ErrorDocument 404 /index.php

##### END CubeCart .htaccess #####
Link to comment
Share on other sites
Fandango Newbie

Fandango

Posted
  • Author
Posted
17 hours ago, bsmither said:

I am going to ignore the lines that appear to come from an SSL Cert manager.

I just wanted to make sure there is an appropriate RewriteBase directive.

It will be interesting as to what would be found in the web access logs.

 

I've downloaded the access logs for the past month, wow there's a lot of data to go through and try to understand what is legit and what is looking suspect lol.
Having imported it into a spreadsheet so that it's easier to read and checking IP addresses against an IP lookup it looks like there is a lot of suspicious IP's that access my website just prior to the weird URL's appearing, these IP's are all associated with Dmytro Ahrefs Pte Ltd which according to abuseipdb.com is an ISP and there are literally thousands of abuse reports on there of varying nature for lots of different IP's associated with it.

I think the above is the culprit so I'm now starting to block all of the IP's associated with that through the IP blocker on CPanel.
Thanks for your help, much appreciated :)

Link to comment
Share on other sites
  • 2 weeks later...
Fandango Newbie

Fandango

Posted
  • Author
Posted

Well I've blocked the entire IP range associated with Dmytro Ahrefs Pte Ltd and it looks like it has worked, no strange URL's have appeared since, unless they are just on holiday for the festive period that is lol.

Thanks for your help bsmither

Link to comment
Share on other sites
  • 2 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...