Fandango Posted December 21, 2023 Share Posted December 21, 2023 Hi all, on one of the domains I have on my hosting package I have a CubeCart installation, every now and again and without any input from me some strange URL's appear on the website front end instead of what the actual store product category URL's should be (example as below), however once I clear the cache in the Admin the URL's disappear from the front end and they go back to how they should be. For Example E.G. The real store URL for Category "Next Game" should be: https://www.aceairsoft.co.uk/next-game.html Yet I get strange URL's like this one that appear now and again: https://www.aceairsoft.co.uk/online-store-122/books/american-christian-education/literature/benjamin-west/next-game.html The strange URL's just give a "404 Page Not Found" error on the front end of my website which can be a pain for my customers. I was just wondering if this could be due to a shared hosting issue, a CubeCart issue or could it even be a targeted attack on my website? Look forward to hearing any thoughts. Cheers Carl Quote Link to comment Share on other sites More sharing options...
Fandango Posted December 21, 2023 Author Share Posted December 21, 2023 I have been in touch with my hosting company support and they say it's an issue with CubeCart. We see the following error in your error log file : No callback method defined. in /home/webcarsa/public_html/aceairsoft.co.uk/classes/cubecart.class.php on line 311 In addition, we have scanned the content of your account using Imunify360 scanner and have not found any malware or malicious content/scripts. We assume that the problem may be related to both the site content and CubeCart. Any thoughts would be most welcome. Thanks in advance. Quote Link to comment Share on other sites More sharing options...
bsmither Posted December 21, 2023 Share Posted December 21, 2023 Does your host keep logs of page requests (web access)? If so, scanning through them looking for these weird URI's might provide a clue, such as there might be only one IP address doing this. Please also check the contents of the ,htaccess file. There should be these directives: ### Rewrite rules for SEO functionality ### <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / The RewriteBase is the important directive. Quote Link to comment Share on other sites More sharing options...
Fandango Posted December 22, 2023 Author Share Posted December 22, 2023 On 12/21/2023 at 5:36 PM, bsmither said: Does your host keep logs of page requests (web access)? If so, scanning through them looking for these weird URI's might provide a clue, such as there might be only one IP address doing this. Please also check the contents of the ,htaccess file. There should be these directives: ### Rewrite rules for SEO functionality ### <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / The RewriteBase is the important directive. Hi Brian, thanks I'll have a look at the logs if I can find them. the htaccess file on mine shows the RewriteBase but also has all of the below on it too as I believe it's to do with the SSL Certificate from Let's Encrypt. ##### START CubeCart .htaccess ##### ## File Security <FilesMatch "\.(htaccess)$"> Order Allow,Deny Deny from all </FilesMatch> #### Apache directory listing rules #### DirectoryIndex index.php index.htm index.html IndexIgnore * #### Rewrite rules for SEO functionality #### <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / ######## START v4 SEO URL BACKWARD COMPATIBILITY ######## RewriteCond %{QUERY_STRING} (.*)$ RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ RewriteRule cat_([0-9]+)(\.[a-z]{3,4})?(.*)$ index.php?_a=category&cat_id=$1&%1 [NC] RewriteCond %{QUERY_STRING} (.*)$ RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ RewriteRule prod_([0-9]+)(\.[a-z]{3,4})?$ index.php?_a=product&product_id=$1&%1 [NC] RewriteCond %{QUERY_STRING} (.*)$ RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ RewriteRule info_([0-9]+)(\.[a-z]{3,4})?$ index.php?_a=document&doc_id=$1&%1 [NC] RewriteCond %{QUERY_STRING} (.*)$ RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ RewriteRule tell_([0-9]+)(\.[a-z]{3,4})?$ index.php?_a=product&product_id=$1&%1 [NC] RewriteCond %{QUERY_STRING} (.*)$ RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ RewriteRule _saleItems(\.[a-z]+)?(\?.*)?$ index.php?_a=saleitems&%1 [NC,L] ######## END v4 SEO URL BACKWARD COMPATIBILITY ######## RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !=/favicon.ico RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ RewriteRule ^(.*)?$ index.php?seo_path=$1 [L,QSA] </IfModule> ## Default store 404 page ErrorDocument 404 /index.php ##### END CubeCart .htaccess ##### Quote Link to comment Share on other sites More sharing options...
bsmither Posted December 22, 2023 Share Posted December 22, 2023 I am going to ignore the lines that appear to come from an SSL Cert manager. I just wanted to make sure there is an appropriate RewriteBase directive. It will be interesting as to what would be found in the web access logs. 1 Quote Link to comment Share on other sites More sharing options...
Fandango Posted December 23, 2023 Author Share Posted December 23, 2023 17 hours ago, bsmither said: I am going to ignore the lines that appear to come from an SSL Cert manager. I just wanted to make sure there is an appropriate RewriteBase directive. It will be interesting as to what would be found in the web access logs. I've downloaded the access logs for the past month, wow there's a lot of data to go through and try to understand what is legit and what is looking suspect lol. Having imported it into a spreadsheet so that it's easier to read and checking IP addresses against an IP lookup it looks like there is a lot of suspicious IP's that access my website just prior to the weird URL's appearing, these IP's are all associated with Dmytro Ahrefs Pte Ltd which according to abuseipdb.com is an ISP and there are literally thousands of abuse reports on there of varying nature for lots of different IP's associated with it. I think the above is the culprit so I'm now starting to block all of the IP's associated with that through the IP blocker on CPanel. Thanks for your help, much appreciated Quote Link to comment Share on other sites More sharing options...
bsmither Posted December 23, 2023 Share Posted December 23, 2023 Good to know where it is probably coming from. Better to know what page requests are being made just prior to when the web addresses go sideways. Quote Link to comment Share on other sites More sharing options...
Fandango Posted January 3 Author Share Posted January 3 Well I've blocked the entire IP range associated with Dmytro Ahrefs Pte Ltd and it looks like it has worked, no strange URL's have appeared since, unless they are just on holiday for the festive period that is lol. Thanks for your help bsmither Quote Link to comment Share on other sites More sharing options...
John_74 Posted April 2 Share Posted April 2 (edited) I really appreciate your support. Valero Credit Card Thank you for lending a hand! Edited April 4 by John_74 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.