Osclass forums

Support forums => General help => 3.6.x => Topic started by: nootkan on October 15, 2016, 09:03:34 pm

Title: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on October 15, 2016, 09:03:34 pm

This is a fresh install of osclass and everytime I login to the admin section I see a steady stream of attempts to connect with an irish ip address.  Is this normal with osclass?  Because this is a fresh install right from the download page I am confused as to why this is occurring? Any ideas? 

Below is some of the log:

Quote

Time:    Sat Oct 15 09:47:25 2016 -0700 PID:     10869 (Parent PID:8756) Account: mysite/ Uptime:  107 seconds Executable: /usr/bin/php Command Line (often faked in exploits): /usr/bin/php /home/mysite//public_html/oc-admin/index.php Network connections by the process (if any): tcp: my ip address:35509 -> 54.217.201.242:80 Files open by the process (if any): /tmp/sess_c1691135523fd07dda2f21a87b11a620 /home/mysite//public_html/oc-content/languages/en_US/core.mo /home/mysite//public_html/oc-content/languages/en_US/messages.mo /home/mysite//public_html/oc-content/themes/cartagena/languages/en_US/theme.mo /home/mysite//public_html/oc-content/plugins/moreedit/languages/en_US/messages.mo /home/mysite//public_html/oc-content/plugins/fb_page_plugin/languages/en_US/messages.mo /home/mysite//public_html/oc-content/plugins/location_required/languages/en_US/messages.mo /home/mysite//public_html/oc-content/plugins/paypal_advanced/languages/en_US/messages.mo /home/mysite//public_html/oc-content/plugins/republish_pro/languages/en_US/messages.mo /home/mysite//public_html/oc-content/plugins/requiredreg/languages/en_US/messages.mo /home/mysite/public_html/oc-content/plugins/seo_wiz/languages/en_US/messages.mo /home/mysite/public_html/oc-content/plugins/spam_solution/languages/en_US/messages.mo Memory maps by the process (if any): 00400000-00b28000 r-xp 00000000 08:03 134614007 /usr/bin/php 00d27000-00dae000 rw-p 00727000 08:03 134614007 /usr/bin/php 00dae000-00dcf000 rw-p 00000000 00:00 0 01108000-02437000 rw-p 00000000 00:00 0 [heap] 7f038eebc000-7f038f03f000 rw-p 00000000 00:00 0 7f038f03f000-7f038f04c000 r-xp 00000000 08:03 52428831 /lib64/libnss_files-2.12.so 7f038f04c000-7f038f24b000 ---p 0000d000 08:03 52428831 /lib64/libnss_files-2.12.so 7f038f24b000-7f038f24c000 r--p 0000c000 08:03 52428831 /lib64/libnss_files-2.12.so 7f038f24c000-7f038f24d000 rw-p 0000d000 08:03 52428831 /lib64/libnss_files-2.12.so 7f038f24d000-7f038f29f000 r-xp 00000000 08:03 137494755 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so 7f038f29f000-7f038f49e000 ---p 00052000 08:03 137494755 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so 7f038f49e000-7f038f4a4000 rw-p 00051000 08:03 137494755 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so 7f038f4a4000-7f038f4ab000 r-xp 00000000 08:03 137494751 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so 7f038f4ab000-7f038f6ab000 ---p 00007000 08:03 137494751 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so 7f038f6ab000-7f038f6ac000 rw-p 00007000 08:03 137494751 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so 7f038f6ac000-7f038f744000 r-xp 00000000 08:03 137494754 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so 7f038f744000-7f038f943000 ---p 00098000 08:03 137494754 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so 7f038f943000-7f038f947000 rw-p 00097000 08:03 137494754 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so 7f038f947000-7f038f95d000 r-xp 00000000 08:03 137494749 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so 7f038f95d000-7f038fb5d000 ---p 00016000 08:03 137494749 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so 7f038fb5d000-7f038fb60000 rw-p 00016000 08:03 137494749 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so 7f038fb60000-7f038fb7f000 r-xp 00000000 08:03 137494762 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so 7f038fb7f000-7f038fd7e000 ---p 0001f000 08:03 137494762 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so 7f038fd7e000-7f038fd84000 rw-p 0001e000 08:03 137494762 /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: teseo on October 16, 2016, 10:31:04 pm

Hi,

I'd guess the installation is communicating with one of the Osclass domains (54.217.201.242 (https://who.godaddy.com/whoisstd.aspx?domain=osclass.com&prog_id=GoDaddy)) to know if there available updates for you (themes, plugins, languages).

Regards

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: _CONEJO on October 17, 2016, 01:22:22 am

To check for updates (once per day), also, some of the information of the dashboard (the market widget).
Locations are also downloaded from an external location (this happens on installation and on admin panel, but not on the dashboard).
Market too, but I guess that was clear.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on October 18, 2016, 02:59:40 am

Thanks guys for the replies.  Glad to see it isn't a hacker.  Although the ip address changes once in a while to other ips.  I used to block them in my ip tables but was getting overwhelmed by the continuous tcp out connection attempts.  My server is blocking all tcp out port connections except for a few that I have allowed.  These are using port 80 so I can't block that port.


Is there a way to stop the script from sending out these requests?  I am seeing upward of 700 packets in a day when I leave my admin open for a while.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on October 21, 2016, 08:34:19 pm

I haven't been able to resolve this and hope that someone can tell me how to stop the script that is sending out requests for updates.  It has to be checking for updates every minute as I am still seeing hundreds of packets being sent out to this ip address per day.  Surely that is not normal.


It actually slows down the backend when I am trying to do administration work.  What should only take seconds to do is taking minutes while this script is trying to connect with your ip address.  It is quicker to make changes inside the database than wait for the website to respond to my requests in the admin section.


The only box that is checked in the settings is the cron all update checks are blank.  I tried to uncheck the cron also but that didn't stop the update requests either.



Any ideas?

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: Aficionado on October 21, 2016, 08:57:11 pm

I don't think Osclass does that every minute as you say.  I don' see that in any of my site.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on October 22, 2016, 02:50:23 am

Here are some more of my access logs:

Quote

my ip address - - [21/Oct/2016:13:55:05 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:06:06 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:06:34 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:07:01 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:09:14 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:09:36 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:09:45 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:13:35 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:16:03 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:26:42 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:26:42 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:26:59 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:43:44 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:48:12 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:48:15 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:49:54 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:50:27 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:52:35 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:52:39 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:53:46 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:53:47 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:54:49 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:56:59 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:57:24 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"
my ip address - - [21/Oct/2016:14:58:12 -0700] "POST / HTTP/1.1" 200 - "Osclass (v.361)" "-"

I also just observed the same thing being done for one of my clients who logged in and republished his ad.  There was a request sent to the ip (54.217.201.242) mentioned in this thread immediately after my client republished his ad.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: _CONEJO on October 22, 2016, 02:29:17 pm

If it's your IP, means that someone is making a request TO YOU... right?
Do you have a log with more information ??

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on November 16, 2016, 05:35:05 am

Sorry for the late reply.  Actually it is my ip trying to send something out to various ips that keep changing.  I'm thinking that the osclass sites are compromised somehow but cannot for the life of me figure it out as it doesn't happen with any other sites like WP or basic html/css sites on the server. 


There are 5 osclass sites on the server and all but one have this happen now and again.  When it happens it seems to last a few days and then disappears for a while. For now I am using this command to block the ips that my ip is trying to send out to.



iptables -A OUTPUT -d 46.8.35.0/24 -j DROP
/sbin/service iptables save


I'll keep trying to resolve this and hopefully be able to provide a solution in case it happens to someone else.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on November 16, 2016, 07:41:00 pm

Well that is not working either.  Here is the most recent logs and it seem this ip address is a popular one:

Quote

Time:    Wed Nov 16 02:17:11 2016 -0800
PID:     32434 (Parent PID:28965)
Account: mysite
Uptime:  125 seconds




Executable:


/usr/bin/php




Command Line (often faked in exploits):


/usr/bin/php /home/mysite/public_html/index.php




Network connections by the process (if any):


tcp: 71.19.244.97:40201 -> 91.134.29.33:80




Files open by the process (if any):


/tmp/sess_0186e010f86c76ad2c5acdbf43e85208
/home/mysite/public_html/oc-content/languages/en_US/core.mo
/home/mysite/public_html/oc-content/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/themes/ctg_classifieds_cvclassifieds/languages/en_US/theme.mo
/home/mysite/public_html/oc-content/plugins/ads4osc/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/products_attributes/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/realestate_attributes/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/location_required/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/spam_solution/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/fb_page_plugin/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/seo_wiz/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/paypal_advanced/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/requiredreg/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/republish_pro/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/moreedit/languages/en_US/messages.mo
/home/mysite/public_html/oc-content/plugins/ghost_fix/languages/en_US/messages.mo




Memory maps by the process (if any):


00400000-00b28000 r-xp 00000000 08:03 134614007                          /usr/bin/php
00d27000-00dae000 rw-p 00727000 08:03 134614007                          /usr/bin/php
00dae000-00dcf000 rw-p 00000000 00:00 0
023da000-03784000 rw-p 00000000 00:00 0                                  [heap]
7f2356ad8000-7f2356c5b000 rw-p 00000000 00:00 0
7f2356c5b000-7f2356c68000 r-xp 00000000 08:03 52428831                   /lib64/libnss_files-2.12.so
7f2356c68000-7f2356e67000 ---p 0000d000 08:03 52428831                   /lib64/libnss_files-2.12.so
7f2356e67000-7f2356e68000 r--p 0000c000 08:03 52428831                   /lib64/libnss_files-2.12.so
7f2356e68000-7f2356e69000 rw-p 0000d000 08:03 52428831                   /lib64/libnss_files-2.12.so
7f2356e69000-7f2356ebb000 r-xp 00000000 08:03 137494755                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so
7f2356ebb000-7f23570ba000 ---p 00052000 08:03 137494755                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so
7f23570ba000-7f23570c0000 rw-p 00051000 08:03 137494755                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so
7f23570c0000-7f23570c7000 r-xp 00000000 08:03 137494751                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so
7f23570c7000-7f23572c7000 ---p 00007000 08:03 137494751                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so
7f23572c7000-7f23572c8000 rw-p 00007000 08:03 137494751                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so
7f23572c8000-7f2357360000 r-xp 00000000 08:03 137494754                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so
7f2357360000-7f235755f000 ---p 00098000 08:03 137494754                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so
7f235755f000-7f2357563000 rw-p 00097000 08:03 137494754                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so
7f2357563000-7f2357579000 r-xp 00000000 08:03 137494749                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so
7f2357579000-7f2357779000 ---p 00016000 08:03 137494749                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so
7f2357779000-7f235777c000 rw-p 00016000 08:03 137494749                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so
7f235777c000-7f235779b000 r-xp 00000000 08:03 137494762                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so
7f235779b000-7f235799a000 ---p 0001f000 08:03 137494762                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so
7f235799a000-7f23579a0000 rw-p 0001e000 08:03 137494762                  /usr/local/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: nootkan on December 13, 2016, 05:54:42 am

Alright I'm not sure whether this is an attack but I am assuming based on my research it is not. I believe it is the many plugins and other scripts that osclass  uses are sending out requests via cron for cleaning, updating etc.  I have since removed all ip blocks from my server and the sites are back to running efficiently again.  I also have added the logs to my ignore file to help mitigate all the emails from my logs.


The part that concerns me is that these developers of the plugins or other scripts have to have different ip addresses in different countries instead of just one.  That is what raises red flags for me as hackers and spammers use the same logic.  When a script sends out a request to more than one ip address for the same purpose it is a little unnerving.


As no one else is seeing anything similar in their logs this also concerns me but since I cannot prove it is an attack related issue I am going to drop it and keep monitoring to see if anything else raises its ugly head.  Thanks to those of you who tried to help me figure this out.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: Aficionado on December 13, 2016, 01:13:16 pm

While definitely doesn't seem like an attack and it is a CRON log, it is not normal. CRON should not be run every xxx seconds or so.

I see an other user reporting the same the last days using Internal CRON and i wonder if this could be a bug or some buggy plugin ?

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: Aficionado on December 13, 2016, 01:25:42 pm

Maybe it is a good idea @_CONEJO to include the plugin or service name that calls the CRON in the log file.

Near the version of Osclass. So we know what it happening.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: _CONEJO on December 13, 2016, 05:57:56 pm

The cron is called in oc-load only (if auto-cron enabled), or if you access to the file manually or by CLI. There isn't much mystery there. But it looks like the way that request is made (in background) doesn't fit your server well, so as Aficionado suggested. Disable auto-cron for a few days and check your logs. If the problem is still happening, then I don't have more ideas. If the problem have disappeared, then you should use your system's cron or an external one.

Title: Re: Why Does Osclass Try to Connect with outside ip address?
Post by: Aficionado on December 13, 2016, 09:00:31 pm

Extrenal CRON (within my Cpanel) works great:

Example:

Code: [Select]

wget https://www.website.com/index.php?page=cron -O /dev/null