• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Website Hijacked
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Website Hijacked

  • Subject: Re: Website Hijacked
  • From: Daniele Corti <email@hidden>
  • Date: Fri, 13 Apr 2012 09:39:37 +0200
Hi Gino,
can I suggest you to inspect you site with firebug or something similar? Try to trace the urls the browser calls and see if there are some strange url.

Another thing you can try is to disable JS in the browser and see if the redirection still occurs. If there aren't redirections, the problem is, probably, some injection in the HTML.

One last thing: the Jon message makes me think if I miss something. You say you have redirection on another site, but when you are seeing the Adult site the url in the browser's address bar has changed?


2012/4/13 Gino Pacitti <email@hidden>
yes.. I can look at the form in the source of the page and action points to : /cgi-bin/WebObjects... etc... with the component numbers after the /wo
It seems that for some reason the POST is causing a redirection off to another site.

It just does not happen at every attempt though which is even more puzzling..

Gino

On 12 Apr 2012, at 20:39, Daniele Corti wrote:

the url of the form or the link are correctly formed? I mean, do you have the HREF and ACTION attribute pointing to /cgi-bin/WebObejcts/YourApp.woa/wo/SESSION_ID/Num.ber.Pro.Gre.ssi.ve ?

2012/4/12 Gino Pacitti <email@hidden>
No .. completely just form submits and links...

It is weird. A normal link to a Component Action results in the URL changing and a Adult site appearing. It looks a bit like DNSSwapping which I looked into but I have ran scans on this with no results...


Gino

On 12 Apr 2012, at 19:52, Daniele Corti wrote:

Hi,
Just one thing that I was thinking: do you use AJAX in the form or link where the redirection occurs?

2012/4/12 Gino Pacitti <email@hidden>
I will have to give that a try...

Gino

On 12 Apr 2012, at 19:47, Daniele Corti wrote:

Hi,
That's strange, can you download the .woa packages (the Application and the WebResources) and install them on a test site and see if the redirection happens?


2012/4/12 Gino Pacitti <email@hidden>
no database seems clean - tried to search for a 'script' word in any fields and nothing came back - its like the whole site gets redirected when you click a form to go to a Direct Action?

Gino

On 12 Apr 2012, at 16:25, Daniele Corti wrote:

Hi Gino,
is the Direct Action, actually, generating the HTML from content fetched from the DB? If so, can you check the records that are fetched in the DA, if they have some script injections?

Regards,

2012/4/12 Gino Pacitti <email@hidden>
I have been hijacked...
Its redirecting and also spreading virus to PC - not everyone but a percentage of users have had warnings and alert screen concerning the site.

What should i look for in the logs?

Gino

On 12 Apr 2012, at 16:02, Pascal Robert wrote:

You are hijacked or you are seeing hacks attempts? What do you see in the Apache logs?

Hi
Anyone had any experience of how a site can be hijacked?

I mean that a normal link to a Direct Action gets redirected to a new site (Adult Content)

I cannot see how this is being done - Components does not contain any scripts except for Google Ananlytics yet clicking on a submit button or links causes this.

It is also not on every attempt - it seems to happen randomly??

Any help appreciated

Gino
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden.com)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden.com)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden.com)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden



--
Daniele Corti
--
I DON'T DoubleClick

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden.com)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden




--
Daniele Corti
--
I DON'T DoubleClick





--
Daniele Corti
--
I DON'T DoubleClick





--
Daniele Corti
--
I DON'T DoubleClick





--
Daniele Corti
--
I DON'T DoubleClick

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: Website Hijacked
      • From: Gino Pacitti <email@hidden>
References: 
 >Website Hijacked (From: Gino Pacitti <email@hidden>)
 >Re: Website Hijacked (From: Pascal Robert <email@hidden>)
 >Re: Website Hijacked (From: Gino Pacitti <email@hidden>)
 >Re: Website Hijacked (From: Daniele Corti <email@hidden>)
 >Re: Website Hijacked (From: Daniele Corti <email@hidden>)
 >Re: Website Hijacked (From: Daniele Corti <email@hidden>)
 >Re: Website Hijacked (From: Daniele Corti <email@hidden>)

  • Prev by Date: WO 2012 by Apple?
  • Next by Date: Re: Website Hijacked
  • Previous by thread: Re: Website Hijacked
  • Next by thread: Re: Website Hijacked
  • Index(es):
    • Date
    • Thread