Re: Website Hijacked
Re: Website Hijacked
- Subject: Re: Website Hijacked
- From: Gino Pacitti <email@hidden>
- Date: Fri, 13 Apr 2012 08:47:33 +0100
Hi Daniel
I will try with JS disabled to see if I can repeat the problem.
The URL I see in the source and in the status are correct - it is once
the form button or link is clicked that the issue occurs. Its like the
URL clicked is pointing to the Adult or Virus website.
The URL is something like:
http://www.mydomain.co.uk/cgi-bin/WebObjects/Appt.woa/2/wo/imCcv2b2suMZqLswRhNV50/8.16.14.0
Once clicked it then becomes a completely different URL and the
browser goes to that page with the malware???
Its almost like a redirect or something is occuring....
Gino
On 13 Apr 2012, at 08:39, Daniele Corti wrote:
Hi Gino,
can I suggest you to inspect you site with firebug or something
similar? Try to trace the urls the browser calls and see if there
are some strange url.
Another thing you can try is to disable JS in the browser and see if
the redirection still occurs. If there aren't redirections, the
problem is, probably, some injection in the HTML.
One last thing: the Jon message makes me think if I miss something.
You say you have redirection on another site, but when you are
seeing the Adult site the url in the browser's address bar has
changed?
2012/4/13 Gino Pacitti <email@hidden>
yes.. I can look at the form in the source of the page and action
points to : /cgi-bin/WebObjects... etc... with the component numbers
after the /wo
It seems that for some reason the POST is causing a redirection off
to another site.
It just does not happen at every attempt though which is even more
puzzling..
Gino
On 12 Apr 2012, at 20:39, Daniele Corti wrote:
the url of the form or the link are correctly formed? I mean, do you
have the HREF and ACTION attribute pointing to /cgi-bin/WebObejcts/
YourApp.woa/wo/SESSION_ID/Num.ber.Pro.Gre.ssi.ve ?
2012/4/12 Gino Pacitti <email@hidden>
No .. completely just form submits and links...
It is weird. A normal link to a Component Action results in the URL
changing and a Adult site appearing. It looks a bit like DNSSwapping
which I looked into but I have ran scans on this with no results...
Gino
On 12 Apr 2012, at 19:52, Daniele Corti wrote:
Hi,
Just one thing that I was thinking: do you use AJAX in the form or
link where the redirection occurs?
2012/4/12 Gino Pacitti <email@hidden>
I will have to give that a try...
Gino
On 12 Apr 2012, at 19:47, Daniele Corti wrote:
Hi,
That's strange, can you download the .woa packages (the Application
and the WebResources) and install them on a test site and see if the
redirection happens?
2012/4/12 Gino Pacitti <email@hidden>
no database seems clean - tried to search for a 'script' word in any
fields and nothing came back - its like the whole site gets
redirected when you click a form to go to a Direct Action?
Gino
On 12 Apr 2012, at 16:25, Daniele Corti wrote:
Hi Gino,
is the Direct Action, actually, generating the HTML from content
fetched from the DB? If so, can you check the records that are
fetched in the DA, if they have some script injections?
Regards,
2012/4/12 Gino Pacitti <email@hidden>
I have been hijacked...
Its redirecting and also spreading virus to PC - not everyone but a
percentage of users have had warnings and alert screen concerning
the site.
What should i look for in the logs?
Gino
On 12 Apr 2012, at 16:02, Pascal Robert wrote:
You are hijacked or you are seeing hacks attempts? What do you see
in the Apache logs?
Hi
Anyone had any experience of how a site can be hijacked?
I mean that a normal link to a Direct Action gets redirected to a
new site (Adult Content)
I cannot see how this is being done - Components does not contain
any scripts except for Google Ananlytics yet clicking on a submit
button or links causes this.
It is also not on every attempt - it seems to happen randomly??
Any help appreciated
Gino
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Daniele Corti
--
I DON'T DoubleClick
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Daniele Corti
--
I DON'T DoubleClick
--
Daniele Corti
--
I DON'T DoubleClick
--
Daniele Corti
--
I DON'T DoubleClick
--
Daniele Corti
--
I DON'T DoubleClick
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden