Re: Website Hijacked
- Subject: Re: Website Hijacked
- From: Daniele Corti <email@hidden>
- Date: Fri, 13 Apr 2012 14:18:06 +0200
Nothing strange in this url: just a ddns, probably, from a cracked PC.
Did you check whether someone has broken into your web server? Maybe someone changed the HTML directly in the .wo components, or altered the Apache configuration.
2012/4/13 Gino Pacitti <email@hidden>
Take a look at this URL - see attached...
The link pointed to a regular Component Action with correct domain name etc., but then once clicked turned into this?
G
On 13 Apr 2012, at 09:06, Daniele Corti wrote:
Hi Gino,
look, I was thinking, yesterday, how to hack a WO site and, IMHO, if you have excluded the injection in the DB (e.g. someone pushed an iframe or script into the HTML saved in the DB), the only other way is to gain access to the repository of the site (through SSH, FTP, SFTP).
Can you access the machine and check for the latest connections?
2012/4/13 Gino Pacitti <email@hidden>
Hi Daniel
I will try with JS disabled to see if I can repeat the problem.
The URL I see in the source and in the status are correct - it is once the form button or link is clicked that the issue occurs. It's like the URL clicked is pointing to the Adult or Virus website.
The URL is something like:
http://www.mydomain.co.uk/cgi-bin/WebObjects/Appt.woa/2/wo/imCcv2b2suMZqLswRhNV50/8.16.14.0
Once clicked it then becomes a completely different URL and the browser goes to that page with the malware???
It's almost like a redirect or something is occurring....
Gino
On 13 Apr 2012, at 08:39, Daniele Corti wrote:
Hi Gino,
can I suggest you inspect your site with Firebug or something similar? Try to trace the URLs the browser calls and see if there are any strange URLs.
Another thing you can try is to disable JS in the browser and see if the redirection still occurs. If there aren't redirections, the problem is, probably, some injection in the HTML.
One last thing: Jon's message makes me wonder whether I missed something. You say you have redirection to another site, but when you are seeing the Adult site, has the URL in the browser's address bar changed?
2012/4/13 Gino Pacitti <email@hidden>
Yes.. I can look at the form in the source of the page and the action points to: /cgi-bin/WebObjects... etc... with the component numbers after the /wo
It seems that for some reason the POST is causing a redirection off to another site.
It just does not happen at every attempt though which is even more puzzling..
Gino
On 12 Apr 2012, at 20:39, Daniele Corti wrote:
Are the URLs of the form or the link correctly formed? I mean, do you have the HREF and ACTION attributes pointing to /cgi-bin/WebObjects/YourApp.woa/wo/SESSION_ID/Num.ber.Pro.Gre.ssi.ve ?
2012/4/12 Gino Pacitti <email@hidden>
No .. completely just form submits and links...
It is weird. A normal link to a Component Action results in the URL changing and an Adult site appearing. It looks a bit like DNSSwapping which I looked into but I have run scans on this with no results...
Gino
On 12 Apr 2012, at 19:52, Daniele Corti wrote:
Hi,
Just one thing that I was thinking: do you use AJAX in the form or link where the redirection occurs?
2012/4/12 Gino Pacitti <email@hidden>
I will have to give that a try...
Gino
On 12 Apr 2012, at 19:47, Daniele Corti wrote:
Hi,
That's strange, can you download the .woa packages (the Application and the WebResources) and install them on a test site and see if the redirection happens?
2012/4/12 Gino Pacitti <email@hidden>
No, database seems clean - tried to search for a 'script' word in any fields and nothing came back - it's like the whole site gets redirected when you click a form to go to a Direct Action?
Gino
On 12 Apr 2012, at 16:25, Daniele Corti wrote:
Hi Gino,
is the Direct Action, actually, generating the HTML from content fetched from the DB? If so, can you check the records that are fetched in the DA, if they have some script injections?
Regards,
2012/4/12 Gino Pacitti <email@hidden>
I have been hijacked...
It's redirecting and also spreading virus to PC - not everyone but a percentage of users have had warnings and alert screens concerning the site.
What should I look for in the logs?
Gino
On 12 Apr 2012, at 16:02, Pascal Robert wrote:
You are hijacked or you are seeing hack attempts? What do you see in the Apache logs?
Hi
Anyone had any experience of how a site can be hijacked?
I mean that a normal link to a Direct Action gets redirected to a new site (Adult Content)
I cannot see how this is being done - Components do not contain any scripts except for Google Analytics yet clicking on a submit button or links causes this.
It is also not on every attempt - it seems to happen randomly??
Any help appreciated
Gino
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden.com)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Daniele Corti
--
I DON'T DoubleClick
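The two server-side checks suggested in this thread (HTML changed inside the .wo components, or an altered Apache configuration), sketched as an added example that is not part of the original messages: it walks a deployment tree and reports redirect directives and script/iframe/meta/form references whose host is not on an allowlist. The directory layout, the allowlist and the sample file contents are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Apache directives that can send a browser to another site.
APACHE_REF = re.compile(
    r"^\s*(Redirect\w*|RewriteRule|ErrorDocument|Header)\b.*?(https?://[^\s\"'\]]+)", re.I)
# Component markup that loads from, or submits to, an absolute URL.
HTML_REF = re.compile(
    r"<(script|iframe|meta|form)\b[^>]*?(?:src|url|action)\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)

def external_host(url, allowed):
    host = (urlparse(url).hostname or "").lower()
    ok = any(host == a or host.endswith("." + a) for a in allowed)
    return None if ok else host  # None means the host is on the allowlist

def scan_tree(root, allowed):
    """Walk root; report (file, line, directive_or_tag, host) for off-site references."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            pattern = (APACHE_REF if name == ".htaccess" or name.endswith(".conf")
                       else HTML_REF if name.endswith(".html") else None)
            if pattern is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in pattern.finditer(line):
                        host = external_host(m.group(2), allowed)
                        if host:
                            findings.append((os.path.relpath(path, root), lineno, m.group(1), host))
    return sorted(findings)

def demo():
    """Run the scan over a constructed tree (sample contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        wo = os.path.join(root, "Appt.woa", "Main.wo")
        os.makedirs(wo)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\nRewriteRule ^(.*)$ http://redirect.invalid/in [R=302,L]\n")
        with open(os.path.join(wo, "Main.html"), "w") as fh:
            fh.write('<script src="http://www.google-analytics.com/ga.js"></script>\n'
                     '<iframe src="http://frames.invalid/x"></iframe>\n')
        return scan_tree(root, {"mydomain.co.uk", "google-analytics.com"})

if __name__ == "__main__":
    print(demo())
```

Comparing the findings against a known-good copy of the deployed .woa and the Apache configuration shows whether a flagged line was added after deployment.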