  1. #1
    TechnoBear

    Strange log entries

    I have a couple of questions which are probably very stupid, but I'll go ahead and ask them anyway.

    My server logs (on shared hosting) show a large number of requests, from various IPs, which take the form /home/my_username/public_html/directory/subdirectory/file.php . Am I right in thinking that there is no legitimate reason for anyone to be trying to access my site using that path? The directory is blocked in the robots.txt file, and files within it are not linked from the main site. The username is the standard cPanel first-eight-letters-of-the-domain version (which I can't change) and the site was hacked some months back, so I'm not too surprised to find it being used.

    As far as I can tell, all these requests have been blocked with a 403 or 404 error. Is there anything else I can do about them? The vast majority of these requests seem to have come via Google translate, if I'm reading the logs correctly.
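One way to check the "all blocked with a 403 or 404" reading of the logs, as an added example that is not part of the original post: it assumes Apache's combined log format, and the function name `triage` and the sample lines are constructed for illustration. It counts requests whose target starts with `/home/<user>/public_html/` by status and referrer host, and lists any that were not refused.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Request target that begins with an account's filesystem root rather than a URL path.
FS_PATH = re.compile(r'^/home/[^/]+/public_html/')


def triage(lines):
    """Summarise filesystem-path requests: counts by status and referrer host,
    plus any that were NOT refused (status below 400)."""
    by_status, by_referer, served = Counter(), Counter(), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not FS_PATH.match(m["target"]):
            continue
        status = int(m["status"])
        by_status[status] += 1
        by_referer[urlsplit(m["referer"]).hostname or "-"] += 1
        if status < 400:
            served.append((m["ip"], m["target"], status))
    return by_status, by_referer, served


# Constructed sample lines (documentation IP ranges, placeholder path), not real log data.
P = "/home/my_username/public_html/directory/subdirectory/file.php"
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET {P} HTTP/1.1" 403 312 "http://translate.google.com/translate?u=x" "UA"',
    f'203.0.113.8 - - [01/Jan/2024:10:00:05 +0000] "GET {P} HTTP/1.1" 404 290 "http://translate.google.com/translate?u=x" "UA"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "UA"',
    f'198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET {P} HTTP/1.1" 200 1834 "-" "UA"',
]

if __name__ == "__main__":
    statuses, referers, served = triage(SAMPLE)
    print("by status :", dict(statuses))
    print("by referer:", dict(referers))
    for ip, target, status in served:
        print(f"REVIEW {status} {ip} {target}")
```

Any line reported under REVIEW is a filesystem-path request the server answered instead of refusing, which is the case worth following up.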

  2. #2
    ScallioXTX
    Sounds like an incorrect redirect using mod_rewrite or something like that. That can sometimes spit out complete paths like the one you have there. But indeed, you shouldn't be seeing requests like that in your log; people should not even know what your user name is, let alone try and access it.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  3. #3
    TechnoBear
    Thank you. I have various rewrite rules (produced by a script) and now I've looked at them, I find they do use that path. e.g.
    Code:
    RewriteRule (.*) /home/my_domain/public_html/directory/subdirectory/file.php
    I confess I have no idea if that is correctly written. Can I change the first part to http: //www .my_domain/directory etc., or is that incorrect syntax? (Without the spaces, of course - I couldn't work out how else to stop it automatically being tagged as a URL.) I don't think that can be the whole answer, though, because I have the exact same rule on twelve separate domains, and only three of them have this pathway in the log entries. (The other two only have a handful of occurrences, which I hadn't noticed before.)

    I now promise to go and study the tutorials in the Apache forum.

  4. #4
    ScallioXTX
    Just use this instead:

    Code:
    RewriteRule (.*) directory/subdirectory/file.php
    What you have should in theory also work, but it's not very nice code, and as you've just found out, not all servers like it.
    What is it supposed to do btw? That line looks a bit odd...

  5. #5
    TechnoBear
    Thank you - I'll change that. It's from a set of rules supposed to block code injection or SQL injection attempts.

  6. #6
    TechnoBear
    @ScallioXTX: To reply to your next post, which seems to have got lost in transit somewhere, it's the last line of a block of rules:
    Code:
    RewriteCond %{REQUEST_METHOD} (GET) [NC]
    # Avoid blocking yourself (for admin access)
    RewriteCond %{REMOTE_ADDR} !^***.***.**.***
    #--------------------------------------------------------------------------------
    # The following rules can block some of your URLs; in case of problems, try removing them one by one until it is solved
    # The QUERY_STRING conditions below form one OR group, so every one except the last carries [OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(f|%66|%46)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)%20(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)%20(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%20(%3A|:)(/|%2F){2}(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(h|%68|%48)%20(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC]
    # End of potential issue rules
    RewriteRule (.*) directory/subdirectory/file.php   [L]
    You're quite right to assume I'm clueless when it comes to this stuff. I naively thought I only needed to worry about security on my local machine, not the server, until three of my sites were hacked. Since then, I've been trying to learn as much as I can, and I'm grateful for any assistance. My hosting company didn't want to know, so I'm pretty much floundering about on my own.
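To see which query strings the block above catches before relying on it, the nine QUERY_STRING patterns can be run offline against sample requests. This is an added example, not part of the original thread: the function name `flagged` and the sample query strings are constructed, the patterns are treated as a single OR group, and the REQUEST_METHOD and REMOTE_ADDR conditions are ignored.

```python
import re

# QUERY_STRING patterns copied from the rule block above. Apache does not URL-decode
# QUERY_STRING, which is why each letter is listed with its percent-encoded forms.
PATTERNS = [re.compile(p, re.I) for p in (  # re.I mirrors the [NC] flag
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)%3a(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%3a(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(f|%66|%46)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)%20(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)%20(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%20(%3A|:)(/|%2F){2}(.*)$',
    r'^(.*)(%3D|=|%3A|%09)(h|%68|%48)%20(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$',
)]


def flagged(query_string):
    """True if any condition matches, i.e. the request would be sent to file.php."""
    return any(p.match(query_string) for p in PATTERNS)


# Constructed query strings (raw, as they appear after the "?" in the request).
SAMPLES = [
    "page=http://example.test/a.txt",           # plain URL in a parameter
    "page=hTtP%3A%2F%2Fexample.test%2Fa.txt",   # mixed case, encoded separators
    "page=%68%74%74%70%73://example.test/",     # scheme letters percent-encoded
    "file=ftp://example.test/x",                # ftp scheme
    "return=https://www.example.test/account",  # legitimate redirect parameter, also caught
    "id=42&lang=en",                            # ordinary query, passes through
    "q=http",                                   # the word alone, no "://"
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{'BLOCK' if flagged(qs) else 'pass ':5}  {qs}")
```

The `return=` sample is the false positive the script's own comment warns about: any page of yours that takes a full URL as a parameter will be rewritten too.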

