  1. #1
    SitePoint Enthusiast
    Join Date
    Jul 2012
    Posts
    31
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Help with 404 errors **Not sure if this is the right place**

    OK, I have this site and I have added a nice custom 404 that also emails me where the person was and where they were trying to get to. It's all working great apart from I'm getting 100s of emails with this:

    Requested Page: /404.php
    Referred By: page removed so as not to advertise
    Remote Addr: 197.15.81.160 ()
    Request URI: /404.php

    and I don't know why the 404 is causing this error. Any help or suggestions would be lovely!

  2. #2
    Programming Team
    Mittineague
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    16,454
    Mentioned
    160 Post(s)
    Tagged
    1 Thread(s)
    And what does your nice 404 page do? Redirect them to another page perhaps?

  3. #3
    SitePoint Enthusiast
    Yes, the home page.

    <?php require_once("910363_Connections/loveit.php"); ?>
    <?php include("header.php"); ?>
    <head>

    <meta http-equiv="refresh" content="10;url=http://www.xxxxxxxxxxxx.co.uk/">
    <title>404 Error Page</title>
    </head>

    <body>
    <br />
    <br />
    <br />
    <br />
    <div align="center" style="color:White"><h1>404 Error</h1></div>
    <div align="center" style="color:White"><p>Whoops looks like you've turn too many pages! Or that theres been a mistake. Lets get you back on track our home page will load shortly.</p>

    </div>
    <?php
    // Collect details of the failed request for the notification e-mail.
    $url = $_SERVER["REQUEST_URI"];
    // The Referer header is optional, so guard against it being absent.
    $referrer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
    if ($referrer == "") {
        $referrer = "Unknown";
    }
    // REMOTE_HOST is only set when the server does reverse DNS lookups.
    $remoteHost = isset($_SERVER["REMOTE_HOST"]) ? $_SERVER["REMOTE_HOST"] : "";
    // Do not send mail for these well-known probe URLs.
    if ($url != "/sitemap.rdf"
        && stristr($url, '/_vti_bin/') === false
        && stristr($url, '/siteinfo.xml') === false
        && stristr($url, '/MSOffice/clt') === false
    ) {
        mail("webmaster@xxxxxxe.co.uk", "Page Not Found",
            "Requested Page: " . $url
            . "\r\nReferred By: " . $referrer
            . "\r\nRemote Addr: " . $_SERVER["REMOTE_ADDR"] . " (" . $remoteHost . ")"
            . "\r\n"
            . "Cookies: \r\n"
            . implode(",", $_COOKIE)
            . "\r\nRequest URI: " . $_SERVER["REQUEST_URI"]
            . "\r\n",
            "From: webmaster@xxxxxxxxxxxx.co.uk");
    }
    ?>
    </body>
    </html>

  4. #4
    Mittineague
    Hmmm. That looks safe enough. I have seen some custom 404s that took the ?page and redirected to that. Not the safest, e.g. a request for
    404.php?database_config_vals.php
    would show a sensitive file.

    Maybe it's just script kiddies hoping yours does that and are trying to exploit it?

  5. #5
    Certified Ethical Hacker dklynn
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,605
    Mentioned
    19 Post(s)
    Tagged
    2 Thread(s)
    What does 910363_Connections/loveit.php do?

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  6. #6
    SitePoint Enthusiast
    It holds the connection data for the back end MySQL for the site... which I suppose I don't need for the 404 page, thinking about it... Just loaded my emails, had 4000 from this overnight... Need to track this down, it's bugging me.


    <?php # xxx.php

    //This file contains the database access information. This file also establishes
    //a connection to MySQL and selects the database.

    //Set the database access information as constants.

    define ('DB_USER', 'xxxxxx');
    define ('DB_PASSWORD', 'xxxxx');
    define ('DB_HOST', 'xxxxxxxx');
    define ('DB_NAME', 'xxxxxxx');
    //Make the connection and then select the database...
    $loveit = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD);
    @mysql_select_db (DB_NAME);
    ?>

  7. #7
    Certified Ethical Hacker dklynn
    James1987,

    Try changing the $url assignment to $_SERVER['THE_REQUEST']; and see if that makes a difference. After all, any time the 404 is served, the URI is changed to the specified 404 page. At least that will tell you the actual script the visitor had requested.

    Regards,

    DK

  8. #8
    SitePoint Enthusiast
    ok, change it here?

    <?php
    $url = $_SERVER[ "THE_REQUEST" ];
    $referrer = $_SERVER[ "HTTP_REFERER" ];
    if ( $referrer == "" )
    $referrer = "Unknown";
    if ($url!= "/sitemap.rdf"
    && stristr($url, '/_vti_bin/') == FALSE
    && stristr($url, '/siteinfo.xml') == FALSE
    && stristr($url, '/MSOffice/clt') == FALSE
    ){
    mail("webmaster@xxx.co.uk", "Page Not Found",
    "Requested Page: " . $url
    . "\r\nReferred By: " . $referrer
    . "\r\nRemote Addr: " . $_SERVER["REMOTE_ADDR"] . " (" . $_SERVER["REMOTE_HOST"] . ")"
    . "\r\n"
    . "Cookies: \r\n"
    . implode(",", $_COOKIE)
    . "\r\nRequest URI: " . $_SERVER["REQUEST_URI"]
    . "\r\n"

  9. #9
    SitePoint Enthusiast
    Made that change, though nothing has changed; still getting 100 emails an hour. Should I give up and try it a different way? Is there a different way?

  10. #10
    Certified Ethical Hacker dklynn
    James,

    Did all the e-mail continue to show {THE_REQUEST} to be for the 404 script? If so, someone must be attacking your system using the 404.php script. Download it and compare it with your master copy - I expect they will not be identical (look for a JavaScript at the start of the file which is a long eval() statement).

    Regards,

    DK

  11. #11
    SitePoint Enthusiast
    No, now for some reason that is now blank.
    Requested Page:
    Referred By: xxxxxxxxxxxx
    Remote Addr: 90.210.78.237 ()
    Cookies:
    1.2103272747.1343728820.1343728820.1343728820.1,1.17.10.1343728820,1,1.1343728820.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=love it magazine,default
    Request URI: /404.php

  12. #12
    Certified Ethical Hacker dklynn
    James,

    When referrers are blank, it's because it's a direct request. Since no one in their right mind would request a 404 script (unless it carries a "payload" as discussed in post #10). In other words, I'll double my bet that you've been hacked and 404.php is their gateway!

    Regards,

    DK

  13. #13
    SitePoint Enthusiast
    Awesome! Umm, and how would I sort this? (My first hacked site EVER.) Any tips?

  14. #14
    Certified Ethical Hacker dklynn
    James,

    First, run a WinMerge compare of your master file against the 404.php which is online (download to a different directory, of course). That will show exactly where any and all differences are.

    Okay, your 404 is simple enough that all you need to do is LOOK at the code of the 404.php script you download. The <script> at the beginning does not belong there and is a hack which is using your website to send SPAM around the world (your host should have picked-up on this already and disabled your account).

    Anyway, if you find evidence of a hack (like scripts which you did not put in the files),

    1. Immediately delete all FTP access except one (master for the account).

    2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.

    3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).

    4. Additionally, I use a CRON to SHA1 hash verify that files have remained unchanged over the last xx hours for "peace of mind."

    5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.

    6. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my "webspace").

    7. Update all "canned scripts" (e.g., WP, Zencart, etc.) and be sure that they're kept updated in order to prevent further attacks via security problems discovered in those scripts.


    There is a place for penetration testing (with a tool like BackTrack) but it is something best left to the sysadmins of your host (or a security professional if you own your server). In fact, you must not use those tools or techniques on others' servers because you will be identified as a hacker, your IP address will be blocked and you will be reported to authorities for prosecution. The anti-hacking laws are beginning to be enforced and you will (and should) be harshly punished.

    The important point, though, is to get on it as soon as you see something amiss (like all your 404 requests).

    Regards,

    DK
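
Point 4 in the list above (a cron job that SHA-1 verifies files), sketched as an added example that is not dklynn's script or part of the original thread. The script name, paths and report labels are assumptions; create the baseline only from files already confirmed clean and keep it outside the web root.

```bash
#!/usr/bin/env bash
# Added example: SHA-1 baseline and change detection for web files.
# All paths and file names are assumptions, not values from the thread.

# make_baseline WEBROOT OUTFILE
# Writes one "sha1  ./relative/path" line per html/php/js file, sorted by path.
# Run it only on files already confirmed clean (e.g. fresh master copies).
make_baseline() {
    ( cd "$1" && find . -type f \
          \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
          -exec sha1sum {} + | sort -k 2 ) > "$2"
}

# check_baseline WEBROOT BASELINE
# Prints MODIFIED / MISSING / NEW lines and returns 1 if anything differs.
check_baseline() {
    local current report
    current=$(mktemp) || return 2
    make_baseline "$1" "$current"
    report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 43)] = $1; next }  # baseline pass
        {   path = substr($0, 43); seen[path] = 1               # current pass
            if (!(path in old))       print "NEW      " path
            else if (old[path] != $1) print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Cron entry (hypothetical paths); cron mails any output to the account owner:
#   0 * * * * /home/USER/integrity.sh check /home/USER/public_html /home/USER/baseline.sha1
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

A NEW line matters as much as a MODIFIED one here, since a dropped-in script changes no existing hash.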

  15. #15
    SitePoint Enthusiast
    OK, tried all these; nothing comes back as "bugged". I like the sound of point 4 but wouldn't know where to start with this. Unfortunately I have to use 1and1hosting.

  16. #16
    Certified Ethical Hacker dklynn
    Originally posted by James1987:
    unfortunately i have to use 1and1hosting.
    You don't know better? 1&1 has been panned by members here for many years.

    If you're looking for a new host (and you should be), may I recommend WebHostingBuzz. I've just upgraded to a dedi and their staff moved a large VPS from another host without any problem - and that's been my experience with shared accounts on WHB for several years, too! Have a look at other threads (in Web Hosting and Domains) for my "Search Process" (what I do when looking for a new host).

    Regards,

    DK

  17. #17
    SitePoint Enthusiast
    OK, tried all these; nothing comes back as "bugged". I like the sound of point 4 but wouldn't know where to start with this. Unfortunately I have to use 1and1hosting, due to just starting at the company and this is what they have paid and signed up with for now. Would love to change. WebHostingBuzz do look good. I have 4 domains, 3 websites and about 120 emails to host; not sure whether to go hosted or to set it up in house.

  18. #18
    Certified Ethical Hacker dklynn
    j87,

    All you need to do is ask for a copy of the code (to use with #4 - which is only useful to detect CHANGES so you'd better confirm that a file is okay before hashing to your database).

    If the company is forcing 1&1, then make a case that they're worthless - better to have them walk from whatever investment they have with them than to suffer horrible service. FWIW, WHB just moved a rather sizeable VPS to a dedicated server without incident - they get top marks! While their transfer appears to be a standard service for shared through dedi, be sure that you get their managed service if you're not an experienced sysadmin on VPS & dedis.

    Regards,

    DK

