Help with 404 errors **Not sure if this is the right place**

[James1987]

ok i have this site adn i have added a nice custom 404 that also emails me where the person was and were they were trying to get to. its all working great appart from im getting 100's of emails with this:-

Requested Page: /404.php
Referred By: page removed so as not to advertise
Remote Addr: 197.15.81.160 ()
Request URI: /404.php

and i dont know why the 404 is causing this error any help or suggestions would be lovely!

[Mittineague]

And what does your nice 404 page do? Redirect them to another page perhaps?

[James1987]

Yes, the home page.

<?php require_once("910363_Connections/loveit.php"); ?>
<?php include("header.php"); ?>
<head>

<meta http-equiv="refresh" content="10;url=http://www.xxxxxxxxxxxx.co.uk/">
<title>404 Error Page</title>
</head>

<body>
<br />
<br />
<br />
<br />
<div align="center" style="color:White"><h1>404 Error</h1></div>
<div align="center" style="color:White"><p>Whoops looks like you've turn too many pages! Or that theres been a mistake. Lets get you back on track our home page will load shortly.</p>

</div>
<?php
$url = $_SERVER[ "REQUEST_URI" ];
$referrer = $_SERVER[ "HTTP_REFERER" ];
if ( $referrer == "" )
$referrer = "Unknown";
if ($url!= "/sitemap.rdf"
&& stristr($url, '/_vti_bin/') == FALSE
&& stristr($url, '/siteinfo.xml') == FALSE
&& stristr($url, '/MSOffice/clt') == FALSE
){
mail("webmaster@xxxxxxe.co.uk", "Page Not Found",
"Requested Page: " . $url
. "\r\nReferred By: " . $referrer
. "\r\nRemote Addr: " . $_SERVER["REMOTE_ADDR"] . " (" . $_SERVER["REMOTE_HOST"] . ")"
. "\r\n"
. "Cookies: \r\n"
. implode(",", $_COOKIE)
. "\r\nRequest URI: " . $_SERVER["REQUEST_URI"]
. "\r\n"
,"From: webmaster@xxxxxxxxxxxx.co.uk" );
}
?>
</body>
</html>

[Mittineague]

Hmmm. that looks safe enough. I have seen some custom 404s that took the ?page and redirected to that. Not the safest, eg. a request for
404.php?database_config_vals.php
would show a sensitive file.

Maybe it's just script kiddies hoping yours does that and are trying to exploit it?

[dklynn]

What does 910363_Connections/loveit.php do?

Regards,

DK

[James1987]

It holds the connection data for the back end MySQL for the site.... which i suppose i don't need or the 404 page thinking about... just loaded my emails had 4000 from this over night... need to track this down its bugging me.


<?php # xxx.php

//This file contains the database access information. This file also establishes
//a connection to MySQL and selects the database.

//Set the database access information as constants.

define ('DB_USER', 'xxxxxx');
define ('DB_PASSWORD', 'xxxxx');
define ('DB_HOST', 'xxxxxxxx');
define ('DB_NAME', 'xxxxxxx');
//Make the connection and then select the database...
$loveit = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD);
@mysql_select_db (DB_NAME);
?>

[dklynn]

James1987,

Try changing the $url assignment to $_SERVER['THE_REQUEST']; and see if that makes a difference. After all, any time the 404 is served, the URI is changed to the specified 404 page. At least that will tell you the actual script the visitor had requested.

Regards,

DK

[James1987]

ok, change it here?

<?php
$url = $_SERVER[ "THE_REQUEST" ];
$referrer = $_SERVER[ "HTTP_REFERER" ];
if ( $referrer == "" )
$referrer = "Unknown";
if ($url!= "/sitemap.rdf"
&& stristr($url, '/_vti_bin/') == FALSE
&& stristr($url, '/siteinfo.xml') == FALSE
&& stristr($url, '/MSOffice/clt') == FALSE
){
mail("webmaster@xxx.co.uk", "Page Not Found",
"Requested Page: " . $url
. "\r\nReferred By: " . $referrer
. "\r\nRemote Addr: " . $_SERVER["REMOTE_ADDR"] . " (" . $_SERVER["REMOTE_HOST"] . ")"
. "\r\n"
. "Cookies: \r\n"
. implode(",", $_COOKIE)
. "\r\nRequest URI: " . $_SERVER["REQUEST_URI"]
. "\r\n"

[James1987]

made that change though nothing has change still getting 100 emails an hour.. should i give up and try it a different way? is there a different way?

[dklynn]

James,

Did all the e-mail continue to show {THE_REQUEST} to be for the 404 script? If so, someone must be attacking your system using the 404.php script. Download it and compare it with your master copy - I expect they will not be identical (look for a JavaScript at the start of the file which is a long eval() statement).

Regards,

DK

[James1987]

No, now for some reason that is no blank.
Requested Page:
Referred By: xxxxxxxxxxxx
Remote Addr: 90.210.78.237 ()
Cookies:
1.2103272747.1343728820.1343728820.1343728820.1,1.17.10.1343728820,1,1.1343728820.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=love it magazine,default
Request URI: /404.php

[dklynn]

James,

When referrers are blank, it's because it's a direct request. Since noone in their right mind would request a 404 script (unless it carries a "payload" as discussed in post #10). In other words, I'll double my bet that you've been hacked and 404.php is their gateway!

Regards,

DK

[James1987]

Awesome ! umm and how would i sort this? ( my first hacked site EVER) any tips ?

[dklynn]

James,

First, run a WinMerge compare of your master file against the 404.php which is online (download to a different directory, of course). That will show exactly where any and all differences are.

Okay, your 404 is simple enough that all you need to do is LOOK at the code of the 404.php script you download. The <script> at the beginning does not belong there and is a hack which is using your website to send SPAM around the world (your host should have picked-up on this already and disabled your account).

Anyway, if you find evidence of a hack (like scripts which you did not put in the files),

1. Immediatly delete all FTP access except one (master for the account).

2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.

3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).

4. Additionally, I use a CRON to SHA1 hash verify that files have remain unchanged over the last xx hours for "peace of mind."

5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.

6. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my "webspace").

7. Update all "canned scripts" (e.g., WP, Zencart, etc.) and be sure that they're kept updated in order to prevent further attacks via security problems discovered in those scripts.


There is a place for penetration testing (with a tool like BackTrack) but it is something best left to the sysadmins of your host (or a security professional if you own your server). In fact, you must not use those tools or techniques on others' servers because you will be identified as a hacker, your IP address will be blocked and you will be reported to authorities for prosecution. The anti-hacking laws are beginning to be enforced and you will (and should) be harshly punished.

The important point, though, is to get on it as soon as you see something amiss (like all your 404 requests).

Regards,

DK

[James1987]

ok tried all these nothing comes back as "bugged" i like the sound of point 4 but wouldn't now were the start with this unfortunately i have to use 1and1hosting.

[dklynn]

unfortunately i have to use 1and1hosting.

You don't know better? 1&1 has been panned by members here for many years.

If you're looking for a new host (and you should be), may I recommend WebHostingBuzz. I've just upgraded to a dedi and their staff moved a large VPS from another host without any problem - and that's been my experience with shared accounts on WHB for several years, too! Have a look at other threads (in Web Hosting and Domains) for my "Search Process" (what I do when looking for a new host).

Regards,

DK

[James1987]

ok tried all these nothing comes back as "bugged" i like the sound of point 4 but wouldn't now were the start with this unfortunately i have to use 1and1hosting, due to just starting at the company at this it what they have paid and signed up with for now - would love to change - WEbHositingBuzz do look good i have 4 domains 3 website and about 120 emails to host not sure whether to go hosted or to set it up in house.

[dklynn]

j87,

All you need to do is ask for a copy of the code (to use with #4 - which is only useful to detect CHANGES so you'd better confirm that a file is okay before hashing to your database).

If the company is forcing 1&1, then make a case that they're worthless - better to have them walk from whatever investment they have with them than to suffer horrible service. FWIW, WHB just moved a rather sizeable VPS to a dedicated server without incident - they get top marks! While their transfer appears to be a standard service for shared through dedi, be sure that you get their managed service if you're not an experienced sysadmin on VPS & dedis.

Regards,

DK