• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

test please delete

Collapse
This is a sticky topic.
X
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    I fire up an HTTP debugging proxy so I can inspect the raw traffic, and reload the page

    Comment


      A plethora of illicit requests lead me to a page, hidden in an iframe, which embeds further iframes, which ultimately lead to a page which shows pictures of young ladies in compromising (and rather uncomfortable) positions with their gentlemen friends, and also attempts to download large amounts of malware

      (Good thing I use a Mac )

      Comment


        But although I am safe, others less fortunate (i.e. Windows users) who visit my site - my site - are at risk from this garbage

        Looks like I'm not going straight back to bed

        Comment


          First things first.

          I fire up my FTP client and download a complete copy of the server contents.

          I add this to a new project in Eclipse, and search for the topmost dodgy domain name that load all of the others.

          Not found

          Comment


            Time to examine the database.

            I download a backup of the database, then use the admin tool to examine the relevant post.

            BINGO! The <p><iframe src="..." width=1 height=1></p> is at the bottom of the actual post text in the database...
            Last edited by NickFitz; 23 November 2007, 07:31. Reason: typo

            Comment


              ... to which only I should have access!

              Comment








                But... how has my security been compromised?

                Comment


                  The database tells me when the post was last modified: 10 November... two weeks ago come Saturday.

                  I download the web server logs...

                  Comment


                    There, at around the right time (allowing a second or two here and there for Apache and mySQL having slightly different ideas about the exact time) is what I'm looking for: an HTTP POST to /wp-admin/post.php?action=edit

                    Comment


                      Further examination shows that the evil one who has done this has, apparently, browsed to my site's admin login page, logged in first time, edited the post, and saved the changes

                      All this using Opera 9 with a default language setting of "ru"... this is the HTTP equivalent of having snow on your boots

                      Comment

                      Working...