Well, I have a WordPress site. Today when I checked the Google traffic reports, I caught a backlink from a different URL. After I checked the URL, I was shocked: somebody copied my web site!
I think "it" used curl or file_get_contents(). And after getting page, it changed my URL to its URL.
Already, Google created indexes of this URL.
How can I block this access from this "bot"?
Note: I checked db access and file permissions, it is fine.
When I closed server, clone site closed.
When I add publish new content, clone site also does it.
When I change theme file codes, clone site changes.
I don't have any experience with wordpress, but, it seems like that this 'bot' copied your front-end and then using your API to function in the same way.
This below is guessing on what the other site's owner is trying to do:
If you have a login site, then I think the copy site's owner tries to phishing on the login data, then try to use it to get sensitive information from other sites with the same login data - since a lot of people has the same user-password pairs on every site.
If this is the case, the first thing you should do is to make sure that this site wont show up in any search engines.
In the same situation I would try to figure out what is the IP/domain of the copy site and then put set up firewall rules to block all of the request from there. With this you can't really prevent the users to enter their login info to that site, but hacking is done by programmers, so if you are lucky then your clients/users data wont be saved in the phishing database. This only happens if the phishing layer is putting the user-pwd into the database only if the login is successful. But it's more likely that there is a successful and IP field in the phishing DB too, so the spams can be filtered.
If the "phisher" is not saving IP field then the last thing you can do is to ruin the phishing database. For this you need to get the IP of the other site, and filter your incoming request. If the sender of the request has the other site's IP address, then instead of checking the login permission you should just send back a similar response, that you used to send, when one successfully logs in to your site. With this each successful and unsuccessful login will look the same in the phishing database. This still belongs to the defense category. Spamming the phishing database counts as attacking, so I don't recommend that.
By default the user's should be able to realize if their data is being phished, but as we know it's not used to happen, however you can't help much on the realization skills.
If you don't have any login page, then the situations is not that bad.
Copying a website is illegal, so you can do a lot more
Related
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PhP and then check against all of those as the user moves between sites. however, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I dont know what is the configuration of your server, but. If one site is under something.domain.com, and another something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use url overwrite, and cookies sharing over subdomains option in php. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great, imagine what will happen if there would be. You can NEVER trust user data, and headers data, while sometime you can not even trust $_SERVER array. So there is no option to recognize the same user over few domains.
1) The only answer that is useful is to suggest you to share the user mysql table, and make all the logins and passwords same for each site. IN that case someone can login into another site using the same data.
2) You can try to rely on second hand services like google acount or facebook acount to verify users on your site. But you must remember that there are people without gmail and facebook, and availability of such a site will be reduced.
3) Use a serrvice like forever cookie, or something like that, but this is also not 100% sure. It is using html5 storage, flash objects, and everything to verify if this is the same user. But as far as I know, everything can be ommited, if you are patient enough.
Best regards!
What I'm trying to do is creating a page to show my accounts balance. I got a bit sick of logging into my bank accounts using username and password since I've got two different with (luckily) very long/twisted password. So I want to code this self-login and then show the balance. That's it. No money transfer, nor payments.. Just the balance! But I thought it was a bit easier.. I mean, I know it's a bank website so it must be secure, but if I login remotely (let's say I'm able to make it) giving you my credentials, why don't you work? Why you just work on your own server? I know ssl, https, verisign, etc. But do you think there's any way I can do this? Of course there are no API's for third party developers, I have to find a way myself.
So this is what I did: I tried to log into the first bank account "remotely" (let's call bank.com the bank website). So if the page bank.com/login has a form with username and password, I made a localhost/login page that looks exactly the same. In fact, the action is the same as well, so after logging in I will be redirected anyway to my bank account (i.e. bank.com/dashboard). Simple? Not really.. There's a hidden field, a token, which changes every x time. So apart from what I did already, I should be able to add to my form this field as well. I should simulate this process from localhost: go to the bank website, enter the login area, browse the form, find the hidden field (token) and take note of it. Then add it to my localhost form and, eventually, log in from there. Well, the login area on bank.com is under https protocol so I can't access its content. My plan epically failed. Or not? I tried using file_get_contents to flush the bank.com/login content into localhost/login page, but it doesn't work. It looks like it's protected (verisign) cause the page is loaded completely, but part of its content is not available as it shows Error 500: java.lang.NullPointerException. I guess it's part of the verisign handshake, so the content is available just after this process. Do you have any idea? Should I give up instead? :)
I have a big security problem with my program, and I need to make parts of my URL's hidden. I have searched on the net for a solution, with no luck. In my program I have admin and user accounts - the program is simply a database for workers dosie. Admins can see all dosies but the other users can only see dosies that are in their work group. So my problem is, when a user comes to see the dosie, the URL to access the information looks like this: "viewdosje.php?album=108. The problem being that the user can simply change album id and he can see other dosies, which is not good. For example:
"viewdosje.php?album=109"
By changing the number in the URL he can see other dosies. It would be great to hide that part of URL, or am I wrong? Please help me with an idea of some kind. I don't know where to start.
You should not hide the url, but validate the access to the resource in the application instead. When you receive the ID, before displaying content, perform a DB query to see if the current logged in user has access to that resource or not.
Relying on "hiding" URLs is a terrible solution - anyone who can get access to the URL can get access to your private data. URLs can be accessed in all sorts of ways - sniffing web traffic (e.g. at insecure WIFI points), through JavaScript, through guessing, through getting access to browser history, and through all kinds of even scarier routes like trojans, keyboard loggers etc.
If the data in these employee records is sensitive/private, in most countries you are legally obliged to protect it adequately; even if there's no legal requirement, your company probably wants to avoid putting everyone's salary into the public domain.
The correct solution is to design a login mechanism, and assign user rights; when a user tries to access a page to which they don't have access, you send them an appropriate error message. There are numerous solutions for this in PHP - PEAR has a good implementation.
I've no real experience with PHP so I can't help there, but if I was tackling this problem with JSP, or Rails I might do the following:
Perhaps store user identifiable information in a cookie, once authenticated, compare this information to the user database ? Prevent the page being served to unauthorised users if they manually edit the url.
I'm looking at a domain registration site that looks like it uses jquery to process users data inputed and to register domains.
What I was wondering is if it's possible for users to be able to fill in data on a form on my website and then when the user is ready to complete payment, be taken to the actually domain registration site where all the data they typed in on my site will be posted to the domain reg site.
So basically, the users fills in a load of info on my site, AND attempts to check for domain availability on my site. Once the users has found the domain they want, they will be redirected over to the actual domain reg site where all their info will be posted.
Now I know if the domain reg site used PHP to process all the stuff, it wouldn't be a problem. But they don't use PHP.
Do you guys reckon this could be possible?
I'm not sure this would be possible in any amount of time that would make it worth it to you. Without knowing any of their back-end code, it's going to be extraordinarily difficult. Edit: I should add that I did look through some of their jQuery code and it looks as though they're using ajax .post() to submit data. Where this data goes and what responses are expected is anyone's guess, though...
That said... there are quite a few domain registrars that offer real APIs to let you do what you want... or even let you go one step further and offer the ability to register domains directly through your website. Sometimes you can set your own price, as well.
Here are links to some of these APIs:
Namecheap: http://developer.namecheap.com/docs/
GoDaddy: http://www.godaddy.com/reseller/domain-reseller-api.aspx
eNom: http://www.enom.com/resellers/Interfaceinfo.asp
I'd personally recommend NameCheap, but for the purposes of your question, any of these should do.
I can't make any promises but say you used jquery ajax to pull in the form the would have to fill out. Said form would then be on your client side so in theory I think you could use their input ids to fill out the form using javascript/jquery. All this would technically be client side. To bad that other site does not have an api for purchases.
Do you have control over the domain registration site? There are many ways you can send the user's input over to that site, but of course it has to be looking for this posted data and know how to handle it. PHP is not necessary to handle the data that is passed in. For example, if you send your info to the domain registration site via a form GET method, the info will become part of the URL, which can be accessed and parsed via javascripts window.location property.
Is it possible to get remote username when I get a referral link without involving any server side code from the referral link?
Do you mean like if I clicked a link to your site on Stack Overflow, you would want to be able to see that my username is "Agent Conundrum"? No, you can't do that without the help of the referring site. The only information you should be able to get is the (permanently misspelled) HTTP_REFERER in the $_SERVER superglobal array, which tells you the page the user came from. Even then, there are ways to block or change this so you shouldn't count on it being set (especially since it wouldn't be set if the user navigated directly to your page via the address bar).
Frankly, I wouldn't want to use a site that leaked personal information (and for some sites, even the username qualifies as personal information), and I wouldn't want to use a site that tries to harvest such leaked information without my knowledge.
Generally, any site where you have a legitimate reason to broadcast this information would have some sort of API built in, like FacebookConnect. Even then, it should be strictly opt-in for the user.
As a general thing: no. The HTTP protocol does not involve the transmission of a remote user name.
Hey, it could help to answer if you would be a little more specific on which kind of service are you trying to fetch the data from.
Large/Public services tend to have somekind of an accessible API that you can fork on your referrer, but other than that its mostly that you need to regexp the site and know the structure of the HTML pretty much.