Is "POST /?fgko=vkma" a valid post request? - php

I have found lots of single requests in my access logs, that is, a "POST" request followed by "/", then a question mark ("?") followed by a few random characters which then equal to more random characters..
For example:
ps485115.dreamhost.com - - [31/Dec/2018:09:53:28 -0600] "POST /?fgko=vkma HTTP/1.1" 403 308 "http://example.com/?fgko=vkma" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
Sometimes that's the only request to the server that I can see from the ip address who's accessing my site (probably because just like in the example above, according to the access log, the visitor was already blocked).

Related

is there a reason to not put my admin directory in robots.txt?

This may have been asked and answered, since I'm not sure what is the best way to phrase this.
I want to ensure that search spiders don't index the admin side of my website. Unfortunately, if I put the path into my robots.txt file, I'm handing over the cookie jar. Thankfully it's locked, though.
I've already had quite a few "visitors" who start by grabbing robots.txt. Obviously, non-legit spiders will ignore robots.txt, but I want to prevent Google and Bing from plastering my admin directory in search results.
My admin directory is not called "admin" (the most common SBO tactic)
Directory browsing is already blocked
Any IP who connects to my admin directory without logging in first with appropriate permissions is blacklisted. I have been monitoring, and have only had a couple of legit spiders get blacklisted by this manner
I'm using .htaccess (merging several public blacklists) and PHP blacklisting based on behaviors (some automatic, but still Mark-I eyeball as well)
All actions on the admin side are auth-based
The only links to the admin side are presented to authorized users with the appropriate permissions.
I'm not sure if I should put the admin directory in robots.txt - On one hand, legit spiders will ignore that directory, but on the other, I'm telling those who want to do harm that directory exists, and I don't want prying eyes...
I want to ensure that search spiders don't index the admin side of my website. Unfortunately, if I put the path into my robots.txt file, I'm handing over the cookie jar. Thankfully it's locked, though.
You rightly recognize the conundrum. If you put the admin url in the robots.txt, then well-behaved bots will stay away. On the other hand, you are basically telegraphing to bad folks where the soft spots are.
If you inspect your web server's access log, you will most likely see a LOT of requests for admin-type pages. For instance, looking at the apache log on one of my servers, I see opportunistic script kiddies searching for wordpress, phpmyadmin, etc:
109.98.109.101 - - [24/Jan/2019:08:48:36 -0600] "GET /wpc.php HTTP/1.1" 404 229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
109.98.109.101 - - [24/Jan/2019:08:48:36 -0600] "GET /wpo.php HTTP/1.1" 404 229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
109.98.109.101 - - [24/Jan/2019:08:48:37 -0600] "GET /wp-config.php HTTP/1.1" 404 229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
109.98.109.101 - - [24/Jan/2019:08:48:43 -0600] "POST /wp-admins.php HTTP/1.1" 404 229 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
109.98.109.101 - - [24/Jan/2019:08:50:01 -0600] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php HTTP/1.1" 404 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
109.98.109.101 - - [24/Jan/2019:08:48:39 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
109.98.109.101 - - [24/Jan/2019:08:48:39 -0600] "GET /phpmyadmin/scripts/db___.init.php HTTP/1.1" 404 229 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
109.98.109.101 - - [24/Jan/2019:08:49:35 -0600] "GET /phpmyadmin/index.php HTTP/1.1" 404 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36"
109.98.109.101 - - [24/Jan/2019:08:49:47 -0600] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36"
109.98.109.101 - - [24/Jan/2019:08:49:47 -0600] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36"
My access log has thousands upon thousands of these. Bots search for them all the time and none of these files are listed in my robots.txt file. As you might guess, unless you have an admin url that is really randomly named, the bad guys could very well guess its name is /admin.
I've already had quite a few "visitors" who start by grabbing robots.txt. Obviously, non-legit spiders will ignore robots.txt, but I want to prevent Google and Bing from plastering my admin directory in search results.
I'd strongly recommend spending some time banning bad bots or basically any bots that you have no use for. AHrefsBot & SemRushBot come to mind. It shouldn't be too hard to find bad bot lists but you'll need to evaluate any list you find to make sure it isn't blocking bots you want to serve. In addition to adding an exclusion rule to your robots.txt file, you should probably configure your application to ban bad bots by sending a 403 forbidden or 404 gone or other HTTP response code of your choice.
In the end, it's critical to remember the maxim that "security by obscurity is not security". One of the most important principles of encryption and security is Kerckhoff's Principle -- i.e., "the enemy knows the system." Your site should not not just rely on the location of your admin urls being obscure or secret. You must require authentication and use sound best practices in your authentication code. I would not rely on apache authentication but would instead code my web application to accept user login/password in a securely-hosted form (use HTTPS) and I would store only the hashed form of those passwords. Do not store cleartext passwords ever.
In the end, the security of your system is only as good as the weakest link. There is some value to having a unique or unusual admin because you might be exposed to fewer attacks, but this in itself doesn't provide any real security. If you still have reservations about broadcasting this url in your robots.txt file, perhaps weigh that against the problems you might expect if GoogleBot or BingBot or some other friendly bot starts stomping around in your admin urls. Would it bother you if these urls ended up in the google search index?

How can I make more secure in my system? I can see some intruder trying to hack my web application [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I can see in my application log some 404 error message like below
ERROR - 2018-09-07 05:31:50 --> 404 Page Not Found: Robotstxt/index
ERROR - 2018-09-07 05:31:51 --> 404 Page Not Found: Xmlrpcphp/index
ERROR - 2018-09-07 05:31:51 --> 404 Page Not Found: Blog/robots.txt
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Blog/index
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Wordpress/index
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Wp/index
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Robotstxt/index
ERROR - 2018-09-07 05:31:53 --> 404 Page Not Found: Administrator/index.php
This happening every day. I have doubt somebody trying to hack my system. because I am sure, we are not using open source library or system.
Even I checked server log also, I can see some IP address but this address keep on changing every time, so i am not able to choose IP blocker
Server Log:
194.79.31.99 - - [07/Sep/2018:05:31:50 +0400] "GET /robots.txt HTTP/1.1" 404 1130 "-"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:50 +0400] "GET / HTTP/1.1" 307 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:51 +0400] "GET /xmlrpc.php?rsd HTTP/1.1" 404 1130 "-"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:51 +0400]
"GET /blog/robots.txt HTTP/1.1" 404 1130 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:51 +0400]
Platform: PHP/Mysql
Server : linux
Already I protect my directory listing by htaccess.
How can I make more secure in my system. please help me...
It is normal your system gets attacked when it comes online. Intruders are running scripts to test for known vulnerabilities. It has nothing to do with open source or closed source libraries, both can be safe or vulnerable.
What you must do when you go on the internet with a machine is having a good professional system-admin check and maintain your machine. This is not something that someone with no deep knowledge of system-security can do.

Android browser issues HEAD request then GET, but PHP session is lost

A PHP application loses session data only in Android browser and only when logs show a HEAD request was issued immediately prior to the GET request.
Success ...
99.123.321.99 - - [05/Oct/2016:11:12:46 -0500] "GET /Success.php?response=Y HTTP/1.1" 200 6772
No session ...
98.12.21.89 - - [04/Oct/2016:22:17:15 -0500] "HEAD /Success.php?response=Y HTTP/1.1" 200 -
98.12.21.89 - - [04/Oct/2016:22:17:15 -0500] "GET /Success.php?response=Y HTTP/1.1" 200 3007
User agents are comparable, except on requests which lose the session data (returning Apache-HttpClient/UNAVAILABLE (java 1.4) ...
99.123.321.99 Mozilla/5.0 (Linux; Android 6.0; LG-H901 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36
98.12.21.89 Mozilla/5.0 (Linux; Android 6.0.1; SM-G925T Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Mobile Safari/537.36
98.12.21.89 Apache-HttpClient/UNAVAILABLE (java 1.4)
What causes the Android browser to act in this manner?
What steps can be taken to 'work around' the behavior (and preserve session data)?
It is likely that the application will be rewritten with application defined session data instead of relying upon native PHP sessions, but an immediate work around would be helpful.
Thanks in advance!

Can someone please explain me what does this log statement mean?

I've a website developed using PHP.
I encountered one major issue on my website, a security breach. So I checked the access logs of apache present at location "/var/log/apache2/access.log" on server.
I got following log which caused the error but I'm not able to understand what does each part of this log means. Can some one please give me step-by-step explanation of the below log?
70.39.61.42 - - [12/Jul/2015:17:05:12 +0000] "POST /user/register/javascript.void(0)/index.php?do=/user/register/ HTTP/1.1" 302 398 "http://www.mywebsite.com/user/register/javascript.void(0)" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
Actually this is the request which has created a major issue on my website. But I'm not able to figure out what parameters that request contained and what was the response, etc., etc.
Thanks in advance.
70.39.61.42
This is a IP address of someone who sent a request to your server
[12/Jul/2015:17:05:12 +0000]
This is a date when perpetrator did it
"POST /user/register/javascript.void(0)/index.php?do=/user/register/ HTTP/1.1"
This explains POST request was sent to your server to given URL
302 - This is a status code of the response - HTTP 302
398 - Indicates the size of the response sent
"http://www.mywebsite.com/user/register/javascript.void(0)"
This is a URL address of where the perpetrator came from
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
This is the user agent of the visitor.

Flash object makes MySQL increment by 2

I have a page with a flash object on it, and I would like to count the pageviews by incrementing a field by 1 in my database.
The query works fine (tested it in phpMyAdmin) and the function gets executed only once, but still the field gets incremented by 2 every time I reload the page.
When I remove the flash object from the page, the field is incremented only by 1.
Can someone explain why this is the case, and how I can prevent this behaviour?
Thanks a lot!
PS: This guy seems to have the same problem, but no solution is posted...
mysql wrong column increment
EDIT:
My logs show the following:
::1 - - [24/Aug/2013:13:42:16 +0200] "GET /page HTTP/1.1" 200 8008 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36"
::1 - - [24/Aug/2013:13:42:17 +0200] "GET /page HTTP/1.1" 200 8008 "http://localhost/page" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36"
I am quite sure, the relevant page is loaded twice in many instances, which makes for two increments. A page loading twice is what happens in at least two cases:
My flash block extension, if I chose to activate flash
Some AV/SmartScreen or whatever, that preloads the page elsewhere to check it for Flash threats
Check your webserver logs to verify!

Categories