How to remove html injection from my website - php

Today I was looking for the cached page of my website when I found that Google had indexed a lot of spammy pages which I cannot find on my website.
My website is a college website, but in Google there are pages for "nike air max 95 at jd sports". All my URLs are rewritten, but Google is showing a new URL (similar to this one: http://example.com/?nike-max-air-343.html).
When I tried to find these pages on my website, I didn't find any of them. Kindly suggest any possible solutions so that Google doesn't show a "This site may be hacked" message on the SERP.

Whenever this happened to me I ran the lookforbadguys.php script, which you can find here:
https://gist.github.com/jasperf/3191259
Copy this file into the DOCUMENT_ROOT of your site and then open it in the browser:
http://example.com/lookforbadguys.php
It then scans your file system under the document root for suspicious file names and code.
It may create a long list of hits, and you have to check every single one (unless you know for certain that you made it yourself). This is tedious, but it works.
One little hint: save the output of the scan as an HTML file and open that file in the browser. This prevents the script from scanning again on reload.
After that you must identify the security holes of your server.
You may have to update installed software and/or your scripts.
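Added example (not part of the original answer and not the lookforbadguys.php script): a command-line scan of the same kind, which flags recently modified PHP and server-config files and files containing constructs common in injected code. The pattern list, file extensions, 14-day window and the scan.php name are assumptions; running it from a shell avoids leaving a scanner reachable under the document root.

```php
<?php
// Added example. Run from a shell, not the browser:
//   php scan.php /var/www/html > report.txt
// The pattern list and the 14-day "recently modified" window are assumptions.
const PATTERNS = [
    'eval of decoded data'        => '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'assert on request data'      => '/\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
    'long base64 literal'         => '/[\'"][A-Za-z0-9+\/]{400,}={0,2}[\'"]/',
    'auto_prepend_file directive' => '/auto_prepend_file/i',
];

// Return [path => [reasons]] for every file under $root that needs a manual look.
function scanTree(string $root, int $recentDays = 14): array
{
    $cutoff = time() - $recentDays * 86400;
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $name = $file->getFilename();
        // Only files PHP or the web server will interpret (.htaccess and .user.ini included).
        if (!$file->isFile() || !preg_match('/\.(php\d?|phtml|inc|htaccess|user\.ini)$/i', $name)) {
            continue;
        }
        $reasons = [];
        if ($file->getMTime() >= $cutoff) {
            $reasons[] = 'modified in last ' . $recentDays . ' days';
        }
        $code = (string) file_get_contents($file->getPathname());
        foreach (PATTERNS as $label => $regex) {
            if (preg_match($regex, $code)) {
                $reasons[] = $label;
            }
        }
        if ($reasons) {
            $hits[$file->getPathname()] = $reasons;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scanTree($argv[1]) as $path => $reasons) {
        echo $path, "\t", implode('; ', $reasons), "\n";
    }
}
```

A hit is a reason to read the file, not proof of compromise; a clean report does not prove the site is clean either.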

I don't think you have to do anything. I had a similar warning today.
"Hacked by Andreas Rehm 2006..." seems to be part of the source code for the file on line# 353
Source for file OLERead.php on grad.clemson.edu

Related

Uploading Edited Webpage Kills PHP

For comedic purposes, I took a Wikipedia article, downloaded it, and edited the HTML so as to get the page to say particular amusing things I wanted it to. I want to link the page to other people, so I made an account on 000webhost where I uploaded it.
I made sure to upload the folder with all the resources. I checked the reference in the html and it seems to be going to the right place,
<link rel="stylesheet" href="./index_files/load.php">
but opening the page, I just get it unformatted, like the way it might look on an old phone or when dealing with extremely slow internet speeds.
I assume the error has something to do with the filepath. I tried moving the resources folder (it is, in fact, called index_files) to a couple of different locations (inside "temp", inside "public_html", and also inside the highest level of the directory, "/", which is where "temp" and "public_html" reside). None of them worked.
Just to be clear, when I try opening the webpage from the identical html file on my desktop, it works just fine (except that most of the images won't load).
Any suggestions?
Thanks a ton (I need to have figured this out by Wednesday, preferably)
Disclaimer: I know very little about HTML or CSS
Update: Some of the images (which wouldn't load from the file on my hard drive) are in fact loading when I use the link

How do sites like Bing Search, Imgur, and Reddit generate a thumbnail of the website from a URL?

In Imgur, you can input an image URL and a few seconds later, there's a thumbnail of the image. Or in Bing Search, you can (or used to be able to) view a thumbnail of the website in the search results before visiting it.
I would love to implement something similar for my website, but I can't wrap my head around how it is done. Moreover, are there not security concerns? I'd imagine the servers have to at least download the website, render it and take a screenshot. What if it's a malicious website, and you download something malicious on your server?
A headless Web browser engine like PhantomJS can be used for this. See example on their wiki. Yes, it would be prudent to run this in some sort of a sandbox, feeding a queue of URLs into it, then taking the generated thumbnails from the file system.
While I don't know the internal workings of any of the aforementioned services, I'd guess that they download/create a local copy of the images and generate a thumbnail from that.
Imgur, as an image hosting service, definitely needs a copy of the image prior to being able to generate thumbnails or anything else from it. The image may be stored locally or just in memory, but either way, it must be downloaded.
The search engines displaying screenshots of the sites likely have services that periodically take a screenshot of the viewable area when the content is getting indexed, and then serve those screenshots (or derivatives) along with the search results. Taking a screenshot really isn't dangerous, so there's nothing to worry about there, and whatever tools are used to load/parse/index the websites will obviously be written with security considerations in mind.
Of course, there are security concerns about the data you're downloading, too; the images can easily contain executable code (such as PHP) in their EXIF data, so you need to be careful about what you do with the images and how.

How to have a dynamic link for a video?

Hi, I am currently observing a few sites for potential ideas. One thing I came across on one of the sites is how the source URL of a video includes the timestamp in it. So for example, if I click on the link to view the video, the time that the server acknowledges the request is put into the actual video URL (this can be seen when looking at the source code), e.g. nameOfVideo_17062013_192145.mp4. Also, this link is only valid for a short time before a new request and a new link is required. My question is: obviously the video only has one real source, but how is the website able to cover up the real source by one with a timestamp (which shouldn't be the real source, as the time will always change and the location won't always change)? This is assuming there is a cover-up. Secondly, is it possible to find out the true location of a video? Unfortunately I don't want to give links to these websites and discuss them here without the owners' permission. As a programmer, I am interested in how this concept works. Thanks
how is the website able to cover up the real source by one with a timestamp
HTTP URLs are mapped on to resources by software. The resources could be files on the file system, or they could be generated on the fly. The mapping could be done by the HTTP server itself or it could be a program called by the HTTP server. There are many options for both.
An Apache configuration might look something like:
FastCgiServer /opt/bin/video_fastcgi.pl -processes 3 -initial-env VIDEO_CONFIG=/opt/etc/video/production
Alias /videos/ /opt/bin/video_fastcgi.pl/
Secondly, is it possible to find out the true location of a video?
The true location is a file on a disk somewhere. To access it you either need to be using the computer that is running the HTTP server or you need something to make it available over the network. There is no reason to assume that the HTTP server will make it available other than through the dynamic URL (and no way to find out what other URLs it is available at given a single example).

Protecting csv files used for plotting visualizations dynamically via PHP

Before I begin, I must warn you that I'm not much of a web programmer so my methods may seem somewhat roundabout and the terminology I use may be awkward.
Here's the situation. I'm developing a website for users to visualize data.
I have a public php page sitting in /var/www/thepage/index.php path (yes, Linux server + apache). This is the main page of the site and is also where users make selections in a form.
Upon form submission, a second php page will be called and this is where the form selections from the first php page are passed to the javascript that creates the visualization. In order for that to happen, csv files are first written into this directory using a php script that queries from a MySQL database.
Thing is, I want users to be able to see the visualizations but not be able to download the csv files (unless they are admin). How I allow admin to download the files is to create a protected (.htaccess) subdirectory /var/www/thepage/secure/ which has an index html that runs a cgi script once an admin logs in (prompted when a download link is clicked). This script copies the latest files (with dynamic names) from the /var/www/thepage/ directory and moves them to the secure/ directory with static filenames. Download links pointing to these files with static names are on the protected index.html. However, if a user looks at the source code of the 2nd php page, they can also download the files as they know the paths and they are not protected.
If I remove file permissions, the php script won't be able to read the files either, causing the visualization to fail (I want normal users to be able to see the visualizations). It is also important to have the files because I have a cgi script (bash + awk) running a mathematical function on the files, which also requires permission.
Obscuring the filenames doesn't really work either since the files are written on the fly and the source code of the html page will reveal the obscured csv filenames being written.
How can I get around this problem? I would prefer not to have to create sessions and log-ins for normal users, etc...
As previously said, it's hard to hide anything on the net, especially if you need to send it to javascript. You could try hacking it a bit, could cost you a bit of performance, but would be a deterrent against people who aren't web savvy... But could also be seen as a challenge by others :)
A rough example would be something like..
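$handle = fopen("/var/www/thepage/secure/file.csv", "r");  // fgetcsv() needs a file handle, not a path
$csv = array();
while (($row = fgetcsv($handle)) !== false) { $csv[] = $row; }  // collect every row
fclose($handle);
echo "<script type='text/javascript'>";
echo "var csvData = " . json_encode($csv, JSON_HEX_TAG) . ";";  // JSON_HEX_TAG keeps "<" and ">" in the data from closing the script block
echo "</script>";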
Bit rusty here, but javascript should interpret the json as an object, that you can use in your code. You could go a step further and break the php array into sections before sending it off, making it harder to know what's going on.
Like I said. It's rough, but it could be a solution.
I would have imagined the best way is to store the files in a secure directory that isn't accessible in a web browser (outside of the web root). You could then show a list of the available files to authenticated users with a download link. When they click the link you could check they are logged in and if so then begin the file download.
PHP readfile - May help

Is there any way to hide swf path?

Is there any way to hide the .swf path from showing up in the webpage?
You can use a php script, something like getswf.php?name=flash.swf, in your flash tags. Then create the getswf.php script to respond with the output of the flash.swf file, and keep the flash.swf file in a directory outside of the public directory.
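Added example (not part of the original answers): one way to write the getswf.php-style loader described above, which is also the readfile approach suggested for the CSV files earlier on this page. The loader takes a file name from the request, so it has to refuse names that point outside the storage directory; STORE_DIR and the allow-list of types are assumptions.

```php
<?php
// Added example. STORE_DIR and ALLOWED_TYPES are assumptions; the directory
// sits outside the web root, so it has no URL of its own.
const STORE_DIR = '/var/www/private';
const ALLOWED_TYPES = ['swf' => 'application/x-shockwave-flash', 'csv' => 'text/csv'];

// Map a user-supplied name to a real file inside $storeDir, or null.
function resolveDownload(string $name, string $storeDir = STORE_DIR): ?string
{
    // Accept a plain file name only: no directory part, no "..", no NUL byte.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    $base = realpath($storeDir);
    $path = realpath($storeDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the resolved path must still sit under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    $name = $_GET['name'] ?? '';
    $path = is_string($name) ? resolveDownload($name) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    // For admin-only files (the CSV case), check the login here before sending.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```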
There may be ways to make it difficult to view. However, nothing you do can stop an intelligent adversary from using a tool like Fiddler to monitor web traffic and undo all your obfuscation.
I think this is a fairly pointless exercise. Any resource that gets sent to a browser, be it an image, sound, flash movie, even flv files loaded by the YouTube player, can all be saved to disk fairly easily.
As Justin mentions, Fiddler can achieve this easily.
As others have answered, there are ways to do it using your own script. If you are looking for a paid option, check this out: Media Vault.
Hiding the URL to the swf file might be quite a challenge but there are other things you can do if you're wanting to more closely protect the video/data being displayed by the swf.
I'll run through a couple of ideas in the order I think them most obfuscated, with the least first. Bear in mind that most of these techniques merely make it harder to get to the information/video rather than making it impossible to obtain.
The main idea most sites tend to follow is that of having the swf as a player and the content in another file somewhere else, usually an flv or mp4 etc.
Add flv location through Javascript
This technique is as basic as it sounds. You have your swf player on the page and pass a new variable to it (such as 'file') with the location of the flv file using Javascript. If you're already loading your content with some kind of JS flash module then all the easier to begin implementing.
Obfuscating flv location through XML
Another technique I've seen used quite recently is that of having an XML document as a parameter to the swf player, and then the flash player itself resolves the URL of the flv from a node in the XML. It's easy to get to the flv URL if you want to, but it does make it that little bit harder.
Token access
This technique can be used in conjunction with any of the above two. You basically ensure that your flv files can only be accessed with the use of a special token, otherwise the page returns an HTTP error. The token would be understood by the flash player and the server, and upon the player making a request for the flv, a token must be included (usually the token itself is obfuscated in some way so that it cannot be easily mimicked through a simple GET request).
Domain access
Very similar to the above, however in this case the flv file will only be loaded when the requesting URL is a specific site. All other requests will be denied (such as directly hitting the flv location in your browser).
As stated above, none of these methods make it impossible to get hold of your flash material. If it's on the web (or any network for that matter), it's possibly a target. You'll usually find for most things that making it harder to obtain will deter a lot of those who would otherwise have been privy to downloading your content.
Completely hiding the URL to the swf
If your only criteria is to hide the URL then hiding it behind a URL rewrite is the best option I can think of.
Your swf might be at /location/flash/player.swf?file=summer.flv and then you could do a URL rewrite to something like /vacations/summer2011/.
This way the URL to the swf is completely hidden away and this should satisfy your desire to hide the swf path.
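Added example (not part of the original answers): the "token access" idea above, and the short-lived timestamped video links asked about earlier on this page, implemented as an expiring HMAC-signed URL. SECRET, the /media.php endpoint and the parameter names are assumptions. The server signs the file name and expiry time, so a link cannot be altered or reused after it expires; a client holding a valid link can still save the file.

```php
<?php
// Added example. SECRET, /media.php and the parameter names are assumptions.
const SECRET = 'replace-with-random-server-side-key';

// Build a link to $file that is valid for $ttl seconds.
function signUrl(string $file, int $ttl = 300, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $sig = hash_hmac('sha256', $file . "\n" . $expires, SECRET);
    return '/media.php?' . http_build_query(['file' => $file, 'expires' => $expires, 'sig' => $sig]);
}

// Return true only for an untampered, unexpired link.
function verifyUrl(array $query, ?int $now = null): bool
{
    $file = $query['file'] ?? null;
    $expires = $query['expires'] ?? null;
    $sig = $query['sig'] ?? null;
    if (!is_string($file) || !is_string($sig) || !is_string($expires) || !ctype_digit($expires)) {
        return false;
    }
    $expected = hash_hmac('sha256', $file . "\n" . $expires, SECRET);
    // hash_equals() compares in constant time, so response timing does not leak the signature.
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    return (int) $expires >= ($now ?? time());
}

if (PHP_SAPI === 'cli') {
    // Constructed demonstration values: link issued at t=1000 with a 300 s lifetime.
    $url = signUrl('summer.flv', 300, 1000);
    parse_str(parse_url($url, PHP_URL_QUERY), $q);
    var_dump(verifyUrl($q, 1200));                            // checked inside the validity window
    var_dump(verifyUrl($q, 1301));                            // checked after expiry
    var_dump(verifyUrl(['file' => 'other.flv'] + $q, 1200));  // file name swapped after signing
}
```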
The answer is NO.
You may not want to believe it, but it is a fact. You can do all you like to obfuscate it, but the browser needs to find it. If the browser can find it, so can anyone else.
A server-side script that acts as a loader will hide the real path to the file, but to what purpose? The end result is the file is still available.
If you want a simple answer, so simple people can't find it, then the people here have given you some suggestions. Obfuscation is the best you can hope to achieve.
Alternately, only allow approved users access to the file. That way they need to log in to get access to it. But if you want it available publicly then it's, well, public!
DC
