Site Hacked? Very confusing
So I figure that someone got a look at my server's file structure and saw them under the phpMailer subdirectory and fetched the file, thereby sending a ton of embarrassing emails.
But when I looked at my server's access logs it was my own IP address that accessed those scripts at that time. But all three accesses were done at a time when I wasn't even at my desk, and I'm not drunk or crazy (I hope). So I'm thinking that some intruder changed the access.log for those domains. Is that possible?
I changed my server password but I'm still freaked out. Don't know what's going on.
6 Replies
@Vance:
What do you mean by your own IP address? The IP address of your Linode, of your home machine, or somewhere else?
As an alternative to malicious activity, it's possible that an automated process ran at a time you weren't expecting.
The IP address in the access log was that of my home computer. And the access time for three different files on different Apache virtual domains was within seconds of each other. Now I'm wondering if my Google Chrome browser decided to take a tour of pages in its page history???
In 7 years of using PHP to write mail-merged bulk emails from a MySQL database I've never had the scripts fire off on their own before. Looks like they didn't fire off on their own this time either, but I'm really unsure what happened. I'm waiting for the other shoe to drop.
PROTIP: Never, ever, ever use an HTTP GET request to do something.
Or, put another way
> There are four basic methods in HTTP: GET, POST, PUT, and DELETE. GET is used most of the time. It is used for anything that's safe, that doesn't cause any side effects. GET is able to be bookmarked, cached, linked to, passed through a proxy server. It is a very powerful operation, a very useful operation.
> POST by contrast is perhaps the most powerful operation. It can do anything. There are no limits as to what can happen, and as a result, you have to be very careful with it. You don't bookmark it. You don't cache it. You don't pre-fetch it. You don't do anything with a POST without asking the user. Do you want to do this? If the user presses the button, you can POST some content. But you're not going to look at all the buttons on a page, and start randomly pressing them. By contrast browsers might look at all the links on the page and pre-fetch them, or pre-fetch the ones they think are most likely to be followed next. And in fact some browsers and Firefox extensions and various other tools have tried to do that at one point or another.
So, yes, I need to stop my bad habits surrounding the naked get calls for my admin tasks. I should throw a login class on top of them and require a current session before they start working.
Thanks.
It had a list of things you needed to do, and a link next to them to mark them as done, and removed them from your todo list.
One day, web browsers, or a web browser plugin, started following links on a page in the background to put them in cache, so that if you clicked on a link it would display the next page very quickly. Well, people's todo lists started disappearing, as browsers would follow the "done" link to cache them.
Another real-world example of why GET requests shouldn't modify data.
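The PROTIP above and the todo-list story make the same point: a link that is merely followed (by a prefetching browser, a history crawl, or a link checker) must not be able to fire the mail merge or tick off a task. The following is an added example, not code from this thread or from phpMailer, showing the "naked GET" habit beside a guard that refuses anything but an authenticated POST carrying a per-session CSRF token. The script name `send_bulk.php`, the function `send_bulk_mail()` and the path under `phpMailer/` are hypothetical placeholders for the poster's own admin scripts.

```php
<?php
// Added example (not from the thread): guarding an admin script so that a
// prefetching browser, a bookmark or a crawler cannot trigger it via GET.
// Assumptions: the admin script lives somewhere like phpMailer/send_bulk.php
// (hypothetical path) and PHP sessions are available.

declare(strict_types=1);

// --- BEFORE: the habit the thread warns about ---------------------------
// A naked GET endpoint. Anything that follows the link (a prefetching
// browser, a link checker, a "tour" of the history) runs the mail merge:
//
//   require 'mailer.php';
//   send_bulk_mail();   // hypothetical; fires on every request, GET included

// --- AFTER: a guard that every state-changing admin action calls first --

/**
 * Decide whether a request may perform a state-changing admin action.
 * Returns null when the request is acceptable, otherwise the HTTP status
 * code explaining the refusal. Side-effect free, so it can be checked
 * without a web server.
 */
function admin_action_refusal(string $method, array $session, array $post): ?int
{
    // 1. Side effects only over POST; GET (and HEAD) must stay safe to fetch.
    if ($method !== 'POST') {
        return 405; // Method Not Allowed
    }
    // 2. A current logged-in session is required.
    if (empty($session['admin_user'])) {
        return 401; // Unauthorized
    }
    // 3. The POST must carry this session's CSRF token, so a third-party
    //    page cannot submit the form on the admin's behalf.
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 403; // Forbidden
    }
    return null;
}

/** Issue (or reuse) the session's CSRF token for embedding in the form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Wire the guard into a live request; call at the top of each admin script. */
function require_admin_action(): void
{
    session_start();
    $refusal = admin_action_refusal($_SERVER['REQUEST_METHOD'] ?? 'GET', $_SESSION, $_POST);
    if ($refusal !== null) {
        http_response_code($refusal);
        if ($refusal === 405) {
            header('Allow: POST');
        }
        exit("Refused ($refusal): admin actions require an authenticated POST.");
    }
}

// Usage in the admin page that renders the button (hypothetical names):
//   session_start();
//   $token = csrf_token($_SESSION);
//   echo '<form method="post" action="send_bulk.php">'
//      . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token) . '">'
//      . '<button type="submit">Send mail merge</button></form>';
//
// Usage at the top of send_bulk.php:
//   require_admin_action();
//   send_bulk_mail();

// Self-check when run from the command line (php guard.php):
if (PHP_SAPI === 'cli') {
    $sess = ['admin_user' => 'vance', 'csrf_token' => str_repeat('a', 64)]; // constructed session
    assert(admin_action_refusal('GET',  $sess, []) === 405);
    assert(admin_action_refusal('POST', [],    ['csrf_token' => $sess['csrf_token']]) === 401);
    assert(admin_action_refusal('POST', $sess, ['csrf_token' => 'wrong']) === 403);
    assert(admin_action_refusal('POST', $sess, ['csrf_token' => $sess['csrf_token']]) === null);
    echo "guard checks passed\n";
}
```

The guard keeps the decision in a pure function so the three refusals (wrong method, no session, bad token) can be exercised offline, and `hash_equals()` is used for the token comparison so the check takes the same time whether or not the prefix matches. With this in place, the access log entries the original poster saw would have been 405 responses rather than three mail merges, and the method column of the log (GET versus POST) becomes a quick way to tell an accidental fetch from a deliberate submission.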