You said you've checked the DB for script injections, but did you also search for iframe?

2012/4/13 Gino Pacitti <ginok...@mac.com>

> No just see my access and my root access when I logged in.
>
> G
>
> On 13 Apr 2012, at 13:35, Daniele Corti wrote:
>
> Hi Gino,
>> did you check access to the server? Exec # last | more as root from an
>> ssh shell and check for last access.
>>
>> 2012/4/13 Gino Pacitti <ginok...@mac.com>
>> checked the apache config and nothing unusual there.. WO Components are
>> all newly updated from devel machine... and contain no script ??
>>
>> I am still checking more and more possibilities
>>
>> G
>>
>> On 13 Apr 2012, at 13:18, Daniele Corti wrote:
>>
>> Nothing strange in this url: just a ddns, probably, from a cracked PC.
>>
>> Did you check if someone has broken into your web server? Maybe someone
>> changed the HTML directly in the .wo components, or altered the apache
>> configuration.
>>
>> 2012/4/13 Gino Pacitti <ginok...@mac.com>
>> Take a look at this URL - see attached...
>>
>> The link pointed to a regular Component Action with correct domain name
>> etc.. but then once clicked turned into this?
>>
>> G
>>
>> On 13 Apr 2012, at 09:06, Daniele Corti wrote:
>>
>> Hi Gino,
>> look, I was thinking, yesterday, how to hack a WO site and, IMHO, if you
>> have excluded the injection in the DB (e.g. someone pushed an iframe or
>> script into the HTML saved in the DB), the only other way is to gain
>> access to the repository of the site (through SSH, FTP, SFTP).
>>
>> Can you access the machine and check for the latest connections?
>>
>> 2012/4/13 Gino Pacitti <ginok...@mac.com>
>> Hi Daniel
>> I will try with JS disabled to see if I can repeat the problem.
>>
>> The URL I see in the source and in the status are correct - it is once
>> the form button or link is clicked that the issue occurs. It's like the
>> URL clicked is pointing to the Adult or Virus website.
>>
>> The URL is something like:
>>
>> http://www.mydomain.co.uk/cgi-bin/WebObjects/Appt.woa/2/wo/imCcv2b2suMZqLswRhNV50/8.16.14.0
>>
>> Once clicked it then becomes a completely different URL and the browser
>> goes to that page with the malware???
>>
>> It's almost like a redirect or something is occurring....
>>
>> Gino
>>
>> On 13 Apr 2012, at 08:39, Daniele Corti wrote:
>>
>> Hi Gino,
>> can I suggest you inspect your site with firebug or something similar?
>> Try to trace the urls the browser calls and see if there are some
>> strange urls.
>>
>> Another thing you can try is to disable JS in the browser and see if the
>> redirection still occurs. If there aren't redirections, the problem is,
>> probably, some injection in the HTML.
>>
>> One last thing: Jon's message makes me wonder if I missed something. You
>> say you have redirection to another site, but when you are seeing the
>> Adult site, has the url in the browser's address bar changed?
>>
>> 2012/4/13 Gino Pacitti <ginok...@mac.com>
>> yes.. I can look at the form in the source of the page and action points
>> to : /cgi-bin/WebObjects... etc... with the component numbers after the /wo
>> It seems that for some reason the POST is causing a redirection off to
>> another site.
>>
>> It just does not happen at every attempt though which is even more
>> puzzling..
>>
>> Gino
>>
>> On 12 Apr 2012, at 20:39, Daniele Corti wrote:
>>
>> are the urls of the form or the link correctly formed? I mean, do you
>> have the HREF and ACTION attributes pointing to
>> /cgi-bin/WebObjects/YourApp.woa/wo/SESSION_ID/Num.ber.Pro.Gre.ssi.ve?
>>
>> 2012/4/12 Gino Pacitti <ginok...@mac.com>
>> No .. completely just form submits and links...
>>
>> It is weird. A normal link to a Component Action results in the URL
>> changing and an Adult site appearing. It looks a bit like DNSSwapping
>> which I looked into but I have run scans on this with no results...
>>
>> Gino
>>
>> On 12 Apr 2012, at 19:52, Daniele Corti wrote:
>>
>> Hi,
>> Just one thing that I was thinking: do you use AJAX in the form or link
>> where the redirection occurs?
>>
>> 2012/4/12 Gino Pacitti <ginok...@mac.com>
>> I will have to give that a try...
>>
>> Gino
>>
>> On 12 Apr 2012, at 19:47, Daniele Corti wrote:
>>
>> Hi,
>> That's strange, can you download the .woa packages (the Application and
>> the WebResources) and install them on a test site and see if the
>> redirection happens?
>>
>> 2012/4/12 Gino Pacitti <ginok...@mac.com>
>> no database seems clean - tried to search for a 'script' word in any
>> fields and nothing came back - it's like the whole site gets redirected
>> when you click a form to go to a Direct Action?
>>
>> Gino
>>
>> On 12 Apr 2012, at 16:25, Daniele Corti wrote:
>>
>> Hi Gino,
>> is the Direct Action, actually, generating the HTML from content fetched
>> from the DB? If so, can you check the records that are fetched in the DA,
>> if they have some script injections?
>>
>> Regards,
>>
>> 2012/4/12 Gino Pacitti <ginok...@mac.com>
>> I have been hijacked...
>> It's redirecting and also spreading virus to PC - not everyone but a
>> percentage of users have had warnings and alert screen concerning the
>> site.
>>
>> What should I look for in the logs?
>>
>> Gino
>>
>> On 12 Apr 2012, at 16:02, Pascal Robert wrote:
>>
>> You are hijacked or you are seeing hack attempts? What do you see in the
>> Apache logs?
>>
>> Hi
>> Anyone had any experience of how a site can be hijacked?
>>
>> I mean that a normal link to a Direct Action gets redirected to a new
>> site (Adult Content)
>>
>> I cannot see how this is being done - Components does not contain any
>> scripts except for Google Analytics yet clicking on a submit button or
>> links causes this.
>>
>> It is also not on every attempt - it seems to happen randomly??
>>
>> Any help appreciated
>>
>> Gino

--
Daniele Corti
--
I DON'T DoubleClick

_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
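
The check discussed in this thread (searching stored HTML for iframes as well as the word 'script'), as an added example that is not part of the original messages. It parses each fragment instead of matching text, so uppercase tags, off-site form actions and meta refreshes are caught too; the allow-list, the `scan`/`scan_all` names and the sample fragments are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own host plus Google Analytics, the only third-party
# script the thread says the components contain. Adjust for a real site.
ALLOWED_HOSTS = {"www.mydomain.co.uk", "www.google-analytics.com"}
# Tags that load from or post to a URL, and the attribute that holds it.
URL_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
             "embed": "src", "object": "data", "form": "action"}

class InjectionFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names, so <IFRAME SRC=...> is caught as well.
        a = {k: (v or "") for k, v in attrs}
        if tag in URL_ATTRS:
            url = a.get(URL_ATTRS[tag], "")
            try:
                host = urlparse(url).hostname  # None for relative URLs
            except ValueError:
                host = "unparseable"           # malformed URL: report it
            if host and host not in ALLOWED_HOSTS:
                self.findings.append((tag, url))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))

def scan(label, html):
    # Returns (label, tag, url) for each suspicious element in one fragment.
    finder = InjectionFinder()
    finder.feed(html)
    finder.close()
    return [(label, tag, url) for tag, url in finder.findings]

# Constructed samples standing in for a component template and two DB fields.
SAMPLES = {
    "Main.wo/Main.html": '<form action="/cgi-bin/WebObjects/Appt.woa/wo/1.2">'
        '<script src="http://www.google-analytics.com/ga.js"></script></form>',
    "article row 17": '<p>News</p><IFRAME SRC="//bad.example.invalid/x" width=0></IFRAME>',
    "article row 42": '<meta http-equiv="Refresh" content="0; url=http://bad.example.invalid/">',
}

def scan_all(samples=SAMPLES):
    return [hit for label, html in samples.items() for hit in scan(label, html)]

if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

In practice the fragments would come from the text columns the Direct Action renders and from the `.html` files inside the deployed `.wo` components, compared against a known-good copy from the development machine.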