Site Security
need help determining whether someone has breached site security
richards1052




msg:3252985
 2:07 am on Feb 15, 2007 (gmt 0)

I maintain a political blog w a small readership. I just wrote & published a post. Within minutes, I visited my stat service & found someone had accessed the published post's pg. A little unusual but not terribly so. What was unusual, in fact scary is the referral URL. It was my blog's internal pg. for the post in the editor interface.

Looking over the visitor's IP address & geographical location I have a pretty good hunch that it's someone who's been a comment troll at my site for some time.

First, I'd like to know if this person somehow has breached my login data to gain access to my site internally. Second, how would they have known within minutes that I published a post? Would it be possible having such internal access that they might've planted some code that would automatically notify them when a new pg. was created? Or can they do this w. software w/o needing internal access?

If someone can help me interpret what might be happening I'd be grateful. I have the pg. from my stat service which I'd like to share w. someone who can help me figure out more of what might be going on. Send me a PM & I'll share the stuff w. you & be very grateful for yr help.

 

bill




msg:3253035
 4:11 am on Feb 15, 2007 (gmt 0)

I'm not sure I follow your problem exactly, but most blog CMS programs do publish RSS feeds which are pinged by a number of services the minute you make a new post. It would not be odd at all for someone to see a new post via their aggregator and visit the site if they were subscribed.

superpower




msg:3253043
 4:23 am on Feb 15, 2007 (gmt 0)

bill makes a good point, that may be the case.

Another tack... I use "honeypots" for this sort of situation. Add a link to the admin page you mentioned (where you think that user may have unauthorized access)... call the link "List of User Passwords" or something you may think would attract the hacker.

The link sends them to a page that automatically sends you an email with as much info as possible--their IP, cookie info, browser info etc.

richards1052




msg:3253060
 4:58 am on Feb 15, 2007 (gmt 0)

Bill: Thanks for answering the question about how he might've discovered the new post immediately on its publication.

But I'm even more concerned why this guy's visit would've shown my internal site page as his URL referral. How would he have even gotten there unless he had logged into my site? Wouldn't that have meant that he had to have been inside my site when he accessed the public blog page?

bill




msg:3253119
 8:40 am on Feb 15, 2007 (gmt 0)

If you're certain your referrer data is correct then that might be possible. However, if you have logs that show these referrers then why don't you simply look at the logs that show access to your CMS admin pages? You can see what IP addresses are accessing that area of your site, can't you?

You could limit access to that area of your site via IP address (e.g., limit access to your known IP addresses).

I like superpower's idea for a honeypot. That would be another alternative to see if your assumption is correct.
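The log check suggested in the reply above, as an added example that is not part of the original thread: it lists which outside IP addresses requested the CMS admin area and which sent an admin URL as their referrer. The `/admin/` prefix, the owner address, the `blog.example` host and the log lines are all constructed assumptions, and the logs are assumed to be in Combined Log Format.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
ADMIN_PREFIX = "/admin/"    # assumption: where the CMS editor pages live
KNOWN_IPS = {"192.0.2.10"}  # assumption: the site owner's own address

# Constructed sample lines (documentation IP ranges), not data from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Feb/2007:01:58:02 +0000] "POST /admin/post.php?id=42 HTTP/1.1" 200 5120 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
192.0.2.10 - - [15/Feb/2007:01:58:09 +0000] "GET /2007/02/new-post/ HTTP/1.1" 200 8811 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2007:02:01:44 +0000] "GET /2007/02/new-post/ HTTP/1.1" 200 8811 "http://blog.example/admin/post.php?id=42" "Mozilla/4.0"
203.0.113.7 - - [15/Feb/2007:02:01:50 +0000] "GET /admin/post.php?id=42 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Feb/2007:02:03:10 +0000] "GET /feed/ HTTP/1.1" 200 2300 "-" "FeedReader/1.0"
"""


def review(log_text, admin_prefix=ADMIN_PREFIX, known_ips=KNOWN_IPS):
    """Return (admin_hits, admin_referers), each keyed by IPs outside known_ips."""
    admin_hits = defaultdict(list)      # ip -> [(time, path, status)]
    admin_referers = defaultdict(list)  # ip -> [(time, path, referer)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in known_ips:
            continue
        if m["path"].startswith(admin_prefix):
            admin_hits[m["ip"]].append((m["time"], m["path"], int(m["status"])))
        if urlparse(m["referer"]).path.startswith(admin_prefix):
            admin_referers[m["ip"]].append((m["time"], m["path"], m["referer"]))
    return dict(admin_hits), dict(admin_referers)


def admin_pages_served(admin_hits):
    """IPs that were actually served an admin page (2xx), not redirected or refused."""
    return sorted(ip for ip, hits in admin_hits.items()
                  if any(200 <= status < 300 for _, _, status in hits))


if __name__ == "__main__":
    hits, refs = review(SAMPLE_LOG)
    print("admin requests from unknown IPs:", hits)
    print("admin URL sent as referrer by:", refs)
    print("unknown IPs served an admin page:", admin_pages_served(hits))
```

The referrer is a header the visitor's browser supplies and can hold any value, so the status codes on the admin requests themselves are the stronger evidence of whether a page was served.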
