Msg#: 3252983 posted 2:07 am on Feb 15, 2007 (gmt 0)
I maintain a political blog w a small readership. I just wrote & published a post. Within minutes, I visited my stat service & found someone had accessed the published post's pg. A little unusual but not terribly so. What was unusual, in fact scary, is the referral URL. It was my blog's internal pg. for the post in the editor interface.
Looking over the visitor's IP address & geographical location I have a pretty good hunch that it's someone who's been a comment troll at my site for some time.
First, I'd like to know if this person somehow has breached my login data to gain access to my site internally. Second, how would they have known within minutes that I published a post? Would it be possible having such internal access that they might've planted some code that would automatically notify them when a new pg. was created? Or can they do this w. software w/o needing internal access?
If someone can help me interpret what might be happening I'd be grateful. I have the pg. from my stat service which I'd like to share w. someone who can help me figure out more of what might be going on. Send me a PM & I'll share the stuff w. you & be very grateful for yr help.
Msg#: 3252983 posted 4:11 am on Feb 15, 2007 (gmt 0)
I'm not sure I follow your problem exactly, but most blog CMS programs do publish RSS feeds which are pinged by a number of services the minute you make a new post. It would not be odd at all for someone to see a new post via their aggregator and visit the site if they were subscribed.
Msg#: 3252983 posted 4:23 am on Feb 15, 2007 (gmt 0)
bill makes a good point, that may be the case.
Another tack...I use "honeypots" for this sort of situation. Add a link to the admin page you mentioned (where you think that user may have unauthorized access)...call the link "List of User Passwords" or something you may think would attract the hacker.
The link sends them to a page that automatically sends you an email with as much info as possible--their IP, cookie info, browser info etc.
Msg#: 3252983 posted 4:58 am on Feb 15, 2007 (gmt 0)
Bill: Thanks for answering the question about how he might've discovered the new post immediately on its publication.
But I'm even more concerned why this guy's visit would've shown my internal site page as his URL referral. How would he have even gotten there unless he had logged into my site? Wouldn't that have meant that he had to have been inside my site when he accessed the public blog page?
Msg#: 3252983 posted 8:40 am on Feb 15, 2007 (gmt 0)
If you're certain your referrer data is correct then that might be possible. However, if you have logs that show these referrers then why don't you simply look at the logs that show access to your CMS admin pages? You can see what IP addresses are accessing that area of your site, can't you?
You could limit access to that area of your site via IP address (e.g. limit access to your known IP addresses).
I like superpower's idea for a honeypot. That would be another alternative to see if your assumption is correct.
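
The log check suggested above, as an added example that is not part of the original thread: it reads combined-format access log lines and separates IPs that actually received admin pages from IPs that only sent an admin URL in the Referer header, which is supplied by the client. The `/admin/` prefix, the owner IP, the host name and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

ADMIN_PREFIX = "/admin/"        # assumption: path prefix of the CMS editor
KNOWN_IPS = {"198.51.100.7"}    # assumption: the site owner's own address

# Apache/nginx "combined" log format
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Feb/2007:02:01:10 +0000] "POST /admin/post.php?id=42 HTTP/1.1" 200 512 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
198.51.100.7 - - [15/Feb/2007:02:01:12 +0000] "GET /2007/02/new-post HTTP/1.1" 200 9000 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
203.0.113.50 - - [15/Feb/2007:02:04:30 +0000] "GET /2007/02/new-post HTTP/1.1" 200 9000 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
203.0.113.99 - - [15/Feb/2007:02:05:00 +0000] "GET /admin/post.php?id=42 HTTP/1.1" 302 0 "-" "curl/7.16"
192.0.2.33 - - [15/Feb/2007:02:06:00 +0000] "GET /admin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def analyse(log_text, admin_prefix=ADMIN_PREFIX, known_ips=KNOWN_IPS):
    admin_hits = defaultdict(list)  # ip -> status codes of its admin requests
    admin_referred = []             # (ip, path): public hit with admin Referer
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not combined format
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if path.startswith(admin_prefix):
            admin_hits[ip].append(status)
        elif urlparse(m["referer"]).path.startswith(admin_prefix):
            admin_referred.append((ip, path))
    # Unknown IPs that were served an admin page (2xx): real cause for concern.
    unknown_admin = {ip: codes for ip, codes in admin_hits.items()
                     if ip not in known_ips
                     and any(200 <= c < 300 for c in codes)}
    # IPs whose Referer names an admin page but which never requested one in
    # this log: the header alone is not evidence that they loaded the editor.
    unbacked = sorted({ip for ip, _ in admin_referred if ip not in admin_hits})
    return unknown_admin, unbacked

if __name__ == "__main__":
    served, referer_only = analyse(SAMPLE_LOG)
    print("unknown IPs served admin pages:", served)
    print("admin Referer without admin requests:", referer_only)
```

An IP in the first result warrants a password change and an access restriction on the admin area; an IP only in the second result shows no admin access in the log window examined.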