
Is this a hijack?

how to locate the hijacker?

         

stu2

5:44 am on Jul 23, 2005 (gmt 0)

10+ Year Member



I posted this here since I'm running on an Apache server and I'm going to post a line from the log file.

I came across something really interesting just now. I was running phpSitemapNG with the intention of creating a sitemap.xml file for Google. Unfortunately the program bombed out (probably too many pages). So I was looking in the log file and came across this...

xx.xx.#*$!.xxx - - [21/Jul/2005:23:31:55 -0500] "GET /satelliteUS.shtml HTTP/1.1" 302 299 "http://www.mysite.com/satelliteUS.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; phpSitemapNG 1.4.5d)"

Well I have no such satelliteUS.shtml page on mysite.com and it returned a 302 code (isn't that usually a hijack?).

How should I go about finding out more about who this hijacker is?

Also, I noticed some of my own pages returned a 302 code when I have nothing in my .htaccess file related to that page. Is this also something to worry about?

jatar_k

5:48 am on Jul 23, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I don't believe it is something to worry about, that is actually your server returning a 302, not that you are getting 302'ed from someone else.

May be worth watching but will probably turn out to be nothing.

stu2

10:12 am on Jul 23, 2005 (gmt 0)

10+ Year Member



Why would my server return a 302? Shouldn't it be returning a 200? (I'm not an expert in those matters).

I presume your comment was related to my last sentence and not the question about the /satelliteUS.shtml file?

jdMorgan

2:34 pm on Jul 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It appears that your server is acting as a proxy for this request. This happens fairly often on loosely-configured commercial hosting. However, you might want to telnet into your server, and try typing in that request to see where the 302 leads. It may lead to a "go away" page provided by your host.

I block such requests:


# BLOCK attempts to use our server as a proxy, but allow absolute URI requests to our site
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET¦HEAD¦POST¦OPTIONS¦PROPFIND¦TRACE)\ /?http://([^.]+\.)?mydomain\.com/
RewriteRule .* - [F]

Jim

stu2

10:13 pm on Jul 23, 2005 (gmt 0)

10+ Year Member



I'm on a shared host with a dedicated ip address. Telnet didn't work (as I suspected).

RewriteCond %{THE_REQUEST} !^(GET¦HEAD¦POST¦OPTIONS¦PROPFIND¦TRACE)\

What is that character between GET/HEAD/POST/OPTIONS/PROPFIND/TRACE?

Presumably I can just copy this code into my .htaccess file changing only the domain name?

added: should it go in any particular position (before/after anything) in the .htaccess file (I'm no expert on that).

[edited by: stu2 at 10:19 pm (utc) on July 23, 2005]

stu2

10:15 pm on Jul 23, 2005 (gmt 0)

10+ Year Member



RewriteCond %{THE_REQUEST} !^(GET¦HEAD¦POST¦OPTIONS¦PROPFIND¦TRACE)\

Aha! It's now displaying correctly. It's the "¦" character, yes?

jdMorgan

10:52 pm on Jul 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, posting on this board modifies that character. Edit the code and replace those characters with pipe characters from your keyboard (Shift-\ on U.S. 101-key keyboard).

Jim

stu2

8:34 pm on Jul 24, 2005 (gmt 0)

10+ Year Member



Thanks. Do I need to put www in there somewhere?

jdMorgan

8:41 pm on Jul 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No, the code as posted should work with any subdomain, including www.

Jim
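
An added example, not code from the thread or its posters: the two RewriteCond tests from the rule above, with the pipe characters restored, ported to Python so the rule's effect can be checked against access-log request lines before it goes into .htaccess. The sample log entries are constructed, mydomain.com is the thread's placeholder, and the function names are hypothetical.

```python
import re

# Python ports of the two RewriteCond patterns from the thread, with the
# board-mangled characters restored to "|". mydomain.com is the thread's placeholder.
ABSOLUTE_URI = re.compile(r"^[A-Z]+ /?http://", re.IGNORECASE)  # first cond, [NC]
OWN_SITE = re.compile(
    r"^(GET|HEAD|POST|OPTIONS|PROPFIND|TRACE) /?http://([^.]+\.)?mydomain\.com/"
)  # second cond is negated with "!" in the rule and carries no [NC]

# The request line is the first quoted field after the timestamp in a
# combined-format log entry; it is what %{THE_REQUEST} holds.
REQUEST_FIELD = re.compile(r'\] "([^"]*)"')


def would_forbid(request_line):
    """True when both conditions hold, i.e. the RewriteRule would answer 403."""
    return bool(ABSOLUTE_URI.search(request_line)) and not OWN_SITE.search(request_line)


def proxy_attempts(log_lines):
    """Return the request lines in an access log that the rule would reject."""
    hits = []
    for line in log_lines:
        m = REQUEST_FIELD.search(line)
        if m and would_forbid(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample entries (not taken from the thread's log).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2005:23:31:55 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [21/Jul/2005:23:32:01 -0500] "GET http://www.example.org/ HTTP/1.1" 302 299 "-" "-"',
    '192.0.2.12 - - [21/Jul/2005:23:32:07 -0500] "GET http://www.mydomain.com/a.html HTTP/1.1" 200 900 "-" "-"',
    '192.0.2.13 - - [21/Jul/2005:23:32:09 -0500] "GET http://mydomain.com/ HTTP/1.0" 200 900 "-" "-"',
    '192.0.2.14 - - [21/Jul/2005:23:32:15 -0500] "POST http://mydomain.com.example.net/x HTTP/1.1" 302 299 "-" "-"',
]

if __name__ == "__main__":
    for req in proxy_attempts(SAMPLE_LOG):
        print("would be 403:", req)
```

The last sample entry shows why the pattern ends in `mydomain\.com/`: without the trailing slash, a foreign host that merely begins with the site's name would pass the second condition.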