
Site Security

need help determining whether someone has breached site security

   
2:07 am on Feb 15, 2007 (gmt 0)




I maintain a political blog w a small readership. I just wrote & published a post. Within minutes, I visited my stat service & found someone had accessed the published post's pg. A little unusual but not terribly so. What was unusual, in fact scary, is the referral URL. It was my blog's internal pg. for the post in the editor interface.

Looking over the visitor's IP address & geographical location I have a pretty good hunch that it's someone who's been a comment troll at my site for some time.

First, I'd like to know if this person somehow has breached my login data to gain access to my site internally. Second, how would they have known within minutes that I published a post? Would it be possible having such internal access that they might've planted some code that would automatically notify them when a new pg. was created? Or can they do this w. software w/o needing internal access?

If someone can help me interpret what might be happening I'd be grateful. I have the pg. from my stat service which I'd like to share w. someone who can help me figure out more of what might be going on. Send me a PM & I'll share the stuff w. you & be very grateful for yr help.

4:11 am on Feb 15, 2007 (gmt 0)

bill (WebmasterWorld Administrator)



I'm not sure I follow your problem exactly, but most blog CMS programs do publish RSS feeds which are pinged by a number of services the minute you make a new post. It would not be odd at all for someone to see a new post via their aggregator and visit the site if they were subscribed.

4:23 am on Feb 15, 2007 (gmt 0)




bill makes a good point, that may be the case.

Another tack... I use "honeypots" for this sort of situation. Add a link to the admin page you mentioned (where you think that user may have unauthorized access)... call the link "List of User Passwords" or something you may think would attract the hacker.

The link sends them to a page that automatically sends you an email with as much info as possible--their IP, cookie info, browser info etc.

4:58 am on Feb 15, 2007 (gmt 0)




Bill: Thanks for answering the question about how he might've discovered the new post immediately on its publication.

But I'm even more concerned why this guy's visit would've shown my internal site page as his URL referral. How would he have even gotten there unless he had logged into my site? Wouldn't that have meant that he had to have been inside my site when he accessed the public blog page?

8:40 am on Feb 15, 2007 (gmt 0)

bill (WebmasterWorld Administrator)



If you're certain your referrer data is correct then that might be possible. However, if you have logs that show these referrers then why don't you simply look at the logs that show access to your CMS admin pages? You can see what IP addresses are accessing that area of your site, can't you?

You could limit access to that area of your site via IP address (e.g., limit access to your known IP addresses).

I like superpower's idea for a honeypot. That would be another alternative to see if your assumption is correct.
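
The log check suggested in the post above, as an added example that is not part of the original thread: it lists which addresses were actually served admin pages and which merely sent an admin URL as their Referer. The `/admin/` prefix, the combined log format, the owner address and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

ADMIN_PREFIX = "/admin/"        # assumed CMS admin path; adjust to your blog software
KNOWN_IPS = {"192.0.2.10"}      # constructed: the owner's own address

# Apache/nginx "combined" log format (assumed)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample log lines, using documentation-range addresses
SAMPLE_LOG = '''\
192.0.2.10 - - [15/Feb/2007:02:01:10 +0000] "GET /admin/post.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Feb/2007:02:02:31 +0000] "GET /2007/02/new-post/ HTTP/1.1" 200 8841 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2007:02:05:02 +0000] "GET /2007/02/new-post/ HTTP/1.1" 200 8841 "http://blog.example/admin/post.php?id=42" "Mozilla/5.0"
198.51.100.23 - - [15/Feb/2007:02:06:40 +0000] "POST /admin/login.php HTTP/1.1" 401 310 "-" "Mozilla/5.0"
198.51.100.99 - - [15/Feb/2007:02:07:15 +0000] "GET /admin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
'''

def audit(log_text, admin_prefix=ADMIN_PREFIX, known_ips=KNOWN_IPS):
    admin_status = defaultdict(set)   # ip -> status codes returned for admin URLs
    admin_referer_ips = set()         # ips that sent a Referer inside the admin area
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that are not in combined format
        if m["path"].startswith(admin_prefix):
            admin_status[m["ip"]].add(int(m["status"]))
        if urlparse(m["referer"]).path.startswith(admin_prefix):
            admin_referer_ips.add(m["ip"])

    def served(ip):                   # 2xx from the admin area (a login form also
        return any(200 <= s < 300 for s in admin_status.get(ip, ()))  # returns 200)

    unknown = set(admin_status) - set(known_ips)
    return {
        # unknown addresses that were served admin pages: investigate these first
        "unknown_admin_success": sorted(ip for ip in unknown if served(ip)),
        # unknown addresses that only hit errors or the login wall
        "unknown_admin_denied": sorted(ip for ip in unknown if not served(ip)),
        # admin Referer but no served admin request in this log; the Referer
        # header is client-supplied, so on its own it does not prove a login
        "referer_without_admin_access": sorted(
            ip for ip in admin_referer_ips if not served(ip)),
    }

if __name__ == "__main__":
    for finding, ips in audit(SAMPLE_LOG).items():
        print(f"{finding}: {ips}")
```
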