When I wrote the PHP scripts that support my Roman cult of Mithras site, I incorporated some code to tell me if anyone was looking at the pages. Specifically it tells me which pages are popular; information that is useful to me when deciding what to work on.
Each page is accessed using an address like this:
where XXXX is the name of one of the pages. So I display the page names and counts like this:
As you may imagine, I was somewhat surprised to find entries appearing that were most certainly not pages on my site. No link anywhere will produce these.
Here is one example:
Any database programmer will recognise that these are fragments of the database language, SQL. What’s going on here?
This is — can only be — an attempt to hack my website. The hacker has theorised that the pages, as in Wikipedia, are actually stored in a database. He is trying to guess how my site works.
What if, he thinks, the “display.php” script, in the address above, takes the page name, creates an SQL query, and retrieves the page data from this hypothetical database? Then perhaps the SQL is this:
select * from database_table where pagename = 'PAGE'
where PAGE is the text in “display.php?page=PAGE“? If so, he thinks, let’s stick a quote in the address box, and add extra code! Let’s see, he thinks, if we can get somewhere with this! It failed, however.
A few days ago he must have realised that he wasn’t getting anywhere with the SQL injection attack (as it is called). Here’s what he did next:
The hacker has tried again. He’s now guessing that perhaps the website uses files on the disk, rather than a database. He thinks that it is perhaps running on the Linux operating system, as most commercial websites do. And he is guessing that my code perhaps does something like this:
File Open("PAGE"); File Read; Display file to screen;
So he thought that perhaps he could get the display.php to display the password file from the Linux machine. Indeed he tried various permutations of the same idea:
The %2F is an HTML encoding for a slash character; so he is still trying to get at the passwd file. None of it worked, thankfully.
Now there is one obvious conclusion here. This is not an automatic attack, run by machine. This sort of tinkering requires human input. No doubt there are hacking engines, built and sold to attack common software packages used to write websites. But my site doesn’t use these; it’s all hand-made code.
So, somewhere out there, there is a human being, who is trying to gain control of my website.
Who is this person? Well, I do know a little about him. Back in 2006, when I last created a website using PHP scripting, such people didn’t exist. So when I started the site, in December 2012, I didn’t bother with security. The first version of the new site was promptly hacked. And what did he do, once he could edit the content? Well, he deleted it. The page content was replaced with spam and links to spam sites. It’s undoubtedly the same person, since he has kept up various attacks ever since.
The only person who could find advantage in that is someone who works for a spammer. He’s out there, with some knowledge of programming, trying — for money, I presume — to break my site in order to delete it and replace it with rubbish, because someone else pays him to do it.
Nor is he giving up. The attempts to hack me, using the attack that worked initially, have gone on unceasingly for months. Indeed he tried the same hack again, two days ago at 22:42 hours. It’s usually in the middle of the night that the attacks come. Is he an Australian, perhaps? Or some low-paid oriental?
It is sobering to see such determination to do harm. He has put in months and months of effort – far more effort than I have spent to create the site in the first place. And he keeps right on going.
Possibly all of our websites are under such daily attack. The quantities of spam “comments” to this blog run into thousands every day; which, thankfully, WordPress deal with. Most of the time we just don’t even know it is happening.
How many website authors check their logs regularly? How many of us would recognise an attack if we saw one? It is pure coincidence that I chose a format for this site, and a reporting method for it, that highlight the attacks very clearly.
I hope, therefore, that this post may assist my fellow web-authors. It goes to show that these attacks are real.
Yes, it is sobering, and also rather sad. For this was not how things were in 2006. I ran the translation project for Jerome’s Chronicle without any security at all. And I had no trouble.
But now the criminal classes are on the web. The criminal is he who will wreck anything for any shred of personal convenience, regardless of the harm to others.
Sadly we may have to accept a police force for the web also, in response.