Attempts to hack the new Mithras pages

When I wrote the PHP scripts that support my Roman cult of Mithras site, I incorporated some code to tell me if anyone was looking at the pages.  Specifically it tells me which pages are popular; information that is useful to me when deciding what to work on.

Each page is accessed using an address like this:

where XXXX is the name of one of the pages.  So I display the page names and counts like this:

As you may imagine, I was somewhat surprised to find entries appearing that were most certainly not pages on my site.  No link anywhere will produce these.

Here is one example:

Any database programmer will recognise that these are fragments of the database language, SQL.  What’s going on here?

This is — can only be — an attempt to hack my website.  The hacker has theorised that the pages, as in Wikipedia, are actually stored in a database.  He is trying to guess how my site works.

What if, he thinks, the “display.php” script, in the address above, takes the page name, creates an SQL query, and retrieves the page data from this hypothetical database?  Then perhaps the SQL is this:

select * from database_table where pagename = 'PAGE'

where PAGE is the text in “display.php?page=PAGE“?  If so, he thinks, let’s stick a quote in the address box, and add extra code!  Let’s see, he thinks, if we can get somewhere with this!  It failed, however.

A few days ago he must have realised that he wasn’t getting anywhere with the SQL injection attack (as it is called).  Here’s what he did next:

The hacker has tried again.  He’s now guessing that perhaps the website uses files on the disk, rather than a database.  He thinks that it is perhaps running on the Linux operating system, as most commercial websites do.  And he is guessing that my code perhaps does something like this:

File Open("PAGE");
File Read;
Display file to screen;

So he thought that perhaps he could get the display.php to display the password file from the Linux machine.  Indeed he tried various permutations of the same idea:

The %2F is an HTML encoding for a slash character; so he is still trying to get at the passwd file.  None of it worked, thankfully.

Now there is one obvious conclusion here.  This is not an automatic attack, run by machine.  This sort of tinkering requires human input.  No doubt there are hacking engines, built and sold to attack common software packages used to write websites.  But my site doesn’t use these; it’s all hand-made code.

So, somewhere out there, there is a human being, who is trying to gain control of my website.

Who is this person?  Well, I do know a little about him.  Back in 2006, when I last created a website using PHP scripting, such people didn’t exist.  So when I started the site, in December 2012, I didn’t bother with security.  The first version of the new site was promptly hacked.  And what did he do, once he could edit the content?  Well, he deleted it.  The page content was replaced with spam and links to spam sites.  It’s undoubtedly the same person, since he has kept up various attacks ever since.

The only person who could find advantage in that is someone who works for a spammer.  He’s out there, with some knowledge of programming, trying — for money, I presume — to break my site in order to delete it and replace it with rubbish, because someone else pays him to do it.

Nor is he giving up.  The attempts to hack me, using the attack that worked initially, have gone on unceasingly for months.  Indeed he tried the same hack again, two days ago at 22:42 hours.  It’s usually in the middle of the night that the attacks come.  Is he an Australian, perhaps?  Or some low-paid oriental?

It is sobering to see such determination to do harm.  He has put in months and months of effort – far more effort than I have spent to create the site in the first place.  And he keeps right on going.

Possibly all of our websites are under such daily attack.  The quantities of spam “comments” to this blog run into thousands every day; which, thankfully, WordPress deal with.  Most of the time we just don’t even know it is happening.

How many website authors check their logs regularly?  How many of us would recognise an attack if we saw one?  It is pure coincidence that I chose a format for this site, and a reporting method for it, that highlight the attacks very clearly.

I hope, therefore, that this post may assist my fellow web-authors.  It goes to show that these attacks are real.

Yes, it is sobering, and also rather sad.  For this was not how things were in 2006.  I ran the translation project for Jerome’s Chronicle without any security at all.  And I had no trouble.

But now the criminal classes are on the web.  The criminal is he who will wreck anything for any shred of personal convenience, regardless of the harm to others.

Sadly we may have to accept a police force for the web also, in response.


7 thoughts on “Attempts to hack the new Mithras pages

  1. You cant blame me for trying Roger! ! Joking of course. . No laughing matter. Scum.

  2. One thing is to define every character in a URL or in search boxes that isn’t allowed in your search mechanism. For example, if ‘/’ is not allowed as part of a legitimate search you put the offending IP directly on the .htaccess list. I’ll send you the code if you like. I treat every input from my search box as an array of characters and I scan each character in the array. If any character turns out not to be allowed then they go straight to .htaccess That’ll take care of a lot of it. These hacks are not directed at you. They happen to everyone on the internet that uses ‘post’ or who has a search box. Don’t be paranoid but do be careful.

  3. I have been involved with a computer oriented group on campus and I have learned a few things. Your hacker is most likely a low paid Chinese. He was attracted to your site because of its traffic, not necessarily its content. There a student site on campus that made a wiki a few years ago and had problems with people posting spam rather than content, sort of like you oriental literature wiki site. The solution turned out simple: they put a 24 hour waiting period between registration and being allowed to post. Automatic attacks immediately ceased. So long there are advertising links that pay more per 1000 clicks that the cost for a programmer to hack your site you will keep on getting attacked

Leave a Reply