The PHP file was launched by the Alexa crawler and caused problems!

I wrote a script that will be used to automatically release new pages at a specific time. It will just show the countdown timer, and then when it reaches 0, it will rename the specific file to index.php and rename the current index.php to index-modified.php.

There is no problem. But at some point, my client said that my site was not suitable. I found that index.php has been renamed index-modified.php and all other pages are working fine. And without index.php, my site showed a 404 error.

Then I analyzed the access log and found that the Alexa crawler had access to this version of the script, and this caused a problem.

I want to know how the Alexa crawler found my internal script file and crawled it? Will this happen with all my destination files for internal admin? I have no links to this script on any of my pages.

I wonder how he could find the files that are present on my server?

+4
4 answers

I wonder how he could find the files that are present on my server?

Perhaps because someone who accessed these files used the Alexa toolbar.

This was only possible because the script has two things.

  • It is not protected by authentication / authorization level.

  • This makes significant changes to the server in response to a GET request. The HTTP specification provides GET for "secure" requests and POST for requests that do something.

+11

index.php is the default name of the PHP script in the directory. It will be executed when you go to the directory without specifying a file name.

To solve this problem, use POST to invoke the changes. If you cannot do this, at least give the script a name that can hardly be guessed.

+1

You should use robots.txt and disable spider scanning:

    User-agent: *
    Disallow: /index.php
+1

If your script is in htdocs (for Apache), chances are that the scanners will find it and try to crawl it. What you can do is:

1) Set the rule in the robots.txt file. Here you can learn more about this: http://www.javascriptkit.com/howto/robots.shtml

This will report errors not to execute the script, but will not prevent them

2) Put the script in a subfolder and password-protect it. This is the best option in your case, since you REALLY do not want random visitors or spiders to be able to disable your website. More on how to do this with .htaccess:

http://www.javascriptkit.com/howto/htaccess3.shtml

I wish you good luck, Marin

+1
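The two flaws named in the first answer (no authorization, and a state change triggered by GET, a method HTTP defines as safe) can both be closed inside the release script. This is an added example, not the asker's code: the file name index-new.php, the `token` POST field, the release time and the stored token hash are assumptions, and it assumes an admin or scheduled job sends the POST.

```php
<?php
// Added example (hypothetical release.php), not the asker's original script.
declare(strict_types=1);

const RELEASE_AT   = '2030-01-01T00:00:00+00:00';       // assumed release time
const TOKEN_SHA256 = 'REPLACE_WITH_SHA256_HEX_OF_TOKEN'; // placeholder; denies all until set
const LIVE_PAGE    = __DIR__ . '/index.php';
const STAGED_PAGE  = __DIR__ . '/index-new.php';         // assumed name of the page to release
const OLD_PAGE     = __DIR__ . '/index-modified.php';

function deny(int $status, string $message): void {
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message . "\n");
}

// 1. State changes only on POST. Crawlers, prefetchers and toolbars
//    issue GET/HEAD, so they get a 405 and nothing is renamed.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Allow: POST');
    deny(405, 'Method not allowed');
}

// 2. Authorization: constant-time comparison against the stored token hash.
$token = $_POST['token'] ?? '';
if (!is_string($token) || !hash_equals(TOKEN_SHA256, hash('sha256', $token))) {
    deny(403, 'Forbidden');
}

// 3. The server decides whether it is time; the client countdown is display only.
if (time() < strtotime(RELEASE_AT)) {
    deny(409, 'Release time not reached');
}

// 4. Idempotency: never touch the live page unless a staged page exists,
//    so a repeated request cannot leave the site without index.php.
if (!is_file(STAGED_PAGE)) {
    deny(409, 'Nothing staged (already released?)');
}

// 5. Swap, rolling back if the second rename fails.
if (!rename(LIVE_PAGE, OLD_PAGE)) {
    deny(500, 'Could not move current index.php');
}
if (!rename(STAGED_PAGE, LIVE_PAGE)) {
    rename(OLD_PAGE, LIVE_PAGE);
    deny(500, 'Release failed, previous page restored');
}
echo "Released\n";
```

A robots.txt rule only asks well-behaved crawlers to stay away; the method and token checks are what actually refuse the request.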

Source: https://habr.com/ru/post/1302460/

