Forum Moderators: phranque
php_flag output_buffering on
The reason I want to do this is my website is returning 302 when it should return a 301 error with certain URLs.
I also get a 500 server error when using this:
ErrorDocument 404 /index.php
With the intention of directing all 404 errors to my homepage.
I also suspect a spammer is using Googlebot to crawl through a proxy to my site and using a 302 error somehow ot redirect to his site.... I found this out by using a web sniffer. So how do I block IPs of bots that aren't coming from a certain IP range?
Here's my .htaccess file right now (just using mod rewrite for search engines). Thanks.
RewriteEngine On
RewriteBase /
# You could need to un-comment the following line
# Options +FollowSymlinks
# FORUM INDEX (un-comment if used)
# RewriteRule ^index\.html$ /index.php [QSA,L,NC]
# FORUM PROTECTION RULE
# RewriteRule ^[a-z0-9_-]+/([^/]+\.html)$ /index.php [R=301,L,NC]
# CATEGORIES
RewriteRule ^[a-z0-9_-]*-c([0-9]+)\.html$ /index.php?c=$1 [QSA,L,NC]
# PAGINATED FORUM
RewriteRule ^[a-z0-9_-]*-f([0-9]+)-([0-9]+)\.html$ /viewforum.php?f=$1&start=$2 [QSA,L,NC]
# FORUM
RewriteRule ^[a-z0-9_-]*-f([0-9]+)\.html$ /viewforum.php?f=$1 [QSA,L,NC]
# PAGINATED TOPIC
RewriteRule ^[a-z0-9_-]*-t([0-9]+)-([0-9]+)\.html$ /viewtopic.php?t=$1&start=$2 [QSA,L,NC]
# TOPIC
RewriteRule ^[a-z0-9_-]*-t([0-9]+)\.html$ /viewtopic.php?t=$1 [QSA,L,NC]
# POST
RewriteRule ^post([0-9]+)\.html$ /viewtopic.php?p=$1 [QSA,L,NC]
#PROFILES
RewriteRule ^member([0-9]+)\.html$ /profile.php?mode=viewprofile&u=$1 [QSA,L,NC]
I also get a 500 server error when using this:ErrorDocument 404 /index.php
With the intention of directing all 404 errors to my homepage.
There is nothing wrong with your ErrorDocument directive, except for your "intention." Directing all missing pages to your home page may give you serious duplicate-content problems. Instead, put up a page that says, "We're sorry, but the page you requested is no longer available." Then provide text links to your home page, site map, categories, forums, etc. as applicable.
In order to help with this problem, we'll need to see the contents of your server error log after one of these 500-Server Error events. To assist in getting valid results, completely flush your browser cache before testing.
I also suspect a spammer is using Googlebot to crawl through a proxy to my site and using a 302 error somehow to redirect to his site.
Please post the contents of your server error log, cleaned-up in compliance with our Terms of Service and the Apache forum charter.
Thanks,
Jim
As for my server logs I have to wait awhile before they are updated with the 500 server error, once that's done I'll include them as well.
On the web sniffer, I ran a HTTP header query on a link that should return a 301 error. This is what leads me to think a scammer is present. Here are the results:
HTTP(S)-URL: (IDN allowed)HTTP version: HTTP/1.1 HTTP/1.0 (with Host header) HTTP/1.0 (without Host header)
Raw HTML view Accept-Encoding: gzip • Request type:GET POST HEAD TRACE
User agent:
HTTP Request Header
Connect to "THE IP ADDRESS" on port 80 ... okGET /index.php?c=1 HTTP/1.1[CRLF]
Host: www.MY DOMAIN NAME.com[CRLF]
Connection: close[CRLF]
Accept-Encoding: gzip[CRLF]
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/vnd.xfdl; version="6.5.0", */*[CRLF]
Accept-Language: en-us[CRLF]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727) WEB SNIFFER SOFTWARE VERSION/1.0.24[CRLF]
Referer: [THE...] WEB SNIFFER.net/[CRLF]
[CRLF]
HTTP Response Header
Name Value Delim
HTTP Status Code: HTTP/1.1 302 Object moved
Connection: close CRLF
Date: Sat, 11 Aug 2007 11:10:47 GMT CRLF
Server: Microsoft-IIS/6.0 CRLF
X-Powered-By: ASP.NET CRLF
X-AspNet-Version: 1.1.4322 CRLF
Location: [NOT...] MY DOMAIN.com/index.php?c=1 CRLF
Cache-Control: private CRLF
Content-Type: text/html CRLF
Content-Length: 159 CRLFContent (0.16 KiB)
<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://www.NOT MY DOMAIN.com/index.php?c=1">here</a>.</body>
Note that the "not my domain" has so many advertisements on the page it's ridiculous.
Your server has been hacked, or your DNS has been poisoned.
The diversion via 302 redirect must be as a result of a 302 redirect being present on your server, or as a result of the DNS request for "yourdomain" returning an IP address other than your own. If the request IP address you see in the sniffer log is indeed that of your own server, then I'm afraid you've been hacked.
Also, I note that you're (apparently) on an IIS server, so while we may be able to help a bit more with diagnosis, it's likely you'll get better detailed advice for solutions over in our IIS forum.
I would take a very careful look at any .asp code that is involved with serving this requested page. If it's been modified to invoke a 302 redirect, then you need to see to your server security configuration first, then remove the hacker's code -- No use signaling that you're on to his tricks before a solid security fix is in place...
We had some discussion here recently about some hosts leaving other users' accounts accessible via FTP. In other words, it may be possible to log into your server FTP account and then go up-up-up a few levels until you can see a directory of all users sharing the server. It may then be possible to descend into another Web site's file space. Given that that is already a serious security problem, it's not a complete surprise that in some cases, you can even modify the files on these other sites. :(
Alternatively, your server may have been compromised via any one of many script injection techniques. In general, all scripts should filter input based upon what is needed and 'safe' to accept, rather than trying to look for and reject 'dangerous' input. The difference in mind-set between these approaches, though somewhat subtle, is critical to a secure computing environment.
Jim
