Hey, i dont know if this is the correct forum this is kinda XOOPS related, let me explain what I am talking about.

I was just searching google to see how my site was placed, etc and i did a search for my xcgal module to see how many people linked to it, i found alot of mentions of the URL of my xcgal module listed all over the place, and on some dodgy looking sites, but the thing was at the end they all had filenames for cracks, porn passwords, etc, for example http://mysite.com/home/modules/xcgal/albums/somealbum/porno-password-cracker.shtml, the list goes on from downloads of exe files and software password cracks.

I checked my logs and there is an absolute ton of requests for these URL's, i checked inside xcgal directories and of course none of these files that are on google are there, so there requests just bring up 404 errors, my question is why would people post links to these dodgy files that arent even on my site? Is there a name for this phenomenon and is there a way to stop it, has anyone else had a similar experiance with these fake URL's?

Cheers.

I think it's more than people making up fake URLs. I'm not sure what's going on in your case but page hijacking comes to mind. I did an allinurl of your site on Google - allinurl:www.yourdomain.com/home/modules/xcgal/albums/
and when your site came up (if the site I found is your site) I clicked on Google's cache and it immediately redirects to a scraper/fake search engine site. When I clicked on the actual Google link - which should have brought me to your site, it took me to the same site (not yours) as well. That tells me it's been hijacked. I think it's a 302 redirect or something like that. Frankly, I don't know much about it but have read a little here and there. Try reading a few of these links about it and see if any of this applies.

302 Redirect Google Search

Good luck.

Hi, thanks for your reply, I dont think i have been hijacked though, my site is mjtkop.com is that what you tried? I couldnt get anything to show in google for allinurl:http://mjtkop.com/home/modules/xcgal/albums

heres the google search results for pages containing the terms http://mjtkop.com/home/modules/xcgal/ http://www.google.co.uk/search?hl=en&lr=&q=%22mjtkop.com/home/modules/xcgal/%22

If you scroll down a bit youll see what i mean with the fake URLs, they seem to be coming from crack, or porn seach sites or something.

I think i will contact google and see if they can remove these results as it just doenst look good to legitimate people doing a search for my gallery.

Thanks for your help

Actually you are correct i just found the sites on google.

A while back i was compromised and there where loads of php files placed inot xcgal album directories, these files where called base.php, includes.php, time.php and otehr names there was also a htaccess file which is probably what is redirecting to the crap search site.

I will need to go through every directory and remove all these files.

I'm sorry to hear your site was compromised. Do you know how they did it?

I would definitely remove the files ASAP and if you don't have Protector, try using that.

Good luck.

Hi, actually my site was compromised last year, what happened is they managed to alter files in templates_c or cache which allowed them to place links to various porn sites/crack downloads on my site it was simply fixed just delete cache and templates_c files. The thing is I didnt notice these other php files in the xcgal/albums directories because i have no need to check those folders once pics are uploaded.

As was said before the files usulaly 4 php files named different things and a htaccess file are placed in the directories ive read about this today happening with phpnuke and other CMS it makes your site or the albums URL redirect to carious Russian search sites.

This is the content of the htaccess file that is in the directories:


Each one differes with the php filename I looked in the php file and its just php code i dont understand.

I have protector installed and it was installed when this attack took place, but protector just isnt the protector i dont think, it might protect against some sql injections or high loading bots but it simple boils down to the fact that some folders within XOOPS have to be writable chmod 777 which is just not secure.

Quote:

That's odd... I was under the impression that Protector was supposed protect against file uploads. From the Protector preferences:

Quote:

Thanks for the information. It's a bit unnerving what these people can actually achieve.

Quote:

I could be completely wrong, but i have a feeling that is only applicable if someone tries to upload from within your XOOPS site, for example someone tries to upload a bad file into the wfdownloads module or a public gallery module, etc.

To be honest I am not sure exactly what good protector can be it seems to have its faults, it kept banning alot of my members and forum moderators saying that they where bad bots or they where launching a DOS attack, members where getting banned every day, it got to the piont I had to change the settings and disable IP bans, I dont really know exactly how protector works or what it classes as a bad bot or DOS attack but I dont think my members where falling into this category.