Skip navigation

2 posts from June 2007

Stop that

From my error logs today:

/tag/security/protection.php?action=logout &siteurl=hackyfile.txt
/protection.php?action=logout &siteurl=hackyfile.txt
/protection.php?action=logout &siteurl=hackyfile.txt
/protection.php?action=logout &siteurl=hackyfile.txt
/protection.php?action=logout &siteurl=hackyfile.txt
/tag/protection.php?action=logout &siteurl=hackyfile.txt
/tag/phpaskit/page/2/protection.php?action=logout &siteurl=hackyfile.txt
/tag/phpaskit/page/protection.php?action=logout &siteurl=hackyfile.txt
/tag/php/page/2/protection.php?action=logout &siteurl=hackyfile.txt
/tag/php/page/2/protection.php?action=logout &siteurl=hackyfile.txt
/tag/php/page/2/protection.php?action=logout &siteurl=hackyfile.txt

(etc., etc... Each page was done about 4 times, and in total 200 hacky attempts were made)

Dear hackers,

I would have thought that with all the 404s you're getting that you would at least give up. I don't have anything to do with any files called protection.php on my site and scouring every single link trying to hack me is a waste of time.

Go away.

No love,

What not to do on the internet

Inspired by Jem's latest entry, I've come up with a quick and easy list of what not to do on the internet, or, more specifically, when you own a website.

  1. Do not steal.

    Sounds obvious, right? Don't take things that aren't yours. Seen a lovely image on some site and think it would look great on yours? Too bad. Yes, you can ask the author's permission but in all likelihood their answer will be negative. In some cases, the creator might feel insulted that you want their image when they've spent a long time making it and/or require payment or whatever.

    This goes for more than images though - it goes for scripts, fonts, text... Basically anything you see on another site. Unless the owner has specifically stated that you may take their work (and even then this should be investigated - some people are distributing stolen works), you can't have it. This is the concept of Copyright and Intellectual Property, something that if you are not familiar with, I suggest you educate yourself about as a matter of urgency.

  2. Do not redistribute things you did not create.

    A lot of people have scripts such as Wak's Ask&Answer on their sites for download because the original site doesn't exist any more and they want to share the script. It's fine because they don't claim they made it, and they always give credit, right? Wrong.
    Most scripts (including the Wak's one mentioned above) prohibit redistribution without the author's permission. I highly doubt the number of sites offering that script for download have contacted its creator regarding their offering it at their site. I definitely wasn't contacted when PHPAskIt was put up for download on a few people's sites, yet my site and script are still publicly available, so it's not like anyone needs to share it because it's not around any more.

    Even if a script does not state that it should not be redistributed, that doesn't mean you can do what you want with it (and yes, redistribution does mean editing the script and giving out/putting your edited version up for download). Under the Copyright law, the Copyright holder (the creator) retains the right to redistribute unless they have specifically stated otherwise. That is, if the script author hasn't said you can redistribute it, then you can't do it.

    Again, this isn't just to do with scripts (though it's one of the most common). Fonts, smilies and celebrity imagery are among those affected by this too.

  3. Do not remove credits.

    If you obtained the right to use something (e.g. a script, font, article, etc.) which requires a link back to the creator's site (also known as linkware), then you mustn't remove the credit. Doing so voids your right to use said item. However, I have ranted about this before so I'm not going to do it again.

  4. Do not direct link.

    Direct-linking is linking to an image on somebody else's server. When you post an image somewhere, you might use this sort of code:

    <img src="" alt="An image">

    Notice the part in the src - do you have permission to link the image from Direct-linking is theft of bandwidth (data transfer) which most webmasters pay for. It's a bit like if you're using your neighbour's wireless internet that they are paying for (and you're not) - it doesn't belong to you, you don't have permission to use it, so don't do it.

    Some sites might set their images up so that you can't direct-link to them; others might change the image to something of their choosing (not always a good thing). Others still might take advantage of the fact that you're direct-linking to do malicious things with their image - Jem got me to direct-link an image off her site and she was successfully able to steal cookies from me. ...But then Jem is evil so she would do that. :P

Um, that's all I can think of. Basically don't do things you wouldn't like done to you. I'm guilty of most of what I've said above... In my n00b days I took a few images from a site that I didn't pay for and made layouts out of them. I also removed credits and direct-linked from some sites, though I don't believe I have ever redistributed a script that I did not write or at the very least co-write.

On a slightly different note, if you are still using unpatched versions of PHPFanBase, PHPCurrently, PHPCalendar, PHPQuotes, PHPClique or FA-PHPHosting then you will find yourself hacked in a matter of seconds. Even though I have nothing to do with any of those scripts on my site, I've got bot after bot scouring every single link on my site looking for protection.php to exploit nasty code with, and I'm far from being the only site they're doing this to.
If you've been living under an e-rock for the past two years (that's how long this exploit has been around for) then you really need to read this as soon as you possibly can, and either patch your scripts or even better, stop using them at all and switch to safer alternatives.