Gossamer Forum

WARNING: linkdead.cgi hackers

Gang,

We have recently been hacked by someone who thought it would be fun to click each and every "Report a Dead Link" link in our list of 1900 links. We received over 1500 deadlink reports before we could get it stopped. My solution was to eliminate the link in the link.shtml page in templates. I did this by commenting it out rather than a direct removal. I rebuilt all the pages and verified that all the "Report a Dead Link" references were removed.

Well, here we are a few weeks later and we're getting them again. So I completely removed the commented text from links.shtml and I removed the linkdead.cgi from the admin directory. Hopefully this will stop them permanently. We will no longer use this module.

However....

Has anyone heard of someone that might have created some sort of robot that could have done this? Is there a way to do this to someone's site automatically? I can't imagine why and I can't imagine anyone wanting to spend the time to report 1500 deadlinks considering they would have to click each one, wait for the confirmation page, hit their back button then continue. That would take way too much time.

Also, in case the hacker is here listening and learning...we have your IP addresses.


Richard Bilger
RBilger@MERGInet.com
MERGInet Medical Resources
http://www.merginet.com
Re: WARNING: linkdead.cgi hackers
In Reply To:
Has anyone heard of someone that might have created some sort of robot that could have done this?
There are hacker programs that can emulate user interactivity in terms of continually executing interactive scripts on someone else's web site. However, the tricky thing is going through different records from a database driven script, like "deadlink.cgi". But hacker programs today are much more "intelligent" than a few years ago...I wouldn't be surprised if there are hacker scripts out there.

Or, of course, there could be a completely bored individual who likes playing around with people's web sites.

Regards,

Eliot Lee
Re: WARNING: linkdead.cgi hackers
Thanks Eliot. I leave this as a warning to all who might be using the linkdead.cgi mod. I know it doesn't hurt the database because it doesn't really do anything except report a deadlink to the admin by email but it sure is irritating that someone would do that. So we will NOT be using this script.

I understand there is another version of this type of thing available (404 mod??) but cannot find it. I suppose someone can hack that too.

Thanks again.

Richard Bilger
RBilger@MERGInet.com
MERGInet Medical Resources
http://www.merginet.com
Re: WARNING: linkdead.cgi hackers
In Reply To:
I understand there is another version of this type of thing available (404 mod??) but cannot find it...
Search for glennu 404 using the SEARCH TIPS and SUGGESTIONS I provided in the Discussion Forum about a month ago and you will find links within Threads to the Mod.

In Reply To:
I suppose someone can hack that too.
Everything in the computer world can be hacked...nothing is 100% secure. Computer Science 101! Yet with the 404 Mod, it does not rely on end-users submitting a form to notify the admin about deadlinks. All it does is if someone comes across a problem link, a 404 message is printed and an email is automatically sent to the Administrator. It is less intensive in terms of mail server use and also gives accurate responses to the Administrator.

I added a similar Mod for LINKS SQL and it actually sends me the exact error message (like 302, 300, 400, 500, etc.). I also have a Cron driven mail script that sends out Link Owners messages on a weekly basis based on error messages in the built-in Status field used in LINKS SQL. So, basically, if there is a problem link based on 404, 300, 302, 403, or 500 errors, then a message is automatically sent to Link Owners asking them to update their link posting. If the link is not modified within a month after sending the message, then the link is automatically deleted from the table/database. This mod would not work well with Links 2.0, but the reason I mentioned it is that there are other code hacks that could be applied to address the end goal of more automatic notifications to the admin about problem links.


Regards,

Eliot Lee
Re: WARNING: linkdead.cgi hackers
Could you not just modify the code to only accept deadlink reports if the link is clicked from your site...i.e. set the referer to prevent unauthorized referers executing deadlink.cgi?


Paul Wilson.
(Don't blame me if I'm wrong!)
Re: WARNING: linkdead.cgi hackers
Paul, that might work but still wouldn't prevent the hacker with nothing better to do than sit there and click links all day. Besides, I wouldn't know how to modify the script. Thanks though.

Richard Bilger
RBilger@MERGInet.com
MERGInet Medical Resources
http://www.merginet.com
Re: WARNING: linkdead.cgi hackers
Eliot,

I searched and couldn't find it but that's OK. We are about to change servers where we will have MySQL set up. We are planning to upgrade to the SQL version of Links. Maybe we can use your version of the mod that you describe here or is that not available?

Thanks.


Richard Bilger
RBilger@MERGInet.com
MERGInet Medical Resources
http://www.merginet.com
Re: WARNING: linkdead.cgi hackers
Add the following code to the top of deadlink.cgi

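# Only accept the request if the Referer matches an entry in @db_referers.
if (@db_referers) {
    my $found = 0;
    foreach my $referer (@db_referers) {
        # Case-insensitive substring match against the client-supplied Referer header.
        if (defined $ENV{'HTTP_REFERER'} and $ENV{'HTTP_REFERER'} =~ /\Q$referer\E/i) {
            $found = 1;
            last;
        }
    }
    if (!$found) {
        &site_html_add_failure ("Please don't try to spam the directory with deadlink submissions.");
        return;   # assumes this code sits inside a subroutine
    }
}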


...then above that code add...

@db_referers = ('yoursite.com','www.yoursite.com','222.222.222.222','www.yoursite.com/cgi-bin/search.cgi');

...and whichever other referers you want to allow.

That should work.

Paul Wilson.
(Don't blame me if I'm wrong!)
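
An added example, not part of the thread or of Links 2.0: the referer check above accepts any Referer that contains an allowed name anywhere, so this sketch compares it with an exact match on the host part. The host names and Referer values are constructed placeholders and both function names are hypothetical. The Referer header is supplied by the client, so either check only filters requests that do not set it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholder hosts, mirroring the @db_referers list in the post above.
my @db_referers  = ('yoursite.com', 'www.yoursite.com', '222.222.222.222');
my %allowed_host = map { (lc($_) => 1) } @db_referers;

# Substring test in the style of the posted snippet: an entry may match anywhere.
sub referer_contains_entry {
    my ($referer) = @_;
    return 0 unless defined $referer;
    for my $entry (@db_referers) {
        return 1 if $referer =~ /\Q$entry\E/i;
    }
    return 0;
}

# Stricter test: pull the host out of the Referer URL and compare it exactly.
sub referer_host_allowed {
    my ($referer) = @_;
    return 0 unless defined $referer;
    my ($host) = $referer =~ m{\Ahttps?://([^/:?#\@\s]+)(?::\d+)?(?:[/?#]|\z)}i
        or return 0;
    return $allowed_host{ lc $host } ? 1 : 0;
}

# Constructed Referer values for the comparison.
my @samples = (
    'http://www.yoursite.com/Health/index.html',
    'http://www.yoursite.com:8080/cgi-bin/search.cgi?query=ems',
    'http://other.example/page.html?from=www.yoursite.com',
    'http://www.yoursite.com.other.example/',
    undef,
);

printf "%-9s %-6s %s\n", 'substring', 'exact', 'Referer';
for my $referer (@samples) {
    printf "%-9s %-6s %s\n",
        (referer_contains_entry($referer) ? 'accept' : 'reject'),
        (referer_host_allowed($referer)   ? 'accept' : 'reject'),
        defined $referer ? $referer : '(no Referer header)';
}
```

The third and fourth sample values pass the substring test and fail the exact host test.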
Re: WARNING: linkdead.cgi hackers
Thanks for this code, Paul

Re: WARNING: linkdead.cgi hackers
Did it work for you?

Paul Wilson.
new - http://www.wiredon.net
Re: WARNING: linkdead.cgi hackers
Works fine so far. I'm even going to stick it in search.cgi and others. Why not? In fact, I think I might apply it to most if not all my cgi scripts. I'll spend some time during the week trying it out.

Thanks, again!

DT

Re: WARNING: linkdead.cgi hackers
To make it even more secure you could set a cookie on the user's browser when they report the first dead link and then get the script to check for the cookie from then on...so if they try to submit again it will be rejected.

Paul Wilson.
new - http://www.wiredon.net
Re: WARNING: linkdead.cgi hackers
I wouldn't apply the codes in the search.cgi or scripts like extrate.cgi (external rate) since users will not be able to use your search engine in your site (which BTW is a wonderful "tool" for co-branding sites and also increasing visibility of your site).

Regards,

Eliot Lee
Re: WARNING: linkdead.cgi hackers
Yep, you're right, AnthroRules. I don't have external access stuff set up. I wasn't thinking of those applications. Thank you for pointing out that issue.

DT

Re: WARNING: linkdead.cgi hackers
Hello,

How can I create a cookie to stop cheaters?

Steph
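
An added example, not part of the thread or of Links 2.0, for the cookie suggestion earlier in the thread and the question above: a cookie only limits clients that send it back, so this sketch keeps the "already reported" record on the server, keyed on the client address. It swaps the cookie for a per-address counter in a DBM file; the limit, window, file name and the function name allow_report are assumptions, and the requests are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;                      # O_RDWR, O_CREAT
use SDBM_File;                  # core DBM module; state persists between CGI runs
use File::Temp qw(tempdir);

my $MAX_REPORTS = 3;     # assumed limit: reports accepted per address per window
my $WINDOW      = 3600;  # assumed window length in seconds

# Returns 1 and records the report if $ip is under the limit, else returns 0.
# $seen is a hash (here tied to a DBM file) mapping address -> "t1,t2,...".
sub allow_report {
    my ($seen, $ip, $now) = @_;
    my @recent = grep { $_ > $now - $WINDOW } split /,/, ($seen->{$ip} // '');
    return 0 if @recent >= $MAX_REPORTS;
    push @recent, $now;
    $seen->{$ip} = join ',', @recent;
    return 1;
}

# Demo state file in a temporary directory (a real script would use a fixed,
# non-web-readable path and lock it with flock around each update).
my $dir = tempdir(CLEANUP => 1);
tie my %seen, 'SDBM_File', "$dir/deadlink_seen", O_RDWR | O_CREAT, 0600
    or die "Cannot open state file: $!";

# Constructed requests: [address, seconds since start]. In deadlink.cgi the
# address would come from $ENV{'REMOTE_ADDR'} and the time from time().
my @requests = (
    ['192.0.2.10', 0], ['192.0.2.10', 2], ['192.0.2.10', 4],
    ['192.0.2.10', 6], ['198.51.100.7', 7], ['192.0.2.10', 3700],
);
for my $r (@requests) {
    my ($ip, $t) = @$r;
    printf "t=%-5d %-13s %s\n", $t, $ip,
        allow_report(\%seen, $ip, $t) ? 'report mailed' : 'rejected';
}
untie %seen;
```

With these constructed requests the fourth report from 192.0.2.10 is rejected, and the one at t=3700 is accepted again because the earlier entries have aged out of the window.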

Re: WARNING: linkdead.cgi hackers
I've written a dead link mod that actually checks if the URL is dead or not before it is reported. If it isn't dead then an error will be shown and the links won't be reported. This will stop abuse.

Download:
http://www.wiredon.net/gt/mods/Report1.2a.zip


Paul
Installations: http://wiredon.net/gt/
Support: http://wiredon.net/forum/

Re: WARNING: linkdead.cgi hackers
Ok,

Thank you, but if links are not dead but have moved or have changed, your MOD can run, right?

Re: WARNING: linkdead.cgi hackers
It won't report moved or changed sites - only dead links.

Paul
Installations: http://wiredon.net/gt/
Support: http://wiredon.net/forum/

Re: WARNING: linkdead.cgi hackers
Hello,

I can't use this mod...
When I load deadlink.cgi I get this:
"Tag unknow : Title"
Can you help me install this mod to protect against spam?

Thanks,

Laurent

Re: WARNING: linkdead.cgi hackers
What country are you from?

Re: WARNING: linkdead.cgi hackers
France

Re: WARNING: linkdead.cgi hackers
Could it have been a robot spider for a search engine?