Recently I was looking to obtain a couple specific DNS record ID’s for domains with DNS hosted in the RackSpace Cloud so I could use the information to interact with RackSpace Instances through RightScale. Various RightScale ServerTemplates such as the MySQL Cluster ServerTemplates require you to enter the exact DNS record ID as RightScale Inputs for the ServerTemplate. I am not sure why the record ID’s are not listed in a column in the RackSpace Cloud DNS management interface but regardless the below method of querying the RackSpace API make it fairly easy to obtain them regardless.
So earlier today I noticed a discrepancy in traffic to question-defense.com and because of a previous incident I knew exactly where to look. Sure enough a similar attack had been performed which we are coining Search Engine Click Jacking. In this case we are sure that a single files permissions were left open and the attackers were able to write PHP into the file which caused traffic being referred to our site from many of the major search engines to be redirected to tenderloin.osa.pl. Our site is built using WordPress however any site built in PHP with incorrect permissions on any files are vulnerable to this type of attack. Below is more information about the attack, how to search for the attack, and a simple bash script that will remove the infected code from PHP files on your web site.
When testing websites it may be beneficial to spoof the referer URL. I have used these methods in the past to locate bugs in code or files that have been infected with forms of search engine click jacking. The two easiest methods that I have found are using the Google Chrome extension called Spoofy or just using curl from the Linux CLI. Typically using curl is the easiest but if you are not familiar with curl then Spoofy also provides similar results. Below I describe both methods in detail.
Every now and then you will probably install an application that has a certain amount of prerequisites that you should verify on your server before beginning installation. Today I needed to verify that PHP was compiled with curl and/or libcurl support to install an application on a CentOS Linux server. I also needed to verify that PHP safe_mode was set to off and PHP register_globals was also set to off. The easiest way to verify PHP settings is to create a temporary PHP file that calls the phpinfo function and displays the results on a web page. Use the information below to verify that PHP is compiled with curl support on CentOS Linux or any other Linux server.