Has the web dev messed up?

souljazk

A client's web dev company (not me) recently did a site for them; when clicking a specific button, porn / crap pops up (Edge), and this then also happens on Chrome etc. If you first left-click the button on Chrome / FF using another machine on the same network, all is fine and then Edge is also fine.

If you use Edge and the porn / crap pops up, then go back to the button (still using Edge) and right click it -> "Open in new tab" , the resulting tab is as it should be.

Any ideas? Dev thinks the client's network has an issue but this happens on my end too / gets blocked by Eset if not right-clicking. I suspect the dev has not secured something and a link / page has become infected by some bot. Seems as if something gets cached (my n00b assumption).

PM me if you want the URL. I saw some logs in the FTP:

"
[client {removed}] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "MJ12bot" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_hetzner.conf"] [line "2"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Rejected/Blocked."] [severity "CRITICAL"] [hostname "{removed}"] [uri "/robots.txt"] [unique_id "{removed}"]

"
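The log line above is the only hard evidence in the post, and on its own it says nothing about injected code: it is the web application firewall rejecting the Majestic crawler (MJ12bot) by User-Agent when it asked for /robots.txt. The parser below is an added example, not code from the thread or from ModSecurity; it pulls the bracketed fields out of entries in that format and separates the "BAD BOT" noise from the hits that would actually be worth reviewing on a suspected-tampered site. The first sample line is the one quoted above (with its {removed} placeholders); the other two lines, the client addresses, hostname and rule id 999999 are constructed placeholders.

```python
"""Parse ModSecurity error-log entries of the form quoted in the post above
and group the blocked requests by rule, so the "BAD BOT" noise can be told
apart from hits that might explain a tampered site.

Added example, not part of the thread.  The first log line is the one from
the post (with its {removed} placeholders); the other two are constructed.
Rule id 999999 and hostname example.invalid are made-up placeholders."""
import re
from collections import Counter

SAMPLE_LOG = """\
[client {removed}] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "MJ12bot" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_hetzner.conf"] [line "2"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Rejected/Blocked."] [severity "CRITICAL"] [hostname "{removed}"] [uri "/robots.txt"] [unique_id "{removed}"]
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "MJ12bot" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_hetzner.conf"] [line "2"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Rejected/Blocked."] [severity "CRITICAL"] [hostname "example.invalid"] [uri "/"] [unique_id "constructed-2"]
[client 203.0.113.9] ModSecurity: Warning. Pattern match "constructed" at ARGS:q. [file "/etc/modsecurity/constructed.conf"] [line "7"] [id "999999"] [rev "1"] [msg "Constructed non-bot hit (placeholder rule)"] [severity "CRITICAL"] [hostname "example.invalid"] [uri "/?q=test"] [unique_id "constructed-3"]
"""

# Bracketed key/value fields such as [id "350001"] or [uri "/robots.txt"].
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Leading "[client X] ModSecurity: <action text>" up to the first bracketed field.
HEAD_RE = re.compile(r'^\[client ([^\]]+)\] ModSecurity: (.*?)(?= \[\w+ ")')


def parse_entry(line):
    """Return a dict for one log line, or None if it is not a ModSecurity entry."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    entry = {"client": m.group(1), "action": m.group(2)}
    entry.update(KV_RE.findall(line))   # file, line, id, rev, msg, severity, hostname, uri, unique_id
    code = re.search(r"code (\d+)", entry["action"])
    entry["status"] = int(code.group(1)) if code else None   # None for "Warning." entries
    return entry


def parse_log(text):
    """Parse every line of a log fragment, skipping lines that do not match."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def is_bot_block(entry):
    """The rule quoted in the thread: a crawler rejected on its User-Agent."""
    return entry.get("msg", "").startswith("BAD BOT")


def summarise(entries):
    """Count hits per (rule id, message) and per requested URI."""
    by_rule = Counter((e["id"], e["msg"]) for e in entries)
    by_uri = Counter(e["uri"] for e in entries)
    return by_rule, by_uri


def worth_a_look(entries):
    """Entries that are not crawler blocks: these, not the MJ12bot lines,
    are where evidence of tampering or probing would show up in a WAF log."""
    return [e for e in entries if not is_bot_block(e)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    by_rule, by_uri = summarise(entries)
    for (rule_id, msg), n in by_rule.most_common():
        print(f"{n:3d}  id={rule_id}  {msg}")
    for e in worth_a_look(entries):
        print("review:", e["client"], e["uri"], e["id"], e["msg"])
```

Run it against the real modsec error log (or the audit log, which carries the request body too) rather than this fragment; if every line groups under the bot rule, the WAF log is not where the answer is, and the next place to look is the site's PHP files and database content, not the firewall.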
 
Where does "/robots.txt" exist? Look there first?


You probably have a lot of cleaning ahead of you, friend. No idea where something was injected. Any idea how they got into the machine? A URL that executes some PHP left open to the public?
 
Hetzner? Didn't they get hacked a few times last year? We had to change passwords a few times; if one didn't do that then well....
 
I'm not sure, it's a Dev company in SA. I'll ask them. Client is running an AV scan right now but nothing that popped up after clicking the link was clicked, they know better. When I googled "Mj12bot" I found this article -
Which said "
Blocking the Majestic bot would stop Majestic from crawling and indexing links pointing from your website to other websites.

I'm not sure what they wanted to achieve with this. Maybe they used your website to link to other (hacked) domains and didn't want their webmasters to find out.
"

Don't know how much truth there is to this. The Dev has done other work for my client but this has been a bit of a mess up, even before this (around communication).

Am I correct in assuming that before pushing live (there is a CRM involved) one would usually set up test.domain.com and make sure the client has access to test and make sure all links / pages / CRM are working 100% over, say, the span of a few weeks, before actually pushing live?
 
Hetzner? Didn't they get hacked a few times last year? We had to change passwords a few times; if one didn't do that then well....
The devs get unique access (non admin level) each time they need access. I then purge the details and stop access as soon as they're done.
 
\snip

Am I correct in assuming that before pushing live (there is a CRM involved) one would usually set up test.domain.com and make sure the client has access to test and make sure all links / pages / CRM are working 100% over, say, the span of a few weeks, before actually pushing live?

Definitely.
 
The devs get unique access (non admin level) each time they need access. I then purge the details and stop access as soon as they're done.

Ah ok. Then that part probably isn't worrisome. I'll leave now as the rest of the convo soars far above my head, regrettably.
 
I generate unique complex passwords. I've begged Hetzner for 2FA but they say "If we get enough requests"...eish.
Our passwords rely on length, rather than complexity. IamTiredofCreatingNewPasswordstodayisnotalekkerday083cellphonesomething
 
Thanx again @PandaAttack1 , I deeply appreciate you taking some time to look at this. In my VERY limited knowledge, it seems the dev failed to mention they ONLY design & have pretty much f all security in place, bar what comes out the box...

2 independent companies have been brought in to do a short review & quickly found the rogue code, which I happened to stumble upon 2 days back using a free tool, but agreed with the client that we withhold this code and see if the "developers" could find it... Client is giving these guys til Monday to sort their shit out before legal action is taken. All this for > R50k ... and 2 other sites were in the pipeline... I've basically Googled "basic WP security" ; "secure htaccess" ; "secure wp-config" ; etc etc etc and been sending the developers links...

Told the developer in writing that if it was me I'd be demanding ALL my money back, old site restored & sue for loss of some income etc etc if I was the client.

At one point they blamed old code, when the site is meant to be brand new, from scratch & only have some legal documents imported.
 
I'm really glad you got it sorted bud. Only so much I can do without looking at the actual config, installation and code.

Scary how incompetent some of these devs/companies are. You would expect that when you buy a website you get at least some form of security with it... I don't think that is an unreasonable expectation at all.

I do hope that it gets sorted before Monday, would make things a lot simpler. Just do what you are paid to do ffs.
 
Thanx! The scariest thing is I know NOOOOOOOOOOOOTHING about coding / website sec etc but with BASIC googling I could find stuff, see that they had not implemented it and then suggested it... Their reply - "We only do what the client asks" ... Well brightspark, how is the client going to know to ask to secure their site from XSS / SQL inj / whatever else. It's beyond pathetic... I did some scans against websites I think they've done and another came back with different malware & the other 2 have XSS and some other vulnerabilities in the theme..

One of the many cherries on the top - When I asked about what security plugin was installed, they said "Plugins make the site slow"... I told them security.>.speed.every.day... It's like they watched 1 vid on Youtube, and designed "I'm a developer"...

It's like buying an AMG and after a test drive etc the guy says "The car is in excellent condition but the immobilizer doesn't work, but it's all good, no one will know."
 
Aaah gotta love the copy and paste Wordpress "developers" which anyone with a bit of free time and Google can do.

If you can't actually code it by hand then you aren't a fucking developer.

And I say this full well knowing I'm not a developer....because I can't code most things by hand from memory, but then I'm not pretending that's my job title like these clowns.

There honestly is nothing wrong with Wordpress, but then go to the source and have your site hosted with them directly and make that compromise.
 
I generate unique complex passwords. I've begged Hetzner for 2FA but they say "If we get enough requests"...eish.
Eish, that doesn't sound good, especially since they were hacked a few times last year.
 
@SauRoN Same boat, I can copy & paste from (PC) memory.. One of the emails from them said "Please don't assume we use inspect element or other such tools" ... WTF...

Some gems from their emails:

"
  • Tests were done, as we have been doing with all our clients for the past 11 years and the developer on this project has done since 2003.
  • An SSL Certificate is installed by the host, that should prohibit outside factors from infiltrating files/coding on your website.
  • Furthermore, an FTP password is of course also implemented, in order to protect the htaccess file.
  • Have you performed an anti-malware/adware scan on your systems, as well as clearing your cache and re-installing Edge, to see whether your PCs might be infiltrated?
"
@Oj0 you & me both...

@nagapie exactly my thinking...
 
It's these okes that NEVER want to do peer programming... Always some excuse.

2minute
As a dev myself, I don't see why you would not use inspect element??

I mostly do back end stuff, but whenever I do some css or such my browser lives with that inspect element clicked... 🤷‍♀️
 
Exactly... As a non-dev, I used it & some tools to find their rogue code... As @SauRoN said, if you don't go in with the ability to ACTUALLY code, not copy/paste, then you're not a dev & shouldn't be offering such services... R65k... and the client was going to do 2 other sites with them for 2 of their other ~10x businesses..... When they're done come Monday, my client is going to have the other 2 companies do a code review etc & if it's not 95% up to scratch, then shit's going to get real.... Already told the client they need to take my cost + cost of 2x external entities & subtract it from the remaining $, at the very least. If it was me, I'd have demanded my money + bank fees + customer cost and and and, back by now.

It's unacceptable that a n00b like me can spend ~15hrs googling and then "checking" their work and seeing SERIOUS security flaws.. On the bright side this made me pull finger & get some better security implemented on my side :p
 
And so the security cycle continues... :p

Even I went through all our servers and made sure everything is in place. PS: Implement port knocking on your Hetzner server, or ask them to set it up for you. Then set up some obscure ports to knock before you can ssh.
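For readers who have not met port knocking before, the mechanism the post is suggesting is small enough to model in a few lines. The following is an added example, not the poster's setup and not Hetzner's: SSH stays firewalled for everyone, and a source address is only let through after it has sent SYNs to a secret list of closed ports, in order, within a short window. The sequence 7000,8000,9000 and the 5-second window are assumed values, the addresses and the PACKETS list are constructed stand-ins for firewall events, and the iptables command string is the typical form, not a rule taken from any real host. knockd is the usual daemon that does this on a real server.

```python
"""Toy model of the port knocking suggested in the post above: SSH stays
firewalled until a source host sends SYNs to a secret list of closed ports
in the right order within a short window.  Added example, not the poster's
or Hetzner's setup; the sequence 7000,8000,9000 and the 5-second window are
assumed values, and PACKETS is a constructed list of (src, dport, time)
tuples standing in for firewall log events.  knockd is the usual daemon for
this; it watches for exactly this pattern and runs a firewall command."""

SEQUENCE = (7000, 8000, 9000)   # assumed secret knock; pick a non-ascending one in practice
WINDOW = 5.0                     # assumed: seconds allowed for the whole sequence
SSH_PORT = 22


class KnockTracker:
    """Track each source address's progress through the knock sequence."""

    def __init__(self, sequence=SEQUENCE, window=WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self._progress = {}      # src -> (index of next expected port, time of first knock)
        self.opened = set()      # sources currently allowed to reach SSH

    def observe(self, src, dport, ts):
        """Feed one SYN.  Returns True only when this knock completes the
        sequence for `src`, which is the moment a firewall rule would be added."""
        idx, started = self._progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx = 0                          # too slow: the attempt expires
        if dport != self.sequence[idx]:
            idx = 0                          # wrong port: start over ...
            if dport != self.sequence[0]:    # ... unless this knock is itself a valid first port
                self._progress.pop(src, None)
                return False
        if idx == 0:
            started = ts                     # a fresh attempt begins now
        idx += 1
        if idx == len(self.sequence):
            self.opened.add(src)
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, started)
        return False

    def allows_ssh(self, src):
        return src in self.opened

    def open_command(self, src):
        """The kind of iptables rule knockd runs on success (assumed form, not a real host's rule)."""
        return f"iptables -I INPUT -s {src} -p tcp --dport {SSH_PORT} -j ACCEPT"


# Constructed events: the first host knocks correctly; the second sends a
# wrong port in the middle, which resets its attempt, so it never gets through.
PACKETS = [
    ("198.51.100.4", 7000, 0.0), ("198.51.100.4", 8000, 0.4), ("198.51.100.4", 9000, 0.9),
    ("203.0.113.5", 7000, 1.0), ("203.0.113.5", 7001, 1.1),
    ("203.0.113.5", 8000, 1.2), ("203.0.113.5", 9000, 1.3),
]


def run(packets, tracker=None):
    """Replay events through a tracker and return it."""
    tracker = tracker or KnockTracker()
    for src, dport, ts in packets:
        if tracker.observe(src, dport, ts):
            print("open SSH for", src, "->", tracker.open_command(src))
    return tracker


if __name__ == "__main__":
    t = run(PACKETS)
    print("allowed:", sorted(t.opened))
```

Two things the model makes visible: an ascending sequence like 7000,8000,9000 can be satisfied by accident by a scanner sweeping ports upward, so knockd's `sequence` should not be monotonic, and the `seq_timeout` window should be short. Port knocking hides the SSH port from casual scans; it does not replace key-only authentication and fail2ban on the SSH service behind it.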
 
Thanx! Reminds me of a joke.. Why do men slap their {....} against a woman before sex.... It's rude to enter without knocking.
 
Jirre that statement about the SSL certificate in and of itself shows their complete lack of understanding what security really is and would have had me running for the hills.

These okes would lose themselves just trying to understand my home setup, never mind even trying to get into it.


 
Sounds like the developer found a SuperSecurityScan2000 tool back in 2003 and has been running it since, and no one else in the company has a clue about making it any better...

 
There honestly is nothing wrong with Wordpress

Nope there isn't. But in its basic form it's just a blog tool and it's vulnerable.

Wordpress takes a lot of configuring and optimization if you want to use it to deliver a truly professional website. There’s a reason all these R999 Wordpress website agencies’ work looks like ass, performs terribly and gets hacked so often. They put no effort into the sites.

Most times I find it faster and less of a hassle just developing a site from scratch than using Wordpress.

In the cases that I do use Wordpress (which is mostly on a client request basis) I remove quite a bit of the Wordpress code and I tweak some of its base code too.

For that kind of money I would at least have expected them to use iThemes Security which is a very good security plugin for Wordpress.
 
Yeah it generally works best for content sites where the customer is going to constantly have non-dev people updating it.


 
