
Possible Security Compromise?


Hello.

In my backend, I noticed there were heaps of search queries in my activity log:

Search: query for 'world vision' 65.208.151.115 1 day ago
Search: query for 'sponsor' 65.208.151.117 1 day ago
Search: query for 'pet TV' 65.208.151.112 1 day ago

I noticed this a while back and disabled the search box.

How did the searches appear in the backend when I have no search box on the website?

Is this something that I should worry about?

Please help.

Thanks

Reported on Movable Type 4.2

5 Replies

  • Hi,

    You should not worry about that!

    Have you checked who is behind those IP addresses?

    Well, go here and check:

    http://whois.domaintools.com/65.208.151.115

    There is no security issue at all!

    You can end up having people do searches on your Web site from orphan pages that still contain the old search box, etc.

    Cheers,
    Mihai

  • Hello Mihai,

    Thank you for your reply.

    There are a lot of them, possibly hundreds every day, that have the same IP address right down to the C block, i.e. 65.208.151.11x

    Can it be a hacker trying to probe for vulnerabilities? What is this person doing?

    And how do I completely turn off the search button (our blog is still new, search would probably be worth turning off completely)? How do I find these orphan pages?

    Thanks

    • Usually it is just a search engine or some robot indexing your site. If you want to know who they are, look them up.

      And how do I completely turn off the search button (our blog is still new, search would probably be worth turning off completely)? How do I find these orphan pages?

      There is a search widget in your widget listing. Just remove it and rebuild. Then log into your server and either rename mt-search.cgi or just run "chmod -x mt-search.cgi" to mark the file as non-executable on your host. That way, they can ping it all day long and it won't run.

  • Hiding the search box isn't enough to stop searching since the URL of the MT search script can be easily guessed. I suggest doing one of the following if it worries you:

    * Turn off execution permission to the search script: mt-search.cgi
    * Rename the script: mt-search.cgi.bak
    * Delete it entirely.

    This will truly shut down search if you are not using it.


  • Thanks for all the answers.

    If I remove all of the search, I am assuming it will not affect any of the search engines coming in for indexing.

    Secondly, why is this happening in the first place? Does someone have too much time and is probing for holes?
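
The two checks discussed in this thread, as an added example that is not part of any post above: it groups activity-log search entries by /24 block (the "C block" pattern from the question) and reports whether mt-search.cgi can still be executed. The fourth log line, the function names, and the path passed as `$1` are assumptions; the first three log lines are the ones quoted in the question.

```shell
#!/bin/sh
# Added example; not code from the thread or from Movable Type.

# Sample activity-log lines. The last one is constructed for contrast
# (192.0.2.0/24 is a documentation-only range).
sample_log() {
cat <<'EOF'
Search: query for 'world vision' 65.208.151.115 1 day ago
Search: query for 'sponsor' 65.208.151.117 1 day ago
Search: query for 'pet TV' 65.208.151.112 1 day ago
Search: query for 'movable type' 192.0.2.44 2 days ago
EOF
}

# Read log lines on stdin, print "<count> <a.b.c.0/24>" with the busiest
# block first. The query text may contain spaces, so the client address
# is taken as the last field that looks like a dotted quad.
count_by_block() {
    awk '/^Search: query for/ {
        ip = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i
        if (ip == "") next
        split(ip, o, ".")
        n[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END { for (b in n) print n[b], b }' | sort -k1,1nr -k2
}

# Report whether the search script given as $1 can still run:
# "absent" (deleted or renamed), "disabled" (chmod -x applied),
# or "executable" (still reachable as a CGI).
search_cgi_state() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -x "$1" ]; then echo executable
    else echo disabled
    fi
}

sample_log | count_by_block
# Optional: pass the site-specific path to mt-search.cgi as $1.
if [ -n "${1:-}" ]; then
    echo "mt-search.cgi: $(search_cgi_state "$1")"
fi
```
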
