page_not_found now instead of seeing nefarious urls hackers are trying to manipulate

[shrimp-gumbo-mmmhhh]

157c

It looks like we are seeing page_not_found now on who's online when a hacker tries to exploit our system? I guess this is good because the search engines are going here too.... but there is some value in knowing what the hackers are looking at....

[DrByte]

Moderator note: Relocated this post by moving it out of the Bug Reports area.

[DrByte]

I don't recall anything changing in this regard in any of the v1.5.x releases.


When your site jumps to main_page=page_not_found it is a result of the combination of two factors:

a. your configuration setting for Admin->Configuration->My Store->Missing Page Check

b. any .htaccess rules you've configured to redirect invalid incoming requests (for files that don't exist on your site and for which no rewrite/redirect rule has been established), such as via the example redirect rule found in the /extras/htaccess_for_page_not_found_redirects.htaccess file


Your webserver's apache access_log and error_log can give you insights into the actual URLs it receives requests for, including the ones it actively rejects.

It is indeed best that the webserver reject the attempt before it ever hits PHP, since that both blocks any bad side-effects and also stops your store from having to waste CPU cycles processing fake requests and running database queries thus slowing down shopping for legitimate users. Of course the side-effect of this is that PHP will never know about those hits and therefore is entirely unable to display any such activity to your PHP application in real-time. That's why the logs exist. It's also why 3rd party services for log-analysis exist.

[shrimp-gumbo-mmmhhh]

When your site jumps to main_page=page_not_found it is a result of the combination of two factors:

a. your configuration setting for Admin->Configuration->Missing Page Check

b. any .htaccess rules you've configured to redirect invalid incoming requests (for files that don't exist on your site and for which no rewrite/redirect rule has been established), such as via the example redirect rule found in the /extras/htaccess_for_page_not_found_redirects.htaccess file


Your webserver's apache access_log and error_log can give you insights into the actual URLs it receives requests for, including the ones it actively rejects.

It is indeed best that the webserver reject the attempt before it ever hits PHP, since that both blocks any bad side-effects and also stops your store from having to waste CPU cycles processing fake requests and running database queries thus slowing down shopping for legitimate users. Of course the side-effect of this is that PHP will never know about those hits and therefore is entirely unable to display any such activity to your PHP application in real-time. That's why the logs exist. It's also why 3rd party services for log-analysis exist.

Thank you!

Is this a mod? a. your configuration setting for Admin->Configuration->Missing Page Check I don't see it.

[Design75]

Thank you!

Is this a mod? a. your configuration setting for Admin->Configuration->Missing Page Check I don't see it.

No it is not a mod. You can find it in Admin->Configuration->My Store->Missing Page Check (at around 3/4 of the page).

[mc12345678]

Also can start using the developer's tool kit to search for some things such as the configuration settings (second row down in the tool kit) using the word "missing", the portion that was missing in the description of where to go was "My Store" (as identified by Design75) so that the path should have been: admin -> configuration -> My Store -> Missing Page Check