Whoops, I see what happened now. It was a reply to the OP's question. The URL shared by the offending member is CLEARLY malicious. In addition this member has zero posts so it was a VERY easy decision to ban and delete his account and report him to stopforumspam.com without any hesitation.
I'd like to share what to learn from this.
So the link contained within the post OOPs deleted was formed in the following fashion:
http://--site_name--/--specific_site_file--/--additional_characters--
Whenever you see an actual file NOT at the end of a standard address, this is a malformed address (does not comply with internet standards) and is more than likely a malicious address. There might be some ASP.NET exception, I'd need to look into it, but it is safe to say that you should question the origin of such a link. A real directory could be named "file.php" but seriously.... no one does this and it should throw a red flag for you to at least consider if the domain is a trusted domain or not.
The virus link posted was something like, "sitename.com/file.php/gotcha".
How to know when it is fake
If you compare this with the address of this thread, board.marlincrawler.com/index.php?topic=75967, you can see both have an actual file with extension .php. PHP is a programming language which stands for Hypertext Preprocessor (recursive backronym) meaning it processes and prepares information for hypertext use (basic browser language), and is one of the most common server side programming languages which happens to also be my strongest language. Both this forum and our store websites are built on PHP.
What's important is the QUERY MARKER which in URL standards is the Question Mark "?".
What is a Query Marker
What this means is that the browser is told to access "http://board.marlincrawler.com/index.php", which is an actual, physical file named "index.php" and located in the root public directory of our server. Then, because there is a query attached to this address, the browser passes the query which is to say instruction or set of instructions "topic=75967" to the file. This file, "index.php", is programmed in a way to listen for and handle the instruction(s) whereby the topic identification number "75967" is checked for and discovered in our database, and all associated information (OP, date, body, is it a poll, is it locked, what board does it belong to, how many replies, ....) is processed behind the scenes by the server which prepares the final HTML code which is returned to and parsed by your browser culminating in what you see on your screen after the page loads.
How the malicious address works
What is happening with a malicious address, such as "somesite.com/file.php/gotcha", is that the file "file.php" is accessed but because there is no query marker -- no ? mark -- whatever is after the file extension (in this case .php) is ignored by the browser!! For instance try to load "http://board.marlincrawler.com/index.php/bigmike-is/one-cool-d00d/hello/world.hairyballsack/". This should simply load our Forum Index page as if you had simply gone to "http://board.marlincrawler.com/index.php".
THEREFORE, I could create a carefully created address, such as mysite.com/i.php/cool-pictures-of-my-3RZ.html, and you'd be like "Wow cool a hyper text markup language file (HTML) containing cool pictures of a 3RZ!" and click it.............BUT..............you'd actually be loading the file "i.php" NOT the file "cool-pictures-of-my-3RZ.html"! Did you see that? And Lord only knows what file i.php is programmed to do.
Of course browsers have plenty of safety and security features so ultimately the end user must be deceived in a manner to click on or launch some JavaScript (take advantage of weak browsers) or Flash (in hopes you're using an old, vulnerable version) or download a file and actually launch the file, et cetera. Once the user sends a command, the browser is no more the wiser and will proceed with the request. Green light means go for viruses too.
Sorry, I think I went a bit overboard. Just felt it necessary to explain to help keep the community safe.
Regards,
BigMike
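
The check described in the post above, as an added example that is not part of BigMike's post: a small link checker a moderator could run over URLs in new posts, reporting which file is actually requested and flagging links where a script file is followed by more path instead of a query. The extension list and the function names are assumptions made for this sketch.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption: extensions treated as server-side script files for this check.
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}


def inspect_url(url):
    """Split a URL into (script, trailing, query).

    script:   path up to and including the first script-like segment, or None
    trailing: path text after that segment (web servers commonly expose it
              to the script as PATH_INFO)
    query:    text after the "?" query marker
    """
    if "://" not in url:
        url = "http://" + url  # links in posts are often written without a scheme
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if posixpath.splitext(seg)[1].lower() in SCRIPT_EXTS:
            script = "/".join(segments[: i + 1])
            trailing = "/".join(segments[i + 1:])
            return script, trailing, parts.query
    return None, "", parts.query


def is_suspicious(url):
    """True when a script file is followed by more path instead of a query."""
    script, trailing, _ = inspect_url(url)
    return script is not None and trailing != ""


# Sample links: the shapes quoted in the post above.
SAMPLES = [
    "board.marlincrawler.com/index.php?topic=75967",
    "somesite.com/file.php/gotcha",
    "mysite.com/i.php/cool-pictures-of-my-3RZ.html",
]

if __name__ == "__main__":
    for link in SAMPLES:
        script, trailing, query = inspect_url(link)
        verdict = "REVIEW" if is_suspicious(link) else "ok"
        print(f"{verdict:6} file={script} trailing={trailing!r} query={query!r} <- {link}")
```

A flagged link is a prompt to look at the domain and the poster before anyone clicks, not proof of malice on its own.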