10 days of perpetual issues with hackers. 10 DAYS. 100+ sites bombed randomly, anywhere between every 5 minutes and every 5 hours, and that’s only after proper detection; who knows how far it had gone before. But some positives developed from the relentless irritation. If you are in the (precarious) position of hosting LOTS of websites on a shared hosting account, or you run a shared hosting service, then read on: the value of maintaining limit-pushing numbers of sites on a single account really should be reconsidered. If the loss of earnings during all the hacker downtime doesn’t wipe out the savings, the cost of repair, security-hole identification and eradication probably will, not to mention the loss of face with the search engines.
The following is a half vent, half information dump spawned from the irritation of being hacked, again. I have written a piece of monitoring/reconciliation software (Windows based, works with your FTP account) to deal with detection and fixing. If you’re in the same boat and all you want is the alpha release, skip to the bottom and drop me a comment.
Website hacker entrance vectors (have any security holes?)
Common CMS, e-commerce systems and forums (out of date or zero-day, they all have or have had vulnerabilities) – WordPress, Drupal, osCommerce, Gallery, phpBB, vBulletin etc. etc. Particularly relevant here are the open source systems, but they are all susceptible. How many of these do you have installed, and where? For me these could have been answered with “a lot” and “some places”; clarity has now been restored, but more on that later.
CMS plugins (^^) – Often overlooked (especially by me), installed plugins can in themselves be entry vectors. CMSs often push their communities to develop additional functionality for their system, which is a good thing; however, if the system itself doesn’t deal particularly well with the security of folder structures, or with how plugins are accessed, they can offer ways in. Be careful with plugins which deal with file management and code execution (e.g. file attachers/uploaders etc.). Try to use late-version, highly rated plugins from reputable sources. With things like WordPress, plugins are low risk though, as it has an excellent security model.
Bespoke server-side code and CMSs – In my experience this is often LESS likely to get hacked. Firstly, “hackers” in this case are more likely to be script kiddies sitting in web cafes in some of the poorer nations; they tend to use known exploits on common systems rather than trawl the web searching for one-off programmer mistakes. If you are behind the bespoke stuff, leave as few footprints as possible and triple-check everything. For bespoke stuff the most likely point of entry is simple SQL injection: use SQL parameters.
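To show what “use SQL parameters” actually changes, here is an added example (not code from the original post) that puts the string-concatenation mistake beside the parameterised version, using Python’s built-in sqlite3 and a constructed in-memory users table. The same pattern applies to any driver that supports placeholders; the table and data are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("o'brien", "editor")],
    )
    return conn


def find_user_unsafe(conn, username):
    """The bespoke-code mistake: the caller's input is pasted into the SQL text.

    Anything the user types becomes part of the statement, so a quote character
    either breaks the query (legitimate names like o'brien) or rewrites it.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text.

    The driver never parses the input as SQL, so quotes and keywords in it are
    just characters to compare against the column.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "alice"))    # [('alice', 'admin')]
    print(find_user_safe(db, "o'brien"))  # [("o'brien", 'editor')]
    try:
        find_user_unsafe(db, "o'brien")   # breaks the query on a real name
    except sqlite3.OperationalError as exc:
        print("unsafe query failed on a legitimate apostrophe:", exc)
```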
FTP/WebDAV – This really comes down to passwords, as covered next.
Passwords – Acquired by trojans or traffic sniffers; it becomes irrelevant what security you have in place across the whole setup if you don’t look after them properly. Avoid connecting to anything unencrypted (or at all, if possible) on any network you don’t 100% trust, WiFi and wired; even if it’s a friend’s, they could have a network-sniffing trojan on an idle machine. Install good anti-virus and protection software. Use Avast (free for private use) and Spybot Search & Destroy (these two are plenty). Be careful with providing access to other users, whether it’s FTP, CMS, SSH, whatever – you may trust them, but do you trust their computers?