This post initially began as a post about securing WordPress, but since it got so big I broke it into this one about website security and hacking prevention in general; I’ll put the WordPress-specific information in a separate post (coming soon). This post is just a quick overview of basic website security concepts and practices. I realize this is incomplete, there are books, blogs and entire businesses focused on this issue, but I’m hoping it might help some folks. Here goes:
Background
I’ve been running a small web hosting and design business with some other geeky friends for over 15 years. Since day one we’ve been working on keeping the servers secure and it’s an ongoing challenge. Also, in my day job I am a Unix System Administrator at a research lab, and thus I deal with network security as well as problems users encounter on the internet. Basically a big part of my job is thinking about and implementing access control, security, disaster recovery and troubleshooting… so I’m a paranoid kinda guy when it comes to the internet since I’m kind of on the front lines for various nasty internet stuff.
“Why keep your website software up to date? If it ain’t broke don’t fix it, right?”
I have been using WordPress for websites for about 5 years now and I love it and swear by it as one of the best free tools for small websites available. However, I’ve also seen more than my share of hacked installs. Almost always these are from people who have an old install of some website software they’ve left sitting around. After all, “it runs fine, if it ain’t broke don’t fix it, right?” Wrong. I’ve seen this with phpBB, SMF, MediaWiki, AWStats and other common website applications too. So I cannot stress enough how important it is to keep all your website software up to date and also have OFF SITE backups. My friend Dan, who is a professional IT security expert, suggested this analogy for this topic: “Do you wait to change your oil until your engine seizes up?”
If you don’t care about that old website anymore, TAKE IT DOWN. Even if you don’t care what happens to it, a single hacked site can cause huge problems on a shared server, not to mention be used to send tens of thousands of spam messages, viruses etc. You know the old saying ‘Idle hands are the devil’s playground’… well, an unmaintained website is a hacker’s/spammer’s paradise.
“Why would hackers attack little ‘ol me? Why do bad things happen to good websites?”
Also, and I’ve heard this dozens of times from folks who think I’m too paranoid: it doesn’t matter if your blog or site is so innocent, small, innocuous or obscure that you think no hacker in the world would ever attack you. They will find you and attack your site. Why? Well, hell if I know; I can’t understand the motive for wanting to damage someone’s site randomly, but really what it boils down to is BECAUSE THEY CAN. They have programs that crawl the net looking for vulnerable sites 24/7/365. This doesn’t cost them anything or take any time; they just let it rip, probably on someone else’s hacked machine, and it sends them nice reports of all the juicy sites it’s found, and then they run other scripts to hack into and infect those sites.
Once again my security expert friend Dan had a great comment on this issue:
The answer to “Why would hackers attack little ol’ me?” is “Because you run your shit on a computer, and they want to use that computer to run their shit.” Part of the problem is that people think of their content as their only asset, and don’t realize that the system itself is an attractive asset. You’d (well, maybe not you) be surprised by how many of these attacks originate on PCs in kindergarten classrooms across the world because someone figured “Why bother maintaining a PC in a kindergarten? Who could possibly want anything on it?”
“Who are these people?”
I heard the saying once that sites are usually hacked by ‘Script Kiddies’. Imagine some 13 year old who really knows very little about computers, but they have a nice program and instruction book telling them what to do, so they follow the recipe and boom, they are in. They didn’t write this software; some very smart and very ethically challenged person wrote it and did a great job at it, and then sent it out into the public where eager teens, apparently often in Brazil and China, happily use it and make your life hell.
“Well my server doesn’t get attacked”
So suffice it to say, be afraid: your website and your web host’s server(s) are under attack EVERY DAY. No really. Ask them. Most web hosts use a variety of techniques to monitor and prevent this, including firewalls, brute force detection, and just plain old watching logs and traffic. No one is perfect and no one is completely secure.
“Assess Your Risks”
Mind you, I’m guilty of not updating and securing things as diligently as I should for some of my own sites, but usually these are ones that I wouldn’t be heartbroken about losing, so as my friend Dan talks about in ‘The Defense Rests’, his excellent (but sadly not-recently-updated) blog about security, I’ve assessed the value of my data vs. the potential risks and made decisions based on that. Really though, there’s no excuse for not locking things down; I do ‘know better’ after all.
The overall message here is that you should be paranoid about anything you have hosted out on the internet.
“Well I don’t use web applications so I’m safe, right?”
Even if you just have a plain old HTML site, don’t be cocky. Here’s a list of questions for you to consider:
- Passwords
  - How complex is your account password? Gone are the days where there was an 8 character limit for passwords; see this recent article about “Super Passwords” on CNN. Oh, and when was the last time you changed it? Do other family members/co-workers know it? Passwords should be like toothbrushes: only used by you and changed often.
  - Do you use that same password on other websites (Facebook, eBay, PayPal)? Is your e-mail password the same as your account/FTP password? If it is, it shouldn’t be. Ask your webhost about how to have your e-mail come into a separate account if possible.
- Wireless / Network Security
  - Do you check your mail or log in to update your site from a laptop / iPhone / etc. over public wireless spots? How secure are your connections to your server (do you use SSL for e-mail, SFTP or SCP for file transfers)? Sad fact of life: there are jerks out there with programs that ‘sniff packets’ and can monitor and record wireless traffic. I’ve been to geeky conferences where people have posted a list of names and e-mail addresses of people’s accounts that have been sniffed during the conference… and it’s usually a long list, and this is a conference consisting of geeky people who should know better. Imagine how much one jerk in a Starbucks could collect in a few hours?
  - Along the same lines as the above, if your web host allows Telnet or FTP connections (as opposed to just SSH and SFTP) then that login information is exposed on networks too.
- Website Scripts
  - Do you have any CGI scripts for e-mail forms or to perform any other tasks for your site? If yes, when’s the last time you checked that you have the latest version? If a vulnerability was found in it, how would you find out?
- Backups
  - Does your webhost have backups? How often? Are they stored offsite? What I mean here is: are they stored on a different server, ideally in a different data center, so that in the event of a server-wide hack or a catastrophic event where the entire server and all its contents are lost, how screwed would you be? Also, are these backups just for their own use in case of a server-wide emergency, or can you get things restored just for your account? Can you do this restore yourself? How much will it cost you to restore just your files?
Basically… either be sure you are aware of and comfortable with your webhost’s backup policies, or make regular backups yourself and store them offsite, or hire someone else to be paranoid and maintain your site on your behalf if you can’t do this or don’t want to. You know the quote “If you’re not angry you’re not paying attention”. Well, in this case, if you’re not paranoid then you’re not paying attention.
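The point above about backups has a second half that is easy to skip: a backup you have never restored is only a hope. The Python below is an added example, not code from the original post; it packs a site directory into a .tar.gz together with a manifest of SHA-256 hashes, then restores the archive into a scratch directory and checks every file against the manifest. Dumping the database into the site directory first (for example with mysqldump) and copying the finished archive to another machine (scp or rsync) are assumed to happen around this script; the directory layout in demo_roundtrip() is constructed for the demo.

```python
"""Added example: build a backup archive and prove it restores intact."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST = "backup-manifest.json"   # stored inside the archive next to the site tree


def sha256_of(path):
    """Hash a file in chunks so large uploads/dumps don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_site(site_dir, archive_path):
    """Write archive_path containing site_dir (as 'site/') plus a hash manifest.

    Returns the number of files recorded, so a suspiciously small count stands out.
    """
    manifest = {}
    for root, _dirs, files in os.walk(site_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, site_dir)] = sha256_of(full)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return len(manifest)


def verify_backup(archive_path):
    """Restore the archive into a scratch directory and compare it with the manifest.

    Returns (ok, problems); problems lists files that are missing or changed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path) as tar:
        try:
            tar.extractall(scratch, filter="data")   # refuses path traversal on newer Pythons
        except TypeError:                            # older Python: no filter argument
            tar.extractall(scratch)
        with open(os.path.join(scratch, MANIFEST)) as f:
            manifest = json.load(f)
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, "site", rel)
            if not os.path.exists(restored):
                problems.append("missing: " + rel)
            elif sha256_of(restored) != digest:
                problems.append("corrupt: " + rel)
    return (not problems, problems)


def demo_roundtrip():
    """Constructed demo: a tiny site tree with a fake database dump, backed up and verified."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "htdocs")
        os.makedirs(os.path.join(site, "wp-content"))
        with open(os.path.join(site, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(site, "wp-content", "db.sql"), "w") as f:
            f.write("CREATE TABLE posts (id INT);\n")   # stands in for a mysqldump file
        archive = os.path.join(work, "site-backup.tar.gz")
        count = backup_site(site, archive)
        ok, problems = verify_backup(archive)
        return (count, ok, problems)


if __name__ == "__main__":
    print(demo_roundtrip())   # (2, True, [])
```

Run the verify step on the copy that lives off the server, not on the original; a backup that only verifies where it was made tells you nothing about what you would actually restore from after the server is gone.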
What do hackers do when they get control of a site?
The first thing I’ve seen happen when someone gets into a site is they install other back doors. The vulnerability that got them in often just lets them do one minor thing, like use a MySQL buffer overflow to issue a single command on the server.
I’ve seen 5 different uses of hacked websites over the years:
- 1) Spam Relay – They set up the site to run mass e-mail scripts using a random From address, a random message body with various keyword hotlinks like viagra, cialis etc., and a random destination address. They can push out thousands of messages an hour this way and you won’t know until you notice that your site is slow and/or your webhost calls you or sends you a scary letter. This type of hack, if not caught quickly, will cause your IP address to be blacklisted by a number of mail hosts including Comcast, Verizon, EarthLink, AOL and even Gmail. Getting unblocked is tedious and can often take days or weeks. In fact, right now it’s been more than 3 months since one client’s site was hacked and used for spam relay, and complaints about those messages from May are still causing problems for our server.
- 2) Large File Transfer – There have been a few times when all the hackers did was put one or many HUGE files on the website and then share the link so hundreds of people were downloading them. These large files are most often porn or pirated software (warez), though they could be any number of other unsavory things that you really don’t want your website associated with (lists of spam e-mail addresses, hacking software, credit card numbers, etc.).
- 3) Link Farming – The most recent hack I discovered was this type: they had left the existing site alone but had created hundreds of directories with files in them that contained various random keywords and hyperlinks to places, I’m guessing in an effort to increase search engine rank. Other hacks have involved editing the site itself to hide these links in the content so a human wouldn’t notice them but a search engine would.
- 4) Malice / Graffiti – Curiously, in recent years this is the rarest type of hack, but sometimes they’ll zap your entire website and replace it with photos and logos and often non-English text boasting about what great hackers they are.
- 5) Remote Attack / Botnet – I haven’t seen this recently myself on any site I manage, but I know this happens often. In this scenario they use your server to attack other systems, making it look like you’re the bad guy and shielding themselves from any repercussions. Using your server to hack other sites may cause your ISP to take your entire site offline if they get a call from a remote site or the police.
“Have you been hacked?”
Here’s a slap of reality: you may have been hacked months ago and not know it. There have been many times I’ve gone to help someone with their site only to find it’s been compromised sometime months before. Sometimes hackers blow up the site they’ve hijacked; other times they hardly touch it and do things behind the scenes.
Quick Checks to see if you’ve been hacked:
- View HTML Source – Does your site seem to take a really long time to load, or seem really slow? Even if it doesn’t, load your main page, then choose View and then Page Source (in Firefox), and just skim through to see if anything looks like a long list of links to strange external websites. If HTML scares you, ask a geeky friend to skim your source for you.
- Check for strange links or unexpected traffic increases – Try doing a Google search for any pages hosted under your domain, i.e. search for site:yourdomainname.com, and see if you see any pages that aren’t content you’d expect on your site. You might also see these strange pages in your website traffic statistics reports (Webalizer, AWStats, Google Analytics).
- Mail Problems – Is mail from your server bouncing from places like EarthLink, Comcast or AOL? If so, it could be that your site is spamming and your IP address is blocked because of it. Check your IP address against real-time blacklists (see links for 2 of these below, as suggested by EarthLink). You will probably need to figure out your server’s IP address to do this lookup. The best way to get the correct information here is to contact your web host and ask them. If that doesn’t work you can try doing a lookup on your domain via http://www.kloth.net/services/nslookup.php . Searching for your domain there will tell you what IP address is associated with it; however, this may not be the IP that your server uses for outgoing e-mail. The only way to find this out is to check the headers of an outgoing message or, as I mention above, just ask your host which IP addresses are used for what.
  - The CBL – This is a list of IPs that may be currently infected and sending spam unknowingly.
  - Spamhaus – From their website you will be able to query your IP to see if it is listed in any of their 3 lists that track dynamic IPs, zombied IPs, and IPs that are known to purposely send spam. A number of major e-mail providers, including EarthLink, block IPs known to be dynamic, zombied, and purposely sending spam.
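Two of the quick checks above can be scripted so you can run them on a schedule instead of remembering to skim the source by hand. The Python below is an added example, not code from the original post: link_report() does the "View HTML Source" skim, flagging links to other domains that are hidden from human readers with inline CSS (the link-farming trick described earlier) or simply far more numerous than a normal page carries, and dnsbl_query_name() / dnsbl_listed() show how the CBL and Spamhaus lookups actually work underneath, as a DNS query for the IP's reversed octets under the blacklist's zone. The sample HTML, the domain example.com, the .invalid hosts and the IP 192.0.2.10 are all constructed for the demo; zen.spamhaus.org and its 127.0.0.x return codes are Spamhaus's published ones.

```python
"""Added example: scripted versions of the 'View HTML Source' and blacklist checks."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}


class LinkCollector(HTMLParser):
    """Collect every href and whether it sits inside an element hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, inside_hidden_element)
        self._stack = []  # one bool per open element: does it hide its content?

    @staticmethod
    def _hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], self._hidden(attrs) or any(self._stack)))
        if tag not in VOID_TAGS:
            self._stack.append(self._hidden(attrs))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <x/> opens and closes at once
        if tag not in VOID_TAGS:
            self._stack.pop()

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()


def is_external(href, own_domain):
    """True when the link points at a host other than the site's own domain."""
    host = urlparse(href).hostname
    return bool(host) and host != own_domain and not host.endswith("." + own_domain)


def link_report(html, own_domain, max_external=20):
    """Summarise outbound links; 'suspicious' is the flag worth acting on."""
    parser = LinkCollector()
    parser.feed(html)
    external = [(h, hid) for h, hid in parser.links if is_external(h, own_domain)]
    hidden = [h for h, hid in external if hid]
    return {
        "external": len(external),
        "hidden": hidden,
        "suspicious": bool(hidden) or len(external) > max_external,
    }


def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Spamhaus ZEN answers with 127.0.0.x; the last octet says which list matched.
ZEN_CODES = {2: "SBL", 3: "SBL (CSS)", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}


def dnsbl_listed(ip, zone="zen.spamhaus.org"):
    """Return the list the IP is on, None if not listed, or a note on a query error.

    Needs network access; run it from the server's own resolver, because queries
    arriving through large public resolvers get an error code instead of an answer.
    """
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:          # NXDOMAIN: the DNSBL has no entry for this IP
        return None
    if not answer.startswith("127.0.0."):
        return "query error (%s)" % answer
    return ZEN_CODES.get(int(answer.split(".")[-1]), "listed (code %s)" % answer)


# Constructed sample page: two normal links plus a hidden block of planted links.
SAMPLE_HTML = """<html><body>
<h1>My little site</h1>
<p><a href="/about.html">About</a> - <a href="https://wordpress.org/">built with WordPress</a></p>
<div style="display: none">
  <a href="http://cheap-pills.invalid/">cheap pills</a>
  <a href="http://casino-bonus.invalid/win">casino</a>
</div>
</body></html>"""

if __name__ == "__main__":
    print(link_report(SAMPLE_HTML, "example.com"))
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))   # 10.2.0.192.zen.spamhaus.org
```

The hidden-link check only catches the crude inline-style variety; links hidden through a stylesheet class or pushed off-screen need the page rendered, so treat a clean report as "nothing obvious", not "nothing there". The DNSBL answer is the same thing the CBL and Spamhaus web forms show you, so once the outgoing IP is known the lookup can run nightly and alert the moment a listing appears.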
This post is really just the tip of the iceberg, but I wanted to write it out since I find myself explaining these ideas fairly often. If there’s one thing you take away from this, let it be that having a full backup of your site, including any databases associated with it, ‘off site’ (as in stored outside of the server where your site is hosted) is very important. Everything after that is secondary, since so long as you have a backup you can recover from even a fatal hack or system crash. I’m willing to bet that most of you are ASSUMING that someone else is doing this for you. Are you sure? Perhaps you should check, like… right now.
More Coming Soon – I have another big follow-up post about what I do in regards to WordPress, including securing and repairing after a hack, but I’m still working on that. I’ll post a link to it here when it’s ready.
Comments for suggested edits for this are welcome. Thanks for reading this far, I hope it helped.