
You’ve Been Hacked…

Before I go any further, let us understand that no computer on the planet is absolutely “hack-proof.” Every time a software vulnerability is patched, there is always some malicious hacker just a little bit smarter, or a little more determined. Having said that, there are a number of things you can do to make life more difficult for the malefactors.

All of the attacks of late on my friend’s sites have been through the use of PHP software, mostly open-source. I do not want to speak negatively of this type of software because it has almost single-handedly made the Internet “interactive.” Most PHP software stores its data in a MySQL database, which must also be secured. Being open-source means that its source code is open to the world, and that is the downside: an attacker can read the code to look for flaws. The beauty is that anyone can modify the code for their own use. And remember, closed-source software gets hit all the time as well. How many times do your Windows, Outlook and Internet Explorer (just to name a few) have to be updated?

Now, there have been two major types of attacks of late: the deleting and/or defacing of files; and the uploading of malicious scripts, particularly spam scripts. I have investigated some of these attacks and found that a few basic precautions would have prevented them.

1. Update your software with EVERY security patch. Anytime your software package is updated, you need to update it on your server. A lot of the time folks think, “If it ain’t broke, why fix it?” This does not apply to Internet software. When a software vulnerability is discovered and a security patch is released, applying it protects your site from that particular attack. If you ignore the patches (like most folks do) then you remain vulnerable to an attack that is already publicly known. If you are nervous about upgrading, ask for a friend’s help or hire someone to do it for you. The cost is usually negligible. BTW, do not display the version number of your software on your pages. If you are not up-to-date, it tells an attacker exactly which vulnerability to try.
2. Rename your administrative directory. Most software packages use “admin” by default. This makes it easy for malicious probes. The scripts only have to focus on one particular directory. Some packages allow you to rename your administrative directory even after you have installed the software. This will normally require a change in your configuration file (normally in the “includes” directory).
3. If your software allows it, use a different username than the ubiquitous “Admin” for your administrative login.
4. Make sure your administrative directory is password-protected with an .htaccess file. You can do this easily from most server control panels. Make sure this password is different from the software login password. I know that sounds like a lot of extra work just to get into your control panel, but which is worse: extra typing or getting hacked? I know of at least one friend whose site was hacked because the admin login and the protected directory login were the same. The malicious script found a vulnerability in the software that exposed the password, so getting past the .htaccess file was not difficult. With two different passwords, one leaked credential does not open both doors.
5. Use a “statistically safe” password. In other words, quit using the name of your dawg, your son or daughter, Forrest / Lee / Jackson, or ANY word found in a dictionary. These can easily be compromised with simple brute-force software. Use a password of at least seven characters made up of upper and lower case alpha characters, numbers and, if your software supports it, extended characters (@#$% etc.). If you do not do this, you are an easy target.
6. Make sure your passwords are secure on your local computer. This can be done with the use of password managers. For those of you using Firefox, there is a very handy password manager built into the software. However, you must activate it. It is also important to have a good firewall and anti-spyware software on your local computer, updated regularly, of course.
7. Another important security function is setting file permissions. This is easily done on Linux servers. Some of the really cool features of the interactive software packages come from allowing some files to be “writable” by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.
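The following script is an added example (not from the original post) showing items 4 and 7 on an Apache/Linux host: it drops an `.htaccess` requiring a separate HTTP Basic login into the renamed admin directory, locks the web root down to 755/644 with configuration files owner-only, and leaves one upload folder writable. The directory names, the `.htpasswd` location and the assumption that the web server user shares the owner's group are all placeholders, and `.htaccess` overrides are assumed to be enabled.

```shell
#!/bin/sh
# Added example, not the blog's own script. Assumes Apache with AllowOverride
# enabled and a Linux file system; paths below are placeholders.
set -eu

# Item 4: require a separate HTTP Basic login for the (renamed) admin directory.
# The credential file lives OUTSIDE the web root so the server can never serve it.
# Create it once with the Apache tool:  htpasswd -cB /etc/site-auth/.htpasswd owner
protect_admin_dir() {
    admin_dir="$1"     # e.g. /var/www/site/ops-console (renamed, not "admin")
    passwd_file="$2"   # e.g. /etc/site-auth/.htpasswd (outside the web root)
    mkdir -p "$admin_dir"
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Site administration"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Item 7: directories 755, files 644, configuration files (which hold the
# MySQL credentials) 600, and only the upload folder writable by the server.
# Assumption: the web server user is in the file owner's group, so 775 on the
# upload folder grants it write access without making the folder world-writable.
lock_permissions() {
    webroot="$1"; upload_dir="$2"
    find "$webroot" -type d -exec chmod 755 {} +
    find "$webroot" -type f -exec chmod 644 {} +
    find "$webroot" -type f -name 'config*.php' -exec chmod 600 {} +
    mkdir -p "$upload_dir"
    chmod 775 "$upload_dir"
}

# Audit: succeeds only if nothing under the web root (outside the upload
# folder) is writable by group or others. Run it after every upgrade.
check_no_writable() {
    webroot="$1"; upload_dir="$2"
    if find "$webroot" -path "$upload_dir" -prune -o \
            \( -perm -020 -o -perm -002 \) -print | grep -q .; then
        return 1
    fi
    return 0
}

# Usage: protect_admin_dir /var/www/site/ops-console /etc/site-auth/.htpasswd
#        lock_permissions /var/www/site /var/www/site/uploads
#        check_no_writable /var/www/site /var/www/site/uploads && echo locked
```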

Now, these steps will not prevent all malicious hacks. But they would have prevented the hacks on the sites I investigated.

There are other vulnerabilities as well:

1. Server Level: a good hosting company keeps the operating system, control panel software, PHP, MySQL, etc. up-to-date. If not, you need to change hosting companies. There are additional steps that a hosting company can take, but they are rarely done, and it is not their fault. There is good security software available that stops malicious scripts from operating. However, customers complain ad nauseam when such software is installed because it requires special configuration and/or plug-ins that customers seem unwilling to pursue. Also, some common programs such as Menalto Gallery (at least certain versions) have to be completely re-installed when the security software is activated. I suppose there is a balance between security and convenience that becomes the compromise.
2. Network Security: of course the network is a two-way street. The host should ensure that the network is not contaminated with malicious hacks and the user must ensure that his firewall rules are up-to-date and not compromised. Users must also be careful when they connect to wireless networks in Internet Cafes, motels and such “public” places. Passwords can be intercepted via sniffers and you become open to numerous types of attacks.
3. MySQL Security: If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled.
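As an added example for the MySQL point above (not from the original post), this shell function reads a MySQL option file and reports whether the server would accept TCP connections from other hosts, honouring only the `[mysqld]` section, comments, and the later-overrides-earlier rule. The sample option file is constructed here and stands in for a real `/etc/mysql/my.cnf`; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not the blog's own. Checks a MySQL option file for the two
# settings that close remote TCP access: skip-networking, or a bind-address
# limited to loopback. Only the [mysqld] section counts; [client], [mysqldump]
# and friends are ignored, as mysqld itself ignores them.
set -eu

# Prints "disabled" when remote TCP is off, "enabled" otherwise.
mysql_remote_tcp() {
    awk '
        /^[ \t]*[#;]/ { next }                     # comment line
        /^[ \t]*\[/ {                               # section header
            insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next
        }
        insec && /^[ \t]*skip[-_]networking/ {     # bare, or = ON/OFF/1/0
            v = $0; sub(/^[^=]*(=[ \t]*)?/, "", v); sub(/[ \t]*#.*$/, "", v)
            skip = (v == "" || toupper(v) ~ /^(1|ON|TRUE)$/); next
        }
        insec && /^[ \t]*bind[-_]address[ \t]*=/ { # last one wins
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*#.*$/, "", v)
            gsub(/["\t ]/, "", v); bind = v
        }
        END {
            if (skip || bind == "127.0.0.1" || bind == "::1" || bind == "localhost")
                print "disabled"
            else
                print "enabled"
        }' "$1"
}

# Constructed sample (not a real server file): a distro-style default where the
# loopback line was commented out, so the server listens on every interface.
sample_cnf() {
    printf '%s\n' '[client]' 'port = 3306' '' \
        '[mysqld]' 'user = mysql' '# bind-address = 127.0.0.1' \
        'bind-address = 0.0.0.0' '' \
        '[mysqldump]' 'skip-networking'   # wrong section: has no effect on mysqld
}

# Usage: sample_cnf > /tmp/my.cnf; mysql_remote_tcp /tmp/my.cnf   (prints enabled)
# Fix for a single-host site: under [mysqld] set bind-address = 127.0.0.1 or
# add skip-networking, then restart mysqld and rerun the check.
```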

Again, no web site is absolutely free from malicious hacks but following these steps will go a long way in securing your site. I am currently being attacked at the rate of nine attempts per minute. This has been going on since the middle of December. I am fairly confident of my setup and yet I am still backing up more frequently.

Posted by John Thomas Cripps on 01/14 at 08:52 AM