james
custom software solutions
The following is an excerpt from a thread on a small-business forum that I frequent. A website owner has had his website hacked; I give my advice on how to correct the situation and how to prevent it in the future.

Bill Benson Asked,

Wanted to see if anybody has any ideas how this is happening. James, you know a lot about security. I’d be interested in your opinion.

I have a site on a shared server. About a year ago that server got hacked and all index pages on the server were replaced by an Islamic page. In November my site (osCommerce) got hacked looking for credit card numbers. At that time I had a very simplistic password. An email for sending an extra order confirmation was also placed in the configuration section (Yahoo email). I did save credit cards, but I deleted them as soon as I processed them. I don’t save credit cards anymore, but they did get a few.

In November I got an order using a bad address and the same yahoo email. The order IP traced to Arabia. I think it was a dummy order testing the email. I also found a virus on the site. The zipped backups didn’t show the virus, but when I unzipped the file Norton caught it.

Over a week ago the configuration table in the database got deleted, taking the site down. I replaced it. Several days later it happened again. Sunday every directory in the db was truncated, including ones that weren’t standard osCommerce tables.

About a month ago, I changed all passwords to complicated ones using punctuation etc.

When this happened last Sunday, I said screw it, deleted the entire site (not db) and installed zen cart. I modified the database to match zen cart which is very similar to oscommerce.

Yesterday, after having done a new install of Zen Cart, the configuration table in my database was deleted just like in one of the prior hacks.

I’m now moving the site to a different server; same host.

My conclusion is that the problem is somewhere else on the server, although I appear to be the only client with this problem. The server did get hacked with a Saddam page on all sites and the hack I have is from Arabia? Anybody have any ideas what might be happening here. I don’t need any comments on not keeping oscommerce up to date, I know that part.

Oh, and if anybody has a list of IPs to block, including China, the old USSR area, Poland, Arab countries, I’d appreciate it. I do business in Central and South America, Canada and the Caribbean, so I don’t want to block those.

James Weisbrod ( Site By James ) said,

If I were a marketing agent looking for a good distribution channel I’m not exactly sure how I would go about finding one... but if I needed a distribution channel for my malicious intent... then I would choose open source software first...

Preferably an open source package whose development was "managed" by the people for the people... then I’d contribute my own little security flaw and snicker to myself realizing that in just a few short months my security flaw would be distributed across hundreds of thousands of websites...

If I was really cocky... I would build a robot to crawl the web and actively seek out websites using the software with my secret vulnerability... and harvest whatever opportunity which presented itself... I see robots crawling my sites everyday looking for exploits... they usually inject weird variables into my site... variables I have never used in the code...

Imagine governments which are using open source ERP solutions... the kind that have a 20MB+ distribution file size... can you even audit a 20MB software package without throwing an entire year or two of your life away? I would think if I were to audit a program that size I could literally kiss my entire life goodbye...

Also... I work on one website which has some serious enemies... when I started on the project they were getting hacked every few days... Even after we cleared out all "known" possible problems with the php code... they got in some other way at the server level... and the server guys began restricting access so tightly that I was getting locked out every few hours just for working on the files on the server...

Wish I could tell you the exact reason why it’s happening... but... there are so many possibilities...

M Girl said,

Sounds like another reason not to use OS [ OS-Commerce ].

I wonder if ASP.NET gets hacked as much?!

Bill Benson said,

I wouldn’t make that assumption. Since the entire server got hacked some time ago, I suspect it’s elsewhere on the server. I have also been negligent in doing updates. That’s my fault, not the fault of open source in general. I also used simple passwords. Again, my fault, not the fault of OS.

Since it got hacked again within days with complicated passwords and a completely different and latest version of an OS cart, I’d say the problem is on the server.

I did know someone who took a hard look at all the free carts about a year ago and he was a strong supporter of zen. He would have looked at it strongly from the SEO side. He passed away, so I can’t really ask for his current position.

Thanks for your input James. The curious thing is that this is strictly malicious. I don’t see a competitor doing this. It’s a small niche market. I do sell to the military though. That might make the Arabia connection.

James Weisbrod ( Site By James ) said,

The simplest way to lock down security on otherwise weakly secured systems is to restrict ip access to the administration areas of the site using htaccess or something similar...

If you’re the only one updating the website... or if there are only a few people accessing it... then why allow the entire world access to your admin areas?

# .htaccess in the admin directory (Apache 2.2 mod_authz_host syntax);
# 128.2. is a network prefix and .cmu.edu a host-name suffix, both example values
Deny from all
Allow from 128.2.
Allow from .cmu.edu

If you’re still getting hacked after that point you can pretty much rest assured it’s a software vulnerability...

The general vibe I get from watching the webmaster forums is that there are some serious security flaws with the Microsoft IIS servers in general, as those sites very often are reported as going down... when I do hear stories about those servers getting hacked it’s usually at the server level and it usually wipes out or takes out more than just one website... usually the entire server gets breached, which is a serious security issue...

When open source gets hacked it is usually traceable to a widely popular and not so secure open source software website... individual websites go down but the actual server itself remains secure...

In most cases anyways... this is just the vibe I get... I have no research or statistics to back it up...
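The same admin-directory restriction, written out as an added example that is not part of the original post, in a form that works on both Apache 2.2 and 2.4. The network 203.0.113.0/24 and the host vpn.example.com are placeholders (documentation ranges, not real addresses); replace them with the addresses you actually administer from.

```apache
# Drop this into the admin directory's .htaccess (e.g. /admin/.htaccess).
# AllowOverride must permit Limit (2.2) or AuthConfig (2.4) for the host.

# Apache 2.2: mod_authz_host. Order Deny,Allow evaluates the Deny first,
# then the Allow lines override it, so only the listed sources get through.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.
    Allow from vpn.example.com
</IfModule>

# Apache 2.4: mod_authz_core. The 2.2 directives are ignored here unless
# mod_access_compat is loaded, so state the rule in Require form too.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.0/24
        Require host vpn.example.com
    </RequireAny>
</IfModule>
```

Test it once from an address outside the list and confirm you get a 403 before relying on it. Host-name entries (`Allow from`/`Require host`) cost a reverse and forward DNS lookup on every request and are only as trustworthy as that DNS, so prefer IP ranges where you can; a fixed office or VPN address solves the travelling problem raised below.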

Bill Benson said,

That makes sense as long as I’m not traveling. Thanks.

Cart software has config files which contain passwords. Is it possible to put a path to a password above the root directory in the config file? They have to be getting the db password to delete or truncate tables. That takes more than admin access. I did block the one known bad IP, but that won’t stop proxies.

James Weisbrod ( Site By James ) said,

If they had access to your config file then they would have access to your filesystem... and they would be doing more damage than what you’re seeing...

Deleting or truncating tables is completely doable without any "special" database privileges... if they were adding and/or removing databases then that would hint at a server level breach...

You’re most likely getting SQL injection attacks... download your PHP files... and then file search for mysql_query(

and start patching all the holes...

you might want to read up on register globals as well...

http://ca3.php.net/register_globals
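What the file search for mysql_query( is looking for, and what the patched version looks like, as an added example that is not code from the original post, from osCommerce or from Zen Cart. The table and column names (products, products_id, products_name) and the $_GET parameter are assumed for illustration; the fix uses ext/mysqli prepared statements because ext/mysql was removed in PHP 7. The register_globals section uses extract() to reproduce what that setting did, so the bypass can be seen without changing php.ini.

```php
<?php
// Added example (not from the original post, osCommerce or Zen Cart).
// Search the tree with: grep -rn "mysql_query(" .   and inspect every hit
// whose SQL string contains a $ variable that came from the request.

// --- 1. The hole: request input concatenated straight into the SQL text ---
// Returned as a string so it can be inspected without a database. An input of
// 1' OR '1'='1 closes the quoted literal and rewrites the WHERE clause.
function build_query_vulnerable(array $get): string
{
    return "SELECT products_name FROM products WHERE products_id = '"
        . $get['products_id'] . "'";
}

// --- 2a. Cheapest patch: force the value to the type the column expects ---
// Good for numeric ids only; anything non-numeric collapses to 0.
function build_query_cast(array $get): string
{
    $id = (int) $get['products_id'];
    return "SELECT products_name FROM products WHERE products_id = $id";
}

// --- 2b. The proper fix: a prepared statement ---
// The value is sent as data, so it can never change the shape of the query,
// whatever characters it contains. Works for string columns as well ("s").
function find_product_prepared(mysqli $db, array $get): ?string
{
    $id   = $get['products_id'];
    $stmt = $db->prepare("SELECT products_name FROM products WHERE products_id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

// --- 3. register_globals ---
// With register_globals=On, a request for ?admin=1 creates $admin = "1" in
// scope before your code runs, so any flag you forgot to initialise becomes
// attacker-controlled. extract() below is the same effect, applied on purpose.
function is_admin_vulnerable(array $request): bool
{
    extract($request);          // emulates register_globals; never do this
    // $admin is not initialised here; the script assumed login code set it.
    return !empty($admin);
}

// Fix: register_globals = Off (php.ini, or "php_flag register_globals off" in
// .htaccess under mod_php), and read the flag only from server-side session
// state that the login code wrote, never from anything the request can name.
function is_admin_fixed(array $session): bool
{
    return isset($session['admin']) && $session['admin'] === true;
}

// Walk-through with a constructed malicious request (no database needed).
$evil = ['products_id' => "1' OR '1'='1"];
echo build_query_vulnerable($evil), "\n";   // the injected OR now matches every row
echo build_query_cast($evil), "\n";         // the cast leaves only the leading 1

var_dump(is_admin_vulnerable(['admin' => '1']));   // the register_globals bypass
var_dump(is_admin_fixed(['admin' => '1']));        // a string is not the real flag
```

Run it with `php example.php` and compare the two query strings; the same pattern applies to every mysql_query( hit, including INSERT and UPDATE statements built from $_POST. Note that (int) casting covers only numeric columns, so a site with free-text search or email fields needs the prepared-statement form, not the cast.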