Hey Guys & Gals,
This is something that is bound to happen to everyone at some stage. Some may find it, some may never know it even happened to them, but I can guarantee that your sites have had a hacking attempt made on them at some stage.
So this is the second time we have been hacked, and malicious code has been placed on all of our index-type pages. So what does this mean? By targeting the index pages the hackers put their code in the most prominent places, the ones users are most likely to enter a site through (the index pages are usually the first a user will hit), while also disguising themselves, since index pages are also the ones most commonly modified by site owners.
After the first case we went and set extremely strong passwords; the chance of cracking these without a supercomputer is nil, you have a better chance of winning the lottery. We will show you shortly some free services you can use for this.
But we fell down on the system that should have backed those passwords up: maintaining that level of security across all access points.
After the first attack we locked down all FTP access to the site. From then on we only issued access to those who needed it, and created a new limited FTP account for them to use.
The problem was that we did not make the new account's password as strong as the main account's, gave it too many rights, and did not change or remove it when the programmers had finished.
This left it open to a simple dictionary attack on our FTP server, which succeeded and gave them full root access to our files.
This was done on August the 17th, only a few days ago.
They got a little trickier this time by singling out our IP addresses and blocking them, so that when we visited the page our IP would not activate the malicious spamming code, while certain other IPs would activate it.
All files are now clear and even further things have been put into place to limit this again.
So let me outline 10 steps that can help you protect yourself.
1. Do not use simple passwords (come on, it's the first rule!!)
We know you make simple passwords like evenmydogcouldguessthis or imso1337 (trust me, leet or 1337 speak does not keep you secure, despite how often you wish it would).
Instead use a random password generator that even you cannot remember; two very good sites are these.
http://www.pctools.com/guides/password/
“The PC Tools Password Generator allows you to create random passwords that are highly secure and extremely difficult to crack or guess due to an optional combination of lower and upper case letters, numbers and punctuation symbols.”
https://www.grc.com/passwords.htm
“Every time this page is displayed, our server generates a unique set of custom, high quality, cryptographic-strength password strings which are safe for you to use:”
2. Keep your site software up to date
Something we are now doing is going through all of our sites (yes, even including this WP install) and updating any scripts that have updates out for them, to make sure they are secure and not providing a simple hole for people to exploit.
3. Create unique accounts to access your server
If you need to give access to your server to an outsourced agent, a server technician, or even someone in your office, go to the trouble of setting up separate FTP accounts and access accounts per person, using the same secure measures as step 1. Trust me, you will thank yourself for it. At least we were able to instantly see which account was compromised.
This may also lead you to discover that a particular computer within your network is compromised. If a worker only ever uses that computer and his or her accounts are compromised, then you may want to check that computer for keyloggers and other nasty bugs.
4. Try not to use 777 permissions
At most you should use 755. On an Apache server you can have phpsuexec installed, which makes it impossible for a script to use 777 permissions and runs all PHP files as the site owner. So I hear you say: but I own my own dedicated server, so there are no other site owners?
Two great simple explanations of phpsuexec are:
http://forums.hostgator.com/showthread.php?t=8822
http://support.pakhost.com/Default.aspx?op=faq&id=133
Do you have multiple sites on the server? Multiple accounts for those sites?
If so then this just gives you another avenue to track and find out exactly which site is causing exploits and issues for your server whilst also providing a more secure environment.
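A small audit of the "no 777" rule, as an added example and not code from the post: it walks a constructed web root, lists everything world-writable, strips the group/other write bits (777 becomes 755, 666 becomes 644) and checks again. The directory layout and file names are made up for the demo.

```python
import os
import stat
import tempfile

WRITE_MASK = ~(stat.S_IWGRP | stat.S_IWOTH)  # drop group/other write: 777 -> 755, 666 -> 644

def _entries(root):
    """Yield every directory and file path under root (root itself excluded)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def find_world_writable(root):
    """Return sorted paths under root whose mode has the other-write bit set."""
    hits = []
    for path in _entries(root):
        st = os.lstat(path)
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(path)
    return sorted(hits)

def tighten(root):
    """Strip group/other write bits from every entry; return the paths that changed."""
    changed = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # never chmod through a symlink
        cur = stat.S_IMODE(st.st_mode)
        new = cur & WRITE_MASK
        if new != cur:
            os.chmod(path, new)
            changed.append(path)
    return sorted(changed)

def demo():
    """Constructed web root with sloppy modes: audit, fix, audit again."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    for rel_name in ("index.php", os.path.join("uploads", "notes.txt")):
        with open(os.path.join(root, rel_name), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(os.path.join(root, "uploads"), 0o777)          # the classic "just make it work" mode
    os.chmod(os.path.join(root, "index.php"), 0o666)        # world-writable index page
    os.chmod(os.path.join(root, "uploads", "notes.txt"), 0o644)
    rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
    before = rel(find_world_writable(root))
    fixed = rel(tighten(root))
    after = rel(find_world_writable(root))
    modes = {n: stat.S_IMODE(os.lstat(os.path.join(root, n)).st_mode) for n in ("uploads", "index.php")}
    return before, fixed, after, modes
```

Run the same two functions against a real document root (as the site owner, not root) before reaching for phpsuexec; the audit is read-only, only `tighten` changes modes.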
5. Lock down FTP access
If you are super security aware and you have a dedicated IP at your place of business, then you may want to consider limiting your server so that it will only accept FTP connections from your IP address or any other IP that you add to it.
You can temporarily add IPs when needed and remove them when not needed. A good explanation of setting up FTP configuration files in Apache can be found at:
https://www.covalent.net/resource/documentation/ftp/3/html/ch03s02.html
6. Limit general site access via IP
This is the reverse of step 5. If you know a particular IP address or range to be causing you a lot of issues, then you can just permanently deny it access to your site/server. This has the added benefit that it can block all access to your server if you wish, not just FTP access.
A basic how-to guide for the slightly technically minded (aka you can get around a Linux/Unix based system):
http://www.howtoforge.com/linux_iptables_sarge
7. Custom 404 page.
So how can a custom 404 page help you?
You would be amazed at how many attempts are made at SQL injections and other nasty script exploits by searching your site for certain file combinations; a custom 404 page lets you see those failed requests. Especially if you have many sites, you will start to see a pattern in what wannabe hackers are looking for. This tip was from Dewald from our forums.
Of course good old WordPress gives a simple way to implement this; you can take this code and also implement it in non-WordPress sites.
http://codex.wordpress.org/Creating_an_Error_404_Page
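To show what a custom 404 page (or the access log behind it) can reveal, here is an added example, not from the post or the WordPress codex: it parses constructed Apache combined-format log lines, groups 404s by client IP and flags clients that miss repeatedly or request probe-looking paths. The probe patterns, sample addresses and paths are assumptions made up for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" log line: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Request shapes that usually mean a scanner, not a lost visitor (assumed, illustrative list).
PROBE_PATTERNS = [
    re.compile(r"\.\./"),                                  # path traversal
    re.compile(r"union\s+select", re.IGNORECASE),          # SQL injection probe
    re.compile(r"/(phpmyadmin|pma|admin|setup\.php)\b", re.IGNORECASE),  # well-known admin paths
]

# Constructed sample log: one ordinary visitor and one client hunting for files.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Aug/2008:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Aug/2008:10:12:03 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [17/Aug/2008:10:12:04 +0000] "GET /pma/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [17/Aug/2008:10:12:05 +0000] "GET /index.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [17/Aug/2008:10:12:06 +0000] "GET /../../wp-config.php HTTP/1.1" 404 512 "-" "-"
203.0.113.5 - - [17/Aug/2008:10:12:09 +0000] "GET /oldpage.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield dicts for lines that match the combined format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_clients(log_text, min_404=3):
    """Group 404s by IP; report IPs with >= min_404 misses or any probe-looking path."""
    misses = defaultdict(list)
    for rec in parse(log_text.splitlines()):
        if rec["status"] == "404":
            misses[rec["ip"]].append(unquote(rec["path"]))  # decode %20 etc. before matching
    report = {}
    for ip, paths in misses.items():
        hits = [p for p in paths if any(pat.search(p) for pat in PROBE_PATTERNS)]
        if len(paths) >= min_404 or hits:
            report[ip] = {"count": len(paths), "probe_hits": hits}
    return report

if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} x 404, probe-like: {info['probe_hits']}")
```

The IPs this reports are candidates for the deny rules in step 6; the single 404 from the ordinary visitor is left alone.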
8. Make sure your server is updated with latest security patches.
Seems simple, doesn't it? The fact is, not all hosting companies will do this, or it is a low priority for them. If they are not showing any interest, then find a different host; your data is important.
9. Use an automated testing service.
Hacker Safe springs to mind as an automated testing service. While it is not needed on most sites, if your site is anything more than a hobby site and you do not have your own security people to do this, then you may want to look at using their services.
Their service description page is below:
http://www.scanalert.com/site/en/security/service/
10. Did I mention strong passwords!!!
Seriously, this is the first line of security and one of the most important. Most hackers are looking for easy attacks; that means brute-force dictionary attacks using common words and passwords. Limit this and you have just cut away most of your issues.
Now there are heaps of other things you can do to secure your servers; this is mainly from a website point of view. Security is one of the largest topics discussed in the server admin community. Here is another resource on 20 ways to secure your Apache server.
Thanks for reading
Marc, Daniel & The PLRPro Team
I received your e-mail this morning on ten steps to protect your site and I wanted you to know that you have probably saved our business. I have forwarded the e-mail to our webmaster.
Again many thanks.
For most new Internet marketers and web publishers, I recommend the best line of defense: outsource. As the owners here have found, it is better to assign responsibility for security issues to people who do nothing but handle these concerns.
Let's face it, Internet Security is already a four-year university diploma, and then there are the several years of actual experience to learn from on top of this.
The way to leverage your time and get better results is to outsource this need within an "already built for you service." One of them is called Managed Web Hosting.
An example would be http://www.hostgator.com/ There are several others, but this is an example of how you can gain all the expertise in security related issues without ever having to address it.
Large hosting companies already employ the above services as part of their infrastructure. Using the above business principle of outsourcing is also the reason you subscribe to this website.
Expert writers and content researchers are what you are outsourcing to, and their end results are what you are paying for. It's the same for website security.
For a mere six dollars or so, you get all the security you will ever need. You get this price, because there are several thousands of customers all paying a small decimal percentage collectively for this service.
If you would like to gain even more leverage, a search for business practices will give you more insight on how to protect your Internet business from other sources of intellectual theft and financial ruin.
Thanks for the tips. My site has been hacked and a strange index page appeared when I went to my site instead of my own index page.