As a major hosting provider, we deal with compromised sites on a daily basis, so we’ve seen just about every site compromise scenario. If your site is compromised you may wonder, “Why me? What is the benefit to the hacker?”
Chances are it’s not your site specifically that’s being targeted, but rather any site that can be compromised. You just happen to fall into that category. In general, hackers compromise websites for one of the following reasons:
- To get access to a well-connected web server to launch an attack on another network.
- To steal sensitive files or data, e.g. a database containing personal information and credit card numbers.
- To use your site to host spyware, malware or phishing pages.
- To use your site to send out spam.
How do they get through?
Based on our experience, hackers typically compromise sites in the following ways.
Through known security holes in your application
For example, if you are using a wordpress plugin that has security issue and you’ve neglected to update it, hackers can seek out your site using search engines like Google and perform an automated bot attack that will compromise your site. Last month over 50,000 WordPress site were hacked through plugin vulnerability. It can happen to anyone.
Weak Password on your third-party application
Every day we see bots coming into our network scanning for well known applications. Once one of those applications is identified, the bot attempts a brute force dictionary attack to crack the administrator password.
Insecure upload form
This is a very common problem we see virtually every day. Many websites have a photo/document upload mechanism for their users. If the upload application is not secure, hackers can easily upload a webshell. Once the webshell is uploaded, the hacker can upload more files to further compromise your site.
Compromised FTP account
If your local PC is compromised, a hacker can easily install a key logger to capture all your traffic, including email and FTP usernames and passwords. Once they have your account credentials, they can upload anything to your site. If you delete the malicious files but aren’t aware that your credentials have been compromised, they will likely upload the files again every time you delete them.
What we are doing to help
We started noticing a rapid increase in the number of compromised sites about a year ago. We also found that most of our customers needed help fixing and securing their sites. That’s not surprising, considering the lengths many hackers will go to in order to cover their tracks. So we have taken a number of steps in order to help alleviate the problem.
Regular scans for known compromises
We scan every web server looking for known exploits, and we will notify you if we find anything.
SiteLock is a third-party company that provides a daily scanning service that can automatically remove malware and alert you to weaknesses.
Site Cleaning Service
As I mentioned, a lot of people receive a notice from us that their site has been compromised and aren’t really sure what their next step should be. We recently began offering a site cleaning service that will remove malware and compromises, try to identify how they happened, and provide a 30 day follow up to make sure you aren’t compromised again. If we identify a compromise on your site we will provide details about the service.
What you can do to avoid being hacked
There are a number of things you can do to secure your web applications.
Keep your applications up to date
We have seen some customers running third-party applications that are several years old and several major versions behind. If your application doesn’t notify you of updates, make it a point to check for updates yourself every few months. This is the easiest, most effective way to keep your site secure. If you use an application that is no longer being developed or updated, find a replacement that is actively developed! It may be a pain to make that change, but it is worth the effort.
Change the default password
There are bots on the Internet that scan for software that is still using the default password, or administrative user name. WordPress, for example, creates the user “Admin” when it is installed. You should change that username, or create a different admin user and delete the default.
Install Anti-virus software on your computer, and keep it up to date
A free antivirus is better than no antivirus. There are a number of decent programs out there that you can use at no cost. Though a paid version of one of the big antivirus programs is usually going to afford more up to date and comprehensive protection.
Configure FTP to allow only your IP address to connect
You can do this in Control Panel with the ISS Tools FTP Manager. Look for the FTP IP RESTRICTION section.
Use complex password for your web applications, FTP and email (actually for everything!)
We recommend at least 8 characters with at least one upper case letter, one digit and one symbol. The longer it takes to crack your password, the more likely it is that a bot will give up and leave for greener pastures.
If you site has any upload functionality, do the following:
1) Your code should block users from uploading executable file extensions like .asp, .aspx, .php, .exe, etc.
2) Execute permissions should be disabled on the folder where you allow users to upload files. To disable execute permissions, create a web.config file in the folder and include the following:
<configuration> <system.webServer> <handlers accessPolicy="Read" /> </system.webServer> </configuration>
Protecting your site from malicious bots and hackers is more important than ever. Times have changed and a “small” site is no longer safe. They are looking for any site, anywhere, and if you don’t make it difficult for the bad guys to get in, they are going to hit you. It’s not a question of if, but when.
Acquia Drupal 7.30.35
DotNetNuke 7.3.1 Community Edition
Gallery Server Pro 3.2.1
SilverStripe CMS 3.1.5
Umbraco CMS 7.1.4
We’ve been talking about Everleap a lot lately, and understandably we’ve had a few of you ask questions about how it might affect DiscountASP.NET. The short answer is, it won’t.
Everleap is modern cloud hosting and DiscountASP.NET is traditional shared hosting. While the end result of both is your site on the web, the route to get there is quite different. There are advantages to both methods, of course, and if you prefer the traditional DiscountASP.NET service, it is always going to be here for you.
Technological advances happen so quickly these days that sometimes you can find yourself thinking, “Whoa, slow down, everything is working fine, let’s not touch it right now.” We get that. We know everyone isn’t going to flock to Everleap. If it ain’t broke…
But don’t worry, DiscountASP.NET will not be frozen in amber like an apartment building on Fringe. We’ll continue to keep everything up to date, provide the best support in the business and invest in infrastructure. That’s the way we’ve always approached the service and that isn’t going to change.
The landscape will definitely be changing more quickly though over at Everleap. Building the service on top of the Windows Azure Pack ensures that we’ll always have the latest modern cloud technology, and we’ve expanded the service significantly from the out-of-the-box WAP offering, so we’re always busy building something cool to enhance the fundamental cloud server hosting.
If that kind of thing gets you out of bed in the morning, by all means, check out Everleap! It really is the next generation of website hosting, and where all website hosting is likely headed.
But if you love DiscountASP.NET (like we do!) you can rest assured that isn’t going anywhere. It still gets the same attention we’ve always given it – and will keep giving it – for as long as you want to use it. Nothing’s changed there. We were one the very first specialized .NET hosts, and as you’ve made very clear over the past decade, the best .NET host!
And if I may be so bold, we always will be.
With all of the excitement over the launch of our new cloud hosting solution over at Everleap, I overlooked announcing that we have successfully renewed our Microsoft Partner Gold Hosting Competency for 2014! We are going into our 9th year of maintaining our Microsoft Gold Partner status.
Even though we’ve been announcing our Microsoft Gold Partner renewal annually, it is no small feat to continue keeping this status. Microsoft has raised the bar significantly to attain the Gold level status over the last few years.
To earn a Microsoft Gold Competency, organizations must employ more Microsoft Certified Professionals who must pass various up-to-date certification exams related to the competency, submit multiple customer references and demonstrate their commitment to customer satisfaction by participating in an annual survey and score well. There are Cloud marketing assessment tests to pass as well.
Achieving the Gold level status is an investment that we make every year because it truly shows our commitment to stay on top of Microsoft-related technologies, helps us maintain a strong relationship with Microsoft, and serves as a big differentiator among all the other hosts.
As an example of our commitment, it is through this strong relationship with Microsoft that we were able to be the first host to launch a production scalable cloud hosting solution for websites and web applications using Windows Azure Pack.
I went to HostingCon last week which took place in Miami Beach, Florida. I picked up my badge and found this yellow tag on it.
Turns out it’s HostingCon’s 10th year anniversary and I’ve been going to this event every year since it started. I was honored and felt like an old geek at the same time! I saw a handful of like geeks walking around and commiserated with some of them.
So why do I travel all the way across the U.S. to hang out with hosting competitors? It may sound strange but I like going to this event just because it’s great to check in with all the other hosting companies.
While we are all in the same hosting business, there are many different technology niches and customer segments, so all of us approach hosting at different angles. There is plenty of room for everyone and we can all learn from each other.
But what’s more important is that we all share the same issues too – be it dealing with spam, software licensing, hardware, DDoS attacks, abuse issues, and regulatory issues. Many of these issues are bigger than one host and it takes many hosts working together with other vendors to help improve things for the entire hosting segment – which also translates to making hosting work better for all customers.
In fact, HostingCon was the place that the i2Coalition first started – as an idea during a lunchtime gathering of like-minded hosting professionals a couple of years ago – at first to deal with the SOPA act in a collective way.
We decided to participate as a founding member and the organization is now helping educate our elected officials on what we do as hosting providers and how we contribute to the economy and jobs and is helping guide federal policies that affect all hosts and their customers.
Luckily, next year the event will be in San Diego which will make traveling a little easier.
The SoCal Code Camp San Diego happens June 28th and 29th at the UC San Diego!
DiscountASP.NET has sponsored all the SoCal Code Camps (LA, SD and OC) for many, many years. They’re local events to us. They’re organized by local user groups and attended by local developers, so we’re always happy to offer our support.
This year, we’ll be there on Saturday the 28th sponsoring under the new Everleap banner. If you haven’t heard, Everleap is our new elastic cloud hosting service. We’re very excited to introduce our new platform to everyone attending.
This will be the very first code camp I’m attending. I’m a code camp virgin with a bit of sweaty-palm nerves, but I’m excited to meet members of our local development community. To ensure I don’t run afoul, Everleap has decided to send me with chaperons. Michael Ossou, one of our own developers, and John Meeks, manager of our affiliate programs, will be in attendance with me. Michael will also giving a presentation on JQuery and SignalR.
Michael is an engaging and entertaining presenter, showing off a really cool application. I’ve seen the presentation myself and you don’t want to miss this one.
You have questions about cloud hosting? Do you have a nagging curiosity about the people behind your hosting service? Does your current host suck? Swing on by our table!
See you there!
Acquia Drupal 7.27.32
DotNetNuke 7.2.2 Community Edition
SilverStripe CMS 3.1.4
Umbraco CMS 7.1.1
nopCommerce 3.3 requires the .NET 4.5.1 Framework in order to run, so feel free to open up a support ticket to have your hosting account moved.
If you’re a DiscountASP.NET customer, you’ve probably already heard about this, but for the rest of you, we’re really excited to announce something new: Everleap.
It’s cloud website hosting! Okay, I know what you’re thinking: “Hey man, there’s nothing new about cloud hosting!” Well, that’s not exactly true. There is something new about true cloud hosting. Take a look at how Everleap works.
Think about it, most cloud hosting that you see is sort of a hybrid not-really-cloud-at-all kind of thing that isn’t very far removed from traditional shared hosting. They call it “cloud,” but by their definition we could probably call DiscountASP.NET “cloud,” and as you know, it really isn’t.
Then there are the real cloud services; Azure, Amazon, and the handful of others that aren’t Azure or Amazon. If you have used one of those big cloud services you know that virtually everything that you might consider necessary to run your web site is offered as a separate service, metered and billed separately. And forget about support. If personalized support is available, it likely comes at a hefty additional cost.
With Everleap we set out to provide all the technical benefits of the big cloud providers along with the all-inclusive bundled services of traditional web hosting. So every Everleap site includes things like SQL, MySQL, SQL Reporting Services, SSL support, email and DNS service, and our excellent Technical Support that you know and love from DiscountASP.NET is included. Things you will most definitely pay extra for at the big cloud providers.
When I say Everleap is something new, it really is new. It’s the first hosting service built on Microsoft’s Windows Azure Pack. In the coming months you’re going to see other hosts coming out with Azure Pack offerings, but those will be generic, out-of-the-box plans. It isn’t possible for them to do what we’re doing at Everleap because they don’t have the experience that we do.
We have been up to our elbows in the technology underlying Azure Pack (Antares) for almost two years. We have built a world-class infrastructure to support the load balancing and flexibility available with Azure Pack, but not only that, we’ve also built our own Control Panel that allows us to quickly make adjustments and add features, something those generic guys aren’t going to ever be able to do.
Everleap is a premium service, something many of you have been asking us us to build for a long time. Well, here it is. And if I don’t say so myself, it’s really cool.