As a major hosting provider, we deal with compromised sites on a daily basis, so we’ve seen just about every site compromise scenario. If your site is compromised you may wonder, “Why me? What is the benefit to the hacker?”
Chances are it’s not your site specifically that’s being targeted, but rather any site that can be compromised. You just happen to fall into that category. In general, hackers compromise websites for one of the following reasons:
- To get access to a well-connected web server to launch an attack on another network.
- To steal sensitive files or data, e.g. a database containing personal information and credit card numbers.
- To use your site to host spyware, malware or phishing pages.
- To use your site to send out spam.
How do they get through?
Based on our experience, hackers typically compromise sites in the following ways.
Through known security holes in your application
For example, if you are using a wordpress plugin that has security issue and you’ve neglected to update it, hackers can seek out your site using search engines like Google and perform an automated bot attack that will compromise your site. Last month over 50,000 WordPress site were hacked through plugin vulnerability. It can happen to anyone.
Weak Password on your third-party application
Every day we see bots coming into our network scanning for well known applications. Once one of those applications is identified, the bot attempts a brute force dictionary attack to crack the administrator password.
Insecure upload form
This is a very common problem we see virtually every day. Many websites have a photo/document upload mechanism for their users. If the upload application is not secure, hackers can easily upload a webshell. Once the webshell is uploaded, the hacker can upload more files to further compromise your site.
Compromised FTP account
If your local PC is compromised, a hacker can easily install a key logger to capture all your traffic, including email and FTP usernames and passwords. Once they have your account credentials, they can upload anything to your site. If you delete the malicious files but aren’t aware that your credentials have been compromised, they will likely upload the files again every time you delete them.
What we are doing to help
We started noticing a rapid increase in the number of compromised sites about a year ago. We also found that most of our customers needed help fixing and securing their sites. That’s not surprising, considering the lengths many hackers will go to in order to cover their tracks. So we have taken a number of steps in order to help alleviate the problem.
Regular scans for known compromises
We scan every web server looking for known exploits, and we will notify you if we find anything.
SiteLock Partnership
SiteLock is a third-party company that provides a daily scanning service that can automatically remove malware and alert you to weaknesses.
Site Cleaning Service
As I mentioned, a lot of people receive a notice from us that their site has been compromised and aren’t really sure what their next step should be. We recently began offering a site cleaning service that will remove malware and compromises, try to identify how they happened, and provide a 30 day follow up to make sure you aren’t compromised again. If we identify a compromise on your site we will provide details about the service.
What you can do to avoid being hacked
There are a number of things you can do to secure your web applications.
Keep your applications up to date
We have seen some customers running third-party applications that are several years old and several major versions behind. If your application doesn’t notify you of updates, make it a point to check for updates yourself every few months. This is the easiest, most effective way to keep your site secure. If you use an application that is no longer being developed or updated, find a replacement that is actively developed! It may be a pain to make that change, but it is worth the effort.
Change the default password
There are bots on the Internet that scan for software that is still using the default password, or administrative user name. WordPress, for example, creates the user “Admin” when it is installed. You should change that username, or create a different admin user and delete the default.
Install Anti-virus software on your computer, and keep it up to date
A free antivirus is better than no antivirus. There are a number of decent programs out there that you can use at no cost. Though a paid version of one of the big antivirus programs is usually going to afford more up to date and comprehensive protection.
Configure FTP to allow only your IP address to connect
You can do this in Control Panel with the ISS Tools FTP Manager. Look for the FTP IP RESTRICTION section.
Use complex password for your web applications, FTP and email (actually for everything!)
We recommend at least 8 characters with at least one upper case letter, one digit and one symbol. The longer it takes to crack your password, the more likely it is that a bot will give up and leave for greener pastures.
If you site has any upload functionality, do the following:
1) Your code should block users from uploading executable file extensions like .asp, .aspx, .php, .exe, etc.
2) Execute permissions should be disabled on the folder where you allow users to upload files. To disable execute permissions, create a web.config file in the folder and include the following:
<configuration> <system.webServer> <handlers accessPolicy="Read" /> </system.webServer> </configuration>
Protecting your site from malicious bots and hackers is more important than ever. Times have changed and a “small” site is no longer safe. They are looking for any site, anywhere, and if you don’t make it difficult for the bad guys to get in, they are going to hit you. It’s not a question of if, but when.
I have a question about this comment above. It states, “Configure FTP to allow only your IP address to connect.”
I’m not a website or a network guru so I’m curious if this is as secure as I’d like it to be but I do have a concern. When I read that, I immediately thought about Mac Address Spoofing. As I’m sure you know, it’s a technique that someone can use to get on WiFi devices that utilize MAC address restriction tables…a well known security feature that’s useless. Is this IP address restriction feature equally as “spoofable”?
IP addresses are spoofable, yes. Every computer on the Internet is vulnerable to intrusion. The only way to make a server 100% secure is to unplug it from the network and lock it in a vault.
That being said, if you take steps to restrict entry you can dramatically reduce your chances of being compromised, that’s what we are encouraging everyone to aim for. Every – and I mean every – compromise we’ve ever seen is done on low hanging fruit – in other words, a site that’s easy to penetrate. With a little effort you can close those holes and make yourself an unappealing target.
So, like MAC address restriction lists, this IP address list should be used in conjunction with other tools/protocols. That makes sense. Thanks for the explanation.
FYI, majority of the compromises we see are from vulnerable web application. Maybe 1 out of a 100 hacked site are through FTP.
With that said, it doesn’t hurt to restrict IP for FTP.
Thanks for the info, Frank!