Website and Server Security


As a website owner, it’s important to pay close attention to the health of your website and server to limit your risk of “getting hacked”. The number of website hacking incidents increases each year and even the industry’s best are having a tough time combating the issue.

This post was created as a plain-English resource for both website owners and web designers. It’ll outline a few threats you should be aware of and address some other concerns pertaining to the health of your website.

If you haven’t experienced a website attack, hack or breach of some sort, consider yourself lucky – but don’t let your guard down. Do not get used to that feeling of invincibility.

Why websites get hacked:

Every website contains something a hacker wants, including a platform to spread a message, a group of visitors/users to infect, a page to takeover, people to spam, or data to steal.

In one way or another, it’s estimated that over 30,000 websites are hacked per day, 80% of which are small business websites. *

How websites get hacked:

There are dozens of ways to hack a website, but here are 5 common vectors:

1) FTP: Most websites have an “FTP account” which is used to access all files within it. Weak usernames (ie: the actual domain name itself) and passwords (ie: passwords without a combination of letters, numbers and special characters) are, over time, quite easy to crack.

2) Injection: HTTP and database injection methods (including SQL Injection) allow hackers, malware and spam bots to do their worst and once they gain momentum, they’re hard to stop.

3) Exploitation: Many hackers take advantage of vulnerabilities referred to as exploits. Exploits can be found in weak coding of websites/applications, 3rd party tools plugged into a website, or outdated web servers.

4) Targeting the domain name registrar: Each website has a domain name registrar which is responsible for managing nameservers. The nameservers are one of a few devices that tell browsers where to find and load any given website. The administrative management consoles for every domain name on the web can be accessed via a domain name registrars website via username and password authentication. Hackers have been known to target a domain registrar vs the website itself, and in some cases might have better luck gaining control of a website by hacking the registrar username/password and proceeding to redirect the website to another source by altering its nameservers.

5) DOS Attacks: DOS (Denial of Service) attacks are a different type of breach. The end-game of a DOS attack is usually to crash a website or server by “virtual” force. Methods include delivery of too much automated traffic for a website to serve, or deploying scripts that repeatedly run without end thus consuming too many resources for the server to handle causing it to stall or crash. Even a fail-safe server reboot due to excessive load is considered a victory to DOS attackers as reboots result in necessary downtime.

According to the Web Application Security Consortium, the most common types of hacks include denial of service, SQL injection, cross-site scripting, brute force, predictable resource location and stolen username/password credentials. No website is immune. In fact, most websites are susceptible to each and every type attack. The impacts/outcomes of such attacks are typically leakage of information, downtime, defacement, malware, monetary loss and disinformation. **

What the heck are “bots” and “scripts”?

Bots and/or scripts are software programs that run on servers. Their goal is to gain unauthorized access to websites, servers, computers, bank accounts, email accounts and more.

For example:

“One of cybercrime’s most important products is the botnet, short for robotic network, software programs that run on servers. The person in charge of the botnet is called a cracker. The goal of the botnet servers is to install malicious software on computers and turn them into zombie computers. Zombies take orders from the botnet servers. They may be commanded to send out spam, engage in denial of service attacks, or install software on other people’s computers that enables them to track keystrokes. By tracking keystrokes, zombie computers can get access to user names and passwords linked to online bank accounts.”

- Bill Davidow

Talk about hacking

Many companies enlist a creative agency to design and develop a website. They talk about everything including shades of blue, pictures and text. What about website security? What about the safeguarding of personal and/or sensitive data collected by the website?

Perhaps the biggest challenge that most firms face is the lack of security knowledge in the agencies who they contract their websites out to. Most of them don’t run their own servers (although claim they do) and instead opt to rent them them through a 3rd party. The hosting provider will provide some level of security for the hardware, but rarely at a software level. Open source tools such as WordPress are adopted due to their flexibility and community base, but often even the most basic security measures are not adopted such as locking down access to admin modules and FTP. Factor that in with people using easy passwords because clients lose the hard ones and you’ve got a recipe for disaster. Culturally agencies don’t like to talk about security for fear of worrying clients about hacking.“- Charles Meaden re: Forbes.com article by James Lyne

Are all hackers thieves?

The majority of hacks are actually quite harmless. For example, a hacker can expose vulnerability in a website contact form, and exploit it to repeatedly send spam to the website owner/host. Take a business directory website as another example: a dedicated hacker can find a weakness in how that website transmits messages and use it as a platform to send more spam to more users. Other hacks include “DOS” (Denial of Service) attacks in where the hacker simply attempts to distrupt a users experience on a website. For example, a typical DOS attack is simply bringing a website “down” without actually breaching any security protocols used to protect sensitive information. Not all hackers are thieves – however they expose security flaws in your website or application. More serious types of hacks include exploiting not only a website but the web server itself, in which case a hacker can gain access to sensitive database information, user accounts, passwords, etc, and cause some pretty serious damage

How can you prevent your website from getting hacked?

Start with a trusted web host with a reputation of reliability and security – we recommend Rackspace. Choose a host that’s best-positioned to host the specific requirements of your website as determined by your website designer/developer. Ensure your website is created using best-practice coding techniques. If you require the use of 3rd party tools, ensure they are up-to-date and trusted components. Each host, website and application can use several layers of security to filter out malicious content that could result in the exploitation of your website. Website hardware and software firewalls are essential to filtering traffic as are FTP firewalls. FTP firewalls should always be used to ensure only those accessing your FTP have been granted explicit permission to do so.

What to do with a hacked website?

You could restore a backup of your website, but that will only buy you time before it happens again. If a website is hacked, there are several ways to detect the intrusion method, patch the leak, “clean” the infected/altered files, and then restore the website as a whole. This work should be performed by your website designer and website host. If your website has been hacked more than once it’s time to reconsider your web hosting options and/or switch hosts. Note that many web hosts do not perform what they refer to as “forensic application” services, meaning a lot of the investigation and fixing/cleaning work falls on your web designers lap. If hacking issues persist, decommission your web server and request a new one, or reconsider your hosting options all together. Why? The end-game of many hacks is to install a virus on the web server itself. Once this is done, it’s VERY difficult to clean 100%. It’s often quicker, cheaper, and ultimately safer to decommission the server.

Who’s responsible for a hacked website?

If your website has been hacked, a childish finger-pointing game can start if you question who’s responsible and demand compensation. It’s a futile argument, considering the many factors that could be responsible for a breach. Since the source of the intrusion is difficult to prove, one has to be open to considering any/all sources, such as:

  • You may have a trojan virus on your computer that’s responsible for stealing your website or FTP login information.
  • You may have accessed sensitive website files from a shared computer infected with a keystoke recorder or virus.
  • Your web designer may have built an insecure application that’s easy to “crack”.
  • You may have outsourced your website or SEO services and inadvertantly given authentication information to an untrusted 3rd part.
  • Your website may have been infected with malware by another website within the same hosting environment.
  • Your weak username/password combinations may have been compromised.
  • There may have been issues with your SSL vendors product or encryption resulting.
  • A 3rd party tool or widget may have been exploited allowing unauthorized access to your website files.
  • Your website may have been targeted by a determined individual/intruder
  • Your website may have been been targeted by the latest strain of malware

The simple fact is, sh*t happens. Even websites like ebay.com, paypal.com and amazon.com (who invest millions in IT infrastructure and security) have been hacked in one way or another – so venting frustrations and questioning how this could have possibly happened isn’t going to help moving forward.

The Ponemon Institute, an independent company conducting research on privacy, data protection and information security policies, calls the chances of an organization being hacked in a 12-month period a “statistical certainty”. **** Juniper Networks backs this report and adds that 90 percent of businesses had been hit by at least one IT security breach in the past 12 months, with more than half, or 59 percent, citing two or more breaches in that period. ***** The one hack you may experience may be the single successful attack out of potentially millions of threats your website has been faced with. Your service providers (including ISP’s, website hosts and web designers) are amongst many IT professionals throughout the world working to thwart website attacks on a daily basis, and their efforts are often taken for granted.

Common-sense precautions:

Website issues, like computer problems, are bound to happen at some point. Use common sense and consider WHEN, not IF, website problems occur – what could you have done to limit the fallout?

1) Don’t retain personal information within a CMS or database. If you collect customer data via your website, put an off-site storage plan in place and frequently purge any online, temporary data.

2) Don’t retain financial information within a CMS or database. If you run an e-commerce store, ensure credit card numbers are purged from your system after the credit card processing procedures are completed.

3) Keep your website under lock and key. If you need your website updated, do not outsource the work to someone you’ve never met. Use local, trusted designers whom you’re confident can keep access to your website, files, databases, etc safe and protected. Remember that in order to have your website updated, you need to give your web designer top-secret usernames and passwords required to access your website files.

4) Use anti-virus programs religiously. Every device within your network or office environment, including shared computers, handheld devices, servers, etc should be protected with an anti-virus application such as Avast.

Redundancy:

Recovering from a breach of any kind warrants the use of a trusted, dedicated back up system. Managed backup services ensure website files and data are backed up automatically – preferably to an off-site location and data integrity checks should also be implemented. If you suspect your website has been hacked, it’s necessary to change each and every password associated with your entire hosting network. This process of challenging passwords should be performed regardless as least once a month.

Use SSL security:

SSL encryption has long been the industry standard protocol for protecting sensitive information (including order information and personal or financial information) while in transit over the web. It’s relatively easy to setup, comes at a minimal cost, and protects data from prying eyes.

Why your website host matters:

1) Some web hosts pack hundreds of websites on a single web server, which we consider pollution. Hosts that operate this way are typically high-volume hosts who charge a minimal amount for monthly hosting. While the deal may be great, your website is now on a congested “block” and you are at risk if/when any of your “neighbors” websites become affected in any way. Since all websites reside on a single server, it only takes one website breach to potentially affect all which are connected – as they all share the same operating system. While the cost is high, it is always a good idea to have an exclusive, dedicated hosting solution to limit the number of potential breaches you could face.

2) Some hosts do not use firewalls, specifically hardware firewalls. Why? Nobody forces them to and it’s expensive. The truth is, any web server that resides behind a hardware and software firewall is much more safe and protected than one that isn’t.

3) Hardware and software matters. You’d be surprised to know that your website may be hosted on a network that is over a decade old. A lot changes in a decade, especially technology. Choose a host that keeps their web hosting infrastructure up to date using the latest hardware and software solutions available from companies like Microsoft. Who’s the best host? We say Rackspace, hands down.

4) Support is everything. If your website has been hacked, your web designer can only do so much before requiring the assistance of your web host. That assistance is typically desktop or root-level server access required to diagnose the web server as well as the website itself. Many web hosts do NOT offer telephone support, while others like Rackspace Hosting offer 24/7 live phone support. The more accessible your web host, the better chance your web designer will have in identifying and fixing issues.

Useful 3rd Party Tools:

Websites and web servers must be supported by 3rd party tools and used as additional security layers to protect your applications.

Pingdom: A website uptime monitoring tool that will alert you within 1 minute of a website issue being detected.
http://pingdom.com

Google webmaster tools: A monitoring resource from Google available to all webmasters to help improve website performance.
https://www.google.com/webmasters/tools/home

Software firewalls: Software specifically used at the server level to filter out malicious traffic. There are dozens of options. Consult your web designer or host to find the option that best suits your hosting application.

Hardware firewalls: Hardware specifically used at the server level to filter our malicious traffic and impose restrictions for server and FTP access. Like software firewalls, there are dozens of options. Consult your web designer or host to find the option that best suits your hosting application.

Malware bytes: Popular anti-malware software ran at the server-level to help detect malicious content and prevent spreading of such content.
http://www.malwarebytes.org/

Sophos anti-virus: One of the industry’s most trusted anti-virus software applications used to monitor web servers and detect intrusions.
http://www.sophos.com/en-us/

Sucuri: A web monitoring and malware clean up service.
http://sucuri.net/

Tips for Scanning Websites on Windows Servers:

Below are a few commands that a web host can follow to scan for potential website security flaws on a Windows hosting platform.

Icacls: If an arbitrary file has been injected within your a website, it’s agenda may be to install a trojan virus or compromise the website and/or web server itself. In order to do so, many malicious scripts attempt to alter the folder permissions of a website directory, particularly in older Windows server systems. Use the DOS icacls function to quickly search the web server for instances of “everyone” permissions, which pose a high risk for further intrusion methods.

Example: icacls c:\websites\*.* /t /c | findstr Everyone > c:\permissions.txt

This command will create a text file at c:\permissions.txt containing a list of all websites found to include “everyone” permissions within file/folder attributes.

Search: A thorough scan for strings within web pages and files may be useful in revealing malicious files that have been injected in an attempt to compromise your website.

Example: findstr /n /i /c:\websites\”server.createobject” *

CMS Upgrades:

CMS websites that use 3rd party tools have become targets for hackers. Some of the 3rd party tools include HTML editors and file-upload components. The HTML editor tools are commonly used to style HTML text when editing pages. The file-upload components are commonly used in photo galleries and resume-upload functions on online applications systems. These tools become outdated and vulnerable over time. Since most of these tools are so widely used, hackers target them in order to exploit applications on a massive scale and use bots and/or scripts to scour the internet and sniff out victims. It is necessary to upgrade these CMS tools and ensure other up-to-date security measures are in place to protect websites from being hacked.

Database-Driven Content:

Websites that utilize a database to produce content are also a target for hackers. Organizations have been known to hire hackers to “steal” content from websites, such as business directory listings, product databases, etc. In other cases, “bots” are enlisted to obtain the same results. This process is basically automated data-mining on a massive scale. Database-driven websites require constant upgrading to thwart off such attacks/breaches and ensure the security and integrity of your website and data.

Monitor Sign in Pages and Record User Access

If you have a CMS login, or any other password-protected area of your website, you can easily monitor access. For example, whether the login forms username/password combination is authenticated or not, you can utilize email scripts to notify you of the attempt. Most brute-force attacks include repeated login attempts by an automated source. If you are monitoring the login attempts, your emails will notify you if a login fails validation. When used in conjunction with session or server variables, you can obtain the IP address of the attacking source.

I have the IP Address of an Attacking Source, What Do I Do?

You can forward it to your local authorities. Cyber crime is taken very seriously nowadays and the authorities will act accordingly. You may also write code within your login structure to disallow access to the login or password-protected area by the problematic IP. If you are running a software or hardware firewall, you can add the problematic IP to a ban list thus preventing future access to your website or server all together. Note that banning an IP address is not 100% foolproof and it is advised that you still work to secure your application. Attacker IP’s can change if the source operates from a dynamic IP location (vs static IP), or if the attacker is using an IP-spoofing tool used to mask their true IP.

HTML Injection:

Many HTML injections are not necessarily done to bring down a website or steal any content/data. A common HTML injection includes the placement of 3rd party links hidden within your website and used to springboard SEO efforts of another website by establishing a mass network of back-linking. Many HTML injections go undetected, unless you’re specifically hunting for them. A common HTML injection string includes the placement of 3rd party links hidden within a div tag. The contents of this tag are often hidden as they’re placed within a div set off-page.

For example:

links

Most HTML injection attacks are harmless and while relatively easy to correct it is a time consuming task. Perhaps one of the biggest nuisances with these types of attacks is that Google can detect the injection and publicly mark the website as “compromised” in the search engine results page. If you spot this under your website URL when searching your domain name in Google contact your web designer and have them clean the website. Once clean, you can re-verify the website in Google’s index. The “compromised” notice will be removed at the discretion of Google – as quickly as same-day.

Suggestions in the Interest of Security:

- Limit CMS access
– Remove 3rd party tools
– Closely monitor access and start/update a website “ban-list”
– Subscribe to webmaster tools monitoring services
– Subscribe to pingdom.com monitoring services
– Limit retantion and amount of personal or finiancial records kept online
– Implement a local website/data backup procedure
– Avoid handing data in a way that invites XSS attacks
– Use captcha and strong form-validation techniques
– Secure your email. …password resets to inbox…

Signs that someone – or something – is trying to hack your website:

1) Spam: Spam is a nuisance, and with the help of junk mail filtering by email software like Outlook, it can easily be ignored and/or filtered out of sight. However, spam doesn’t just affect your inbox. Each instance of spam exposes an underlying issue with website security. If the spam is originating from your website, it identifies a requirement to secure your website forms to protect them from robots (aka scripts or spam-bots) scouring the internet looking for flawed websites or those with specific vulnerabilities.

2) Injection: Look for arbitrary/questionable files throughout your website. If your website has been targeted by a hacker, one of the first intrusion attempts will be a cross-site scripting or HTML injection attack whereby the hacker aims to plant arbitrary pages/files within your website.

3) Spike in website traffic: If you’re on average receiving 100 hits per day, then spot a 1,000-hit day, odds are you didn’t have a lucky day of popularity. Instead, you were likely targeted by a single source. You can verify this by viewing your website logs.

4) Spike in FTP traffic: This may be hard to detect, but your FTP server will retain a log. When your website is being attacked via FTP (aka, brute-force FTP attack), your FTP server logs will be huge, indicated a higher-than-normal amount of traffic – each instance in your logs is likely a report of a failed username/password attempt.

5) You haven’t been hacked (yet): Yes, the fact that you have not yet been hacked could is a sign that an impending hack is en route – because hacking has become a statistical certainty. No website is immune or free of vulnerabilities. Start a discussion about the health and safety of your website and hosting environment with your IT personnel and web design team.

A Quick Tip for Monitoring Website Health:

Websites that utilize a database, WordPress or other CMS solutions are typically targeted more than others, and require database connections. Upon each connection to your database is a chance to have a look at who is accessing your website or application. Use visitor-data collection methods such as session and server variables that trigger an email-script to have this information emailed to you. You’ll be able to spot-check each instance of a user visiting your website. Some visits will stand out to you as quite obviously malicious and your website designer and host can respond accordingly.

How to look closer if you suspect website hacking:

Note: it is easier to perform these checks if you have a dedicated server in which you have root-level access to work from the server operating system vs your FTP. If you do not have root-level access, your web host can perform these tasks for you.

1. Look for what doesn’t belong: For example, if your website is comprised of only HTML pages, look for instances of ASP, .net, PHP, JSP, etc files. These types of files and programming languages are designed to execute server-side scripts and will pose a risk if they don’t belong on your website in the first place.

2. View change logs: Each change made to your website is recorded, and includes at least the page title/file, date and method of modification. If the logs do not match your service/update records it’s a sign that unauthorized users have access to your website files.

3. Search for common injection keywords: Many HTTP injection attacks result in the creation of arbitrary files on your website. While these files can be anything, they are usually associated with websites or products related to cialis, viagra, nike, gucci, louis vuitton, replica watches, handbags, etc. Running a keyword search for any/all of these commonly-injected files may reveal exploits.

4. Monitor uploaded files: It’s quite common to have functionality within your website to have a user upload a file. This may be to upload a resume as part of an online job application system, or an upload form to share photos, videos or other files. A common intrusion vector is to upload a script disguised as a safe file – such as hackthiswebsite.php.pdf. Your web designers upload scripts may allow this file to be uploaded as it appears to be a friendly PDF file. However, it’s quite simple at this point for a 3rd party to trim the .pdf extension and run/execute the page as a PHP file, triggering a potentially harmful script within. This type of vector is quite common on Windows hosting platforms. While there are security checks to be placed at the application level, another important update requires setting all “upload” folders/destinations to be read-only, thus preventing them from being able to “run/execute” any files.

5. Search for strings like “createobject” as word/phrase in your website files: Regardless of which vector is used for a hacker to do some damage, the end-game usually includes the execution of a page/script containing a “createobject” command. These commands are used to arbitrarily create files and/or overwrite existing ones on a server. If home/index files are overwritten a hacker has effectively brought your website down.

Calling Cards

A lot of hackers leave tags or calling cards as signatures on the work they have performed. A simple search for “hacked by” may reveal an exploit that you were previously unaware of. Remember that many hacks do not produce an immediate result – they may result in alternation of files that remain undetected on your website for months.

******************

How Common are Hacks and Other Website Security Breaches?

Below are some articles related to website hacks, exploits and other security issues for various companies and organizations throughout the world:

US Marines Recruiting Website Hacked and Redirected to Pro-Assad Message
http://www.ctvnews.ca/sci-tech/u-s-marines-recruiting-website-hacked-redirected-to-pro-assad-message-1.1436867

Security of Gov’t Websites Inadequate and Prone to Hacking
http://www.dnaindia.com/india/1886201/report-security-of-govt-websites-inadequate-prone-to-hacking

Mark Zuckerberg’s Facebook Page Hacked
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/19/mark-zuckerbergs-facebook-page-was-hacked-by-an-unemployed-web-developer/

About Time We Got Hacked
http://www.stanforddaily.com/2013/08/14/hack-me-once/

The Costs of Cybercrime
http://www.business2community.com/tech-gadgets/cost-cybercrime-0608822

New York Times Website Down After Suspected Hacking
http://www.bbc.co.uk/news/business-23859572

Dalai Lama’s Site Hacked, Infecting Others
http://www.iol.co.za/scitech/technology/security/dalai-lama-s-site-hacked-infecting-others-1.1561388

Amazon.com Struggles With Website Troubles
http://www.foxbusiness.com/technology/2013/08/19/amazoncom-goes-down-temporarily-for-us-canada-users/

The Easiest Way to Deface a Website is to Target the Domain Registrar
http://www.darkreading.com/attacks-breaches/the-easiest-way-to-deface-a-website-is-t/240160677

Hackers Put a Bulls-Eye on Small Business Websites
http://www.pcworld.com/article/2046300/hackers-put-a-bulls-eye-on-small-business.html

Hackers Can Take Over Cars and Homes Remotely
http://bits.blogs.nytimes.com/2013/08/11/taking-over-cars-and-homes-remotely/?_r=0

US Dep’t of Energy Hacked Again
http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-302903/

Alberta Gaming Company Hit by Hackers
http://www.torontosun.com/2011/06/17/alberta-gaming-company-hit-by-hackers

******************

Glossary

Here are definitions to help you interpret any geek-speak found in this post.

IP Address:
An IP address identifies the physical address of a visiting source including a visitor to your website.

Website Breach:
An incident where protected, sensitive or confidential data has been viewed or stolen by an unauthorized party.

Website Hack:
The use of computer programming skills to gain illegal accesses to online resources.

Exploit:
A vulnerability taken advantage of to initiate a website breach or hack.

Web server:
The hardware system responsible for hosting website files to the public.

Web host:
A company responsible for configuring and running web servers used to host websites or applications.

Web designer:
An individual responsible for coding/programming each page that makes up your website or application.

******************

Sources

* SOPHOS
** WASC (Web Application Security Consortium)
*** TechTarget.com
**** Eweek.com
***** TeckWeekEurope.co.uk

5 thoughts on “Website and Server Security

  1. Informative & detailed blog but nowadays like you wrote that we need to use antivirus, even that doesn't help a lot since hundreds of new viruses come out everyday, but still there are so many things to keep in mind that you really have to be so careful that its become a lot of work to do all this & because no matter how safely you tread, you still can get hacked if you are out of luck.

    http://www.liquiddigital.net.au
    Liquid Digital Website and Mobile Development Sydney

  2. Hi Kelly, I appreciate your writing. My brother has a political website that is hosted by IWW and a anti-political hacker group has taken the liberty of shutting down our web page. I dont want to post the name of the website in the respect that there potentially will be an criminal investigation but considering these investigations take a lot of time and money, I would like to help him avoid this at all costs… Ultimately I want to help him secure his site and get it back up and running until he switches to a different host… I have confirmed that his password has been changed and it appears that his admin page is too easily accessed (which I will be changing shortly). If anyone can help me please let me know… his HTML code is screwed and I am waiting to see if he or the host has backed up this information for him. Thanks in advance… thanks all!~ •Martha Berry

  3. Good point Tomy. Anti-virus software is only one part of a larger security effort. Anyone using Anti-virus software as a security layer should at least ensure virus definitions are updated daily and on-access scanning of potentially malicious files needs to be enabled. It's also a good idea to run scheduled scans an auto-quarantine anything that looks suspicious – Sophos does a good job of this.

  4. Hi Martha – political websites are a likely target for hackers and I'm sorry to hear your brothers website has been hit. Hopefully your web host does in fact have backups to allow you to restore a working copy of your website to another server. Let me know how to reach you and I will offer some assistance.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s