Server Security - any ideas?

17 replies
I am having a big problem with security on one of my sites. The site is a
pretty large custom-built application on a dedicated server. It is not
launched yet, as we are still ironing out some bugs.


Over the last couple of months we've been facing some security breaches
where code has been getting inserted to all of the pages of the site. The
code that is inserted runs a script that downloads a trojan to the visitor's
computer. Needless to say Google started listing it as an attack site.


The first time this happened, we went through and removed all the
offending code from the site. I changed all the passwords, and we were
good for about a month.


Now, I have just noticed the same thing happening again. One line of bad
code is showing up before the body tag on every page.


We can remove it all again, but I am more interested in stopping this from
happening in the future. Hosting support at Inmotionhosting has not
been all that helpful, and suggested that perhaps someone had gotten my
FTP password.


Does anyone know the steps I need to take to stop this from happening in
the future?

If anyone is an expert on server security, I would gladly pay for your time
to work with me to secure the site!
#ideas #security #server #server security
  • markbyrne
    You need to speak with the server techs at Inmotion. They can give you all the information you need on when, how, and where the breaches happened. I can't believe they charge for a dedicated server, and then give you second-rate support there, mate. Not good at all.

    The obvious solution would be to take your business elsewhere, as the hosts are clearly not too bothered about hackers running around their servers. Rackspace have always ticked the boxes when it comes to security, based on my personal past experience in large and medium corporate situations. If you want to go low on budget, then there are the usual suspects like Host Gator - and another very reliable one is Heart Internet.

    If you really want to stay with them mate, then they need to pull their finger out and give you some proper answers. These guys will be trusted with all your data when you go full-on live. Not sure I'd take the risk.

    Whatever you decide, the best of luck, Michael.
    • Michael Badger
      Thanks Mark. I will certainly be taking this to hosting support to see what they can do - and if it is not satisfactory then I will move on to someplace else.

      Rackspace looks great, but wow they are expensive - although this application does make a lot of DB queries so maybe that's what I need!

      So far I have not had luck with servers in the sub-$350 range. Do you think that Hostgator or Heart Internet may give me a better experience?
  • theIMgeek
    It's not necessarily coming "from the inside"... so they may not have access to your server. It could be a vulnerability of the script. If it's custom developed it may not be thoroughly tested against this sort of thing.

    Perhaps there are scripts with open permissions (chmod 777), or if you're running on a CMS it could be a database injection problem.

    I'm not expert enough to know how to reliably track the source, unfortunately.

    -Ryan
  • markbyrne
    If I had to choose based on the above - Heart Internet, every time

    Hope you get sorted!
    • Michael Badger
      I would like to look for a specialist to help me with this problem. Does
      anyone know exactly what kind of specialist I am looking for? I just want to
      know what this person would be called so I can post for it on Elance, etc. Am
      I looking for someone who is a network administrator?
      • DanPE
        Originally Posted by Michael Badger

        I would like to look for a specialist to help me with this problem. Does
        anyone know exactly what kind of specialist I am looking for? I just want to
        know what this person would be called so I can post for it in elance, etc. am
        I looking for someone who is a network administrator?
        Site security specialist, probably. Off hand, maybe your PC or one of your team's PCs has a keylogger installed. Another possibility is a vulnerability on the hosting end (outdated server software etc.). The scripts you are running may also have vulnerabilities that could possibly be exploited.

        First step is to make sure you and your team have anti-virus software and know how to use it. Other than that, there's vulnerability testing for the site, where someone deliberately tries to break in. Did you change both your cPanel and FTP passwords? Are they both different? What about server logs; do they show anything?
        • Michael Badger
          Hi Dan,

          Thanks for the reply! I did change all the passwords, yes - and we are using antivirus software everywhere. I just launched some of the online scans available at Online Vulnerability Scanning, which includes Nessus, Nmap, Nikto, Joomla, DNS, OpenVAS and SQLiX - it'll be interesting to see what they show.

          I have a feeling that the problem is due to vulnerabilities in the script itself, and will be working out a plan (maybe with a site security specialist!) to patch up the holes.

          I guess it's better to find this out now at least - before I launch the service and have actual customers that this could be affecting!
  • theIMgeek
    Another thing you can look for is "server hardening". There are many places that offer a flat rate for testing and closing security holes. Average cost seems to be $50 to $100.

    -Ryan
    • Michael Badger
      Thanks Ryan - I'll look into that too.
      • Michael Badger
        So, I can now confirm that the breach was due to an FTP exploit which
        was the result of harvesting of my FTP passwords from a local computer.

        It is not so hard to deal with... I am just restoring from a backup and then
        re-uploading files that had been modified since that backup was done.

        But, moral of the story...

        Always have recent backups, and keep all your computers virus-free.
        Also, keep your Adobe products up-to-date. Here's a page from Inmotion
        with some details: InMotion Hosting - Getting Started Guide

        I also figured out that it was NOT my own computer that was
        compromised. It was someone on the programming team that I am
        working with to develop the site. So needless to say, you should make
        sure that your entire team's computers are virus-free and all software
        up-to-date!

        Thanks for the moral support while I was figuring this out!
        • hostsdepot
          Originally Posted by Michael Badger

          So, I can now confirm that the breach was due to an FTP exploit which
          was the result of harvesting of my FTP passwords from a local computer.

          Thanks for the moral support while I was figuring this out!
          Thanks for sharing this. FTPS is very important these days.
  • Last_Knight
    Originally Posted by Michael Badger

    I am having a big problem with security on one of my sites. The site is a
    pretty large custom-built application on a dedicated server. It is not
    launched yet, as we are still ironing out some bugs.
    Did you design it yourself or did you pay some company to design it for you?

    Originally Posted by Michael Badger

    Over the last couple of months we've been facing some security breaches
    where code has been getting inserted to all of the pages of the site. The
    code that is inserted runs a script that downloads a trojan to the visitor's
    computer. Needless to say Google started listing it as an attack site.
    We are talking about PHP+MySQL injection? If yes, have you tried the HTTPS protocol?

    Originally Posted by Michael Badger

    The first time this happened, we went through and removed all the
    offending code from the site. I changed all the passwords, and we were
    good for about a month.
    That's not much of a good thing to do, because you will get blacklisted sooner or later by all search engines.

    Originally Posted by Michael Badger

    Now, I have just noticed the same thing happening again. One line of bad
    code is showing up before the body tag on every page.
    Have you checked your source code for statements that might be prone to code execution?

    Originally Posted by Michael Badger

    We can remove it all again, but I am more interested in stopping this from
    happening in the future. Hosting support at Inmotionhosting has not
    been all that helpful, and suggested that perhaps someone had gotten my
    FTP password.
    They ought to be supporting you and giving some tips or even solutions, since it's their server that you pay them to rent.


    Originally Posted by Michael Badger

    Does anyone know the steps I need to take to stop this from happening in
    the future?

    If anyone is an expert on server security, I would gladly pay for your time
    to work with me to secure the site!
    Before asking for public help, have you tried testing your server for bugs, and upgrading to the newest kernel distribution?
    That might help!
    • Michael Badger
      Thanks for the above replies. My situation is all set now.

      It turned out that it was the Gumblar Virus, and it is indeed from FTP
      passwords having been harvested from a local computer that had the virus
      on it. In my case, it was the programmers that I outsource to that had an
      infected machine. So I really can't blame the hosting company. I will
      suggest to them that they provide better suggestions for how to remove
      the virus though because they didn't give me much in the way of
      directions of what to do. I had to figure it all out myself.

      If you do a search on the ScanSafe STAT Blog for Gumblar you'll find all
      the info you need to know in order to get the virus off your system.

      It mostly affects your .js files and some .php files. It also adds new files
      to your server where it will take a filename for an image that you already
      have and use that file name and add .php to it. So it is trying to hide itself
      from you. It also seems to delete a bunch of your images.

      Doing a few greps can weed out all the pages that have been infected.

      A good practice right now is to update your FTP passwords often, like once
      or twice a week. The virus first harvests your password, and then at a
      later date attacks your site, so if you are constantly changing your FTP
      password then you should be pretty safe.

      Once you know what you are looking for it is not all that hard to deal with,
      but it sure isn't fun getting listed as an attack site in Google!

      One other thing I thought was interesting was that the virus only affected
      folders with very common names - like images, javascript, includes. I
      even have a folder called Images and that one was clean. So, that
      suggests that using non-conventional naming for your folders could be
      some level of protection too. I'm not sure about that but thought it was
      interesting.
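The "few greps" Michael mentions, written out as an added example; this is not his code or anything posted in the thread. It walks a web root and flags the three artifacts he describes: a script block sitting immediately before the body tag, obfuscated `eval`/`unescape`/`fromCharCode` JavaScript, and `.php` files named after an existing image in the same folder. The regexes and the image-shadowing rule are heuristics assumed from his description, not a signature for Gumblar, and the sample web root is constructed inside the script so it runs offline.

```python
"""Heuristic scan of a web root for injected pages and image-named .php droppers."""
import os
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico"}
TEXT_EXTS = {".html", ".htm", ".php", ".js"}

# A <script>...</script> block directly before <body> is the placement described
# in the post; legitimate markup normally closes <head> in between.
INJECT_BEFORE_BODY = re.compile(rb"<script\b[^>]*>.*?</script>\s*<body\b",
                                re.IGNORECASE | re.DOTALL)
# Obfuscation idioms typical of drive-by injections (assumed heuristic, not a signature).
SUSPICIOUS_JS = re.compile(
    rb"eval\s*\(\s*(?:unescape|String\.fromCharCode)|document\.write\s*\(\s*unescape",
    re.IGNORECASE)


def scan_text_file(path):
    """Return the reasons a page or script looks injected (empty list = clean)."""
    data = path.read_bytes()
    reasons = []
    if INJECT_BEFORE_BODY.search(data):
        reasons.append("script block immediately before <body>")
    if SUSPICIOUS_JS.search(data):
        reasons.append("obfuscated eval/unescape/fromCharCode")
    return reasons


def find_shadow_php(root):
    """Find .php files named after an image in the same directory
    (logo.gif -> logo.gif.php or logo.php), the hiding trick the post describes."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        names = set(filenames)
        shadows = set()
        for img in (n for n in names if Path(n).suffix.lower() in IMAGE_EXTS):
            shadows.add(img + ".php")
            shadows.add(Path(img).stem + ".php")
        for n in sorted(names & shadows):
            hits.append(Path(dirpath) / n)
    return hits


def scan_webroot(root):
    """Walk root and map each suspicious file (path relative to root) to its reasons."""
    root = Path(root)
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for n in filenames:
            p = Path(dirpath) / n
            if p.suffix.lower() in TEXT_EXTS:
                reasons = scan_text_file(p)
                if reasons:
                    report[str(p.relative_to(root))] = reasons
    for p in find_shadow_php(root):
        report.setdefault(str(p.relative_to(root)), []).append("php file shadows an image name")
    return report


def build_sample_tree(root):
    """Constructed sample web root: a clean page, an injected page, an injected
    include, a clean image and an image-named .php dropper."""
    (root / "images").mkdir()
    (root / "includes").mkdir()
    (root / "index.php").write_bytes(
        b"<html><head><title>ok</title></head>\n<body>hello</body></html>\n")
    (root / "about.html").write_bytes(
        b"<html><head><title>x</title></head>\n"
        b"<script>eval(unescape('%61%6c%65%72%74'))</script>\n<body>hi</body></html>\n")
    (root / "includes" / "menu.js").write_bytes(b"document.write(unescape('%3C'));\n")
    (root / "images" / "logo.gif").write_bytes(b"GIF89a")
    (root / "images" / "logo.gif.php").write_bytes(b"<?php /* dropper */ ?>\n")
    (root / "images" / "banner.png").write_bytes(b"\x89PNG")


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print("%s: %s" % (path, "; ".join(reasons)))
```

Run it against a copy of the site (or the web root itself) by calling `scan_webroot("/var/www/html")`; anything it reports is a candidate to diff against the last clean backup, and a clean result is not proof of a clean site, since the patterns only cover what this thread describes.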
      • AllanWM
        Michael,

        Thanks for this info. What did you use to clean your PC of the Gumblar?

        Thanks.

    • jminkler
      Originally Posted by Last_Knight


      We are talking about php+mysql injection? if yes, Have you tried https protocol?
      SSL will not prevent SQL injections
      • cpaul
        Hi,

        It happened to me also, and in order to prevent hacking, I have denied FTP access to the public; I only allow access from my home and office.

        In proftpd.conf (if you are using proftpd):

        # Only accept FTP logins from the listed addresses; everyone else is
        # refused before they get to try a password.
        <Limit LOGIN>
          Order allow,deny
          Allow from 127.0.0.1,127.0.0.2,x.x.x.x
          Deny all
        </Limit>

        Replace x.x.x.x with your IPs.

        Of course, the home computer must remain secure: don't ever use Internet Explorer because it is VERY buggy, use the latest version of Mozilla instead, close all unwanted services, use an antivirus/firewall, and turn on updates. That will save you from some big troubles.
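DanPE asked whether the server logs show anything, and cpaul's fix is an address allow-list; the added example below (not code from either of them) combines the two for the post-mortem: it parses the FTP transfer log in xferlog format (the TransferLog format written by wu-ftpd and ProFTPD) and reports every completed upload from an address outside the allow-list, with the earliest one and the touched files, which is what you need to pick a backup that predates the compromise. The allow-list addresses and the log lines are constructed stand-ins, and the parser assumes the remote host is logged as an IP address rather than a resolved hostname.

```python
"""Find FTP uploads from non-allow-listed addresses in an xferlog-format transfer log."""
import ipaddress
from datetime import datetime

# Stand-ins (TEST-NET ranges) for the home and office addresses an allow-list
# like the one in the proftpd.conf above would contain.
ALLOWED_UPLOADERS = [ipaddress.ip_network("192.0.2.10/32"),
                     ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample in xferlog format. Fields, in order:
# weekday month day time year xfer-secs remote-host size filename type
# special-action direction(i=upload, o=download) access-mode username service
# auth-method auth-uid completion-status(c=complete, i=incomplete)
SAMPLE_XFERLOG = """\
Mon Feb  1 09:12:44 2010 1 192.0.2.10 20480 /var/www/html/index.php b _ i r webdev ftp 0 * c
Mon Feb  1 09:13:02 2010 1 192.0.2.10 512 /var/www/html/css/site.css b _ i r webdev ftp 0 * c
Tue Feb  2 03:41:17 2010 1 203.0.113.77 1290 /var/www/html/index.php b _ i r webdev ftp 0 * c
Tue Feb  2 03:41:18 2010 1 203.0.113.77 640 /var/www/html/images/logo.gif.php b _ i r webdev ftp 0 * c
Tue Feb  2 03:41:19 2010 1 203.0.113.77 8800 /var/www/html/includes/menu.js b _ i r webdev ftp 0 * c
Tue Feb  2 10:05:00 2010 1 198.51.100.23 4096 /var/www/html/index.php b _ o r webdev ftp 0 * c
"""


def parse_xferlog_line(line):
    """Split one xferlog record into a dict. The nine fields after the filename
    are fixed, so the filename is taken from the middle to survive spaces in it."""
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError("not an xferlog record: %r" % line)
    try:
        remote = ipaddress.ip_address(tokens[6])
    except ValueError:
        remote = None  # hostname logged instead of an address; treated as not allowed
    return {
        "time": datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y"),
        "remote": remote,
        "size": int(tokens[7]),
        "filename": " ".join(tokens[8:len(tokens) - 9]),
        "direction": tokens[-7],
        "username": tokens[-5],
        "completed": tokens[-1] == "c",
    }


def is_allowed(remote, allowed):
    """True if the address falls inside any allow-listed network."""
    return remote is not None and any(remote in net for net in allowed)


def suspicious_uploads(log_text, allowed=ALLOWED_UPLOADERS):
    """Completed uploads ('i' direction) whose source is outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec["direction"] == "i" and rec["completed"] and not is_allowed(rec["remote"], allowed):
            hits.append(rec)
    return hits


def compromise_summary(log_text, allowed=ALLOWED_UPLOADERS):
    """What a restore needs: first rogue upload, rogue sources, accounts used,
    and the files to restore or review."""
    hits = suspicious_uploads(log_text, allowed)
    return {
        "first_seen": min(h["time"] for h in hits) if hits else None,
        "sources": sorted({str(h["remote"]) for h in hits}),
        "accounts": sorted({h["username"] for h in hits}),
        "files": sorted({h["filename"] for h in hits}),
    }


if __name__ == "__main__":
    summary = compromise_summary(SAMPLE_XFERLOG)
    print("first rogue upload:", summary["first_seen"])
    print("from:", ", ".join(summary["sources"]), "as", ", ".join(summary["accounts"]))
    for name in summary["files"]:
        print("restore/review:", name)
```

On a real server, feed it the contents of `/var/log/xferlog` (or wherever TransferLog points) and your own allow-list; the `first_seen` timestamp is the cut-off your restore backup must predate, and the `accounts` list tells you which credentials to rotate first.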
  • jminkler

    You're getting hit from the INSIDE... check all your machines for Trojans. A designer friend of mine got hit from a PDF vulnerability. They took over servers the same way through his Dreamweaver IDE, and took over his Twitter accounts.

    Whoops... late to the party. Yeah, this is pretty serious. Best to use SFTP or WinSCP to transfer files, maybe? Seems it knows where Dreamweaver puts its passwords.