Server Security - any ideas?

I am having a big problem with security on one of my sites. The site is a
pretty large custom-built application on a dedicated server. It is not
launched yet, as we are still ironing out some bugs.


Over the last couple of months we've been facing some security breaches
where code has been getting inserted to all of the pages of the site. The
code that is inserted runs a script that downloads a trojan to the visitor's
computer. Needless to say Google started listing it as an attack site.


The first time this happened, we went through and removed all the
offending code from the site. I changed all the passwords, and we were
good for about a month.


Now, I have just noticed the same thing happening again. One line of bad
code is showing up before the body tag on every page.


We can remove it all again, but I am more interested in stopping this from
happening in the future. Hosting support at Inmotionhosting has not
been all that helpful, and suggested that perhaps someone had gotten my
FTP password.


Does anyone know the steps I need to take to stop this from happening in
the future?

If anyone is an expert on server security, I would gladly pay for your time
to work with me to secure the site!
#programming #ideas #security #server #server security
  • You need to speak with the server techs at inmotion. They can give you all the information you need on when, how, where the breaches happened. I can't believe they charge for a dedicated server, and then give you second rate support there mate. Not good at all.

    The obvious solution would be to take your business elsewhere, as the hosts are clearly not too bothered about hackers running around their servers. Rackspace have always ticked the boxes when it comes to security, based on my personal past experience in large and medium corporate situations. If you want to go low on budget, then there are the usual suspects like Host Gator - and another very reliable one is Heart Internet.

    If you really want to stay with them mate, then they need to pull their finger out and give you some proper answers. These guys will be trusted with all your data when you go full-on live. Not sure I'd take the risk.

    Whatever you decide, the best of luck Michael
    • [1] reply
    • Thanks Mark. I will certainly be taking this to hosting support to see what they can do - and if it is not satisfactory then I will move on to someplace else.

      Rackspace looks great, but wow they are expensive - although this application does make a lot of DB queries so maybe that's what I need!

      So far I have not had luck with servers in the sub-$350 range. Do you think that Hostgator or Heart Internet may give me a better experience?
  • It's not necessarily coming "from the inside"... so they may not have access to your server. It could be a vulnerability of the script. If it's custom developed it may not be thoroughly tested against this sort of thing.

    Perhaps there are scripts with open permissions (chmod 777), or if you're running on a CMS it could be a database injection problem.

    I'm not expert enough to know how to reliably track the source, unfortunately.

    -Ryan
  • If I had to choose based on the above - Heart Internet, every time

    Hope you get sorted!
    • [1] reply
    • I would like to look for a specialist to help me with this problem. Does
      anyone know exactly what kind of specialist I am looking for? I just want to
      know what this person would be called so I can post for it in elance, etc. Am
      I looking for someone who is a network administrator?
      • [1] reply
  • Another thing you can look for is "server hardening". There are many places that offer a flat rate for testing and closing security holes. Average cost seems to be $50 to $100 bucks.

    -Ryan
    • [1] reply
  • Did you design it yourself or did you pay some company to design it for you?

    We are talking about PHP+MySQL injection? If yes, have you tried the HTTPS protocol?

    That's not much of a good thing to do, because you will get blacklisted sooner or later from all search engines.

    Have you checked your source code for statements that might be prone to code execution?

    They ought to be supporting you and giving some tips or even solutions since it's their server, that you pay them to rent.


    Before asking for public help have you tried testing your server for bugs? + upgrading to the newest kernel distribution?
    That might help!
    • [2] replies
    • Thanks for the above replies. My situation is all set now.

      It turned out that it was the Gumblar Virus, and it is indeed from FTP
      passwords having been harvested from a local computer that had the virus
      on it. In my case, it was the programmers that I outsource to that had an
      infected machine. So I really can't blame the hosting company. I will
      suggest to them that they provide better suggestions for how to remove
      the virus though because they didn't give me much in the way of
      directions of what to do. I had to figure it all out myself.

      If you do a search on ScanSafe STAT Blog for gumblar you'll find all the
      info you need to know in order to get the virus off your system.

      It mostly affects your .js files and some .php files. It also adds new files
      to your server where it will take a filename for an image that you already
      have and use that file name and add .php to it. So it is trying to hide itself
      from you. It also seems to delete a bunch of your images.

      Doing a few greps can weed out all the pages that have been infected.

      A good practice right now is to update your FTP passwords often, like once
      or twice a week. The virus first harvests your password, and then at a
      later date attacks your site, so if you are constantly changing your FTP
      password then you should be pretty safe.

      Once you know what you are looking for it is not all that hard to deal with,
      but it sure isn't fun getting listed as an attack site in Google!

      One other thing I thought was interesting was that the virus only affected
      folders with very common names - like images, javascript, includes. I
      even have a folder called Images and that one was clean. So, that
      suggests that using non-conventional naming for your folders could be
      some level of protection too. I'm not sure about that but thought it was
      interesting.
      • [1] reply
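The symptoms described in the post above (a script line wedged in before the body tag, image-named `.php` files dropped next to real images) and the chmod 777 point raised in an earlier reply can all be checked with a small read-only scanner. This is an added example written for this thread, not code from any poster or from ScanSafe; every check is a heuristic rather than a Gumblar signature, the sample web root is constructed in a temp directory, and the URL in it is a placeholder.

```python
"""Added example, not code from the thread: a read-only scanner for the
symptoms the thread describes, so a defender can find what to clean up.
Each check is a heuristic, not a Gumblar signature:
  1. a <script> tag sitting between </head> and <body>, i.e. the "one line of
     bad code before the body tag" from the post;
  2. a .php file whose name is an existing image's name plus ".php"
     (logo.gif.php next to logo.gif), the hiding trick the post describes;
  3. world-writable (chmod 777) files or directories, raised in an earlier reply.
The sample web root is constructed in a temp directory; the URL in it is a
placeholder, not real malware.
"""
import re
import stat
import tempfile
from pathlib import Path

PAGE_EXTS = {".html", ".htm", ".php"}
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
HEAD_CLOSE_RE = re.compile(r"</head\s*>", re.IGNORECASE)
BODY_RE = re.compile(r"<body\b", re.IGNORECASE)


def script_between_head_and_body(text: str) -> bool:
    """True if a <script> tag appears after </head> but before <body>.

    Legitimate pages keep scripts inside <head> or inside <body>; a script
    wedged into the gap between them is worth a manual look.
    """
    head_end = HEAD_CLOSE_RE.search(text)
    body = BODY_RE.search(text)
    if not head_end or not body or body.start() < head_end.end():
        return False
    return SCRIPT_RE.search(text[head_end.end():body.start()]) is not None


def lookalike_php_files(root: Path) -> list[Path]:
    """Find foo.gif.php-style files that shadow an existing image name."""
    found = []
    for p in root.rglob("*.php"):
        image = p.with_suffix("")  # strips only the trailing ".php"
        if image.suffix.lower() in IMAGE_EXTS and image.exists():
            found.append(p)
    return sorted(found)


def world_writable(root: Path) -> list[Path]:
    """Find files and directories with the 'other' write bit set (e.g. 777)."""
    return sorted(p for p in root.rglob("*") if p.stat().st_mode & stat.S_IWOTH)


def scan(root: Path) -> dict:
    """Run all three checks; paths are reported relative to the web root."""
    def rel(p: Path) -> str:
        return str(p.relative_to(root))

    injected = [
        rel(p) for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in PAGE_EXTS
        and script_between_head_and_body(p.read_text(errors="replace"))
    ]
    return {
        "injected": sorted(injected),
        "lookalike_php": [rel(p) for p in lookalike_php_files(root)],
        "world_writable": [rel(p) for p in world_writable(root)],
    }


def build_sample_root() -> Path:
    """Constructed web root: one clean page, one page with a script in the
    head/body gap, an image-named .php file and a 777 'includes' directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "images").mkdir()
    (root / "includes").mkdir()
    (root / "includes").chmod(0o777)
    (root / "images" / "logo.gif").write_bytes(b"GIF89a")
    (root / "images" / "logo.gif.php").write_text("<?php /* placeholder */ ?>")
    (root / "includes" / "header.php").write_text("<?php echo 'hdr'; ?>")
    (root / "clean.html").write_text(
        "<html><head><script src='app.js'></script></head>\n<body>ok</body></html>\n"
    )
    (root / "index.php").write_text(
        "<html><head><title>t</title></head>\n"
        "<script src='http://example.invalid/x.js'></script>\n"  # placeholder URL
        "<body>hello</body></html>\n"
    )
    return root


if __name__ == "__main__":
    for check, paths in scan(build_sample_root()).items():
        print(f"{check}: {paths}")
```

Point `scan()` at a copy of the real document root rather than the live one, and treat every hit as something to inspect by hand: the head/body-gap check in particular will miss an injection placed inside `<head>` and will flag any site that deliberately puts a script there. Cleaning the files without also rotating the FTP credentials and disinfecting the workstations that hold them, as the post above found, just invites the next round.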
    • SSL will not prevent SQL injections
      • [1] reply

  • You're getting hit from the INSIDE ... check all your machines for Trojans .. Designer friend of mine got hit from a PDF vulnerability. They took over servers same way through his dreamweaver IDE, and took over his twitter accounts.

    Whoops .. late to the party, yeah this is pretty serious .. best to use SFTP or WINSCP to transfer files maybe? Seems it knows about where dreamweaver puts its passwords ..
