This post is driven partly by curiosity and partly by need. I have done quite a bit of research on the issue and it's not a present problem, but one I'd like to prevent in the future.
So I'd like to ask those with more experience in the matter to help me figure this out:
I exclusively develop using well known open source scripts.
In the past 15 years (yes that long) and 5 years of building exclusively dynamic website I have had only 2 sites that were hacked (with a third possible but through a different method).
In almost every case the main reason was that the owner of the site had not agreed to my very reasonable "maintenance" agreement and therefore the script or an added component had gone unpatched, creating a security hole. (By the way, I do patch most of my sites for free, but after a year or so without hearing from the client or when the client hires someone else, I usually do not continue patching their sites but I do send them instructions on how to do it themselves).
I did have occasion to work on about another 10 or so websites that had been hacked badly. My job mostly consisted of either trying to repair the damage or move the content to a fresh new website via a selective DB dump. (Meaning, moving just the content and no other tables that may contain malicious code)
In any event, some these exploits were done by using an hidden Iframe full of links to pharmaceuticals websites. I have learned this is quite common.
The fact is that over the years I have built or participated in building well over 300 websites and manage at any one time at least 20 to 50 but only 2 have ever been hacked, makes me think that the security hole was, hopefully, not due to my own computer, local virus or bad procedures on my part.
Very likely the unpatched scripts are at fault and/or the fact that some clients, even after being warned repeatedly, insist on using passwords such as "iam2cool" or even "george" or "fluffy" (made those up, but you know what I mean).
My questions are as follows:
What is the entry procedure or where can I learn it. I figure that if I want to avoid becoming a victim again, I should test my own sites or at least a clone of the site on the same server. I manage some sites that are going to be juicy targets for hackers and general vandals.
Since I work mainly either off dedicated servers or shared hosting accounts, where can I learn better tricks to keep them safe, beyond what their techs already do or what I can read on this pages. I already know and use the basics, but I feel I could learn a bit more on securing and testing my sites.
Finally, and this has been bugging me for a long time, what the hell are these people gaining from their hacks? What does an Iframe full of link do for them financially or otherwise? Is it pagerank they are after?
To me (or my clients, I should specify) the result is just a royal pain and a nasty mail from Google saying that the site is going to be taken off the directory.
What do they gain. and is their effort justifiable given teh amount of time they had to dedicate to learning and implementing these hacks (I also assume not all of them work at the first crack)).
For instance, once I worked on a site where a malicious script was installed utilizing a Frontpage vulnerability. Since the owner did not even use frontpage I deleted it, check the other directories and changed all passwords and the site was fixed. But the script was obviously a mailer and I think I am correct in assuming they wanted to use the server as a spambot.
But in the case of the Iframe I would not think there really is a search engine out there that can be fooled by a tactic like that. Or am I being naive? What loophole are they exploiting?
Here I am assuming they are not doing it for fun, of course. I really doubt that's the reason.
Can someone with more experience illuminate this issue for me?
Thank you kindly.
The links here in my signature will take you to two articles, which link to several more (that are more detailed and advanced than their titles imply), that will provide you with at least several hours of reading and study, and that will answer almost all the questions you posed.
Thank you very much. The "several hours" part is a bit intimidating. But it's time to bite the bullet and add this knowledge to the one already rattling my brain.
Thanks a lot.
The most helpful single piece of advice i've ever recieved on security is:
NEVER trust anything from the client.
Validate form data.
Never offer secure content because someone has formed a correct URL - Re-validate to make sure querystring data makes sense and the logged in user has access to that content.
Use web standards so you're not mis-using the web technologies.
Hello thank you very much.. I'll bookmark your site.. sometime some hacker attack my site and put a malware on my website..it's really frustrating
In addition to server side validation, I also add filters to all url & form variables to strip certain stop words (like title,script,js,--,declare,char,exec). This effectively disables malicious strings. For my site, I have to approve / deny content submissions, so this allowed me to handle the people even if they registered on the site and then tried to submit attacks through the forms. The altered (disabled) script shows up in a que when logged in as an admin, and I trim the spam from the site with no concern about the malicious code it once contained.. there is a bunch of garbage and links in there (easy to spot), but no iframes/scripts or other bad code.
Im sure my list is incomplete (and its also a little longer than what I posted.. based on some specifics I learned analyzing the attack).. I compiled it after I had a hacker insert tons of junk into the database. Took a lot of scripting to recover the data.
Thanks for the link.I always thought wat hackers gain from hacking sites.Actually each site is made secure by different method so they are just challenging themselves.It is mainly for fun.60-40 ratio is there.:x
I am a total newbie about web security for your sites. I only use open source products like Joomla and WordPress. I already know it is important to patch and upgrade whenever a new version comes along. What other things should I be looking into to keep my sites and my visitors safe on the web.