This post is driven partly by curiosity and partly by need. I have done quite a bit of research on the issue and it’s not a present problem, but one I’d like to prevent in the future.
So I’d like to ask those with more experience in the matter to help me figure this out:
I exclusively develop using well known open source scripts.
In the past 15 years (yes, that long), and 5 years of building exclusively dynamic websites, I have had only 2 sites that were hacked (with a third possible, but through a different method).
In almost every case the main reason was that the owner of the site had not agreed to my very reasonable “maintenance” agreement and therefore the script or an added component had gone unpatched, creating a security hole. (By the way, I do patch most of my sites for free, but after a year or so without hearing from the client or when the client hires someone else, I usually do not continue patching their sites but I do send them instructions on how to do it themselves).
I did have occasion to work on about another 10 or so websites that had been hacked badly. My job mostly consisted of either trying to repair the damage or move the content to a fresh new website via a selective DB dump. (Meaning, moving just the content and no other tables that may contain malicious code)
In any event, some of these exploits were done by using a hidden iframe full of links to pharmaceutical websites. I have learned this is quite common.
The fact that over the years I have built or participated in building well over 300 websites, and manage at any one time at least 20 to 50, yet only 2 have ever been hacked, makes me think that the security hole was, hopefully, not due to my own computer, a local virus or bad procedures on my part.
Very likely the unpatched scripts are at fault and/or the fact that some clients, even after being warned repeatedly, insist on using passwords such as “iam2cool” or even “george” or “fluffy” (made those up, but you know what I mean).
My questions are as follows:
What is the entry procedure, or where can I learn it? I figure that if I want to avoid becoming a victim again, I should test my own sites, or at least a clone of the site on the same server. I manage some sites that are going to be juicy targets for hackers and general vandals.
Since I work mainly either off dedicated servers or shared hosting accounts, where can I learn better tricks to keep them safe, beyond what their techs already do or what I can read on these pages? I already know and use the basics, but I feel I could learn a bit more on securing and testing my sites.
Finally, and this has been bugging me for a long time, what the hell are these people gaining from their hacks? What does an iframe full of links do for them, financially or otherwise? Is it PageRank they are after?
To me (or my clients, I should specify) the result is just a royal pain and a nasty mail from Google saying that the site is going to be taken off the directory.
What do they gain, and is their effort justifiable given the amount of time they had to dedicate to learning and implementing these hacks? (I also assume not all of them work at the first crack.)
For instance, once I worked on a site where a malicious script was installed utilizing a Frontpage vulnerability. Since the owner did not even use Frontpage, I deleted it, checked the other directories and changed all passwords, and the site was fixed. But the script was obviously a mailer, and I think I am correct in assuming they wanted to use the server as a spambot.
But in the case of the iframe, I would not think there really is a search engine out there that can be fooled by a tactic like that. Or am I being naive? What loophole are they exploiting?
Here I am assuming they are not doing it for fun, of course. I really doubt that’s the reason.
Can someone with more experience illuminate this issue for me?
Thank you kindly.
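One practical check for the hidden-iframe and hidden-link injection described in the post above, added here as an example and not part of the original post or anything its author ran. It is a stand-alone Python scanner using only the standard library; the sample page, the host names (pharmacy.example, malicious.example, www.mysite.example) and the heuristics for what counts as "hidden" (display:none, visibility:hidden, off-screen positioning, 0x0 or 1x1 frames, the HTML5 hidden attribute) are my own constructions. It flags iframes that are hidden or sit inside a hidden container, and external links inside a hidden container, which is the pattern of the pharmacy-link spam the post mentions.

```python
"""Scan HTML for hidden iframes and hidden blocks of external links.

Added example (not the poster's code). The sample page, host names and
hiding heuristics below are constructed for illustration.
"""
import pathlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make an element invisible to a visitor.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px"      # pushed off-screen
    r"|(?<![\w-])(?:width|height)\s*:\s*0*[01]px",    # 0px / 1px box
    re.I,
)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base",
             "col", "embed", "param", "source", "track", "wbr"}


def _is_hidden(attrs):
    """True if the element's own attributes hide it."""
    if "hidden" in attrs or HIDING_STYLE.search(attrs.get("style", "")):
        return True
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    return w in ("0", "1") and h in ("0", "1")   # 0x0 / 1x1 pixel frame


class HiddenContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []       # (kind, url, reason) tuples
        self._stack = []         # (tag, hidden) for each open element
        self._hidden_depth = 0   # > 0 while inside a hidden element

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        hidden = _is_hidden(attrs)
        if tag == "iframe":
            src = attrs.get("src", "")
            if hidden:
                self.findings.append(("iframe", src, "hidden iframe"))
            elif self._hidden_depth:
                self.findings.append(("iframe", src, "iframe inside hidden container"))
        elif tag == "a" and self._hidden_depth:
            href = attrs.get("href", "")
            host = urlparse(href).hostname or ""
            if host and host != self.site_host:
                self.findings.append(("link", href, "external link inside hidden container"))
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))
            if hidden:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed/stray tags.
        if not any(t == tag for t, _ in self._stack):
            return
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def scan_html(html, site_host):
    """Return a list of (kind, url, reason) findings for one page."""
    scanner = HiddenContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_directory(root, site_host, exts=(".html", ".htm", ".php", ".tpl")):
    """Walk a local copy of the site and report pages with findings."""
    report = {}
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_html(path.read_text(errors="replace"), site_host)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: one legitimate embed, one off-screen link farm,
# one 0x0 iframe, and one iframe inside a display:none paragraph.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div style="position:absolute; left:-9999px">
  <a href="http://pharmacy.example/cheap-pills">cheap pills</a>
  <a href="http://pharmacy.example/buy-now">buy now</a>
  <a href="/contact">contact</a>
</div>
<iframe src="http://malicious.example/loader.php" width="0" height="0" frameborder="0"></iframe>
<p style="display:none"><iframe src="http://malicious.example/2.php"></iframe></p>
</body></html>"""

if __name__ == "__main__":
    for kind, url, reason in scan_html(SAMPLE_PAGE, "www.mysite.example"):
        print(f"{kind:6} {reason:40} {url}")
```

Run it against a local clone of the site (scan_directory) rather than the live server, and treat every hit as something to explain, not necessarily malware: a legitimate tracking pixel or analytics iframe will also match, so the site owner's own embeds need to be allow-listed by host. The scanner only sees what is in the files; an injection that is assembled at request time by a compromised PHP include will only show up if you scan rendered output, so fetching each page and feeding the response body to scan_html is the complementary check.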