  1. #1 TechnoBear

    Trying to learn about Web security

    Three of my sites were hacked a few weeks ago, and I'm trying to learn as much as I can to prevent it happening again. I'm a complete beginner at these things, so I apologise if this is a daft question.

    I've been checking the 404 error logs for all my sites, and on the three that were hacked, there are requests for back-up copies of legitimate pages e.g. index.html.bak, index.html.~, index.html.sav etc. - same pattern for every page on the site. None of my other (unhacked) sites have this.

    I understand that a .php back-up file with an altered extension can allow a hacker to read the content, but why would they want an old .html or .css file? There are no backup copies of anything on any of my sites, but why is somebody looking for them? All three sites are very small, static html sites, with nothing more interactive than a Google map.

    I'd really just like to understand what's going on here, as I'm feeling generally very bemused by the whole thing. Thank you.

  2. #2 SitePoint Enthusiast
    Hi,

    What is the user agent and IP of the requests generating these 404s?
    This can just be a scanner looking for backup resources. Sometimes these include developer comments or additional information that can help an attacker to find a way into the application.

    What was the result of the hack? Are you sure your site is clean?

    Eldad

  3. #3 TechnoBear
    Hi Eldad,

    Thanks for your reply. I don't have user agent/IP information for the 404 requests.

    The three hacked sites are on shared hosting, all with the same company but on two different servers. Two of them (on different servers) had directories added and the .htaccess file amended and its file permissions altered. The third site had files added to the cgi-bin. One site was hacked using FTP, so I have an exact date and IP for that; the other one with an additional directory could only have been a couple of weeks earlier or I'd have spotted it sooner; and the third one (the cgi-bin) I have no idea about.

    One hack appeared to be using the domain name without the www. to host stuff. The other extra directory was presumably intended to do the same thing, but I caught it the day after it was posted. I couldn't read the cgi-bin files and have no idea what they were doing or trying to do.

    I removed all files from the sites, carried out a virus scan, uploaded clean copies from my computer, re-ran the virus scan, changed all the passwords and changed file permissions to 404 and directory permissions to 505. I asked Google to re-evaluate the one site that was flagged up and they found no problems with it. I'm as sure as I can be that the sites are clean now.

    TechnoBear

  4. #4 Aleksejs
    Setting permissions to 404 or 505 in effect means that you are giving write permissions to everyone (others)! Did you mean 440 and 550?

  5. #5 TechnoBear
    No, I meant 404 and 505. Unless I'm much mistaken, those are read-only permissions. Certainly, I can't upload anything to the image folder without first changing the permissions to 705, so I'm pretty sure that's right.

  6. #6 Mittineague
    "5" is read and execute

    I'm guessing Aleksejs meant to say "everyone instead of group"

  7. #7 Aleksejs
    Yes - sorry. End of day, posting via phone...
    2, 3, 6 and 7 are for write.
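An added example, not code from the thread: it decodes the octal modes argued about above (404, 505, 440, 550, 705) into per-class rwx strings and lists which classes hold the write bit, which is where the 404-vs-440 confusion came from. The `web_readable` check assumes the shared-hosting web server is neither the file owner nor in its group (an assumption; check with the host).

```python
from typing import Dict, List

# Constructed list of the modes mentioned in the thread (not a real server's files).
THREAD_MODES = ["404", "505", "440", "550", "705"]
CLASSES = ("owner", "group", "other")


def decode_digit(digit: int) -> str:
    """One octal digit -> rwx string: r = 4, w = 2, x = 1 (so 2, 3, 6, 7 carry w)."""
    if not 0 <= digit <= 7:
        raise ValueError(f"octal digit out of range: {digit}")
    return (("r" if digit & 4 else "-")
            + ("w" if digit & 2 else "-")
            + ("x" if digit & 1 else "-"))


def describe_mode(mode: str) -> Dict[str, str]:
    """Map a mode such as '404' (or '0404') to per-class rwx strings."""
    digits = mode[-3:]
    if len(digits) != 3 or any(c not in "01234567" for c in digits):
        raise ValueError(f"expected a three-digit octal mode, got {mode!r}")
    return {cls: decode_digit(int(c)) for cls, c in zip(CLASSES, digits)}


def writable_by(mode: str) -> List[str]:
    """Classes that may write; empty for a read-only mode such as 404."""
    return [cls for cls, rwx in describe_mode(mode).items() if "w" in rwx]


def web_readable(mode: str) -> bool:
    """Assumption: on shared hosting the web server runs as a user that is
    neither the file owner nor in its group, so it reads through 'other'.
    Under that assumption 440/550 would make the site unreadable."""
    return "r" in describe_mode(mode)["other"]


def audit(modes: List[str]) -> Dict[str, Dict[str, object]]:
    """Summarise each mode: rwx per class, who can write, web-readable or not."""
    return {m: {"rwx": describe_mode(m),
                "writable_by": writable_by(m),
                "web_readable": web_readable(m)} for m in modes}


if __name__ == "__main__":
    for mode, info in audit(THREAD_MODES).items():
        rwx = " ".join(f"{c}={v}" for c, v in info["rwx"].items())
        print(f"{mode}: {rwx:<33} write={info['writable_by'] or 'nobody'} "
              f"web_readable={info['web_readable']}")
```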
