This is my first topic post, so please be gentle with me.
A few days ago I noticed that a folder on my website structure seemed to have been deactivated by my web host. They don’t say why of course (that would be much too helpful), but they do show a stat that says they blocked 13 hacker attempts in the past week. So my guess is that the hacker was aiming at the contents of my cgi folder.
My first question is whether there is a way of determining which bit of script the hacker was targeting. Do I suspect everything in that folder, or are there some obvious scripts that I really shouldn’t have been using?
To keep it brief, the folder contained my search engine (Fluid Dynamics Search Engine, 2003), my feed2js gadget (used in its most basic form to provide a list of hyperlinks from the site’s RSS feed), and the ‘email a friend’ tool. I have these all working in a different folder now, but I think should investigate further.
Well, I do not think that is a very easy question to answer. But, taking it from the hacker’s viewpoint, one way they usually get into sites to mine email addresses, credit card numbers, etc., is to get into a weakly secured search engine and attempt to hack into the database. Lots of ways to try that. Most involve inserting commands into the search text. Most can not get thru a few simple standard security functions in PHP. You just do not accept the inputs raw. They must be filtered before touching them.
Another issue on newer servers is that your code in those folders may be going out to other sites in the wrong manner. The errors would indicate more info on the cause of the issues. If you have a standard server, meaning one with a full control panel and full access to all sections of the server, you will have a lot of hidden logs which would indicate more info. These logs are usually cryptic, but, they give you a lot of insight into the errors that are happening. In your case, it could be something as simple as folder permissions. You might have to alter the settings for that folder to be less “open”.
Logs are quite often just stuck in a standard place in the server. For instance, the access log for an Apache server might be at " /var/log/apache2/access.log " which is easy to access. You basically view the log with any text editor. I usually copy it to my local computer to review. But, of course, I have a standard server with a way to access this file. It is located in a different place in another Windows based server I access. In this log, it usually shows the folder access errors along with the IP address of the computer trying to get to your data.
If you want to read about this further, here is a link where the author set up an Apache server and hacked into it from a networked system. It discusses a lot of issues and may interest you. It is most likely a bit over your experience level, but, you can get some ideas from it in the “Analyzing the logs” section. This page has an annoying pop-up, just X out of it to be able to read it: http://resources.infosecinstitute.com/log-analysis-web-attacks-beginners-guide/ In most cases in your server, you want the folder permissions to be set at the lowest-access levels that will keep the site working. For public upload files, of course, you have to set them to higher-access levels so that most users can upload data. This data needs to be validated before using in your site, though.
Now, usually the server has logs that tell the reason they blocked the access to the folder. It is hidden in the error logs and sometimes very hard to locate. You mentioned error messages. Can you post one for us?
Well, I feel that I have not helped you much, but, tried to get you started thinking about security and hackers. Post a few of the error messages and maybe we can help further. Good luck!
Peter,
Also, I checked into the search engine you mentioned. It has several known loopholes that hackers are aware of.
If you go to Google and use these words " fluid dynamics search engine exploit ", you will find a ton of sites that discuss it at various levels. You might want to spend a little time reading some of these sites. They give you a lot of info on that search engine’s weak spots.
To take all your wonderful hints and tips in no particular order, the version of FDSE I’m running is v2.0.0.0067, which seems to take it past some of the vulnerabilities listed in a search for FDSE exploits. But, as this version alone is thirteen years old, I’d imagine that it’s still highly vulnerable.
The search database contains nothing worth stealing. It indexes the contents of the site’s 2000+ pages which are filled entirely with history research and articles. I have no worries about anything vital being stolen from there but I do worry that any future attempt to hack it will result in my unhelpful web host simply ‘switching off’ that entire folder, without even telling me and without telling me why. Relaunching it in a freshly named folder means an upload of every single page that has the common header. That takes a while!
What you’ve said so far, though, really highlights how little I know about any of this. I can manage some very nice html and css, but the programming side of it just seems to switch off my brain. My eyes glaze over very quickly!
My guess is that my web host is running the equivalent of a newer server. They’ve recently forced all users to upgrade the PHP on their accounts and have also upgraded the online mail accounts and other elements. They’re one of the big web hosting companies, but their user help and communication is appalling.
I do have the logs, but I might as well be reading Chinese when I open the ftp.log file. I didn’t have any error messages though. When the original cgi folder was deactivated by the web host, and I tried to use the search engine, or the ‘email a friend’, my Error 500 page kicked in.
Okay, so even if I can’t do anything else, I can at least read through some FDSE exploit links and see if anything covers my version or later…
The host should definitely notify you when action is taken against your account; for this reason I’d consider switching.
You need someone experienced to have a look at what’s going on. I’d also expect to get some kind of response if I asked the web host what the site was shut down for.
That would be fair to assume, I’d be very impressed of any web script of that age which has an acceptable level of security.
If I were the host I would suspend the account if you just moved the problem to a new directory. Note that I still think the host should definitely notify you when action is taken against the account, but they have to take some action.
You seem to fall into the normal trap of thinking “I have nothing worth hacking”, but you definitely do. I assume you rent a shared hosting solution at some web host. Meaning you probably share the server with 1000 different sites. While there of course lies quite a big responsibility in the hands of the host to properly secure their systems, having your site as an open entry for anyone wanting to “snoop around” is an unnecessary risk. Since we do not know what kind of security issue your site has we must assume the attacker may get control of your web server user (way too common). This hopefully means that he only has access to your isolated space on the server, but anyone who knows computers knows that such boundaries are often possible to break through. One error or bug in their server may allow the attacker to easily access any other user account that is on that server.
Even if the attacker is confined to your private space on the server he can do all kinds of malicious activity there, like including the server in a DDoS network to attack other sites/services. Since you share the processing power, memory and bandwidth with a lot of other users this can mean cancellation of your hosting service as you’d be exceeding the max usage stated in the hosting plan terms (leading to a degraded service for potentially thousands of other users). The amount of users on the same server, and the usually very low cost of these services means that hosting providers can’t afford (time/money) to give a good enough service level for these customers. If they did they would simply not make a profit on it.
Great!
Then change
The ftp log file is probably just for the activity on the FTP service on the server. I’d be more interested in actual server logs etc.
[hr]
The general consensus these days is that if you have a break in it’s much easier to tear down the server and redeploy to a new one. You simply can not trust a server that has been compromised.
[hr]
I would suggest you try to get more information from the host on the issue.
[hr]
There are other hosting options available as well, though none will have any guarantee of keeping such a site online.
Shared hosting: Will get taken down quickly to minimize problems for other users of the same resources
Dedicated hosting: Will get taken down to protect the infrastructure of the host
Virtual Private Server: Will get taken down to protect the infrastructure of the host
Private server: Will get taken down to protect the infrastructure of the host
Host it yourself: Your ISP may cancel your internet connection if it’s abused
Well, many times hackers are from the same IP address. Usually, you just set up your server to lock out the offending IP address or addresses and no more trouble. Most all newer servers have a way to ban IP addresses from using the server.
It is seldom a FTP attack though as you mentioned. Normally it is done thru the browser and Javascript. Of course, lots of other ways to hack a site. Did you actually call your hosting company to talk about this with a tech? You might want to do so. But, to ban an IP, you need to see the actual error message that was posted.
I would suggest calling them and ask why the folder was disabled. If you own the rights to a server, they should not care about what you house inside the server. It should mean nothing to them at all. Unless it is a “shared-Host” system where not all of your system is your own. In this case, your CGI folder would exist “inside” their larger CGI folder and therefore, they would not want hackers in it. Did that make sense? Who is your server provider and is it a shared server or a dedicated one?
Guessing you will have to call them to get more info on why this is happening or it will just happen again! Sorry could not be any further help…
That’s not so simple, as this site is run on the free web space that is left over from my business site (as the site space is in theory unlimited, that’s more space than I’ll ever need anyway).
You end up going around in circles on the web host interface when trying to find out anything. Speaking to their advisers in person is similar to attempting to purée your brain while still using it to think with. They want more money before they will show me the details of the attack, including the attacker’s IP address.
I have what I assume are server logs, with names beginning: access.log…gz
I don’t know how an IP address might be banned from using the server itself, but I can certainly ban IP addresses from accessing the site by entering the address in the site’s main htaccess file. Anyone who spams my sites gets an instant block. But the web host isn’t releasing information of this hacker’s IP address. If he was attacking the site via the search engine then he probably wouldn’t actually carry out a search (or would he?). That’s the only way I might have a log of a possible IP address short of unscrambling the gobbledegook of the web host’s log files.
I’ve had a little experience before now of how they - and let’s name the beast: 1&1 - deal with problems. The last time, three or four years ago, it was someone riding on the ‘emailafriend’ script to send out a mass of spam emails. They simply shut down my entire account for two days, business site included. They did email me, but it didn’t make much sense until I tried to visit one of my sites.
I think a far more productive approach would be to attempt to plug security holes myself (!) or replace what I have with newer, better resources. That’s going to be a huge step though.
I’d also like to replace the emailer resource with one that requests a captcha for each send. I tried to do it myself once and after several days of trying had to give up.
Well, post some of the access log here. If it is private info such as your business connections, then send it in a private message, but, since you have no data on it you are worried about, post some of the last part of the log here.
The *.gz means it is a ZIPPED file and you can use 7-zip or other utility to un-zip it. Then, look at the file and see if you can guess where the IP of the hacker is. Then, ban them…
Check the dates around the time your account was suspended.
I would find a new host, oh wait, I did and took the account of the company I was working for at the time with me as well. That was $1500 a month they lost
It was on Friday 24 June that I noticed the lack of a working cgi folder. So the best bet is to start there and work backwards by a few days.
Luckily I have 7-zip, which opened the archive, ‘access.log.24.gz’. Inside was a file named ‘access.log.24’, but what do you open that with? I tried notepad but it became non-responsive.
Well, most likely, the file is too large for Windows notepad… Try Notepad++. It is free and works well with larger text files. I bet it would open it for you. https://notepad-plus-plus.org/download/v6.9.2.html
In that list, locate the date/time about when you had the problem and most likely you will find more info to help with this…
Peter, 1&1 is a low-cost (Low-Budget) hosting company. They usually put you onto a “shared” server, not a real server where you have full control over everything. But, as you say, you can ban IP’s using your htaccess file. But, only if you can identify them.
In that log file, around the time you were hit, you can find the IP address and then do a reverse check on them (Who-Is) and see where they are and ban them if you need to. Quite often, you can find their server online and ban the entire server range of IP’s.
I had to do that once for a forum I set up for a site. A few days after setting up the site, it was loaded with about 7,000 adverts from China and Russia… Once the IP’s were banned, no further issues… It was an interesting process! Good luck!
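An added example, not from this thread or any of its posters: a small Python script that does the log review the last few posts describe (read the access.log.*.gz directly, narrow it to the days around the suspension, and count requests to the cgi folder per IP, flagging anything unlike a normal GET). The /cgi-bin/ prefix, the script names and the log lines are constructed for illustration, and the date window assumes the 24 June date mentioned above.

```python
import gzip
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" log line: ip - - [timestamp] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Days around 24 June 2016, when the folder was found disabled; adjust to your own dates.
WINDOW_START = datetime(2016, 6, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 6, 24, 23, 59, 59, tzinfo=timezone.utc)
# Constructed sample lines (not from anyone's real log); the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2016:14:02:11 +0000] "GET /cgi-bin/search/search.pl?q=castle HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jun/2016:14:05:40 +0000] "POST /cgi-bin/emailafriend.pl HTTP/1.1" 500 312 "-" "python-requests/2.9"
198.51.100.7 - - [23/Jun/2016:14:05:41 +0000] "POST /cgi-bin/emailafriend.pl HTTP/1.1" 500 312 "-" "python-requests/2.9"
198.51.100.7 - - [23/Jun/2016:14:05:42 +0000] "GET /cgi-bin/bot.php HTTP/1.1" 404 200 "-" "-"
192.0.2.9 - - [20/Jun/2016:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2016:10:00:00 +0000] "GET /cgi-bin/search/search.pl?q=abbey HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LINE_RE.match(line)  # None for blank lines or lines not in combined format
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines, start=WINDOW_START, end=WINDOW_END, prefix="/cgi-bin/"):
    """Per-IP hits/errors under `prefix` within the window, plus requests unlike a normal GET."""
    hits, errors, odd = Counter(), Counter(), []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not (start <= rec["when"] <= end) or not rec["path"].startswith(prefix):
            continue
        hits[rec["ip"]] += 1
        if rec["status"] >= 400:
            errors[rec["ip"]] += 1
        if rec["method"] != "GET" or "bot.php" in rec["path"]:
            odd.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits, errors, odd

def read_log(path):
    """Read a plain or .gz access log directly, with no separate unzip step."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as f:
        return f.readlines()
```

On the real file, run `summarize(read_log("access.log.24.gz"))`; the addresses with the most entries in `hits` and `errors`, and the requests listed in `odd`, are the ones to reverse-lookup and consider blocking in the site’s htaccess file.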
It does work well for me, thanks. I’m scrolling through page after page after page of log material but I haven’t come across anything remarkable yet.
The trouble is that I don’t know when the trouble occurred other than that it was definitely after the weekend and before Friday evening. Most of the time I research and write material for the site and upload it via ftp without actually visiting the site itself that often. I just have to keep going back through the logs until something stands out.
One thing I have noticed though is that I’m blocking Yahoo and Bing from showing my site’s images in their searches. I’ve already let Google through but most other sites were blocked to prevent leeching. So that’s one more bit of progress…
The first thing to stand out is this block. It looks very different from the normal GET commands. The bot.php bit at the end probably means something automated, right? (www.mysite.co.uk is my own web site but renamed to protect its identity from casual observers.)
They’re not great now, that much is certainly true, but when I joined them back in 2003 they were much, much better and probably a much smaller company.
That’s the big question. When was I hit? I may have days of logs to work through. Yikes!
I guess I’ve been lucky so far. Just the one hijacking of my emailer two or three years ago. And that emailer is something that I want to replace so I’m hoping I can do that with the help of this forum.
Well, most programmers here suggest using PHPmailer. It is free, is fairly quick and easy to use.
It is a library, not a full mailing system, but, it is easy to set up. Depends on what you have for one now…
It can be found here: https://sourceforge.net/projects/phpmailer/
That looks a bit complicated for my beginner’s-level skills. I can see it taking several days to set up, test, and scratch my head over. But it’s probably a good idea to give it a try anyway.
At the moment I’m using a simple Perl script from 2010. All it does is prompt the user for the recipient’s email address (one or more, separated by a comma), and the recipient’s name and email address. Then it sends a notification to the recipient along the lines of ‘so-and-so thought you’d like this page’, plus a page link. That’s all I need, but with the added safety of a captcha to prevent anyone hijacking the script and carrying out a mass spamming.
Well, adding the Captcha should help with the spammers…
PHPmailer is easy, especially if you do not need anything fancy. But, don’t try fixing what works. LOL
If the current system works and is secure, then, just leave it as is. My two cents! Good luck with your logs…