By

The main difference – between those that do and those that don’t

We are the ones who do malware removal. We work in the trenches

We are the ones who do malware removal. We work in the trenches

The main difference – between those that do and those that don’t.

This is something I’ve been toiling over for some time now and it’s reached a full boil.

I continually read blog posts and articles about what “you” should do to protect your website from hackers.

I read it, then read the bio at the end and it all makes sense – these people are not living in the world of website security. They’re not even vacationing here.

One article I read actually focused on one main actionable item for website owners looking to increase their website security – add a section in your agreement with your web developer that makes it their responsibility for all website security issues.

Really?

How many of you web devs out there, think that’s justified?

And more to the point, does it really make your website more secure?

Today I read a blog post about what you can do about website security. It started off with keeping software updated. Which is totally sound advice. However, after that the author talked about SQL injection and cross-site scripting. Not what you should do to prevent it, but what it is.

Does awareness make you more secure by itself?

Knowing one way that SQL injection can be successful does nothing to the majority of website owner’s website security.

Nothing!

That’s like saying that since I know it’s illegal to drive 60 miles per hour in a 45 mile per hour zone, that I’m qualified to be a lawyer. Does that little bit of knowledge make me qualified to practice law? I think not.

To turn this around and not have this just be my rant, here are some things you can do to increase your website security. This is advice from someone “in the trenches” (someone that “does”).

  1. First, make certain that someone is responsible for updating your software and your plugins. Don’t even think this is the same as that blog post referenced above about making it your web developer’s responsibility.

    I want you to be certain that it’s someone’s responsibility to login to your WordPress, Joomla, etc… and check for any core updates or any plugins, components, modules, etc. updates at least once every two days.

    You check your Facebook, Twitter, (insert other social media sites here) numerous times a day and that does nothing for your website security. So why not login to your website and see if there are any updates?

  2. Next, activate your log files. If you’re on a hosting account with cPanel, most hosting providers will have the Access logs off by default. They know that storage costs can sky rocket and drives their prices up and they know that probably nobody ever, other than us, ever reads them so they have access logs deactivated. However, that is the first thing we do when we log into your cPanel account is to activate them.

    In your main cPanel window, look for the section titled, “Statistics”. You’ll see an icon for “Access Logs”. Click on that and put a check in the top two boxes. This activates the logs and “flushes” the previous months logs at the end of each month. This prevents your local storage from going through the roof and having your account deactivated for performance issues.

    As much as I hate to admit it, nobody can guarantee your website will never get infected. However, with a forensic audit trail, we can at least determine how it happened so we can take steps to insure that the possibility of your website getting infected again, is less.

  3. Consider your circle of trust. Shameless plug: https://www.youtube.com/watch?v=oCLRaonXf8M

    We created this video to help you understand the concept of trust. If you use a web developer, an SEO expert, a blogger, an administrator, or a security company, you must realize that you’re trusting people they trust – without even knowing them. You should start analyzing your circle of trust.

    Watch the above video. Start thinking about who you trust.

  4. Create a separate FTP account for each user.

    If you have a web developer, an SEO expert and yourself all accessing your files, create a separate FTP account for each of you. That way if your website is infected via FTP, you (or us) can see in the FTP logs which user account was compromised and used to upload infectious/infected files to your website.

    Without that, you’ll only see one account and now you have no idea who’s computer was used to steal the FTP password.

    Often times, we see websites infected due to stolen passwords. These passwords are stolen by a virus/trojan on someone’s local computer and when that person logs into the website, either through FTP, CMS login, cPanel, etc., the virus/trojan steals the login URL, the username and password, sends it to the hacker’s server where it logs in as a valid user and uploads or injects malicious code.

  5. If you are using cPanel, create a separate cPanel account for each website.

    Then, if one website gets infected, the chances are the other sites will not due to the separation of accounts.

    You can suspend the infected website (cPanel account), get the malware removed and the website secured, then reactivate it – all without disrupting the other websites.

  6. Monitor your files.

    No, this is not another shameless plug. But the fact is that hackers are constantly changing their tactics. The only sure way to detect when your website has been infected is to monitor the files constantly. Not just once a day. Not from the outside like a browser. But actually monitor all the files and folders frequently to see if any file or folder has been added or changed.

Notice the slant above?

It presumes that your website will get re-infected.

That’s right!

Nobody can guarantee that your website will not get infected – NOBODY!

Understand the hackers are making money off of their work. They will not stop. All you can do is to follow advice from someone “in the trenches” and take the necessary steps to make your site less prone to being infected, setup a strategy for early detection and remediation and get back to doing what it is you do.

Post a comment about your thoughts on this.

By

How hackers use your website

Due to our work in website security, quite often we’re asked “Why?”

As in, “why do hackers want my website?”

From this article by Webroot: http://www.webroot.com/blog/2013/07/11/new-commercially-available-mass-ftp-based-proxy-supporting-doorwaymalicious-script-uploading-application-spotted-in-the-wild/

you can see that sometimes hackers use your website as a proxy. A proxy is a buffer to their real location. Some of you ask if we can tell you exactly where the hacker is. Unfortunately we can’t. Not for any legal reason, but because hackers hide behind multiple layers of these proxies.

The website security industry would love to be able to track down hackers, but it’s rarely possible.

For instance, they might be in one country. Their computer connects to a server in South America (that they’ve already compromised), from there to a server in Switzerland, then to a compromised server in North America. The last IP address is all that will appear in your log files. In our example here, the last IP address would be from the compromised server in North America.

When we have access to the log files, we mine the IP addresses out of the log files and report them to the proper abuse department. This is a small step toward making the Internet safer, and is some what time consuming, but we do it to help notify others that they have an infected website or server.

The tool mentioned in that article also shows one of the tools used by hackers to upload infectious content to your site – automatically. Many of you believe that someone is sitting behind a computer and attacking your website, or uploading malicious files to your site.

Not at all.

Most, if not all, of today’s website infections are the result of an automated tool.

After one of the screen captures this caught my attention:

The tool works in a fairly simple way. It requires a list of user names and passwords, which it will then use to automatically upload any given set of files/scripts through the use of automatically syndicated fresh lists of proxies.

So, when the hackers have a list of compromised FTP users, they load it up in this tool and then they can send the same infectious code to hundreds or thousands of websites.

With the log files activated, we can see the FTP account used and the IP address of where the connection originated (the last proxy IP address).

Here’s our Website Security Best Practices for FTP accounts:

  • Create a separate FTP account for each user. Not all hosting providers allow this. Many only allow one. But if you’re with a hosting provider who provides cPanel, then you can create separate FTP accounts. Also make certain they have good strong passwords.
  • Activate the logs. Most hosting providers have the logs turned off by default. They know that nobody other than us, ever read the logs so why consume so much disk space? Again, if you’re on a cPanel account, scroll down to the section labeled “Statistics” and select the “Access Logs” icon. It might be different on various hosts, but that should get you in the general area. You can check both boxes. If you’re not on a cPanel account, then ask your hosting provider.
  • If you provide access to a web developer or anyone else, ask them what anti-virus program they use on their local computers. Every potential point of entry needs to be accounted for. If they have a virus on their computer and it steals the login credentials for the FTP account you provided them, guess what? You could have the best website security team in the world (yes – us!) and your website will still get infected.
  • Be diligent about the FTP accounts. If someone that you’ve provided FTP access to no longer needs that access, then delete their FTP account. Remember, hackers only need one way in. Yes, this is a pain, but so is getting your website infected.

You’ll notice that we didn’t recommend SFTP as many do.

Why?

We understand how hackers work. While SFTP sounds more secure, the reality of it is – that it really isn’t.

All SFTP does is encrypt the traffic between your computer and the destination – your website. However, a few things to mention.

Most hosting providers will only allow you to create one SFTP account and frequently it’s the same account used to login to your hosting account. If you want to provide access to someone who will be making changes to your website – legitimate changes, you have to give them access to your hosting account. If you have 3 or 4 people who need access to your website files, now you have 3 or 4 more potential points of entry for hackers.

With only one account, you have lost the advantage of FTP logging. There will only be one account listed in there. If your website security is compromised, looking in your log files will tell you how it happened, but you have no idea who has the virus that is stealing the account information.

Which brings me to the last reason we don’t recommend SFTP.

We’ve seen the way the viruses/trojans work. They steal the login URL, username and password from your computer. It doesn’t matter if you you’re using SFTP or FTP, it steals the login address and protocol. The hackers will login and upload their malicious files using an encrypted channel (SFTP). They can thank you later for thinking of their need for security.

This is the same reason we don’t recommend changing the login URL and username for WordPress. When hackers steal the information you may have changed your login URL to http://(yoursite.com)/Supercalifragilisticexpialidocious and your admin user to: rumpelstiltskin, but when the hackers steal the information, they steal that as well.

Let me know your thoughts about this. Post a comment. Ask a question.

Thank you for your time.