How hackers use your website

Due to our work in website security, quite often we’re asked “Why?”

As in, “why do hackers want my website?”

From this article by Webroot: http://www.webroot.com/blog/2013/07/11/new-commercially-available-mass-ftp-based-proxy-supporting-doorwaymalicious-script-uploading-application-spotted-in-the-wild/

you can see that sometimes hackers use your website as a proxy. A proxy is a buffer to their real location. Some of you ask if we can tell you exactly where the hacker is. Unfortunately we can’t. Not for any legal reason, but because hackers hide behind multiple layers of these proxies.

The website security industry would love to be able to track down hackers, but it’s rarely possible.

For instance, they might be in one country. Their computer connects to a server in South America (that they’ve already compromised), from there to a server in Switzerland, then to a compromised server in North America. The last IP address is all that will appear in your log files. In our example here, the last IP address would be from the compromised server in North America.

When we have access to the log files, we mine the IP addresses out of the log files and report them to the proper abuse department. This is a small step toward making the Internet safer, and is some what time consuming, but we do it to help notify others that they have an infected website or server.

The tool mentioned in that article also shows one of the tools used by hackers to upload infectious content to your site – automatically. Many of you believe that someone is sitting behind a computer and attacking your website, or uploading malicious files to your site.

Not at all.

Most, if not all, of today’s website infections are the result of an automated tool.

After one of the screen captures this caught my attention:

The tool works in a fairly simple way. It requires a list of user names and passwords, which it will then use to automatically upload any given set of files/scripts through the use of automatically syndicated fresh lists of proxies.

So, when the hackers have a list of compromised FTP users, they load it up in this tool and then they can send the same infectious code to hundreds or thousands of websites.

With the log files activated, we can see the FTP account used and the IP address of where the connection originated (the last proxy IP address).

Here’s our Website Security Best Practices for FTP accounts:

  • Create a separate FTP account for each user. Not all hosting providers allow this. Many only allow one. But if you’re with a hosting provider who provides cPanel, then you can create separate FTP accounts. Also make certain they have good strong passwords.
  • Activate the logs. Most hosting providers have the logs turned off by default. They know that nobody other than us, ever read the logs so why consume so much disk space? Again, if you’re on a cPanel account, scroll down to the section labeled “Statistics” and select the “Access Logs” icon. It might be different on various hosts, but that should get you in the general area. You can check both boxes. If you’re not on a cPanel account, then ask your hosting provider.
  • If you provide access to a web developer or anyone else, ask them what anti-virus program they use on their local computers. Every potential point of entry needs to be accounted for. If they have a virus on their computer and it steals the login credentials for the FTP account you provided them, guess what? You could have the best website security team in the world (yes – us!) and your website will still get infected.
  • Be diligent about the FTP accounts. If someone that you’ve provided FTP access to no longer needs that access, then delete their FTP account. Remember, hackers only need one way in. Yes, this is a pain, but so is getting your website infected.

You’ll notice that we didn’t recommend SFTP as many do.

Why?

We understand how hackers work. While SFTP sounds more secure, the reality of it is – that it really isn’t.

All SFTP does is encrypt the traffic between your computer and the destination – your website. However, a few things to mention.

Most hosting providers will only allow you to create one SFTP account and frequently it’s the same account used to login to your hosting account. If you want to provide access to someone who will be making changes to your website – legitimate changes, you have to give them access to your hosting account. If you have 3 or 4 people who need access to your website files, now you have 3 or 4 more potential points of entry for hackers.

With only one account, you have lost the advantage of FTP logging. There will only be one account listed in there. If your website security is compromised, looking in your log files will tell you how it happened, but you have no idea who has the virus that is stealing the account information.

Which brings me to the last reason we don’t recommend SFTP.

We’ve seen the way the viruses/trojans work. They steal the login URL, username and password from your computer. It doesn’t matter if you you’re using SFTP or FTP, it steals the login address and protocol. The hackers will login and upload their malicious files using an encrypted channel (SFTP). They can thank you later for thinking of their need for security.

This is the same reason we don’t recommend changing the login URL and username for WordPress. When hackers steal the information you may have changed your login URL to http://(yoursite.com)/Supercalifragilisticexpialidocious and your admin user to: rumpelstiltskin, but when the hackers steal the information, they steal that as well.

Let me know your thoughts about this. Post a comment. Ask a question.

Thank you for your time.