
Website Software: Protect Yourself from Dangers
by Robert Lauer - Distant Web
3/28/2015
The Internet has never been the safest place, but it seems like in recent years it's become more and more dangerous, especially for those trying to maintain a personal or professional website. One of the biggest (but far from the only) dangers comes from websites that use third-party software and the relentless hackers out there trying to exploit it.

Third Party Website Software

For the purposes of this writing, Third Party Website Software refers to any script or program that someone other than yourself (or someone working directly for you) wrote and that you use, typically downloaded from the author's site. These can include (but are not limited to) forums, blogs, chat rooms, photo galleries and content management systems. Most of the time these are free to download and use, though sometimes they require a license to run in full or in part.

Typically you download them from their websites and install them on your own website, or in some cases, web hosts will provide them for you as a quick and easy “Instant Install”.

The big problem with these Third Party Programs is that the source code is freely available and can be picked apart piece by piece by hackers. They search high and low for the slightest exploit and then use them against you and your visitors. In my time with Scrub Radio and Scrub Records, every single Third Party Program we ever used was hacked at one time or another. Hacking is probably about 95% of what killed Scrub Records, but I'll talk about that another time.

So what exactly can we do to protect ourselves from these threats? Well, the best option would be to never use Third Party Programs on your websites, but to simply write your own (or have someone you trust write them for you). However, for most people that's just not a viable option. So what then?

In my opinion, the first thing you should do is research the brand (like vBulletin for example) you are thinking about installing prior to going live and see what its history is like. How much do people like it? How good is their support? How much is a license and are you expected to pay for patches and upgrades? Does it include all the features you want?

You want to make sure that whatever “brand” you choose is a brand you can live with, can work with you, and will live up to your expectations.

The next step would be to stay on top of all upgrades and patches that are released for the software you choose. Just be careful to make sure you only use upgrades and patches you can trust. Sometimes hackers will try and pass off their own work, which opens the program up even more, as an “official” patch.

A lot of times an older version of a program will become deprecated and abandoned by the author(s) in favor of newer (paid) versions, or abandoned because the company no longer exists. Sometimes in cases like this, others will take on the responsibility of keeping it patched, but this is a very dangerous route and you should be careful if you ever find yourself in that position.

Unless you have someone else taking care of things for you (that you can trust), you should make sure you never get complacent about maintaining your programs/scripts. Don't stop searching for patches no matter what, or be prepared to suffer the consequences of potential hacks.



The Tricks They Use

Hackers use a variety of tricks and methods for hacking, and I would never pretend to know even half of them. But I do know, at least somewhat, a few of them.

In some cases, a hacker will know of a specific exploit for a specific program/script, and what they will do is use search engines to find sites using the specific program and version. At the bottom of most (if not all) programs/scripts, there is typically some copyright information that includes the company's name and website, the name of the program/script, and the version being used. The hacker will use a search engine to search that specific text (company name, program name, version) to find sites using that specific program and version.

There's really little you can do about this, outside of making sure you are keeping your program/script updated religiously. However, there are a few possible measures you can try (and I emphasize try because this is in no way foolproof). In some cases, you can pay the author/company that wrote your program a fee to remove the copyright information entirely. In some cases, you MAY be allowed to modify, at the very least, the version number.

You are almost never allowed to remove the copyright information yourself without prior permission. However, there are some license agreements that will allow minor modifications as long as you leave the company's name and web link intact, fully visible and properly clickable.

This option will only be possible on a case by case basis, and you'll first have to check with the program's license agreement or the company/author directly. But it is worth looking into for at least some small protection (and again, this IS at best only a small deterrent).

So if you are using vBulletin 4.2 (for example), and you are able to remove the 4.2, hackers won't know your version and may not find your site if they are specifically searching for 4.2 versions to hack.

Another tactic some hackers employ is the use of bots to find sites using specific programs in order to hack them later. The way it works is that the bot goes through a list of domains and then requests URLs that are common to specific programs.

For example, here are a few files/paths specific to WordPress, a popular blogging program:

/wp-content/plugins/woocommerce/assets/css/admin.css
/wp-admin/
/wp-login/


So the bot is programmed to go through a list of domains (domainA.com, domainB.net, domainC.com, etc) and then it pairs off each domain with a specific file or path, “domainA.com/wp-admin/” for example. If the bot gets a response code that basically confirms that the domain contains that file or path, it knows that that domain has WordPress installed and logs that domain for later use.

I'm not totally clear on the exact procedures, and it probably varies from case to case, but once the list of domains has been completed, and the hacker knows which domains have what programs installed, then either another bot or the hacker himself/herself will attempt to exploit any vulnerabilities in those programs. And each program can have an extensive list of past and present vulnerabilities to exploit.

Again, the best defense against this (other than not using third party software) is to be vigilant on keeping your programs/scripts updated and patched. Other than that, I can't say that there are any foolproof actions you can take, but there are some preventative measures you can try.

The first (and possibly best) thing is quite simple, but could put some people off due to an attachment to proper/easy URLs: avoid using default/common folder names for your installations.

For example, if you are going to use WordPress, do NOT install it in a folder named “wordpress”. If you are going to install any kind of forum software, do not install it in a folder named “forum” or “forums”. I understand that something like “domain.com/blog” will sound like the ideal URL, but hacking bots will be scanning for all of these folders (forum, forums, blog, blogs, gallery, etc).

Now, this does not mean you cannot have the word(s) IN your folder name, you just don't want the exact match. For example, “domain.com/myforum” can be perfectly acceptable. And as long as your home page has proper links to all sections of your site, your visitors will still be able to easily find what they are looking for.

*This tip can apply to anyone using custom programs/scripts as well. Even if your custom made forum isn't vulnerable to the same exploits as say vBulletin, you should still try and keep it out of the sights of any hack bots if possible.

*While “domain.com/myforum” can be acceptable for a forum, you should avoid “domain.com/wordpress” and definitely avoid the abbreviation “domain.com/wp” for your WordPress installation (some bots are programmed to look for a “wp” folder specifically).

Second, you should really look into .htaccess files, assuming your server supports them. With a .htaccess file, you can secure your site against some intrusions. .htaccess is a powerful set of directives and, in and of itself, could take up a series of blogs, so I will simply leave some external links for you.

The third thing is to keep an eye on any logs your site/server provides, and if you notice anything out of place, investigate thoroughly, including contacting your web host if necessary.

One thing I do is keep a record of all 404 page requests. These are basically URL requests where the URL does not exist. This could be because you deleted, moved or renamed a file and someone/something is trying to access it. It could be invalid coding, like referencing the wrong CSS or image file in your HTML. But it could also be a bot or person trying to determine if you have a specific program installed, as described above.

So first I have a custom 404 page set up using .htaccess. In my .htaccess file I have the following (ErrorDocument works on its own; the RewriteEngine line is only needed for the RewriteRule blocks further down):

RewriteEngine on
ErrorDocument 404 /404.php


In my 404.php page, I have a section that captures the entire $_SERVER array and records it in a database. Now, this is more information than I need, but that's ok with me. Most of the information either is, or can be, useful, like the IP address of the computer making the request, the page/file that was being requested, and sometimes a referring URL.

This is a very simple piece of code, but it works for me:

<?php
// Build an HTML snapshot of the request for the 404 log.
// Request URI, User-Agent and Referer come straight from the client, so
// every value is escaped before it is stored and later displayed in a browser.
$n_server = "";
foreach ($_SERVER as $key => $val) {
    $n_server .= "<p>\$_SERVER['" . htmlspecialchars((string) $key) . "'] => ";
    if (is_array($val)) {
        // Array entries (rare in $_SERVER, e.g. argv) are listed one per line
        foreach ($val as $key2 => $val2) {
            $n_server .= "<br />----" . htmlspecialchars((string) $key2)
                       . " => <b>" . htmlspecialchars((string) $val2) . "</b>";
        }
    } else {
        $n_server .= "<b>" . htmlspecialchars((string) $val) . "</b>";
    }
    $n_server .= "</p>\r\n";
}


Then just save the value ($n_server) into a database so you can view it later at your leisure. *You may want to specify the values you want instead of saving all of them.

With the information you gather with this piece of code alone, you can try a number of tactics to combat potential hacks. Though, I should warn you that battling hacks and hackers is an uphill battle, and the hackers do tend to be five steps ahead. But when the alternative is to lie down and wait for an impending hack, anything you can do is worthwhile in my opinion.

Some things you can do are block anyone trying to access files/folders that do not exist on your server, based on the 404 logs, or ban IP addresses. Neither option is great, but it's better than nothing. Here is an example of what to put in your .htaccess file to block bad requests:

RewriteEngine On
RewriteCond %{REQUEST_URI} wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /phpmyadmin/ [OR]
RewriteCond %{REQUEST_URI} uploadify\.swf
RewriteRule ^(.*)$ index.php [F,L]
deny from 0.0.0.0 1.1.1.1


(0.0.0.0 and 1.1.1.1 would be the actual IP Addresses you are trying to block)

*Note, not all 404 requests are hacking attempts. There are several common files that some non-malicious bots will look for, like robots.txt, which is a text file that gives obeying bots instructions on how and where to crawl your site. Some other files that may be legitimately looked for by a bot are atom.xml or browserconfig.xml. And these are just a few of the files that could end up in a 404 log.

*Also, be sure you don't block any files/paths that you actually DO have on your server. If you have WordPress installed, do not block the files/paths associated with it.
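As an added example (not code from the original post), here is a small Python script that does the review step described above offline: it reads 404 entries from an Apache combined-format access log, ignores the benign bot files named above, flags clients probing for the fingerprint paths the post lists (WordPress, phpMyAdmin, uploadify), and emits the corresponding .htaccess deny lines. It assumes the site runs none of that software; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2015:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2015:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2015:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 404 300 "-" "Googlebot/2.1"
198.51.100.9 - - [28/Mar/2015:10:01:01 +0000] "GET /atom.xml HTTP/1.1" 404 300 "-" "Googlebot/2.1"
192.0.2.77 - - [28/Mar/2015:10:02:00 +0000] "GET /old-page.html HTTP/1.1" 404 300 "http://example.com/" "Mozilla/5.0"
192.0.2.77 - - [28/Mar/2015:10:02:05 +0000] "GET /wp-admin/ HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Fingerprint paths from the post for software this site is assumed NOT to run
# (WordPress, phpMyAdmin, uploadify); a 404 on one of these is a probe.
PROBE_PATTERNS = [re.compile(p) for p in (
    r'^/wp-admin/', r'^/wp-login', r'^/wp-content/', r'^/phpmyadmin/', r'uploadify\.swf$')]
# Files the post lists as legitimately requested by well-behaved bots.
BENIGN = {'/robots.txt', '/atom.xml', '/browserconfig.xml'}

def classify_404s(log_text):
    """Return {ip: [probe paths...]} for clients whose 404s hit fingerprint paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('status') != '404':
            continue
        path = m.group('path').split('?', 1)[0]   # drop any query string
        if path in BENIGN:
            continue
        if any(p.search(path) for p in PROBE_PATTERNS):
            hits[m.group('ip')].append(path)
    return dict(hits)

def htaccess_rules(hits, min_probes=2):
    """Apache 2.2-style 'deny from' lines for IPs with at least min_probes probe hits.
    The threshold keeps a single stray 404 from banning a legitimate visitor."""
    ips = sorted(ip for ip, paths in hits.items() if len(paths) >= min_probes)
    return ['deny from ' + ip for ip in ips]

if __name__ == '__main__':
    found = classify_404s(SAMPLE_LOG)
    for ip, paths in found.items():
        print(ip, paths)
    print('\n'.join(htaccess_rules(found)))
```

Review the flagged IPs before pasting the output into .htaccess; the script only proposes candidates.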

Another thing that hackers and hacker groups do is collect active domain names and then pass their lists off to one another, or share them on hacking websites. This keeps those domains in hacking circulation, so you could be exposed multiple times to multiple hackers. Various logs (like web stats, or the 404 logs I described above) will sometimes show you a referring website. If you find a site that has referred someone to you and that does not look legitimate, you may want to consider blocking all incoming traffic from that domain, as it might be a hacking website.

You will have to make that call yourself on a case by case basis, but it is something you should consider. Here is some .htaccess code to help you do that (this is taken directly from a link I'm going to provide later):

# block visitors referred from indicated domains
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
# the last condition must NOT carry [OR]: a trailing OR makes the rule fire for every request
RewriteCond %{HTTP_REFERER} wormhole\.com [NC]
RewriteRule .* - [F]
</IfModule>


Blocking traffic may seem like a drastic step, but any “bad” traffic you can avoid will mean less stress on your server, and that can help make for a happier server and website. If you don't have WordPress installed on your site (for one example), you should block any and all requests looking for WordPress-specific files/folders, just because that will be less stress. Bots are generally persistent and can slow down your entire site while they relentlessly crawl it.

Now, please don't think I'm trying to discourage the use of Third Party Programs. There are millions and millions in use all over the Internet, and most run smoothly. But you do not want to be on the receiving end of a nasty hack and you do have to keep an eye out for unusual behavior.

I'd like to close this post by writing a few final points.

*There is absolutely nothing wrong with using third party software, so please don't think that that has been my point. I'm just strongly suggesting that if you do, make sure you keep them updated (I know I've said that over and over again, but that is simply how important it is).

*No matter what you decide to do with your site, no matter what programs or scripts you use, third party or custom, be as vigilant as you can. Look at logs, create your own logs and take whatever action you can to prevent hacks and unnecessary stress on your server.

*Every time you add a new rule to your .htaccess file, you will reduce your server's wasted system resources that much more. And eventually, your 404 logs should get smaller and smaller as you stop these intrusions.

*Make sure you do NOT block traffic to installations you actually do have, or legitimate traffic (IP Addresses, Site Referrers, etc).

Finally, as sad as it is, I've really only scratched the surface when it comes to protecting your site and visitors from bots and hacks. In the near future I hope to post about web bots specifically, though that should be a vastly shorter post. Also, you'll probably notice that I never really mentioned what can come from these hacks. That's partly because there are just too many possible outcomes to a hack, but also partly because I do plan to eventually go through some of the hacks that happened at Scrub Radio and Scrub Records.



P.S. Here are a few good links for learning how to use .htaccess files:

Apache HTTP Server Tutorial
17 Useful Htaccess Tricks and Tips

P.P.S. A lot of sites/tutorials will give the following code for preventing the .htaccess file from being viewed:

# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>


Preventing access to this file is a very good idea; everyone should do it. However, the code above does not always work: the order/deny syntax is the Apache 2.2 form, and Apache 2.4 replaced it with Require all denied unless the compatibility module is loaded. If you use that code, you should try viewing the file directly in your browser to see if you can view it (yourdomain.com/.htaccess). If you can view it, try this code:

RewriteEngine On
RewriteCond %{REQUEST_URI} \.htaccess
# [F] answers any request for .htaccess with 403 Forbidden (the index.php target is ignored)
RewriteRule ^(.*)$ index.php [F,L]


If the former code does not work, the latter should.
