After we had this, with a little update here, I'm still amazed how many website owners don't take responsibility.
I was researching/analyzing some SQL injection scripts a couple of days ago, and a Google search showed me how many websites, forums in particular, are being hacked/compromised. A LOT!!
The forum above was not only hacked, it was full of spam as well.
LACK OF RESPONSIBILITY!!
People hack forums/sites for different purposes. Some do it only to get attention or as a challenge; others do it for personal gain, for example by putting malicious content on the site so that every visitor gets infected with a trojan/backdoor/whatever, which then serves the attacker's own purposes as well (stealing data from your system, displaying ads, ...).
Or they post SPAM all over the place (as you see in the example above). In other cases, you don't even see that the forum/site is hacked, but the injected scripts do their job anyway, silently in the background...
Some interesting info:
Anyway, when I saw the Google results, I contacted some of the forum owners and webhosting companies by mail to make them aware that they should take action ASAP.
Some replied, and I was really surprised that many forum owners didn't know how to fix it, so they had simply left it as it was.
Luckily, we still have the webhosting companies, who took action instead and took the forums offline or added an .htaccess to block access.
But then again, many didn't even reply to my mail and I see the compromised forums are still up and running. :(
This blogpost is mainly about forums/forum owners, because it's easy for anyone to install and run a forum, but maintaining it and keeping it secure is another story.
That's why, if you run a forum, take your responsibility!!!
Some tips to make your forum more secure:
*1. Install a forum - Read the documentation first!
Many people install a forum without reading the documentation/tutorial on how to install it properly.
This includes how to CHMOD files and directories, i.e. how to set the permissions on files and/or directories. The installer usually needs a few things to be writable (the config file, a cache directory, the directories for avatars and attachments), and that is where it goes wrong: people make everything writable (chmod 777) to get the installer to run and never change it back. The most important part here is: after you have installed your forum software, CHMOD your files and directories again so they have restricted permissions (typically 644 for files and 755 for directories, with only the upload and cache directories writable by the web server), and delete the install directory, because an installer that is still reachable lets anyone re-run the setup.
Every forum software has (or should have) a tutorial on how to do this properly, often with instructions for several different FTP clients. So make sure you read it!
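To make tip 1 concrete, here is a small shell script (an added example, not part of the original post and not taken from any forum package) that resets a forum tree to restrictive permissions and removes the installer. The directory names (cache, files, images/avatars/upload), the config file name (config.php) and the install/ directory are assumptions; take the real names from your forum's documentation.

```sh
#!/bin/sh
# Added example: reset a forum tree to restrictive permissions after
# installation. Assumed layout (adapt to your forum software):
#   $1 = forum root, $2 = config file relative to the root (default config.php),
#   $3 = space separated list of directories that must stay writable by the
#        web server (cache, avatars, attachments); the defaults are assumptions.

harden_forum_perms() {
    root=$1
    config=${2:-config.php}
    writable=${3:-"cache files images/avatars/upload"}

    # 1. Baseline: directories traversable (755), files readable (644).
    #    No file in a PHP web root needs the execute bit; PHP is run by the
    #    interpreter, not executed directly.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # 2. The config file holds the database credentials: keep it away from
    #    other users on a shared host (owner + group only).
    [ -f "$root/$config" ] && chmod 640 "$root/$config"

    # 3. Only the upload/cache directories need to be writable. Give the web
    #    server group write access (chgrp them to the web server's group if
    #    needed) instead of the world-writable 777 the installer asked for.
    #    If PHP runs as your own user (suexec/FPM), 755 is already enough.
    for d in $writable; do
        [ -d "$root/$d" ] && chmod 775 "$root/$d"
    done

    # 4. A reachable install/ directory lets anyone re-run the setup or
    #    rewrite the config, so it goes as soon as the install is finished.
    if [ -d "$root/install" ]; then
        rm -rf "$root/install"
    fi
}

# Helper: print a file's mode as octal digits (GNU stat, BSD stat fallback),
# so you can verify the result, e.g. mode_of /var/www/forum/config.php -> 640
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run it as the account that owns the files (`harden_forum_perms /var/www/forum`) and check a few paths with `mode_of` afterwards; if the forum then complains that it cannot write to a directory, add that one directory to the writable list rather than loosening everything again.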
*2. Make sure you always use the latest forum software!
This is the most important part if you want to run a forum. Forum software is updated frequently, not only to fix bugs but mainly to fix security vulnerabilities, and once a fix is public, the vulnerability it fixes is public too, and the scripts that exploit it follow shortly after.
In the large majority of cases, a forum was hacked/compromised because it was still running an outdated, vulnerable version of the forum software.
For most forum software there's a mailing list (or feed) you can subscribe to to get notified about the latest updates. If your forum is still running an older version, update it ASAP!!!
Many forum owners also use a lot of plugins/mods. Make sure you're running the latest versions of those as well, because plugins/mods can contain security holes too, and they are updated on their own schedule, separate from the core software.
*3. Don't allow HTML
By default, when you install forum software, HTML in posts is disabled. This is for a reason: if HTML is enabled, it's a piece of cake to insert malicious content, since anyone who can post can also insert a <script> tag or an <iframe> pointing at a malicious site (cross-site scripting), and that code runs in the browser of every visitor, including the administrator's, where it can steal the session cookie.
That's why BBCode takes its place: a restricted markup that the forum itself translates into a fixed set of harmless HTML tags.
However, some forum owners/administrators decide to allow HTML in forum posts. If that is the case, make sure this option is only available for certain trusted groups and not for everyone! Keep in mind that it then only takes one compromised account in such a group to expose every visitor.
*4. Only for registered users
If you run a forum, only allow registered users to post. If you allow guests to post, they can post anything they want, including a lot of SPAM (with malicious links in it), and you can't do much against it.
That's why, if you give permission to post to registered members only, you already avoid a lot of problems.
Some basic rules for registration:
*5. Make sure captcha is enabled
A captcha is a way to keep SPAMbots out: it makes sure the registration is not generated by a computer. However, many spambots have already found a way to "crack" the captcha (or have it solved by humans) and register anyway.
That's also why..
*6. Use e-mail validation to register
During registration, people should enter a valid e-mail address to validate their registration, because the validation link will be sent to that address; the account is only activated via the link sent in that e-mail. This is also a way to slow down spambots, though not to stop them: disposable mailboxes are free, so combine it with the other measures here.
*7. Rename your admin directory
Most forum software uses its own layout of directories/files. If you're a forum administrator, in most cases the administration directory of your forum will be called admin or administrator. By default, access to it is password protected (by the forum's own login).
But even though it's password protected, there are many ways to get in: bruteforcing the login/password, or retrieving the login/password somewhere else (for example, if you got infected and your data was stolen, or if you gave your login/password to someone else, etc.).
That's why it's always a good idea to rename your admin directory to something else, so it's not that obvious anymore. Make sure you also adjust this in your config.php file (or whatever file your forum software uses for its main settings). Be aware that this only hides the door; it is no substitute for a strong password and an up-to-date forum, because anyone who does find the new name (from a leaked link, a log file or a directory listing) is back at the same login form. A second, independent login in front of the directory, such as a password-protected .htaccess, is worth more than the rename.
Even better, if you rename your admin directory, also delete all "visible" links pointing to it on your forum. This can usually be done via the same config.php file (or whatever file your forum software uses for its main settings).
Some forum owners love to have a web counter and statistics tracker on their forum to see how much traffic the forum gets. If you decided to rename your admin directory and remove all "visible" links pointing to it, then make sure the web counter/statistics tracker results are visible to you only! Otherwise it makes no sense to rename directories if anyone can read the new name off the statistics page.
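The following script (an added example, not part of the original post) does the rename and then puts an .htaccess login in front of the new directory, which is also the fix the two "webmaster" stories further down this page are about. Assumptions: Apache with AllowOverride AuthConfig allowed for the web root; the forum's config file contains the old directory name in quotes on the line that stores the admin path (the setting name differs per forum, so adapt the sed pattern or edit the file by hand); `openssl` is installed to build the password hash.

```sh
#!/bin/sh
# Added example: rename the forum's admin directory and protect it with
# HTTP Basic authentication via .htaccess.
#   $1 = forum web root, $2 = current admin dir name, $3 = new name,
#   $4 = username for the extra login, $5 = its password,
#   $6 = config file relative to the root (default config.php, assumed)

protect_admin_dir() {
    root=$1; old=$2; new=$3; user=$4; pass=$5
    config=${6:-config.php}

    # 1. Rename the directory. Choose something that is in no wordlist
    #    (not admin2, adm, backend, cp ...), and keep it out of your sitemap.
    mv "$root/$old" "$root/$new"

    # 2. Point the forum's own config at the new name. sed -i.bak leaves a
    #    config.php.bak behind, and Apache serves .bak files as plain text,
    #    so it must not stay in the web root: it contains the DB password.
    if [ -f "$root/$config" ]; then
        sed -i.bak "s#'$old'#'$new'#g" "$root/$config"
        rm -f "$root/$config.bak"
    fi

    # 3. Password file OUTSIDE the web root, so a request for /.htpasswd
    #    can never be answered. The password is fed on stdin, not as an
    #    argument, so it does not show up in `ps` for other users.
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" > "$root/../.htpasswd"
    chmod 640 "$root/../.htpasswd"

    # 4. Basic auth in front of the directory. AuthUserFile must be an
    #    absolute path; "Require valid-user" rejects everyone not in the file.
    cat > "$root/$new/.htaccess" <<EOF
AuthType Basic
AuthName "Forum administration"
AuthUserFile $(cd "$root/.." && pwd)/.htpasswd
Require valid-user
EOF
}
```

Usage: `protect_admin_dir /var/www/forum admin k7q2-board-ops webmaster 'a long passphrase'` and then log in to the forum once to confirm the admin panel still works. If your IP address is fixed, an additional `Require ip 203.0.113.5` line (Apache 2.4 syntax; 2.2 uses Order/Allow) restricts the directory further, and, as the April 5 post below shows, use a different password for every site you protect this way.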
*8. Check your files in the forum directory frequently
When you install a forum, you upload its files via FTP to make the forum "work".
When you update your forum, some files will be patched or added; make sure you know which ones.
That's why it's always a good idea to check the files in your forum directory and root directory (if possible) for any changes, especially if PHP files, script files or whatever are added that are not part of the basic forum software or of an upgrade. Of course, if you allow users to upload avatars or attachments, that part will change frequently, but a .php file in an avatar directory is never legitimate: that is the classic way a web shell ends up on a forum. The reliable way to check is not to eyeball a directory listing but to keep a list of checksums of all files, taken right after a clean install or upgrade, and compare the live files against it.
If your webhosting company supports access via SFTP (file transfer over SSH) and your FTP client supports it as well, then I recommend you switch to it. Plain FTP sends your login and password in cleartext over the network, and stolen FTP passwords (for example from a password stealer on an infected PC) are one of the most common ways a site gets "patched" with malicious code. A second reason: many FTP clients hide "dotfiles" such as .htaccess unless you enable "show hidden files", so in case your website/forum is compromised you may not even see a planted .htaccess; over SFTP/SSH you see everything that is present. You can also use PuTTY (an SSH shell) for that, but every decent FTP client supports SFTP as well.
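Here is the checksum comparison from tip 8 as a script (an added example, not part of the original post): a baseline manifest is taken after a clean install or upgrade, and every check lists files that were added, modified or removed, and separately flags any script file that sits under an upload directory. Assumptions: `sha256sum` (GNU) or `shasum -a 256` (BSD/macOS) is available; the upload directory names in UPLOAD_DIRS are constructed and must be adapted to your forum.

```sh
#!/bin/sh
# Added example: file integrity check for a forum tree.
# UPLOAD_DIRS: directories (relative to the forum root) where users may
# legitimately add files. Constructed names; adapt them to your forum.
UPLOAD_DIRS="images/avatars/upload files"

# Print "<sha256>  <path>" for one file (GNU sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Checksum every regular file below $1, paths relative to $1, sorted.
checksum_tree() {
    (cd "$1" && find . -type f -print | sed 's#^\./##' | sort |
        while IFS= read -r f; do sha256_of "$f"; done)
}

# Take the baseline. Keep the manifest OUTSIDE the web root and keep a copy
# off the server: an intruder who can write the tree can also rewrite a
# manifest stored inside it.
baseline_tree() {   # $1 = forum root, $2 = manifest path
    checksum_tree "$1" > "$2"
}

# Compare the live tree with the baseline. Prints one line per finding:
#   ADDED <path> / MODIFIED <path> / REMOVED <path> / SCRIPT-IN-UPLOAD <path>
# and returns 1 if anything at all was found, 0 if the tree is unchanged.
check_tree() {      # $1 = forum root, $2 = manifest path
    cur=$(mktemp)
    checksum_tree "$1" > "$cur"
    out=$(awk -v uploads="$UPLOAD_DIRS" '
        { p = substr($0, length($1) + 3) }          # path (may contain spaces)
        FILENAME == ARGV[1] { base[p] = $1; next }  # first file = baseline
        {
            seen[p] = 1
            if (!(p in base))        print "ADDED " p
            else if (base[p] != $1)  print "MODIFIED " p
            # any PHP/CGI file under an upload directory is a web shell
            # until proven otherwise, whether or not it is in the baseline
            n = split(uploads, u, " ")
            for (i = 1; i <= n; i++)
                if (index(p, u[i] "/") == 1 && p ~ /\.(php[0-9]?|phtml|phar|cgi|pl)$/)
                    print "SCRIPT-IN-UPLOAD " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur")
    rm -f "$cur"
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run `baseline_tree /var/www/forum /home/you/forum.manifest` right after an install or upgrade (and again after each upgrade, once you have looked at what changed), then `check_tree /var/www/forum /home/you/forum.manifest` from cron; a non-zero exit with only `ADDED images/avatars/upload/1234.gif` lines is normal forum use, anything ending in `.php` or a `MODIFIED` core file is not.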
*9. Back up your database and files frequently!
If you run a big forum with lots of traffic and posts every day, then I suggest you back up your database once a day. In other cases, I suggest a backup at least once a week.
The backup of the database is the most important part, but I also recommend backing up your files (the ones you uploaded via FTP) frequently, in case some files were patched by malicious scripts/contents. Store the backups somewhere other than the web server itself (a compromised server means compromised backups), and test once in a while that you can actually restore from them.
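A backup script along the lines of tip 9 (an added example, not part of the original post), written so that a failed dump never leaves a truncated "backup" behind, the archive is verified before it is trusted, and old sets are pruned. Assumptions: MySQL, with the database credentials in ~/.my.cnf (mode 600) rather than on the command line, where `ps` would show the password to every user on the host; `mysqldump`, `gzip` and `tar` installed; a backup directory outside the web root. The dump command is passed in as a shell function so another database can be swapped in.

```sh
#!/bin/sh
# Added example: forum backup with verification and retention.

# Default dumper: consistent InnoDB snapshot without locking the forum.
# User and password come from ~/.my.cnf ([client] section), which mysqldump
# reads automatically; never put -p<password> on the command line.
dump_mysql() {   # $1 = database name; SQL goes to stdout
    mysqldump --single-transaction --routines --triggers "$1"
}

# backup_forum <forum dir> <backup dir> <db name> [keep days] [dump function]
# Prints the timestamp of the new backup set on success, returns 1 on failure.
backup_forum() {
    src=$1; dest=$2; db=$3; keep=${4:-14}; dumper=${5:-dump_mysql}
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    chmod 700 "$dest"            # the dumps contain user data and password hashes

    # 1. Database: dump to a temporary name first and only rename it into
    #    place once the dump succeeded, so a crash mid-dump cannot leave a
    #    short file that looks like a valid backup.
    tmp="$dest/.db-$stamp.part"
    "$dumper" "$db" > "$tmp" || { rm -f "$tmp"; return 1; }
    gzip "$tmp"
    mv "$tmp.gz" "$dest/db-$stamp.sql.gz"

    # 2. Files: the whole forum tree as it is on disk (config, mods, uploads).
    tar -C "$(dirname "$src")" -czf "$dest/files-$stamp.tar.gz" "$(basename "$src")"

    # 3. Verify that both archives read back before calling it a backup.
    gzip -t "$dest/db-$stamp.sql.gz" && tar -tzf "$dest/files-$stamp.tar.gz" >/dev/null || return 1

    # 4. Retention: remove sets older than $keep days.
    find "$dest" -name '*.gz' -mtime +"$keep" -exec rm -f {} +

    echo "$stamp"
}
```

Put `backup_forum /var/www/forum /home/you/backups forumdb 14` in cron, then copy the backup directory to another machine (scp/rsync) as the last step; restoring a `db-*.sql.gz` into a scratch database every few weeks is the only proof the backup is usable.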
*10. Don't give your login/password to anyone!!
Unless you can trust the person 100%!
Keep in mind, if many people know your login/password and one of them gets infected with a password stealer (which is common nowadays), then it will be known to the attacker as well.
*11. Disallow PM for new members
This is something I noticed a lot in the last couple of months: SPAM via PM (private message).
A lot of spammers (sometimes spambots) manage to bypass the captcha and enter a valid mail address, so they are in! Then they start to spam the forums..
Moderators and administrators should catch these spam posts, delete them and ban the user. But what if the SPAM or malicious links are sent via PM (private message)? Then admins and mods don't know about these spam messages, since they are sent privately.
That's why it's always a good idea to disable PM for guests in the first place! For registered members, there should be a policy that they can only send PMs after they have made at least 3 posts in public, as an example.
*12. Don't let people know what forum software/version you are running!
The easiest way to find vulnerable forum software is via search engines. Google, for example..
Most (free) forum software require their copyright signature at the bottom. You may not remove that!
In some cases, forum software also displays which version you are running (although in most cases that is disabled by default now). In any case, an easy way for hackers, mainly script kiddies, to find out if your forum is vulnerable is via a search engine. They search for "powered by <whatever forum software>" and then run their scripts against every result to see if it's vulnerable or not.
As I already said, you may not remove the "forum copyright" and links, unless you paid for the right to remove them. So it's always a good idea to replace the copyright text with an image (jpg/gif/png) instead. Of course, if there are links involved, use an image map so that you retain the links to the copyright/forum.
Keep in mind that this only takes you out of the search results; a scanner that requests the well-known file names of each forum package directly will still identify yours, so this tip never replaces tip 2.
*13. There are still so many other tweaks to make your forum more secure...
I only made you aware of the most important ones. There are still a lot of other tweaks/modifications to make your forum more secure. You can find a lot of extra tips/tweaks on the main site of the forum software you are running.
In any case... if your forum was hacked/compromised, then it's YOU who should take action ASAP! Don't leave it as it is, because it's YOUR responsibility if people get infected when they visit your site/forum. It's YOU who should fix it and make your forum/site more secure.
Even if you are pretty sure that your forum/site was secure, try to find out how exactly it was hacked/owned. Contact your webhosting company and ask for the logs (web server access logs and FTP logs from around the time the files changed). If you can find the cause, then you can do something against it; if you only restore the files and don't, the same hole will be used again.
A good example.. My forum was once hacked/owned as well. And even though I had taken all precautions and the forum software was up to date as well, it appeared afterwards that there was still a vulnerability present in the forum software I was running. I researched/investigated it and made the forum developers aware of it. Glad to see they have patched it now as well, even though it took them more than 2 weeks to release the patch! Imagine how many forums were compromised in between..... :(
That's why I changed forum software, since I couldn't trust it anymore.
Also, even though you are responsible for your forum/site, if you have a good webhosting company, they will already make you aware of suspicious activity/behavior and take action before you are even aware of it. I've had/used a lot of webhosting companies in the past, but the one I'm using now is SUPERB! Support is great and they take action ASAP! I never want to change again!
AFTER ALL, if you are running a site/forum/whatever, It's still YOUR responsibility for whatever happens on your site. If you don't want to take responsibility, or you don't know how to take action if something similar happens, then make sure you know someone who does - if not, then you shouldn't run a forum/site anyway!
Thursday, April 24, 2008
Saturday, April 12, 2008
... can anyone give me more information about the new Antivirus krepolsky ?
One of the newest members at my forum is using it: Click me
/me is puzzled.. Most probably new Polish version of Kaspersky... :P
Thursday, April 10, 2008
One of the tools I have used many times with success is Dial-a-fix (DAF), developed by DjLizard.
And that's why I wanted to blog about it, to make people aware that most common Windows issues can actually be fixed with one single tool, instead of creating several different fixes such as registry fixes, batches etc...
Even though this tool is meant for power users and technicians, it's safe to use without technical experience. However, guidance is still recommended.
Some examples of what it fixes:
* Windows Installer
* Windows Update
* Registration of ActiveX, Control Panel Applets, Explorer/IE/OE/Shell, OLE...
* Reinstall of BITS, Windows Firewall, WMI, Help and Support, defrag... and so many more.
Take a look at the following screenshots to find out what options/fixes it contains:
And the Tools option (Hammer below in the main screen):
Many programs/tools, or malware, may change default settings or break applications, so the idea behind Dial-a-fix is to fix problems by resetting everything back to the original Microsoft defaults.
For example, if you have been using registry cleaners or system tweaking tools (which I do not recommend), then Dial-a-Fix may be the solution to restore what those tools have broken.
Dial-a-Fix is mainly developed for Windows XP, but it also works under 98, 98SE, ME, 2000 and Server 2003. It doesn't support Vista yet.
Important note.. Before you use Dial-a-fix, make sure you read the WARNINGS section on the Dial-a-fix site first.
And in case you need assistance with Dial-a-fix, or there are problems with Dial-a-fix, post your issues here.
Saturday, April 5, 2008
This is an update to my previous post here.
I received another phone call from the guy who was having problems with his website..
This time, he was complaining about the fact that he couldn't access his admin panel anymore.
(Since the "webmaster" had password protected it with .htaccess.)
Me: "Ok, so what problem exactly are you having?"
He: "There's a login box now and I don't know the login name and password. Whatever I try, it doesn't work."
Me: "Did xxxx (name of the webmaster) contact you to tell you what login and password you have to use?"
Oh boy.. I started to swear in an incomprehensible Bruges dialect :)
So, once again, I called the webmaster...
Me: "It's good you password protected the admin directory now, but it's also a good idea to let your clients know what login and password they have to use."
He: "True, I forgot. The login is xxxx and the pass is xxxxx." (yes, he really told me)
Me: "Why are you telling me this? You have to tell your clients!"
While I was on the phone, I did a reverse IP domain check to see what other sites he had created/was hosting..
7 of them... and they all had an admin directory, this time all password protected. (Glad to see he really updated/changed that.)
The login box appeared and I entered the login and password he had given me previously.. I was in!!
I mean, I was in on all the sites he had created, since all logins and passwords were the same...!
Should I start to cry or....
So I once again explained to him that it was a bad idea to give everyone the same login and password, and that he should also contact his clients to make them aware of the updates he made, etc. etc..
I really hope he'll take his responsibility as a webmaster now, since his clients pay for this!
Thursday, April 3, 2008
A guy phoned me this morning and explained that he was having problems with his Internet Explorer.
He wanted to update his website with new pictures, but for some reason the new pictures didn't appear in his browser after he submitted them.
He asked me if I could try it for him instead, to figure out whether it was an issue with Internet Explorer or with his website.
Since I was at work, I couldn't try it, so I asked him to mail me the link to his site so I could check it in the afternoon.
I also asked for his login+password, because how else would I be able to upload images to his site..? He knows he can trust me...
He: "There's no login and password needed"
Me: "Erm, if there's no login and password needed, how should I upload the pictures then?"
He: "You can do it via the admin panel at my website"
Me: "Ok, but I need the login and password for that"
He: "As I said, it's not needed"
Hmmmmmm... strange.. guess he's missing something...
Back at home, I received his mail with the link to his admin panel : http://*********/admin
(left out the sitename for obvious reasons :) )
Entered the url... and I was in. I mean, I was really in! I couldn't believe my eyes.
What I saw was a preview of his main site with several applications present: to edit text, add text, submit files/pictures, whatever.
I still couldn't believe it, so I uploaded some stupid pictures via the applications, added some stupid text > submit > OK.
Went to the main site and it was there!!! I refreshed once again to make sure.. I even closed and reopened my browser to double-check; what I had submitted was still there.
OMG! This is a REAL BAD idea!
So I phoned the guy and asked him if he had created the website and the admin application... and why he didn't password protect it. Nope, he didn't create the website; he actually paid a lot of money to have it created for him. I explained to him what a bad idea this was and asked for "his" webmaster's phone number.
So I phoned the webmaster... the creator of the site.
Me: "You think it's ok if people compromise the site(s) you created? Put malicious content on it, so every visitor gets infected? Or if someone deletes the entire content of the site?" (and some extra rants).
He: "I have no clue what you are talking about"
Me: "Once again, you did create this website with the admin application?" (gave him the name of the site)
He: "Yes, I created that one"
Me: "Is there any reason why you didn't password protect the admin directory or the access to edit/update the site?"
He: "To make it easier for our clients, so they can update the site any time"
He just didn't get it...
Me: "To make it easier for your clients??? You make it easy for EVERYONE!! Everyone can access it, upload whatever they want, edit whatever they want.." (I didn't try it, but I'm sure the editable text boxes there supported html as well)
He: "Erm, Ok, so what should I do then?"
Me: "Password protect it!!!"
OMG..! I was stumped.
Anyway, I explained to the guy how to password protect it and gave him a lot of options, since he didn't even know what .htaccess was.
I also told him that it is also a good idea to give the admin directory another name, etc. etc..
He finally understood my concerns (and not only my concerns) and said he would change/update it immediately for every website he created.
A webmaster?? Yeah, sure.. And he's getting paid for this?? This is totally irresponsible!
Anyway, I checked a couple of minutes ago and I'm glad to see that there's finally a login box present to enter the "admin site", asking for a login and password. Not sure if it works, if the login name matches the password, but at least it is present... :)
After experiencing this, imagine how many so-called "webmasters" are out there making the same BIG mistakes.
Sidenote: the "not viewing images" issue is resolved now as well. Flushed the IE cache and all was OK again. :)
Tuesday, April 1, 2008
As expected, the Storm worm was present again today (actually in the last 24 hours), taking advantage of April 1st.
It's spreading through e-mails as an April Fool's day e-card. Subjects are random, such as : "Happy April Fools!", "Happy All Fools Day!", "Join the Laugh-A-Lot!" etc..
Contents of the mail:
The mail contains a link to a web server, from which an installer, the file aromis.exe, is downloaded.
More info about the file here.
So always be careful what you receive via mail!
Sidenote (off-topic): even though it's April 1st today, I received a mail from Microsoft today that I was re-awarded the MVP Consumer Security award, already for the third year.
So this was no joke! :)