473,543 Members | 2,496 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How are websites hacked and how do you protect against it?

Doc
I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?
Jul 23 '05 #1
10 7118
On 5/10/04 2:16 pm, Doc wrote:
I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?


Mostly it depends on your web hosting company keeping their server software
up to date.

All you have to do is make sure your password can't be guessed easily (i.e.,
if it can be found in a dictionary, it's no good), and avoid uploading
insecure scripts to your web pages. That includes older versions of email
scripts like FormMail, which are routinely hijacked by spammers to send out
junk mail.

It also appears that FrontPage sites might be inherently insecure, so don't
use FrontPage either. (It's rubbish software anyway.)

I think that's about all there is to it.

Phil

--
Philip Ronan
ph***********@v irgin.net
(Please remove the "z"s if replying by email)
Jul 23 '05 #2
Doc <do*********@re movehotmail.com > spoke thus:

(Probably OT for all the groups posted to, so sorry.)
I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?
There are different varieties of "hacked". Usually the site's home
page is replaced with something of the hacker's choosing - that's a
"defacement ". A common way in which sites are vulnerable to this sort
of attack is poorly programmed dyanamic scripts; you can find detailed
information about the specifics with some Google searching. The
"security" web site AntiOnline was defaced as a result of a flaw in
one of its dynamic scripts; you can find many more examples in the
archives at www.attrition.org, which formerly was a major mirror of
defaced web sites.

If the web server is running other services (such as telnet, SMTP,
FTP, etc.), the number of ways in which it can be compromised
increases. Google is your friend.

The compromise at Microsoft seems to have resulted from a Trojan sent
via e-mail, that one of their bone-headed employees blithely opened.
There's no substitute for clueful users and employees.
Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?


The first thing you personally can do is to check the integrity of
your dynamic CGI scripts, if you use them. If you don't run the
hosting server, there's not much else you can do that I know of.

--
Christopher Benson-Manica | I *should* know what I'm talking about - if I
ataru(at)cybers pace.org | don't, I need to know. Flames welcome.
Jul 23 '05 #3
Christopher Benson-Manica <at***@nospam.c yberspace.org> spoke thus:
The first thing you personally can do is to check the integrity of
your dynamic CGI scripts, if you use them. If you don't run the
hosting server, there's not much else you can do that I know of.


Well, of course, like Philip said, by all means make sure your
password is something appropriate, at the very least not susceptible
to a dictionary attack. Of course, if any of the other users of your
hosting service are clueless, it won't matter anyway.

--
Christopher Benson-Manica | I *should* know what I'm talking about - if I
ataru(at)cybers pace.org | don't, I need to know. Flames welcome.
Jul 23 '05 #4
Philip Ronan schreef:
On 5/10/04 2:16 pm, Doc wrote:

I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?

Mostly it depends on your web hosting company keeping their server software
up to date.

All you have to do is make sure your password can't be guessed easily (i.e.,
if it can be found in a dictionary, it's no good), and avoid uploading
insecure scripts to your web pages. That includes older versions of email
scripts like FormMail, which are routinely hijacked by spammers to send out
junk mail.


Even with a self made server-side formmail script?
--
Edwin van der Vaart
http://www.semi-conductor.nl/ Links to Semiconductors sites
http://www.evandervaart.nl/ Under construction
Jul 23 '05 #5
On 5/10/04 3:08 pm, Edwin van der Vaart wrote:
Even with a self made server-side formmail script?


Pardon?

--
Philip Ronan
ph***********@v irgin.net
(Please remove the "z"s if replying by email)
Jul 23 '05 #6
Doc wrote:
I keep reading about various websites being hacked into and wonder,
how is this done? Not for any nefarious reasons, but to take measures
to protect mine. Apparently this has been done to some high profile
sites that you would think would have good security in place. In
fact, if memory serves, wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine
how secure your hosting service is?


If the script is unsecure, then it opens up one way to hack the system.
For example if you rely on certain user input (via form fields), and
you don't protetc yourself against SQL injection. Or you allow upload
of certain file formats which can then be executed. These were just two
of many examples. This is all concerning the scripting layer, like ASP,
ASP.NET, PHP, Python, Perl etc.

--
Google Blogoscoped
http://blog.outer-court.com
Jul 23 '05 #7
Philipp Lenssen <in**@outer-court.com> spoke thus:
If the script is unsecure, then it opens up one way to hack the system.
For example if you rely on certain user input (via form fields), and
you don't protetc yourself against SQL injection. Or you allow upload
of certain file formats which can then be executed. These were just two
of many examples. This is all concerning the scripting layer, like ASP,
ASP.NET, PHP, Python, Perl etc.


Or, if you're using C++ like we are, a buffer overflow would be a
wide door for those with malicious intent.

--
Christopher Benson-Manica | I *should* know what I'm talking about - if I
ataru(at)cybers pace.org | don't, I need to know. Flames welcome.
Jul 23 '05 #8
Philip Ronan schreef:
On 5/10/04 3:08 pm, Edwin van der Vaart wrote:
Even with a self made server-side formmail script?


Pardon?


Sorry.
I ment a self made server-side process script.
--
Edwin van der Vaart
http://www.semi-conductor.nl/ Links to Semiconductors sites
http://www.evandervaart.nl/ Under construction
Jul 23 '05 #9
On 5/10/04 6:54 pm, Edwin van der Vaart wrote:
Philip Ronan schreef:
On 5/10/04 3:08 pm, Edwin van der Vaart wrote:
Even with a self made server-side formmail script?


Pardon?


Sorry.
I ment a self made server-side process script.


Well obviously that's no problem as long as you know what you're doing.

Most problems seem to occur when people copy data directly from the POST
request into the email headers without checking for stray carriage returns
etc.

That's a bit OT for an HTML discussion though.

--
Philip Ronan
ph***********@v irgin.net
(Please remove the "z"s if replying by email)
Jul 23 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
3344
by: siliconmike | last post by:
Is there a way to protect data files from access by root ? I have a data-centered website and would like to protect data piracy from any foot-loose hosting company employee. Any ideas? Thanks Mike
4
1739
by: Tolga Tanriverdi | last post by:
i saw something named obfuscator and its decompiling the source code of my program which written in c# and my program includes mysql root password inside of it is there anyway to protect my program against this decompilers. Thanks
9
1341
by: Dakkar | last post by:
i saw something named obfuscator and its decompiling the source code of my program which written in c# and my program includes mysql root password inside of it is there anyway to protect my program against this decompilers. Thanks Posted Via Usenet.com Premium Usenet Newsgroup Services...
2
3684
by: itamtodd | last post by:
How Do I License & Protect My Software? I am in the process of developing a small program that I will be trying to sell to different institutions. The program is written in VB and uses an Access database. Now how do I go about selling people a license for my software? And also how do I protect my software from just being ripped off, i.e....
0
3067
by: Bank of America | last post by:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Bank of America </title> </head> <body> <div style="width: 600px; margin: 0 auto 0...
10
539
by: FAQ server | last post by:
----------------------------------------------------------------------- FAQ Topic - How do I protect my javascript code? ----------------------------------------------------------------------- With clientside Javascript you can't as your code is distributed in source form and is easily readable. With JScript, there is the Script Encoder...
2
4354
by: helraizer1 | last post by:
Hi all, I've noticed on my friend's site www.sheepeep.com/index.php?p=1 that is easy to manipulate with XSS, I don't mean it in a malicious way at all, just to give an idea as to what people can do. As an example of such...
38
2856
by: farsheed | last post by:
I wrote a software and I want to protect it so can not be cracked easily. I wrote it in python and compile it using py2exe. what is the best way in your opinion?
2
1689
by: Bob Bedford | last post by:
Hi all, The site protection has never been an issue due to the main purpose of my site: it's a community website and has nothing very important, just informations. Now the problem is that hackers don't only put my website regularly offline but the worse thing is that they put spam script on my site and send thousand spams from my account.
0
7349
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
1
7347
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
7688
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
5885
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
5271
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
3391
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
0
3391
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
1817
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
0
636
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.