How are websites hacked and how do you protect against it?

On 5/10/04 2:16 pm, Doc wrote:

I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?

Mostly it depends on your web hosting company keeping their server software
up to date.

All you have to do is make sure your password can't be guessed easily (i.e.,
if it can be found in a dictionary, it's no good), and avoid uploading
insecure scripts to your web pages. That includes older versions of email
scripts like FormMail, which are routinely hijacked by spammers to send out
junk mail.

It also appears that FrontPage sites might be inherently insecure, so don't
use FrontPage either. (It's rubbish software anyway.)

I think that's about all there is to it.

Phil

--
Philip Ronan
ph***********@virgin.net
(Please remove the "z"s if replying by email)

Doc <do*********@removehotmail.com> spoke thus:

(Probably OT for all the groups posted to, so sorry.)

I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?
There are different varieties of "hacked". Usually the site's home
page is replaced with something of the hacker's choosing - that's a
"defacement". A common way in which sites are vulnerable to this sort
of attack is poorly programmed dyanamic scripts; you can find detailed
information about the specifics with some Google searching. The
"security" web site AntiOnline was defaced as a result of a flaw in
one of its dynamic scripts; you can find many more examples in the
archives at www.attrition.org, which formerly was a major mirror of
defaced web sites.

If the web server is running other services (such as telnet, SMTP,
FTP, etc.), the number of ways in which it can be compromised
increases. Google is your friend.

The compromise at Microsoft seems to have resulted from a Trojan sent
via e-mail, that one of their bone-headed employees blithely opened.
There's no substitute for clueful users and employees.
Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?

The first thing you personally can do is to check the integrity of
your dynamic CGI scripts, if you use them. If you don't run the
hosting server, there's not much else you can do that I know of.

--
Christopher Benson-Manica | I *should* know what I'm talking about - if I
ataru(at)cyberspace.org | don't, I need to know. Flames welcome.

Christopher Benson-Manica <at***@nospam.cyberspace.org> spoke thus:

The first thing you personally can do is to check the integrity of
your dynamic CGI scripts, if you use them. If you don't run the
hosting server, there's not much else you can do that I know of.

Well, of course, like Philip said, by all means make sure your
password is something appropriate, at the very least not susceptible
to a dictionary attack. Of course, if any of the other users of your
hosting service are clueless, it won't matter anyway.

--
Christopher Benson-Manica | I *should* know what I'm talking about - if I
ataru(at)cyberspace.org | don't, I need to know. Flames welcome.

Philip Ronan schreef:

On 5/10/04 2:16 pm, Doc wrote:

I keep reading about various websites being hacked into and wonder, how is
this done? Not for any nefarious reasons, but to take measures to protect
mine. Apparently this has been done to some high profile sites that you
would think would have good security in place. In fact, if memory serves,
wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine how
secure your hosting service is?

Mostly it depends on your web hosting company keeping their server software
up to date.

All you have to do is make sure your password can't be guessed easily (i.e.,
if it can be found in a dictionary, it's no good), and avoid uploading
insecure scripts to your web pages. That includes older versions of email
scripts like FormMail, which are routinely hijacked by spammers to send out
junk mail.

Even with a self made server-side formmail script?
--
Edwin van der Vaart
http://www.semi-conductor.nl/ Links to Semiconductors sites
http://www.evandervaart.nl/ Under construction

On 5/10/04 3:08 pm, Edwin van der Vaart wrote:

Even with a self made server-side formmail script?

Pardon?

--
Philip Ronan
ph***********@virgin.net
(Please remove the "z"s if replying by email)

Doc wrote:

I keep reading about various websites being hacked into and wonder,
how is this done? Not for any nefarious reasons, but to take measures
to protect mine. Apparently this has been done to some high profile
sites that you would think would have good security in place. In
fact, if memory serves, wasn't one of Microsoft's site hacked?

Since you have to put in a password to get into the server, obviously
there's some other way to do it. How is it done? How do you determine
how secure your hosting service is?

If the script is unsecure, then it opens up one way to hack the system.
For example if you rely on certain user input (via form fields), and
you don't protetc yourself against SQL injection. Or you allow upload
of certain file formats which can then be executed. These were just two
of many examples. This is all concerning the scripting layer, like ASP,
ASP.NET, PHP, Python, Perl etc.

--
Google Blogoscoped
http://blog.outer-court.com

Philipp Lenssen <in**@outer-court.com> spoke thus:

If the script is unsecure, then it opens up one way to hack the system.
For example if you rely on certain user input (via form fields), and
you don't protetc yourself against SQL injection. Or you allow upload
of certain file formats which can then be executed. These were just two
of many examples. This is all concerning the scripting layer, like ASP,
ASP.NET, PHP, Python, Perl etc.

Or, if you're using C++ like we are, a buffer overflow would be a
wide door for those with malicious intent.

--
Christopher Benson-Manica | I *should* know what I'm talking about - if I
ataru(at)cyberspace.org | don't, I need to know. Flames welcome.

Philip Ronan schreef:

On 5/10/04 3:08 pm, Edwin van der Vaart wrote:

Even with a self made server-side formmail script?

Pardon?

Sorry.
I ment a self made server-side process script.
--
Edwin van der Vaart
http://www.semi-conductor.nl/ Links to Semiconductors sites
http://www.evandervaart.nl/ Under construction

On 5/10/04 6:54 pm, Edwin van der Vaart wrote:

Philip Ronan schreef:

On 5/10/04 3:08 pm, Edwin van der Vaart wrote:

Even with a self made server-side formmail script?

Pardon?

Sorry.
I ment a self made server-side process script.

Well obviously that's no problem as long as you know what you're doing.

Most problems seem to occur when people copy data directly from the POST
request into the email headers without checking for stray carriage returns
etc.

That's a bit OT for an HTML discussion though.

--
Philip Ronan
ph***********@virgin.net
(Please remove the "z"s if replying by email)

Philip Ronan schreef:

On 5/10/04 6:54 pm, Edwin van der Vaart wrote:

Philip Ronan schreef:

On 5/10/04 3:08 pm, Edwin van der Vaart wrote:
Even with a self made server-side formmail script?

Pardon?
Sorry.
I ment a self made server-side process script.

Well obviously that's no problem as long as you know what you're doing.

Most problems seem to occur when people copy data directly from the POST
request into the email headers without checking for stray carriage returns
etc.

Thanx for the info.
That's a bit OT for an HTML discussion though.

I know. I was a bit curiose that's all.
--
Edwin van der Vaart
http://www.semi-conductor.nl/ Links to Semiconductors sites
http://www.evandervaart.nl/ Under construction