Hen’s Teeth Network Blog

Hacked Websites & Best Practices for Enhanced Security

Filed under: Desktop Technology,Security — Art Zemon on July 2, 2009

Several of our clients had the unfortunate “opportunity” this week to clean up the mess after their web sites were hacked. An “iframe” had been inserted into several pages, so that anyone viewing these web sites also, invisibly, downloaded malicious JavaScript from servers in places such as China and Russia. I have listened as people vented fury at the cost, inconvenience, and sense of violation almost akin to a physical assault. I share those feelings, believe me!

The rest of this posting gives a bit of background on the hack and some “best practices” for keeping your web site safe from attacks including this one.

First, if your site was hacked, you are in good company. Security Labs, back on June 16, reported that the Nine-Ball injection attack had compromised more than 40,000 web sites. eWeek reported that security vendor Prevx had found 88,000 stolen FTP usernames and passwords, possibly related to the same attack and the result of nefarious activities over a span of at least two years. The attacker had nothing against you, in particular. Your web site just happened to be “in the right place at the right time.”

One of the sites which I helped clean up this week is hosted on one of our virtual private servers so I had full access to the log files and had the chance to see exactly how and when the files were modified. In the wee hours of the morning, 119 different machines FTP-ed into the server and worked in a coordinated fashion to deface the web site. One machine would download a file and a few seconds later, a different machine, often on a different continent, would upload the poisoned version of the file. This went on for about 20 minutes, with no machine visiting more than once. In the end, about 30 files had been modified. Before beginning the attack, “they” knew the correct username and password; there was no guesswork involved. Clearly, this is a professional operation; it is not some junior high school kid hacking around in his bedroom at night.
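The pattern described above (one host downloads a file, a different host uploads the modified copy seconds later, dozens of hosts on one account) is easy to spot mechanically if you have the FTP transfer log. The following Python script is an added example, not code from the original post or from Hen’s Teeth Network: it reads lines in the standard xferlog format that wu-ftpd, ProFTPD and vsftpd write, groups transfers by account, and flags accounts that show either a download followed within a short window by an upload of the same file from a different host, or more distinct client hosts than a real webmaster would use. The log lines, account names and IP addresses are constructed for illustration, and the 60-second and 3-host thresholds are assumptions to tune for your own site.

```python
"""Spot the coordinated download-then-upload pattern in an FTP transfer log."""
from collections import defaultdict
from datetime import datetime

# Constructed xferlog lines (wu-ftpd/ProFTPD/vsftpd format), not the real log:
# one hijacked account worked by four hosts, and one normal account editing
# a file from a single host.
SAMPLE_XFERLOG = """\
Thu Jul  2 03:14:07 2009 1 203.0.113.5 4096 /var/www/html/index.html b _ o r siteuser ftp 0 * c
Thu Jul  2 03:14:12 2009 1 198.51.100.7 4210 /var/www/html/index.html b _ i r siteuser ftp 0 * c
Thu Jul  2 03:14:30 2009 1 203.0.113.9 2048 /var/www/html/about.html b _ o r siteuser ftp 0 * c
Thu Jul  2 03:14:36 2009 1 192.0.2.44 2160 /var/www/html/about.html b _ i r siteuser ftp 0 * c
Thu Jul  2 09:00:00 2009 2 203.0.113.50 5000 /var/www/html/news.html b _ o r webmaster ftp 0 * c
Thu Jul  2 09:05:00 2009 2 203.0.113.50 5100 /var/www/html/news.html b _ i r webmaster ftp 0 * c
"""


def parse_xferlog(text):
    """Yield (time, remote_host, path, direction, user) for each transfer line.

    Field layout: 5 date fields, transfer time, remote host, size, file name,
    transfer type, special-action flag, direction ('o' = download from the
    server, 'i' = upload to it), access mode, user name, service, ...
    """
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        yield when, f[6], f[8], f[11], f[13]


def find_hijacked_sessions(text, max_gap_seconds=60, min_hosts=3):
    """Return per-account evidence: the distinct hosts used and 'swap' pairs.

    A swap is a download of a file followed within max_gap_seconds by an
    upload of the same file from a different host. No legitimate user works
    that way; it is the fingerprint of the distributed defacement.
    """
    by_user = defaultdict(list)
    for rec in parse_xferlog(text):
        by_user[rec[4]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        recs.sort()
        hosts = {host for _, host, _, _, _ in recs}
        swaps = []
        for i, (t1, h1, path, d1, _) in enumerate(recs):
            if d1 != "o":
                continue
            for t2, h2, path2, d2, _ in recs[i + 1:]:
                gap = (t2 - t1).total_seconds()
                if gap > max_gap_seconds:
                    break
                if d2 == "i" and path2 == path and h2 != h1:
                    swaps.append((path, h1, h2, gap))
                    break
        if swaps or len(hosts) >= min_hosts:
            findings[user] = {"hosts": sorted(hosts), "swaps": swaps}
    return findings


if __name__ == "__main__":
    for user, ev in find_hijacked_sessions(SAMPLE_XFERLOG).items():
        print(user, "used", len(ev["hosts"]), "hosts")
        for path, src, dst, gap in ev["swaps"]:
            print("  %s: pulled by %s, pushed back by %s %.0fs later" % (path, src, dst, gap))
```

The list of swapped paths is also your cleanup list: every file that was pushed back in this way needs to be restored from backup, not just the ones where the iframe is obvious.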

The FTP usernames and passwords were probably stolen from personal computers, not web servers, which had these items “memorized” in programs such as Internet Explorer, Firefox, WS_FTP, etc. It is certainly convenient to avoid typing your password every time you log into your web site, but it does create a security risk. The malware which stole the passwords probably came from visiting another infected web site, but the actual code may have been executed by the web browser or by any of several other programs such as the Adobe Flash player, the Adobe (Acrobat) Reader, the Apple QuickTime player, and so on. It is impossible to know exactly how any one password was stolen because the thieves are so creative and there are so many programs with security holes.

There are several things which you can do to protect yourself. Please realize that all of these suggestions are equally important. Do not make the mistake of thinking that cherry-picking off the top of the list will make you magically safe.

  • Practice safe browsing. When you are surfing the ‘net, avoid the dangerous places. The web sites which look shady might well be. The advertisements for products and services which are too good to be true are just that: too good to be true; don’t click on them. If you have a business computer with sensitive information on it (such as the username and password for updating your web site), you might even make a rule that that machine is never to be used for non-business purposes; no games, no video or music downloads, no desktop plug-ins to display the weather, etc. Limit the number of places where you might pick up some malware.
  • Assure that your anti-virus software is up-to-date and working correctly. It is not enough to buy and install the software. Confirm that your machine is downloading the updated data files on a regular basis. Since there are new viruses and trojans coming out all the time, you need to be sure that your anti-virus software “knows” about them and can detect them.
  • Keep track of the software you use and install all of the security patches. This is absolutely vital for any software which touches content from the internet but a good idea for everything. For instance, make sure that you download and install security patches for your operating system, your web browser, the Adobe Flash player, the Adobe (Acrobat) Reader, the Apple QuickTime player, etc. If you downloaded some special plug-in to view the content for one particular web site, be very suspicious. Some of these are legitimate but some are nothing but spyware. If you visit gaming or video or music web sites which require you to use such plug-ins, it would make excellent security sense to do so only from a “play” computer which does not contain any valuable data.
  • Stop using Internet Explorer 6; it is a security nightmare. Upgrade to IE8 (or at least to IE7). Better yet, switch to Firefox or Chrome or Safari or Opera. (Firefox is my favorite.)
  • Backups are golden! If you do get hacked (or even accidentally delete a file), nothing beats ready access to a nice, fresh backup of your files. Make sure that your entire web site is backed up; not just the files you created yourself but everything. Did you install WordPress? If so, back up the entire WordPress directory including themes, modules, uploaded photos, etc. Did you install some e-commerce software? If so, back up all of the e-commerce stuff including configuration files, log files, templates, product images, etc. Do any of your programs use a database such as MySQL? If so, back up the database. All HTN hosting accounts include nightly disk-based backups and weekly tape-based backups. We also offer an automated solution for virtually any web server account, Nest Egg Backup for Web Servers, which gives 30 days of backups. There are lots of other ways to accomplish the same safety, of course. The important thing is to do the backups.
  • Back up often and keep several backups in case the most recent one (or two (or three)) does not have what you need. How much would it hurt your business if your web site was down for several days or even weeks? How much would it cost to recreate the site if the content was truly lost or destroyed? That feeling in your gut gives you some idea of how important this issue is; trust your gut.
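The two backup points above (back up everything, and keep several generations) are simple to automate. The following Python script is an added example, not part of the original post and not the Nest Egg Backup product: it archives the whole document root plus any extra files you hand it (for instance the output of `mysqldump`, which you run just before it), names each archive by date, keeps only the newest N, and re-reads the archive to prove it is usable. The sample site, the stand-in dump file and the 2009 date labels are constructed for the demonstration.

```python
"""Dated, rotated archives of a web root plus a database dump file."""
import os
import tarfile
import tempfile
import time


def backup_webroot(webroot, dest, keep=30, label=None, extra_files=()):
    """Write dest/site-<label>.tar.gz containing webroot and any extra files.

    extra_files is for things that live outside the web root, e.g. the file
    `mysqldump` wrote a moment ago. Returns the archive path, after pruning
    everything older than the newest `keep` archives.
    """
    os.makedirs(dest, exist_ok=True)
    label = label or time.strftime("%Y%m%d-%H%M%S")
    path = os.path.join(dest, "site-%s.tar.gz" % label)
    with tarfile.open(path, "w:gz") as tar:
        tar.add(webroot, arcname="webroot")   # everything: themes, uploads, config
        for extra in extra_files:
            tar.add(extra, arcname=os.path.basename(extra))
    prune_backups(dest, keep)
    return path


def prune_backups(dest, keep):
    """Remove all but the newest `keep` archives; the date labels sort by name."""
    if keep < 1:
        raise ValueError("keep at least one backup")
    names = sorted(n for n in os.listdir(dest)
                   if n.startswith("site-") and n.endswith(".tar.gz"))
    removed = names[:-keep]
    for name in removed:
        os.remove(os.path.join(dest, name))
    return removed


def verify_backup(path):
    """Read the archive back and return its member names.

    A backup that cannot be re-read is not a backup; run this after every job.
    """
    with tarfile.open(path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def run_demo(base=None):
    """Build a constructed sample site, take three nightly backups with keep=2,
    and return (archives left on disk, members of the newest archive)."""
    base = base or tempfile.mkdtemp(prefix="htn-backup-demo-")
    web = os.path.join(base, "web")
    os.makedirs(os.path.join(web, "wp-content", "uploads"), exist_ok=True)
    with open(os.path.join(web, "index.html"), "w") as fh:
        fh.write("<html><body>constructed sample page</body></html>\n")
    dump = os.path.join(base, "site.sql")          # stands in for mysqldump output
    with open(dump, "w") as fh:
        fh.write("-- constructed dump, not a real database\n")
    dest = os.path.join(base, "backups")
    latest = None
    for day in ("20090630", "20090701", "20090702"):
        latest = backup_webroot(web, dest, keep=2, label=day, extra_files=[dump])
    return sorted(os.listdir(dest)), verify_backup(latest)


if __name__ == "__main__":
    left, members = run_demo()
    print("archives kept:", left)
    print("newest contains:", members)
```

Schedule `backup_webroot` nightly from cron and copy the `dest` directory somewhere the FTP account cannot reach; a backup that sits in the document root is one more file the attacker can overwrite.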

Choosing “good” passwords is important, too, but not germane to this particular attack because these folks stole the passwords from personal computers; they did not guess the passwords. When selecting a password, follow a few simple rules:

  1. Make sure that the password is not in the dictionary, even if it is a long word. Similarly, don’t pick a dictionary-based word and simply add a digit or two to the beginning or end of the word.
  2. Use characters from at least three of these sets:
    • Upper case letters
    • Lower case letters
    • Numerals
    • Punctuation marks and special characters, e.g., !@#$%^&*()
  3. Longer passwords are much more secure than shorter passwords. For instance, you might pick a couple of words and throw in a couple digits and a couple punctuation marks and end up with something 16 characters long. That’s good.
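The three rules above are concrete enough to turn into a check you can run over a candidate password before adopting it. The following Python function is an added example, not code from the original post: it rejects dictionary words even after the digits or punctuation tacked onto either end are peeled off, counts how many of the four character classes appear, and enforces a minimum length. The tiny word list stands in for a real dictionary, and the 12-character minimum is an assumption, since the post only says longer is better and calls 16 characters good.

```python
"""Check a candidate password against the three rules above."""
import string

# Constructed stand-in for a real word list (use the system dictionary in practice).
SMALL_WORDLIST = {"password", "chicken", "hen", "teeth", "network", "summer", "letmein"}

CHARACTER_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                     string.digits, string.punctuation)


def check_password(pw, wordlist=SMALL_WORDLIST, min_classes=3, min_length=12):
    """Return the rules `pw` breaks; an empty list means it passes.

    min_length is an assumed figure; the post only says longer is better and
    calls 16 characters good.
    """
    problems = []
    # Rule 1: not a dictionary word, even after peeling digits/punctuation off the ends.
    core = pw.strip(string.digits + string.punctuation)
    if pw.lower() in wordlist or core.lower() in wordlist:
        problems.append("dictionary word, possibly with digits or punctuation added")
    # Rule 2: characters from at least three of the four classes.
    used = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in pw))
    if used < min_classes:
        problems.append("uses only %d of 4 character classes" % used)
    # Rule 3: length.
    if len(pw) < min_length:
        problems.append("shorter than %d characters" % min_length)
    return problems


if __name__ == "__main__":
    for candidate in ("Chicken42", "summertime", "Hen's-Teeth!2009"):
        print(repr(candidate), check_password(candidate) or "OK")
```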

Finally, talk to your webmaster about this. What measures does he take to protect your web site? If, heaven forbid, something happens to your site, how can he help repair the damage? Plan ahead.

Security is achievable and you can do it, even though it does take some attention and work. If you do get hacked by professionals like this, remember that it’s not personal; it’s just about money and your web site is one tool they are trying to use to steal the money. Restore your files, change your passwords, double check your security procedures, and go back to running your business.
