Ten Questions on Site Security



howard
11-10-2005, 03:42 PM
Thanks again to all who replied to an earlier post ( http://forums.westhost.com/showthread.php?t=8542 ).

The group I mentioned before is moving ahead with their website. They have a member who has created a 3-page information site. They have a regular hosting account (not WestHost) with features such as cPanel, and FTP access.

They asked me some questions, which they say their group will be asking them, and wanted to know my answers, so they will be ready when the questions are asked.

Here is a list of ten questions, and my answers. Please look at them to see if I would be giving any incomplete or incorrect responses.

--

Q. How will we know if our site security has been compromised and that someone has hijacked our site?
A. Look at the pages. Are they defaced? Do the links lead to porn or gambling sites instead of where they should go? Are there any extra links or pages you did not write?

Q. What do we do if that happens?
A. Change the password (contact the host if the hijacker has already changed it) and restore backups.

Q. Is it possible that the web author could have a virus on her own computer, and accidentally load that virus on one of their pages so that, when someone else visits the page, they get the virus?
A. Theoretically possible, but viruses can't really be hidden in plain html pages the web author may upload from her computer.

Q. Same question for if the site is hijacked.
A. I guess it is possible for a hijacker to upload such content if the site were hijacked.

Q. How do we know if that has happened?
A. When you check your site, and view the infected page, the AV program on your computer should alert you.

Q. Can the pages on the server be scanned on the server, the way we scan our hard drives?
A. It would be more appropriate to FTP them down to your own hard drive and scan them there, if you are concerned about that.

Q. Don't the people that own the server where we are hosted have anti-virus programs for their servers?
A. Probably, but only for the software that runs the server, which just delivers files to the viewer. That's all it does. I'm not sure that answers your question.

Q. If email addresses are set up under our domain name, is it possible for a member to get a virus by someone sending him or her an email?
A. Yes, just as it is possible with any email.

Q. And then he or she could pass that virus on to others?
A. Yes, just like any email system.

Q. But hotmail checks for viruses, will our site do that?
A. No, but, since you are going to be forwarding any emails received, rather than giving webmail access, if someone is fearful of that, they can set up a hotmail account to have their email forwarded to.

--

jalal
11-11-2005, 02:10 AM
Q. How will we know if our site security has been compromised and that someone has hijacked our site?
A. Look at the pages. Are they defaced? Do the links lead to porn or gambling sites instead of where they should go? Are there any extra links or pages you did not write?

These are two different questions. A site can be compromised and not defaced. In fact, most security breaks will not be visible from the outside. The computer system will be used for sending spam, attacking banks/governments or attacking other computer systems.



Q. What do we do if that happens?
A. Change the password (contact the host if the hijacker has already changed it) and restore backups.

If there are any legal repercussions, you will want to immediately save whatever logs you have (including shell histories) for analysis. And ask the ISP to do the same.
A competent attacker will know how to cover their tracks, but you may find some evidence.

Restoring from backups is usually useless as they will simply break in again. It is important to find out how they got in and then plug the hole before restoring.



Q. Can the pages on the server be scanned on the server, the way we scan our hard drives?
A. It would be more appropriate to FTP them down to your own hard drive and scan them there, if you are concerned about that.

It is quite simple to run scanning software on the server, run by a cron job. I use rkhunter for example. But again, a competent attacker will know and understand how to get around that. More powerful defences are tripwire and such.


Q. Don't the people that own the server where we are hosted have anti-virus programs for their servers?
A. Probably, but only for the software that runs the server, which just delivers files to the viewer. That's all it does. I'm not sure that answers your question.

You could also scan for trojans in the webspace.

Most attacks, at least on the servers that I run, are done by 'script kiddies' using automated scripts, and these are easily defended against with equally automated defense scripts. If you have a minimum of defense then the kiddies will move on. There are lots of easily broken systems available.

Should you get a determined attacker, then things are a little more difficult and you will need to do a little studying yourself. It's a big subject and more than I can get into here.

howard
11-11-2005, 08:37 AM
Jalal,

Thanks for the reply.

The site will not be using any php or perl scripts such as form to email, nor allowing anonymous ftp.

I will look into rkhunter and tripwire.

Howard