Hacking a Website: Simple Security Tips

    Hacker activity never lets up. For example, according to just one hacker site, zone-h.org (see the Onhold section), hundreds of sites are hacked every day. Are you sure yours is not among them?

    You do not need to be a professional hacker to break into a site. This article is about the so-called “kulhackers”, who use the fruits of other people's “labors”, and about the simplest cases of hacking. It is by no means a how-to for hacking a site. The goal is to show how easy hacking is, and to recommend measures for protecting the site and actions to take if it is hacked by “Kosovo Albanians”.
    An example of Russian law enforcement agencies successfully tracking down a hacker is also given.

    How is a site hacked?

    The most common ways into a site:
    • brute-forcing simple passwords for the admin panel / FTP (the domain name, 12345, admin, test, etc.); oddly enough, a large number of hacks happen exactly this way;
    • exploiting vulnerabilities in scripts (the CMS and its modules).

    Let me illustrate with the example of Joomla + CKForms. So as not to lead anyone into temptation, I am not publishing a link to the description: it is too simple to use, though it is also easy to find. Vulnerabilities in the CKForms module allow SQL injection or PHP inclusion and, through simple manipulations, access to the admin panel. The vulnerability is exploited through a simple request in the browser's address bar.

    It takes literally five minutes and requires no serious knowledge from the attacker. What happens next depends on the attacker's imagination: from an unpleasant defacement to destroying the site and trying to seize control of other sites and the server.

    I took action, but how was the site hacked?

    How can a hacker get access to other sites on shared hosting if the site owner has taken all the known measures? After all, almost everywhere access to sites is separated by user logins, and it would seem that this should protect a site from its neighbors. We will confine ourselves to one case. A serious danger is running scripts under an Apache module, for example mod_perl. In that case the script runs as the Apache user, which has access to the data of the sites' users. The hacker, as described above, gains access to one of the sites. Then a console script is uploaded, for example cgi-telnet. If the permissions on the configuration files of other users' sites are set to 644 (or, worse still, 777!), it is easy to read the contents of files with passwords from that console. But only if the Perl script runs as the Apache user, i.e. under mod_perl (the situation with mod_php is similar). Under FastCGI, for example, this method gives no access to the files. You can protect yourself by setting permissions of 600 on critical files and using FastCGI.
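    A way to check for the 644/777 problem described above, as an added example that is not part of the original article. The file names in SENSITIVE_NAMES are assumptions (configuration.php is Joomla's configuration file; the rest are placeholders to adapt), and the demo tree is constructed.

```python
import os
import stat
import tempfile

# Assumed names of files that hold passwords; adapt to your own scripts.
SENSITIVE_NAMES = {"configuration.php", "config.php", ".htpasswd"}

def audit_permissions(root, names=SENSITIVE_NAMES):
    """Return (path, octal mode, problem) for sensitive files looser than 600."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o022:
                # Any other account, including the web server user, can modify it.
                findings.append((path, oct(mode), "writable by group/other"))
            elif mode & 0o077:
                # Readable by a script running as another user (mod_perl, mod_php).
                findings.append((path, oct(mode), "accessible to group/other"))
    return sorted(findings)

def build_demo_tree():
    """Constructed demo: three 'sites' whose config files have modes 600, 644, 777."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for site, mode in (("site_a", 0o600), ("site_b", 0o644), ("site_c", 0o777)):
        os.makedirs(os.path.join(root, site))
        path = os.path.join(root, site, "configuration.php")
        with open(path, "w") as fh:
            fh.write("<?php /* constructed placeholder, no real credentials */\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for path, mode, problem in audit_permissions(build_demo_tree()):
        print(mode, problem, path)
```

    Files flagged here should be set to 600; as the text notes, that only works when scripts run as the site's own user (for example under FastCGI).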

    How can I access the management of the server itself?

    Let me give one common example for Linux systems. Here, too, you first need access to one of the sites.
    There are several NULL pointer vulnerabilities in the kernel that dozens of Linux systems are exposed to, for example: Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability. Exploits are also described there (be careful, this works!).
    Although this problem has been known for a long time, there are many unpatched servers, including in Russia. The easiest way to protect yourself is described, for example, here.
    This does not guarantee 100% protection because, for example, installing wine can reset the mmap_min_addr parameter back to 0. It is strongly recommended to apply the patches, which can be obtained from the page above or from official sources.
    This issue was also discussed on Habr.
    Responsibility for protecting against these exploits lies with the server administrator.

    Remedial Procedure

    "Treatment" by restoring from a backup is not enough: having hacked the site once, they will come back. What should the site owner do?
    • Try to determine immediately which files have been replaced; these can be index.php as well as template files, images, etc.;
    • Take screenshots of the consequences;
    • Be sure to notify the hosting provider and coordinate your next steps with them;
    • Save the site files in a separate directory; the file modification times will later help you identify the attacker;
    • Restore the site from the backup or ask the hoster to do it;
    • Download the site's error and access logs, or ask the hoster to provide them; it is better to copy them to a separate directory so that they are not lost to log rotation;
    • Analyze the file modification times and compare them with the log entries; this lets you determine the nature of the vulnerability used and the attacker's IP address;
    • Update the scripts or, if this is not possible, stop using the vulnerable modules;
    • Be sure to change all access passwords.
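    The comparison of file modification times with log entries from the list above, as an added example that is not part of the original article. It assumes the Apache "combined" access-log format; the log lines, paths, times and IP addresses are constructed, and in practice the modification times would be read from the saved copy of the site.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "time": when, "method": m["method"],
            "url": m["url"], "status": int(m["status"])}

def correlate(modified, log_lines, window=timedelta(seconds=30)):
    """Map each modified file to the requests logged within `window` before its mtime."""
    entries = [e for e in map(parse_line, log_lines) if e]
    return {path: [e for e in entries
                   if timedelta(0) <= mtime - e["time"] <= window]
            for path, mtime in modified.items()}

def suspect_ips(hits):
    """Rank client IPs by how many modified files their requests precede."""
    counts = Counter()
    for requests in hits.values():
        counts.update({e["ip"] for e in requests})
    return counts.most_common()

# Constructed sample data (documentation IP ranges, made-up paths and times).
TZ = timezone(timedelta(hours=3))
SAMPLE_LOG = [
    '198.51.100.20 - - [05/Mar/2024:03:10:00 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2024:03:14:05 +0300] "POST /index.php?option=com_example HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [05/Mar/2024:03:14:40 +0300] "POST /images/new.php HTTP/1.1" 200 48 "-" "-"',
]
SAMPLE_MODIFIED = {
    "index.php": datetime(2024, 3, 5, 3, 14, 41, tzinfo=TZ),
    "templates/site/index.php": datetime(2024, 3, 5, 3, 14, 43, tzinfo=TZ),
    "images/new.php": datetime(2024, 3, 5, 3, 14, 6, tzinfo=TZ),
}

if __name__ == "__main__":
    for ip, n in suspect_ips(correlate(SAMPLE_MODIFIED, SAMPLE_LOG)):
        print(ip, "precedes", n, "modified file(s)")
```

    The request that precedes the earliest modified file usually points at the vulnerable script, which is what to update or remove in the next step.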

    Crime and Punishment

    Punishing a hacker is difficult or almost impossible, especially if he operates under the jurisdiction of another state and takes every measure to avoid being tracked. But there are successful examples.

    Department K of the city of N initiated a criminal case under Article 272 of the Criminal Code of the Russian Federation “Unlawful access to computer-protected information ...” against a citizen of the Russian Federation at the request of a legal entity (the website owner). In February 2010, a site built by one of the Russian design studios (a custom "script") was hacked through a vulnerability the attacker found in the site's code. The purpose of the hack was to place banner ads. The attacker brought the site owner a written apology and asked for a pre-trial settlement: in addition to the criminal article, he is also threatened with expulsion from the university. In the interests of the investigation, so to speak, details were not disclosed.

    If the damage is significant and the IP address is “local” (even if it is dynamic and belongs to an Internet provider) rather than a “Chinese proxy”, you can apply to the law enforcement authorities, specifically Department K, at your place of residence with a statement and the available materials. The investigators themselves will request an official letter from the hosting provider with the logs and an explanation of the situation, and will ask the Internet provider to whom the IP address was allocated. Companies are required to provide this information at the request of law enforcement.
    Dealing with law enforcement agencies will cost the attacker many unpleasant hours, especially if traces of illegal activity are left on his computer, not to mention the possibility of prosecution.

    Brief conclusions

    The security of your site is the task not only of the developer and of the hoster, who is obliged to provide maximum security for the servers, but also of the site administrator.
    Trivial advice to the site owner:
    • do not store access credentials anywhere;
    • use long, complex passwords and non-standard logins, and change them periodically;
    • update scripts promptly when updates are released;
    • when choosing a component, check it for open vulnerabilities;
    • monitor the permissions on script files and especially on critical configuration files;
    • use web server mechanisms (for example, .htaccess and .ftpaccess) to allow access only from your IP;
    • yes, the script authors' copyright notices must be preserved, but attackers use them, as well as fragments of the modules' URLs, to search for vulnerable sites; at least change the standard addresses for accessing scripts;
    • periodically check the availability of specific sections of the site, including with external services;
    • keep local backups of your sites.

    Once you have assessed the chances of finding the attacker, you can and should contact law enforcement agencies.

    PS: this article does not claim to be complete and is not aimed at IT gurus; of course, other means may be used for a targeted attack on a specific server or site. I will be glad to add to it based on comments from the Habr community, including other examples.
    And briefly about the actions of hacking the site.
