Sunday, February 24, 2013
Forensic Samples of a Wordpress Hack
I run a website that is used by around 10 people for private reasons. This server hosts no ads, sells nothing, and gets almost no pageviews. But it is still regularly probed by spammers and hackers to see if it is secure. How do I know this? I watch my server logs. This week, 9 out of the top 10 “page not found” (404) errors were from hackers attempting to find exploits. In fact, I wouldn’t be surprised if 90% of the site’s traffic is those same hackers attempting to hack my little site. I saw access attempts to the following files:

webdav/test
phpMyAdmin/scripts/setup.php
mysqladmin/scripts/setup.php
websql/scripts/setup.php
pma/scripts/setup.php
etc.

All of these attempts were logged in my error log because none of those pages exist on my server, but if they did exist, they could have become a way for hackers to turn my website into a tool for their purposes. In this case, all but the first one were attempts to hack phpMyAdmin through its setup file, probably to do some form of SQL injection on the site. The webdav/test request was probably trying to do the same thing with a possible WebDAV server on my website.

And as you can see from those error logs, the hackers don’t stop with the default name of the file they want to exploit. Don’t assume that just because you’ve renamed your phpMyAdmin directory to “pma” the hackers won’t find it. Security through obscurity isn’t security, and your file names and directories can be figured out, especially by the determined hacker who uses a script to simply hit dozens or hundreds of possibilities.

But Don’t Stop with Just the Error Logs

It can be tedious, but it’s a very good idea to scan your access logs periodically to make sure that nothing strange is happening. If you start getting hundreds or thousands of hits to a page (especially a PHP or CGI page) that previously was almost invisible, you should check out that page to see what it is. If it has any type of form on it, you may have opened yourself up to attack without realizing it.

I also like to keep tabs on the dates that files were edited. I don’t have all the file dates on my many websites memorized, but I know whether I did or didn’t edit a file last week. If you notice a strange date on a file on your server (and you’re the only one who edits files there), check out that file. Make sure that it says what you want it to say, and not what some script kiddie changed it to say.

Keep Your Scripts Up-to-Date

If you use tools like phpMyAdmin or WordPress on your website, you should make sure that they are up-to-date. Scripts and tools from reputable companies have a vested interest in keeping their tools secure. And you are only going to be secure if you use the most up-to-date version. A hacker still might find an exploit, but you’re safer than with an older version.

Be Vigilant

Don’t think that you’re too secure to be hacked, or too small, or anything else. There are a lot of hackers out there with automated scripts that simply troll the internet looking for sites to exploit. If your site has a vulnerability, it might be next. The only way you can be secure is to be vigilant:

watch your server logs for suspicious activity
deal with exploits as soon as you find them
keep your scripts and tools up-to-date
put scripts and tools (like phpMyAdmin) behind server passwords
make those passwords as secure as you can (12-20 or more characters long, with letters, numbers, and symbols, and no words)

via webdesign.about.com
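The log-watching habit described above can be scripted. The following is an added example (not from the original post or from webdesign.about.com) that parses Apache/nginx "combined" access-log lines, lists the most-requested 404 paths, and tallies which clients are hitting the phpMyAdmin setup and WebDAV probe paths the post names. The log lines are constructed for illustration and use documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2013:03:11:02 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2013:03:11:03 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2013:03:11:03 -0500] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Feb/2013:08:40:10 -0500] "GET /webdav/test HTTP/1.1" 404 512 "-" "curl/7.2"
192.0.2.15 - - [24/Feb/2013:09:02:44 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.15 - - [24/Feb/2013:09:02:45 -0500] "GET /old-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2013:03:11:04 -0500] "GET /websql/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Fields we need from the combined format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Probe paths the post lists; compared as path suffixes so renamed directories still match.
PROBE_MARKERS = ("/scripts/setup.php", "/webdav/test")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def top_404_paths(log_text, n=10):
    """Return the n most requested paths that returned 404, as (path, count) pairs."""
    counts = Counter(
        rec["path"] for rec in map(parse_line, log_text.splitlines())
        if rec and rec["status"] == 404
    )
    return counts.most_common(n)

def probing_clients(log_text):
    """Map client IP -> number of 404s against the known probe paths."""
    hits = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["status"] == 404 and rec["path"].endswith(PROBE_MARKERS):
            hits[rec["ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for path, count in top_404_paths(SAMPLE_LOG):
        print(f"{count:4d}  {path}")
    print("probing clients:", probing_clients(SAMPLE_LOG))
```

Pointing it at a real access log is a matter of reading the file into `top_404_paths` and `probing_clients` instead of `SAMPLE_LOG`; the ordinary missing page (`/old-page.html`) shows up in the 404 list but not among the probing clients.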