An analysis of the latest website hacks
After the latest spree of hacks on thousands of websites, it is time to look at some of the commonalities and at ways to secure our sites better. The security holes are clearly at the level of the website hosting companies, and it is their duty to close them, but nothing stops us from securing our own sites better. That is what our next series will be about: how to secure our self-hosted blogs.
Godaddy published more background information on their blog:
This is a complex attack with many components. Here is a high-level overview of how they occur:
- The attacker is coordinating attacks against three different hosting providers for this to work.
- At Hosting Provider ‘A’ – A malicious file is placed on hosting accounts at this provider. No two files have the same name.
- At Hosting Provider ‘B’ – A file is uploaded listing the infected domain names and unique file names from provider ‘A.’
- At Hosting Provider ‘C’ – A malicious “scareware” site is placed on compromised accounts.
- After the attackers put their files in place, they use Hosting Provider ‘B’ to trigger the malicious files on Hosting Provider ‘A.’ When triggered, the malicious file:
  - Scans the hosting account for any php file
  - Injects malicious content, installing malware that directs to Hosting Provider ‘C’
  - Removes any trace of itself from ‘Hosting Provider B’
- The attack is complete when an infected website receives a visitor. The visitor, if not adequately protected, will have malware installed on their machine.
- The malware will alert the infected computer to purchase fake anti-virus software, located at Hosting Provider ‘C.’
The common factors of all the recent hacks are:
- The affected sites were all PHP-based CMSs (Content Management Systems): WordPress, Drupal, Joomla, phpBB…
- A .php file was put in the root directory of the website, executed a few hours later, and then deleted (more).
- While executing, the .php file inserted malicious code into all .php files of the site, which redirected visitors to a site that infected the visitor’s computer with malware. (more)
So the basic questions are:
- How can we avoid a .php file being dropped on our site?
- If a .php file is dropped through a hosting provider’s security hole, how can we detect it quickly, before it executes?
- If our .php files are infected, how do we clean them easily?
Again, while we cannot close the hosting providers’ security hole, we can take some measures to either narrow the hole ourselves, or at least monitor the changes happening on our sites.
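The following is an added example, not code from the original post: a minimal file-integrity check that covers the "detect it before it executes" and "clean the infected files" questions above. It records a SHA-256 baseline of every file under the web root, reports what was added, modified or removed since the baseline, and restores modified files from a known-good copy. It then replays the pattern described above against a constructed sample site: a uniquely named dropper appears in the root (caught as an added file), later runs, appends to every .php file and deletes itself (caught as modified files with nothing added), and the modified files are put back from the clean copy. The site tree, the dropper name `a1b2c3.php` and the injected marker are all constructed for the demonstration; no real payload is reproduced.

```python
"""Added example (not from the original post): SHA-256 baseline, change report and
restore-from-clean-copy for a PHP site. Sample tree, dropper name and injected
marker are constructed; the real dropper and payload are not reproduced."""
import hashlib
import json
import os
import shutil
import tempfile

# Constructed stand-in for a small WordPress tree (relative path -> content).
SAMPLE_SITE = {
    "index.php": "<?php require 'wp-blog-header.php';\n",
    "wp-config.php": "<?php define('DB_NAME', 'example');\n",
    "wp-content/themes/t/header.php": "<?php wp_head(); ?>\n",
    "wp-content/uploads/logo.png": "not-really-a-png",
}
DROPPER_NAME = "a1b2c3.php"  # hypothetical unique name, as in the attack description
INJECTED = "<?php /* constructed stand-in for the injected redirect */ ?>\n"


def sha256_file(path):
    """Hash a file in chunks so large uploads never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root: relative path -> sha256 hex digest."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # a symlink could point outside the site
                continue
            snap[os.path.relpath(full, root)] = sha256_file(full)
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify paths as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def restore_modified(site, clean_copy, modified):
    """Overwrite each modified file with its copy from a known-good tree."""
    restored = []
    for rel in modified:
        src = os.path.join(clean_copy, rel)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(site, rel))
            restored.append(rel)
    return restored


def write_tree(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)


def run_demo():
    """Replay the three stages of the attack against the constructed sample site."""
    work = tempfile.mkdtemp()
    try:
        site = os.path.join(work, "public_html")
        clean = os.path.join(work, "clean_copy")             # kept outside the web root
        baseline_path = os.path.join(work, "baseline.json")  # also outside the web root
        write_tree(site, SAMPLE_SITE)
        shutil.copytree(site, clean)
        save_baseline(snapshot(site), baseline_path)
        baseline = load_baseline(baseline_path)

        # Stage 1: the dropper lands in the web root but has not run yet.
        with open(os.path.join(site, DROPPER_NAME), "w") as f:
            f.write("<?php /* constructed stand-in for the dropper */ ?>\n")
        stage1 = compare(baseline, snapshot(site))

        # Stage 2: the dropper runs, appends to every .php file, then deletes itself.
        for dirpath, _, names in os.walk(site):
            for name in names:
                if name.endswith(".php") and name != DROPPER_NAME:
                    with open(os.path.join(dirpath, name), "a") as f:
                        f.write(INJECTED)
        os.remove(os.path.join(site, DROPPER_NAME))
        stage2 = compare(baseline, snapshot(site))

        # Cure: put back every modified file from the clean copy and re-check.
        restored = restore_modified(site, clean, stage2["modified"])
        stage3 = compare(baseline, snapshot(site))
        return {"stage1": stage1, "stage2": stage2, "restored": restored, "stage3": stage3}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for stage, result in run_demo().items():
        print(stage, result)
```

Two points matter when running this for real. The baseline file and the clean copy must live outside the web root (or off the host entirely): anything that can write the web root can also rewrite a baseline stored there. And the check has to run from cron every few minutes, not daily, because the window between the dropper landing (stage 1, one added file) and it executing (stage 2, every .php file modified and the dropper gone) was only a few hours; directories that legitimately churn, such as wp-content/uploads, are best excluded or re-baselined after each upload so that real changes are not lost in noise.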
In this post, I suggest a solution to monitor for file changes and uploads on your self-hosted WordPress blog.
In this post, I describe how to clean infected files.
Here, I describe how to protect login information from being read from our WordPress blog.