The Other Side forums - suitable for mature readers! _ Daily life _ Hacked :(

Posted by: Mata Feb 17 2011, 04:08 PM

So, this site (and every other site that I host) was hacked in the past twelve hours. It might be a good idea to run a virus check on your machine.

Sorry about this - my site became hosted by a new company about six months ago and there seem to be a lot more breaches since this new company took over.

The telltale sign of a hack is often a tiny square, just a few pixels wide and tall, usually at the very top or the very bottom of the screen. If you see one of these then please let me know immediately.

Posted by: CheeseMoose Feb 17 2011, 04:11 PM

I did wonder why AVG went mental at me when I tried to come on here last night, but I assumed it was something to do with Rob's site again. Poor show by your hosting company.

Posted by: Hobbits Feb 17 2011, 04:53 PM

AVG shouted at me at home, and at work today, when accessing the site.

Just as a heads up: at work, AVG (fully updated) spotted the threat, but for some reason still seemed to let it do its dirty work. I used Malwarebytes' Anti-Malware program to help get rid of it, since AVG wasn't defeating it. So you might wanna run through a couple of scans with alternative software just in case? Particularly as the virus in question is a relatively new one.

Posted by: moooooooooooooooooooooooooop Feb 17 2011, 05:31 PM

Google Chrome gave me a full screen warning about it as soon as I tried to come near the site earlier today.

Posted by: CheeseMoose Feb 17 2011, 05:49 PM

Just came on with Chrome and it's still warning me about comic.matazone.co.uk specifically.

Posted by: Hobbits Feb 17 2011, 06:16 PM

QUOTE (CheeseMoose @ Feb 17 2011, 05:49 PM) *
Just came on with Chrome and it's still warning me about comic.matazone.co.uk specifically.


I haven't had any problems elsewhere, or here, since Mata took action. Could it be a cached version of the page that Chrome is getting angry with?

Posted by: moooooooooooooooooooooooooop Feb 17 2011, 06:23 PM

QUOTE (Hobbits @ Feb 17 2011, 06:16 PM) *
QUOTE (CheeseMoose @ Feb 17 2011, 05:49 PM) *
Just came on with Chrome and it's still warning me about comic.matazone.co.uk specifically.


I haven't had any problems elsewhere, or here, since Mata took action. Could it be a cached version of the page that Chrome is getting angry with?


I'm getting the same warning as moosh and wasn't earlier so doesn't seem related to caching. :/

Posted by: Mata Feb 17 2011, 06:44 PM

I've just registered the site in Google's webmaster tools and that site is listing the site as having no malware, so hopefully that means it will have the all-clear again very soon. This is very annoying since I'm about to draw tomorrow's comic and I can't be sure if anyone's going to read it...

Posted by: SPEAKERfortheLOST Feb 17 2011, 09:24 PM

And this is why I use Linux. I don't have to worry about these little headaches.

Posted by: MataTeachesMeLudology Feb 17 2011, 09:54 PM

Fun-fact: Computers can't get viruses from websites unless you download something like an executable, or batch file (exe or bat).

The message you probably received was the one that said that the website you are visiting is unsafe. This could basically mean the site would provide child pornography, viruses, or offer other stuff that can be regarded as unsafe.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=nl&site=http://comic.matazone.co.uk/
This is why it has been reported.

http://www.stopbadware.org/firefox?hl=nl&url=http%3A%2F%2Fcomic.matazone.co.uk%2F
This is how you fix this. Read some stuff about it.

Worst-case scenario: Someone actually hacked your site and puts scripts on it for advertisement purposes. In this case you should deny ALL downloads coming from this website, close pop-ups and press cancel to everything it offers you. Don't use anything that requires input, which unfortunately includes the donate button (You would possibly donate to a random person in Nigeria all of the sudden). Mata, I suggest that you check if everything still links to where you want it to link, and possibly, get someone that does the technical stuff on this website for you.

Posted by: Pikasyuu Feb 17 2011, 11:22 PM

QUOTE (SPEAKERfortheLOST @ Feb 17 2011, 01:24 PM) *
And this is why I use Linux. I don't have to worry about these little headaches.


helpful!

anyway, i haven't seen the little pixel boxes myself and malware bites hasn't picked anything up. have you spoken with your webhost at all about their incompetence and/or submitted a ticket?

Posted by: moooooooooooooooooooooooooop Feb 17 2011, 11:39 PM

QUOTE (MataTeachesMeLudology @ Feb 17 2011, 09:54 PM) *
Fun-fact: Computers can't get viruses from websites unless you download something like an executable, or batch file (exe or bat).

The message you probably received was the one that said that the website you are visiting is unsafe. This could basically mean the site would provide child pornography, viruses, or offer other stuff that can be regarded as unsafe.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=nl&site=http://comic.matazone.co.uk/
This is why it has been reported.

http://www.stopbadware.org/firefox?hl=nl&url=http%3A%2F%2Fcomic.matazone.co.uk%2F
This is how you fix this. Read some stuff about it.

Worst-case scenario: Someone actually hacked your site and puts scripts on it for advertisement purposes. In this case you should deny ALL downloads coming from this website, close pop-ups and press cancel to everything it offers you. Don't use anything that requires input, which unfortunately includes the donate button (You would possibly donate to a random person in Nigeria all of the sudden). Mata, I suggest that you check if everything still links to where you want it to link, and possibly, get someone that does the technical stuff on this website for you.

Even if it can't download executables and run them (though I'm sure there are problems in older browsers that would allow that) they've clearly injected data into the page and from there it's a trivial step to scripting vulnerabilities that could give access to someone's MZ password and email, and from there access to their email if they've not been careful and used the same password for both. That's pretty bad.

My point is, it's best not to be complacent about security. Being condescending to people for worrying about such things is just going to discourage them from sensible computer security habits. It's a lot less harmful to just let them run the virus scan!

Posted by: CrazyFooIAintGettinOnNoPlane Feb 18 2011, 08:50 AM

QUOTE (SPEAKERfortheLOST @ Feb 17 2011, 09:24 PM) *
And this is why I use Linux. I don't have to worry about these little headaches.


QUOTE (MataTeachesMeLudology @ Feb 17 2011, 09:54 PM) *
Fun-fact: Computers can't get viruses from websites unless you download something like an executable, or batch file (exe or bat).
hmm. What about stuff that exploits vulnerabilities in the browser/java? Also: what moop said.

QUOTE
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=nl&site=http://comic.matazone.co.uk/
This is why it has been reported.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en&site=http://comic.matazone.co.uk/
QUOTE
What is the current listing status for comic.matazone.co.uk?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-02-17, and the last time suspicious content was found on this site was on 2011-02-17.

Malicious software is hosted on 1 domain(s), including gs34grsgdg.vv.cc/.

This site was hosted on 1 network(s) including AS33552 (FLUIDHOSTING).

[...]

Next steps:

* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Posted by: Mata Feb 18 2011, 09:01 AM

And now my sites have been attacked again. The bastards.

I've GOT to find the vulnerability.

Posted by: Sharazad Feb 18 2011, 11:34 AM

<3 for my avast! doing a virus scan and a boot virus scan XD and protecting me well.. otherwise I just re-install windows anyway >.>

Posted by: Mata Feb 18 2011, 12:02 PM

We have McAfee on the university computers... Guess what I'm trying to clean up now.

Posted by: Sharazad Feb 18 2011, 12:27 PM

QUOTE (Mata @ Feb 18 2011, 01:02 PM) *
We have McAfee on the university computers... Guess what I'm trying to clean up now.



Me spamming one of my teachers... *looks innocent to the other way*

Posted by: Mata Feb 18 2011, 10:08 PM

It took about six hours, but I'm pretty sure I've got everything at last. My machine is clean (thanks Hobbes for the tip on Malwarebytes' software, it worked a treat http://www.malwarebytes.org/mbam.php ), my grading is done, and it's time for a beer.

Posted by: Hobbits Feb 18 2011, 11:31 PM

QUOTE (Mata @ Feb 18 2011, 10:08 PM) *
It took about six hours, but I'm pretty sure I've got everything at last. My machine is clean (thanks Hobbes for the tip on Malwarebytes' software, it worked a treat http://www.malwarebytes.org/mbam.php ), my grading is done, and it's time for a beer.


No problem, and sounds like a well-earned rest

Posted by: SPEAKERfortheLOST Feb 19 2011, 01:21 AM

I would suggest you look into changing ALL your site passwords with very strong ones (14+ characters including upper and lower case, numbers, and symbols). And I would update every bit of software on the server. After that, it would seem that it is a server issue and then you would have to move to a different host. If you want help with this, let me know.

Posted by: MataTeachesMeLudology Feb 19 2011, 10:10 PM

QUOTE (moooooooooooooooooooooooooop @ Feb 18 2011, 12:39 AM) *
QUOTE (MataTeachesMeLudology @ Feb 17 2011, 09:54 PM) *
Fun-fact: Computers can't get viruses from websites unless you download something like an executable, or batch file (exe or bat).

The message you probably received was the one that said that the website you are visiting is unsafe. This could basically mean the site would provide child pornography, viruses, or offer other stuff that can be regarded as unsafe.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=nl&site=http://comic.matazone.co.uk/
This is why it has been reported.

http://www.stopbadware.org/firefox?hl=nl&url=http%3A%2F%2Fcomic.matazone.co.uk%2F
This is how you fix this. Read some stuff about it.

Worst-case scenario: Someone actually hacked your site and puts scripts on it for advertisement purposes. In this case you should deny ALL downloads coming from this website, close pop-ups and press cancel to everything it offers you. Don't use anything that requires input, which unfortunately includes the donate button (You would possibly donate to a random person in Nigeria all of the sudden). Mata, I suggest that you check if everything still links to where you want it to link, and possibly, get someone that does the technical stuff on this website for you.

Even if it can't download executables and run them (though I'm sure there are problems in older browsers that would allow that) they've clearly injected data into the page and from there it's a trivial step to scripting vulnerabilities that could give access to someone's MZ password and email, and from there access to their email if they've not been careful and used the same password for both. That's pretty bad.

My point is, it's best not to be complacent about security. Being condescending to people for worrying about such things is just going to discourage them from sensible computer security habits. It's a lot less harmful to just let them run the virus scan!
An up-to-date browser USUALLY (as in, almost always, but there are small exceptions) does not allow applications to be stored on your computer under any circumstance without properly notifying the user about this. Next to that, the latest versions of Windows automatically detect whenever an application is downloaded from the internet or is coming from a questionable source and notify the user whenever that application is trying to run. This means basically that the user can deny the launch of any unwanted applications as well.

Java could do stuff to your computer, but you're properly notified of the fact that it's trying to do that by the Java application itself. Exploits could still happen, but that is rather unlikely.

My point is, you're pretty safe as long as you know what you're doing. I've been running without a virus-scanner for quite some time now and I am doing fine, because I know what I can download and what not. But, as long as you're unsure about what to download, keep your virus-scanner on.

And next to that, injecting data into a page is useless, as it's stored on your own computer. You'd be doing nothing at all. You'd have to send something to the server.
QUOTE (SPEAKERfortheLOST @ Feb 19 2011, 02:21 AM) *
I would suggest you look into changing ALL your site passwords with very strong ones (14+ characters including upper and lower case, numbers, and symbols). And I would update every bit of software on the server. After that, it would seem that it is a server issue and then you would have to move to a different host. If you want help with this, let me know.
I'd only do this if Mata keeps your passwords stored without a hash. Which, by standards, he'll probably do. (I don't see him changing the source code of IPS, no offence)

Posted by: moooooooooooooooooooooooooop Feb 19 2011, 11:03 PM

QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
And next to that, injecting data into a page is useless, as it's stored on your own computer. You'd be doing nothing at all. You'd have to send something to the server.

Are you quite sure of that? I was suggesting someone could inject some Javascript.

Did you realise that Javascript is perfectly capable of sending off asynchronous HTTP requests? There is protection against cross site requests in browsers but I can think of a few exploits where sending a request to the server on which the forum is hosted would be enough. I'm not going to post any details as I'm sure Mata wouldn't appreciate it.

I'm not going to change your opinion and I'm getting pretty tired of this argument. It seems like you're happy to be complacent about security and have decided you don't need the protection, but in the end you need to guard against all possibilities whereas an attacker need only consider one. Bear in mind that viruses and worms like to spread themselves around so by ignoring such things it is not just yourself you put at risk. I hope your friends don't get any fallout when you inevitably get an infection.

QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
An up-to-date browser USUALLY (as in, almost always, but there are small exceptions) does not allow applications to be stored on your computer under any circumstance without properly notifying the user about this. Next to that, the latest versions of Windows automatically detect whenever an application is downloaded from the internet or is coming from a questionable source and notify the user whenever that application is trying to run. This means basically that the user can deny the launch of any unwanted applications as well.

Java could do stuff to your computer, but you're properly notified of the fact that it's trying to do that by the Java application itself. Exploits could still happen, but that is rather unlikely.

It's all in the usually. That minority to which it doesn't apply are going to get screwed by your poor advice. The others won't be terribly inconvenienced so I still consider it a fairly irresponsible thing to say.

QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
I'd only do this if Mata keeps your passwords stored without a hash. Which, by standards, he'll probably do. (I don't see him changing the source code of IPS, no offence)

Why must you get so uppity every time anyone offers people decent advice? I think speaker was talking about Mata's passwords for administering the server, rather than every user.

Why bother with this sentence if you're immediately going to point out that it's probably bad advice in the next? It doesn't impart any information and is just confusing.

Posted by: Mata Feb 20 2011, 10:14 AM

MTML - Moop is a pretty hardcore coder and has been in the industry for many years. With all due respect, I'm going to take his advice on this. For example, having anti-virus software is just a sensible precaution given the various server tricks that can be played: advising people against this is a little on the foolhardy side, because you only need one slip and something will get through.

Posted by: CrazyFooIAintGettinOnNoPlane Feb 20 2011, 12:12 PM

I'd like to add that Speaker's advice shouldn't be taken lightly. The attack surface presented to hackers by ubiquitous software like IPB & wordpress is pretty significant, so you do not want to be running old versions that have known security problems. And using strong passwords should be a no brainer anyway. It doesn't matter what security measures the server has if someone can just guess it.

Posted by: SPEAKERfortheLOST Feb 20 2011, 01:27 PM

Thanks for agreeing. Working as the network administrator for a fairly large medical practice I come across this problem all the time. Unfortunately, before I came on board, the practice had an issue with data security and couldn't manage to get rid of the conficker worm/virus due to their issues. It's just amazing what out-of-date software and bad passwords can cause.

<pulpit>

The tenets of the Network Security religion are:
1. STRONG PASSWORDS
2. UP-TO-DATE SECURITY SOFTWARE
3. UP-TO-DATE APPLICATION SOFTWARE
4. MINIMAL USER RIGHTS
5. RTFM

</pulpit>


Posted by: MataTeachesMeLudology Feb 20 2011, 02:15 PM

QUOTE (moooooooooooooooooooooooooop @ Feb 20 2011, 12:03 AM) *
QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
And next to that, injecting data into a page is useless, as it's stored on your own computer. You'd be doing nothing at all. You'd have to send something to the server.

Are you quite sure of that? I was suggesting someone could inject some Javascript.

Did you realise that Javascript is perfectly capable of sending off asynchronous HTTP requests? There is protection against cross site requests in browsers but I can think of a few exploits where sending a request to the server on which the forum is hosted would be enough. I'm not going to post any details as I'm sure Mata wouldn't appreciate it.
What happens when you go to a webpage is that you download the file that the server prints out for you. So, you're currently given, being on this page, index.php. Javascript is embedded in this page, and browsers can read and run it, but it is in no way run on the server or handled by it. You can do HTTP requests in Javascript, but it would just be the same as sending HTTP requests using a pure packet sender or using your browser (besides the fact that it's actually not asynchronous, but it wouldn't matter much). So, basically, you're doing a strange workaround.

For information about this sending technique: http://en.wikipedia.org/wiki/Ajax_%28programming%29
I highly advise you to look into that. Especially the first sentence. And that you click on 'client-sided'.

But, the server can be quite harshly attacked by other methods. Stuff such as Register Globals being on, SQL injections, DDOS attacks, Cross-site request alterations, XSS attacks can do quite some damage.

Let me go through this, as I just finished up my optimisation homework and my pathfinding implementation in our gamelab project. (boast boast)

First off: SQL injections. Probably the known ones. The server accepts POST and GET variables, these are variables sent by html forms or by links (or standard static html stuff, anything really) for contact with the server.

This is quite a cool method. Let's say we've got a URL like this: http://jamesbond.com/profile.php?user=MataTeachesMeLudology.
The site will most likely show a profile page from the user MataTeachesMeLudology. But, there's more behind it. Most likely, the site is running on the PHP language with a SQL setup. The php script will see that you've entered a new variable, user. And that it is MataTeachesMeLudology. So it requests the SQL-database to get the user MataTeachesMeLudology with the following Pseudo-SQL instruction:
"SELECT * FROM 'site_users' WHERE 'username' = 'MataTeachesMeLudology' LIMIT 1". In plain English that means "Hey, give me all the info for the user with the name MataTeachesMeLudology, oh yeah, I just need one result (LIMIT 1)". What happens next is PHP receives that info and puts whatever it should know into the page.

But what if you change the name MataTeachesMeLudology to something else? It would get the result for that. Now, do note that in the SQL result everything is covered in '-signs. These are the limits of that instruction. But, on unsafe software, (and older PHP versions) you can exploit these limits. Let's change the user to something else.

http://jamesbond.com/profile.php?user=' OR password = '123456

What the duck did you just do? Let me explain. So, the server will do the exact same as it did before (It does not see you're changing the instruction), so the instruction to the database will be:
"SELECT * FROM 'site_users' WHERE 'username' = '' OR password = '123456' LIMIT 1", or, in English that is "Yo database, I need all the info for the user with the username '' or whoever has the password 123456.. Oh yeah, limit the result to 1 person." PHP thinks "' OR password = '123456" is the username you wanted, while the SQL server thinks it's part of the instruction.
The database will answer this call, and give you the result of whoever's password is that.

So much worse can be done with this. Luckily, PHP prevents this in newer versions by default, and every larger software distribution prevents these exploits (Wordpress, etc)

Second, DDOS attacks. These are nasty little things. Basically, you get a group of 14-year-old kids, and make all of them send massive amounts of requests to the server using programs. MASSIVE amounts. The server will try and answer all of these, but can't keep up and dies a slow and painful death.

DDOS attacks are usually aimed at weak spots of a website, so on register pages, mail scripts, feedback buttons, that sort of thing. You can prevent these with captchas. These lovely solutions make it impossible for applications to fill in forms as they should be filled in as they require human input (you need to read an image, or answer a question)

But overall, you can't protect yourself enough from these. But they don't count as hacks, they just make your site very slow or kill it, at most.

Register Globals. These are basically a setting that has been used in older versions. Turn them off if you have the option to. These put GET and POST in independent variables. When you have the URL http://jamesbond.com/profile.php?user=james, it would create $user and put james in it. If you were already using $user, it would be overwritten and the site could behave in the way the hacker wants it to do.

Cross-site request alterations are basically requests to other sites. Check http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics out for a very good example.

XSS can be a user-specific attack, where you steal the cookie of a user on that computer. These cookies contain info about the user that identifies them to the website (They make you log in on forums, for example). You could steal this cookie from one's computer and use it as your own, in the hope that you will become logged in as that user. If this is an admin, you can do quite some damage. PHP sessions are being used by larger web software (such as forums or wordpress) and store an ID of that session in a cookie, so you can't read the content of whatever the site holds to identify you. You can prevent this in multiple ways, and it is incorporated by larger web software.

So, if the site was hacked, it was probably a Mata-specific problem, someone targeted his computer with a keylogger and exploited the forums. If the site was simply attacked, (as in, "dawg your site is deeeeaaaad") it was a DDOS attack (which are very popular lately).

QUOTE
QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
Up-to-date browser USUALLY (as in, almost always, but there are small exceptions) does not allow applications to be stored on your computer under any circumstance without properly notifying the user about this. Next to that, the latest versions of Windows automatically detect whenever an application that is downloaded from the internet or is coming from a questionable source and notifies the user whenever that application is trying to run. This means basically that the user can deny the launch of any unwanted applications as well.

Java could do stuff to your computer, but you're properly notified of the fact that it's trying to do that by the Java application itself. Exploits could still happen, but is rather unlikely.

It's all in the usually. That minority to which it doesn't apply are going to get screwed by your poor advice. The others won't be terribly inconvenienced so I still consider it a fairly irresponsible thing to say.
It is in the usually indeed! I can safely say that 99% of the time software does not contain damaging vulnerabilities. This is, when you download only applications that are advised, massively used by others, under heavy inspections, and in a stable version.

QUOTE
QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
I'd only do this if Mata keeps your passwords stored without a hash. Which, by standards, he'll probably do. (I don't see him changing the source code of IPS, no offence)

Why must you get so uppity every time anyone offers people decent advice? I think speaker was talking about Mata's passwords for administering the server, rather than every user.

Why bother with this sentence if you're immediately going to point out that it's probably bad advice in the next? It doesn't impart any information and is just confusing.
What I pointed out with this sentence is that Mata probably installed IPS software using the wizard, set the settings, created forums, installed some plugins he liked and left it as it was. IPS most likely (REAL LIKELY) stores passwords in hashes, which makes them unreadable for the admin or anyone that can access the database (whether it is allowed or not). If he'd changed the passwords to be stored as normal-viewed, anyone with access could read these passwords and use them in any way they wish. But that would require Mata to have PHP knowledge and actually know how to make that come out the right way, without bugs, which is, unless you wrote the IPS code yourself, hard to do.


What do I want to point out with this post?

You're pretty safe. Use your virus-scanner as you wish, but please do understand that people can't reach you that easily. I honestly believe that some people actually are afraid to go on a webpage without running their virus-scanner every time they land on a new page. It's pretty safe, every piece of software is trying to prevent you from getting viruses (except for the viruses, of course, hehe), besides applications that don't give a shit you get viruses or not (like some torrent applications, or other P2P applications.. But you're doing illegal stuff whenever you're doing that, so basically you get what you deserve if you don't know what you're doing.)

I am saying 'usually' or 'almost always' or anything related to that a lot. This is basically to prevent the use of fallacies in my sentences, (as I expect with implying expertise in my comments). Specifically I am trying to prevent the generalisation fallacy. Look that up if you wish.


TL;DR: I trust Mata with the contents of my harddrive and whatever is going to be put on it
QUOTE (SPEAKERfortheLOST @ Feb 20 2011, 02:27 PM) *
Thanks for agreeing. Working as the network administrator for a fairly large medical practice I come across this problem all the time. Unfortunately, before I came on board, the practice had an issue with data security and couldn't manage to get rid of the conficker worm/virus due to their issues. Its just amazing what out-of-date software and bad passwords can cause.

<pulpit>

The tenets of the Network Security religion are:
1. STRONG PASSWORDS
2. UP-TO-DATE SECURITY SOFTWARE
3. UP-TO-DATE APPLICATION SOFTWARE
4. MINIMAL USER RIGHTS
5. RTFM

</pulpit>
As a professional web-developer I agree with these.. Although the last one should have 'Or at least the Ducking instructions on-screen'.
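The profile lookup MTML walks through above, as an added example that is not part of the original thread: a Python/sqlite3 version of the concatenated query next to the parameterized one, run against a constructed two-row site_users table so that the `' OR password = '123456` input from the post can be seen to match the wrong row in the first and nothing in the second. The table, its rows and the function names `make_db`, `lookup_vulnerable` and `lookup_parameterized` are all assumptions made for this example; the plaintext password column mirrors the post's scenario and is exactly what the salted-hash discussion later in the thread argues against.

```python
import sqlite3

# Constructed sample table for this example only. Plaintext passwords are kept
# here purely so the post's "OR password = '123456'" clause has something to match.
SAMPLE_USERS = [
    ("MataTeachesMeLudology", "hunter2"),
    ("moop", "123456"),
]


def make_db():
    """Build an in-memory site_users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE site_users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO site_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user):
    """The pattern the post describes: the request value is glued into the SQL text.

    A value containing a quote therefore ends the string literal early and the
    rest of the value is parsed as part of the WHERE clause.
    """
    sql = "SELECT username FROM site_users WHERE username = '" + user + "' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, user):
    """The fix: a placeholder. The driver hands the value to the engine separately,
    so whatever it contains is compared as data and can never alter the statement."""
    row = conn.execute(
        "SELECT username FROM site_users WHERE username = ? LIMIT 1", (user,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR password = '123456"
    print("normal lookup   :", lookup_parameterized(conn, "MataTeachesMeLudology"))
    print("concatenated    :", lookup_vulnerable(conn, payload))   # the wrong user
    print("parameterized   :", lookup_parameterized(conn, payload))  # no user
```

The same comparison applies to PHP: `mysql_query("... '" . $_GET['user'] . "'")` is the first function, a prepared statement with a bound parameter (PDO or mysqli) is the second. Escaping quotes by hand is the weaker of the two options, since it has to be remembered at every query; the placeholder makes the separation structural.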

Posted by: Polynomial Feb 20 2011, 05:48 PM

I happened upon this thread whilst lurking and decided to sign up just to say how much I agree with MTML here. To say he speaks the truth is an understatement.

Nearly all website hacks are SQL injection related these days. There are a few cases where underlying services (httpd, ftpd, etc) are vulnerable, but the vuln report counts are several orders of magnitude lower than SQL injection flaws in CMS software.

I'd also like to add that password hashes alone are no longer secure. Even if you're using SHA1, short passwords can be cracked in a few minutes and simple passwords are easy to recover from a whole array of hash lookup database sites. The only way to truly secure them is to append a random salt value to the password before hashing, which is stored along with each individual user. For example:

CODE
<?php
$pass = 's3cret_p4assword';
$salt = 'UPr!qlZMyA/w#5et'; // generate at random for each user
$hash = sha1($pass . $salt); // store $hash together with $salt in the user's row

You can then look up the salt from the table when the user logs in and use that with the password to generate the salted hash. This prevents database lookups and rainbow table attacks. However, users still need to choose secure passwords.

Anyway, as MTML said, update frequently. And, if you can, modify the core of IPB to detect and filter SQL injections.
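Polynomial's salted-hash scheme above, as an added example that is not the post's own code: Python functions that store a per-user random salt beside the digest, look the salt up again on login, recompute, and compare in constant time. It goes one step beyond the post by also offering an iterated PBKDF2 variant, since a single SHA-1 is fast enough to brute-force short passwords even when salted. The in-memory `store` dict and the names `register` and `verify` are assumptions for the example; the SHA-1 branch reproduces `sha1($pass . $salt)` from the post exactly.

```python
import hashlib
import hmac
import os

# Hypothetical user table for the example: username -> (scheme, salt, digest).
# A real site keeps the same three columns in its users table.


def make_salt(nbytes=16):
    """Fresh random salt for each user, hex-encoded so it stores as text."""
    return os.urandom(nbytes).hex()


def salted_sha1(password, salt):
    """The post's scheme: sha1(password . salt)."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2_sha256(password, salt, iterations=100_000):
    """Iterated variant (added here, beyond the post): the work factor makes each
    guess cost the attacker as much as it costs the login page."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt), iterations
    ).hex()


def _digest(scheme, password, salt):
    if scheme == "sha1":
        return salted_sha1(password, salt)
    return pbkdf2_sha256(password, salt)


def register(store, username, password, scheme="pbkdf2", salt=None):
    """Create the user's record; the salt is generated unless one is supplied."""
    if salt is None:
        salt = make_salt()
    digest = _digest(scheme, password, salt)
    store[username] = (scheme, salt, digest)
    return digest


def verify(store, username, password):
    """Look up the salt, recompute the digest and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Burn the same work for an unknown user so response time does not
        # reveal which usernames exist.
        pbkdf2_sha256(password, make_salt())
        return False
    scheme, salt, stored = record
    return hmac.compare_digest(_digest(scheme, password, salt), stored)


if __name__ == "__main__":
    users = {}
    register(users, "mata", "s3cret_p4assword", scheme="sha1", salt="UPr!qlZMyA/w#5et")
    register(users, "alice", "correct horse")
    register(users, "bob", "correct horse")
    print("mata ok      :", verify(users, "mata", "s3cret_p4assword"))
    print("mata wrong   :", verify(users, "mata", "guess"))
    print("same pw, same hash?", users["alice"][2] == users["bob"][2])  # False: salts differ
```

The last line is the point of the salt: two users with the same password get different digests, so a precomputed lookup table built for one user tells the attacker nothing about another. `hmac.compare_digest` replaces `==` so the comparison does not stop early at the first mismatching byte.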

Posted by: Mata Feb 20 2011, 06:35 PM

All of these things are lovely in theory, but when the software is a pain in the arse to update (like forum software and shop software) sometimes you just have to hope for the best.

Two amusing things I've noticed about software:
- older versions are generally run by smaller sites with less personal data on them, so they are less interesting targets for hackers
- older versions are generally by their nature less feature-rich. With every new feature you add, the interactions between the code become more complex, allowing more possibilities for vulnerabilities to creep in.

Also, one over-riding rule about every piece of software:
- everything is crackable.

I've got more than one friend who, as a profession, hack banks and other institutions. They are paid to do this by the institutions to test the security, and every single time they manage it. Everything is crackable.

With this in mind, it becomes a balancing act between how much of your life and/or money you want to spend on hardening your online defences compared to how vulnerable you are. If hackers are suitably smart or determined then there really is nothing you can do to stop them. Nothing at all. So, I try to keep my sites secure, my passwords strong, and my software reasonably updated, but I am also very aware of the limitations of my capacity to actually stop this completely, I can only reduce the risk.

In other words there is a balance between effort and reward - it would take infinite effort to prevent hacker attacks completely, so eventually a line must be drawn where you feel you've done enough and anything further is just too much of a pain in the arse.

Posted by: TigerLily013 Feb 24 2011, 04:58 AM

QUOTE (Mata @ Feb 20 2011, 02:35 PM) *
All of these things are lovely in theory, but when the software is a pain in the arse to update (like forum software and shop software) sometimes you just have to hope for the best.

Two amusing things I've noticed about software:
- older versions are generally run by smaller sites with less personal data on them, so they are less interesting targets for hackers
- older versions are generally by their nature less feature-rich. With every new feature you add, the interactions between the code become more complex, allowing more possibilities for vulnerabilities to creep in.

Also, one overriding rule about every piece of software:
- everything is crackable.

I've got more than one friend who, as a profession, hack banks and other institutions. They are paid to do this by the institutions to test the security, and every single time they manage it. Everything is crackable.

With this in mind, it becomes a balancing act between how much of your life and/or money you want to spend on hardening your online defences compared to how vulnerable you are. If hackers are suitably smart or determined then there really is nothing you can do to stop them. Nothing at all. So, I try to keep my sites secure, my passwords strong, and my software reasonably updated, but I am also very aware of the limitations of my capacity to actually stop this completely; I can only reduce the risk.

In other words there is a balance between effort and reward - it would take infinite effort to prevent hacker attacks completely, so eventually a line must be drawn where you feel you've done enough and anything further is just too much of a pain in the arse.


To put it briefly - lurker translation for Mata to those who were attempting to step in with advice:

YOU AIN'T GOT NO PANCAKE MIX!!

Mood's topic? Lightened +5.

Posted by: Sharazad Feb 24 2011, 05:24 AM

QUOTE (TigerLily013 @ Feb 24 2011, 05:58 AM) *
QUOTE (Mata @ Feb 20 2011, 02:35 PM) *
All of these things are lovely in theory, but when the software is a pain in the arse to update (like forum software and shop software) sometimes you just have to hope for the best.

Two amusing things I've noticed about software:
- older versions are generally run by smaller sites with less personal data on them, so they are less interesting targets for hackers
- older versions are generally by their nature less feature-rich. With every new feature you add, the interactions between the code become more complex, allowing more possibilities for vulnerabilities to creep in.

Also, one overriding rule about every piece of software:
- everything is crackable.

I've got more than one friend who, as a profession, hack banks and other institutions. They are paid to do this by the institutions to test the security, and every single time they manage it. Everything is crackable.

With this in mind, it becomes a balancing act between how much of your life and/or money you want to spend on hardening your online defences compared to how vulnerable you are. If hackers are suitably smart or determined then there really is nothing you can do to stop them. Nothing at all. So, I try to keep my sites secure, my passwords strong, and my software reasonably updated, but I am also very aware of the limitations of my capacity to actually stop this completely; I can only reduce the risk.

In other words there is a balance between effort and reward - it would take infinite effort to prevent hacker attacks completely, so eventually a line must be drawn where you feel you've done enough and anything further is just too much of a pain in the arse.


To put it briefly - lurker translation for Mata to those who were attempting to step in with advice:

YOU AIN'T GOT NO PANCAKE MIX!!

Mood's topic? Lightened +5.



hi hi

Posted by: CrazyFooIAintGettinOnNoPlane Feb 24 2011, 09:46 PM

QUOTE (TigerLily013 @ Feb 24 2011, 04:58 AM) *
QUOTE (Mata @ Feb 20 2011, 02:35 PM) *
All of these things are lovely in theory, but when the software is a pain in the arse to update (like forum software and shop software) sometimes you just have to hope for the best.

Two amusing things I've noticed about software:
- older versions are generally run by smaller sites with less personal data on them, so they are less interesting targets for hackers
- older versions are generally by their nature less feature-rich. With every new feature you add, the interactions between the code become more complex, allowing more possibilities for vulnerabilities to creep in.

Also, one overriding rule about every piece of software:
- everything is crackable.

I've got more than one friend who, as a profession, hack banks and other institutions. They are paid to do this by the institutions to test the security, and every single time they manage it. Everything is crackable.

With this in mind, it becomes a balancing act between how much of your life and/or money you want to spend on hardening your online defences compared to how vulnerable you are. If hackers are suitably smart or determined then there really is nothing you can do to stop them. Nothing at all. So, I try to keep my sites secure, my passwords strong, and my software reasonably updated, but I am also very aware of the limitations of my capacity to actually stop this completely; I can only reduce the risk.

In other words there is a balance between effort and reward - it would take infinite effort to prevent hacker attacks completely, so eventually a line must be drawn where you feel you've done enough and anything further is just too much of a pain in the arse.


To put it briefly - lurker translation for Mata to those who were attempting to step in with advice:

YOU AIN'T GOT NO PANCAKE MIX!!

Mood's topic? Lightened +5.

I heartily endorse this event or product.

Posted by: Mr Fuzzy Feb 28 2011, 01:58 AM

OK, I've cracked, and will wade in with my two-penneth.

MTML - if you think that keeping your software up to date is any protection, you're doing worse than people who think that security through obscurity is a viable approach. The suggestion that you're only likely to become infected through piracy is arrogance beyond belief. Over the years I have built networks with levels of security that people have described as bordering on the obsessive, yet things have still got through, despite the fact that cleaning up systems eaten alive by the unwary has been the bane of my life. To suggest that poor data hygiene is the cause of all infection is to utterly discount such things as zero-day flaws and fuzzers, and (to be brutally frank) makes me wonder at your claim to be a "professional." You may be able to code a page, but are you certain that nothing in the chain can be exploited?

Please don't be so arrogant as to suggest that people can get away with poor security habits, or argue with people with *vastly* more experience than you, without penetration testing experience. All your advice can do is open doors which allow people to fill my inbox with spam, and make my firewall work for its living.

Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)