Freeway JavaScript and site vulnerability

Please allow me to return to the question of whether JavaScript built into Freeway provides a hole hackers could use to invade and take over a Freeway-based site (an aspect of this matter was dealt with back in 2011). My Host just got hacked and a rep. insists that my Freeway-built site must now be subjected to regular file-checking (for a big monthly fee) because of the embedded JavaScript.
My site has no other script, no PHP and no WordPress stuff – all I have added to Freeway JavaScript is HTML and graphics. I am skeptical that my site’s code is the source of hacking of multiple sites (including mine) at the Host, because my pertinent index files have just two calls to JavaScript code (built by Freeway) and kept in the Resources folder.
Is there some way I can prove to my Host’s rep. that he is on the wrong track when claiming that the Freeway Javascript represents a hole hackers can use to invade my site?


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi Leroy

I’ve also replied to the message you sent us directly, but for the benefit of others – scripts generated by Freeway are not the reason for sites getting hacked. JavaScript is a secure, client-side language (meaning it does everything it does in the browser on your machine and not on the server). It would need scripts running on the server itself to be able to do anything dastardly to the server, and those scripts won’t have been generated by Freeway. If your host insists you pay a fee for regular checks of your files, just switch hosts. If you can’t (i.e. you’re in a contract) then contact support(a)softpress.com and we will be able to advise you there, or join in the discussion with the host if necessary.

I hope this helps,

Joe

On 17 Jul 2013, at 08:52, Leroy Stone email@hidden wrote:

Please allow me to return to the question of whether JavaScript built into Freeway provides a hole hackers could use to invade and take over a Freeway-based site (an aspect of this matter was dealt with back in 2011). My Host just got hacked and a rep. insists that my Freeway-built site must now be subjected to regular file-checking (for a big monthly fee) because of the embedded JavaScript.
My site has no other script, no PHP and no WordPress stuff – all I have added to Freeway JavaScript is HTML and graphics. I am skeptical that my site’s code is the source of hacking of multiple sites (including mine) at the Host, because my pertinent index files have just two calls to JavaScript code (built by Freeway) and kept in the Resources folder.
Is there some way I can prove to my Host’s rep. that he is on the wrong track when claiming that the Freeway Javascript represents a hole hackers can use to invade my site?



Thanks Joe! Your reply is what I was seeking to arm myself for a continuing debate with the people at the hosting service. I think it’s worth keeping this exchange here for use by your other clients as we move ahead.
At my host service (a famous one much in the news in June for being hacked yet again) all my index.html files were replaced by malicious code at the identical moment, and I have proof that happened at one of the host’s services. To get back in business, I simply overwrote the new bogus index.html files with good copies kept on my computer.



Let me add that uploading the replacement file will only work for a while – until the malicious script, which will have hidden itself somewhere innocuous on the host’s server, figures out that the file has reverted and replaces it once again. Knock on wood, I haven’t had this happen in years (2004, IIRC) but it is maddening when it happens.

The host, if they’re being responsible, will find the original penetration, figure out how it got there, and close the security hole that allowed it in the first place. Then they will tear down the server, rebuild everything from known good sources, and force everyone to re-create their user info. Any provider that does not follow those steps is not really worth your money.

Walter

On Jul 17, 2013, at 8:39 AM, Leroy Stone wrote:

Thanks Joe! Your reply is what I was seeking to arm myself for a continuing debate with the people at the hosting service. I think it’s worth keeping this exchange here for use by your other clients as we move ahead.
At my host service (a famous one much in the news in June for being hacked yet again) all my index.html files were replaced by malicious code at the identical moment, and I have proof that happened at one of the host’s services. To get back in business, I simply overwrote the new bogus index.html files with good copies kept on my computer.
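
Added example (not part of the original thread): since the replaced index.html files can come back after being overwritten, a site owner who keeps known-good copies locally can check a downloaded copy of the live site against them and also spot files that were never uploaded. The file names `script.js` and `cache.php`, the folder layout and the page contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(known_good, deployed):
    """Report files that were modified, are missing, or are unexpected in the deployed copy."""
    good, live = manifest(known_good), manifest(deployed)
    return {
        "modified": sorted(f for f in good if f in live and good[f] != live[f]),
        "missing": sorted(f for f in good if f not in live),
        "unexpected": sorted(f for f in live if f not in good),
    }

def demo():
    """Constructed sample: a small static site, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "good"), Path(tmp, "live")
        pages = {
            "index.html": "<html>home</html>",
            "about/index.html": "<html>about</html>",
            "Resources/script.js": "/* generated script */",
        }
        for root in (good, live):
            for rel, body in pages.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Simulate the incident: every index.html replaced, plus a file
        # the owner never uploaded (a static site should contain no PHP).
        (live / "index.html").write_text("<html>replaced</html>")
        (live / "about/index.html").write_text("<html>replaced</html>")
        (live / "Resources/cache.php").write_text("placeholder")
        return compare(good, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In real use, `compare()` takes the local export folder and a folder holding a fresh download of the hosted site; anything under "unexpected" is worth reporting to the host along with the modification times.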



At my host service (a famous one much in the news in June for being hacked yet again)

Maybe you should share the name of your Hosting Provider so that fellow FWers will be aware of hidden potential costs if they choose them.

David

