Hacked Site: Caused by Forms?

Hi, Folks –

My site was hacked into the other day. I’ve spent the past 72 hours trying to fix the problem.

The only change I’ve made to the site recently was to add a PHP Feedback Form to the site.

The folks at my hosting company said that may have been the back door that caused the problem.

Two questions:

  1. Are the folks at the hosting company correct? Are forms a back door for hackers to get into a site?

  2. If so, what’s the solution to this? How can this be minimized in the future?

Thanks,
Jamie


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

It depends what the form does. If it allows file uploads, then definitely yes, this is a major attack vector. If it allows the malicious user to modify the pages of the site, through commenting or other sorts of unmoderated updates, then yes also, through another trick called XSS (Cross Site Scripting).

But the feedback form is neither of these things, and Tim has done a very good job of making it secure. About the only thing I can imagine it being able to do is to blindly Bcc: a bunch of messages out (I’m pretty sure it couldn’t be tricked into that, but this is PHP, so hard to say) but as for taking over your server, that’s a big fat no in my opinion.

Unless your site runs on a VPS (Virtual Private Server) or a co-located server where you have root, it’s never completely possible to pin the blame on something YOU did. Most modern hosting providers put hundreds or thousands of sites on the same Apache server, and that’s fine – Apache was designed for that – but they make it possible for one site to be compromised by something dumb done in another. Ask your host if they can provide a list of the following running on the same server (no names, but yes or no, and version if possible). These are the big attack surfaces that I know of:

  • phpBB
  • phpMyAdmin (older versions)
  • Joomla!
  • WordPress

The problem with these is that they are widely installed by users who don’t keep up with the security updates. Their host provides a One Click Installer! and they dutifully Click Once. Then they never think about it again. There are automated attack utilities that are written by bad people and either given away or sold for a reasonable rate to “script kiddies” who are out for bragging rights, a cheap thrill, or a trove of unsecured credit card numbers. (From their perspective, it’s like fishing with dynamite. Light the fuse, and see what floats to the surface.) These utilities probe the whole net, all day long, looking for out-of-date versions of these common platforms, and exploit well-known weaknesses to gain a foothold. Once they get into one host on the server, it’s often trivial to jump over the walls into other hosts. You need not necessarily be to blame here.

Since your business is the net, and since you just learned an expensive lesson in how much it can cost you to be off the net, it might be time to invest in a private server. These are not especially expensive any more, but they are at least 10 times more expensive than commodity “shared” hosting. But if it’s the difference between paying $100 a year or $1,000, ask yourself this: how long does it take you to bill $900? That’s how many hours and minutes you can afford to spend on cleaning up this mess the next time. I guarantee, you’ve already spent that several times over this time around.

Walter

On Sep 15, 2011, at 9:57 AM, Jamie Turner wrote:

Hi, Folks –

My site was hacked into the other day. I’ve spent the past 72 hours trying to fix the problem.


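Here is an added example (not Tim's feedback form or any code from this thread) of a PHP feedback handler that closes the blind Bcc: door Walter mentions: any value bound for a mail header is refused if it contains a line break, the recipient is fixed, and the visitor's address appears only in Reply-To:. Field names, addresses and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Fixed recipient: the destination is never taken from the form.
const FEEDBACK_RECIPIENT = 'owner@example.com'; // assumed address

// A CR, LF or NUL in a value that lands in a mail header lets a visitor
// append their own Bcc:/Cc: lines, so any such value is refused outright.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// The visitor's address must be a syntactically valid e-mail and header-safe.
function is_valid_sender(string $email): bool
{
    return is_header_safe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the message from POST fields (names assumed); null means "do not send".
function build_feedback_mail(array $post): ?array
{
    $email   = trim((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');
    if ($subject === '' || !is_header_safe($subject) || !is_valid_sender($email)) {
        return null;
    }
    // From: stays a site address so the server never relays on the visitor's
    // behalf; the visitor's address goes in Reply-To: only.
    $headers = [
        'From: feedback@example.com',
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return [
        'to'      => FEEDBACK_RECIPIENT,
        'subject' => substr($subject, 0, 120),
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

$mail = build_feedback_mail($_POST);
if ($mail === null) {
    http_response_code(400);
    exit('Invalid form input.');
}
mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
```

The handler accepts no file uploads and writes nothing to the site, so it is neither of the two vectors Walter flags; the header check is what stops it being used as an open relay.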

Walt –

Great to hear from you, my friend. As always, thank you so much for your level-headed advice.

The bottom line is that it would appear that the problem could have happened from any of the ways you’ve outlined above.

I’m going to take your advice and use a private server. To your point – I’ve spent thousands of dollars in man-hours already, so it would be a worthwhile investment.

(Worse still, this happened 18 months ago, so it’s the second time this has cropped up. Ugh!)

Thanks again for your help. You and the rest of the regulars on the Forum are a huge help to the rookies like me.

– Jamie

