[Pro] SERVER HACKING ISSUE

I have a Museum client who uses an local, independent, small corporation for their secure site. They are telling the Museum that their server is being hacked through the code from the website I created in Pro. They said it happened already 3 times this morning alone. I let Freeway handle all the code and did nothing out of the ordinary. Yesterday however, the Museum asked me to upload a Google site verification html file to their site for something they want to do with them. Not sure whether or not this would affect anything. Question is, is it possible that someone could hack into their site via the Freeway code. This is what they are claiming.

https://museumgreatplains.org/index.html

Any ideas?

Thanks in advance, Clark


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

HTML itself is a read-only markup language. There is nothing inherently dangerous about this. Freeway can use FTP to transmit site documents to the server, and that process is inherently insecure, because authentication tokens are passed in clear text. Freeway can also be configured to use SFTP (FTP tunneled through SSH – secure shell) and that is secure.

The only things you could use for hacking a server through a Freeway site would come in the way of third-party add-ons, like FormsToGo, which lets you create file upload forms, or comment scripts that don’t require moderation, or the ubiquitous Matt’s Formmail CGI script.

Now, depending on your hosting setup, this hacking can come from any number of other vectors besides your site. Most hosting providers do what’s called “shared hosting”. Hundreds or thousands of sites are hosted on one physical server, and the Apache software figures it all out transparently. If someone installed PHPBB or Wordpress or any of a hundred other popular and often-successfully-attacked scripts on their virtual server, yours could fall victim to the same attack, even though your address is nothing at all like theirs. As long as the physical server is in common, the attack can jump over the virtual walls that divide them.

First step is to try to isolate the damage. Set up a new server on a different provider (with entirely different passwords), and upload from Freeway again there. Fiddle with the DNS settings at your domain registrar to move just the Web stuff over to the new server. See if the problem travels – if the “hack” happens on the new server. I sincerely doubt that it will.

If you really want to make sure that this can’t happen again, ask your client to spend about ten times as much for hosting, and get a VPS (virtual private server) from Linode or Rackspace or Media Temple. Those are completely the opposite of “shared” hosting. Each account spins up a new virtual Linux or Unix machine for you, and nothing at all is shared between virtual hosts on the same physical hardware. And even the hardware is abstracted away – your virtual host is running on a grid of physical machines, which together act like a mainframe-class server. If one of them fails, the others carry on as if nothing happened, and a new commodity server is just plugged into the grid to repair the fault. It’s often less expensive to throw away the broken server node than to repair it.

Walter

On Sep 23, 2011, at 10:48 AM, Clark Brown wrote:

Question is, is it possible that someone could hack into their site via the Freeway code. This is what they are claiming.


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Walter,
As always thanks for the invaluable information! I will pass this on to my client.

Clark


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Walter,
I received a message from the ISP and they said they would prefer the website incorporate PHP, and thinks there’s some vulnerability in the current HTML.

Is this bunk or what?

Clark


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

This is crazy-talk. HTML is inherently secure. There are no ways in, because it is not a programming language. It’s a markup language, and if they have done the very basics of their job correctly, it is READ-ONLY.

PHP is a programming language, and there are plenty of holes in it. Security patches are released for it monthly. Furthermore, you have to actually know what you’re doing to write a program in PHP that doesn’t expose you to risk. In HTML, the very worst thing that can happen is that IE will display your pages badly. (Bit of a shock, that!)

Walter

On Sep 23, 2011, at 4:13 PM, Clark Brown wrote:

Walter,
I received a message from the ISP and they said they would prefer the website incorporate PHP, and thinks there’s some vulnerability in the current HTML.

Is this bunk or what?

Clark


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options