[thelist] Web Site hacked was iPhone (browser) detection
Bob Meetin
bobm at dottedi.biz
Sun Sep 28 08:50:45 CDT 2008
Fred Jones wrote:
>> I take it back, they have hacked the file system ...
>>
>
> I used to host with HostRocket. Then someone hacked into their servers
> and edited our files, adding a virus for visitors. They corrected the
> situation but I started hosting elsewhere. A colleague of mine
> remained with them and his site was then hacked, the same way!
>
> Then another person I know on MaximumASP was hacked the same way.
>
> This is simply a sign of a bad host. The only thing which can be done
> is to switch to a host with better security.
>
> Fred
>
Well perhaps a little more than that.
* First thing I would do with a support request is try to find out how
it happened. (hacked into their server here)
* The other thing that would be really good to know, which I can't imagine
the hosting company sharing willingly is whether or not other accounts
were hacked at either the same time or at all.
-->> I would like to know if the root cause is poor security or bad bad me
Your control panel password, shell access, ftp should not be stored in
plain text anywhere that can be cruised. For programs that I create I
keep mysql password above webroot (as php). CMS, eCommerce programs,
etc. usually place it in a php config file within the directory
structure. If this is deemed a risk you can always change the config
file to reference an include file above webroot.
It is slightly more work for you, but wise to make the passwords
different. For that matter make it more difficult by using different
passwords for your domain management provider.
Also, depending on provider file permissions (at least with Linux,
Apache) should be 644 for regular files and 755 for directories.
-->> I'm no security expert and I'm sure there is more, but these are
relatively painless simple steps to improve security.
One other thing - unless you have inside information that your hosting
provider has a very good, very regular, backup routine, don't rely on
them. You can write a simple backup script, cron job that can be used
to restore the database and file system in minutes as opposed to
aggravating hours of hopeful anticipation. Your backup process should
include not only yesterday but also the ability to retrieve backup files
from a week, a month ago, etc.
--
Bob Meetin
www.dottedi.biz
303-926-0167
Hook up with me on Twitter, Facebook, LinkedIn, Plaxo Pulse and Bebo
or catch my blog at www.dottedi.biz/blog.php
Standards - you gotta love em - there are so many to choose from!
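
The backup routine the message describes (a file-system archive with copies kept from a week and a month back), as an added example that is not part of the original post. The paths, archive names and the 7/5/12 retention counts are assumptions, and it needs GNU date and tar.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Paths, file names and retention
# counts are assumptions. Needs GNU date (for -d) and tar.

# prune DIR KEEP: delete all but the KEEP newest archives.
# Archive names embed an ISO date, so a plain sort is chronological.
prune() {
    ls -1 "$1" | sort -r | tail -n +"$(( $2 + 1 ))" | while read -r f; do
        rm -f -- "$1/$f"
    done
}

# backup_site WEBROOT BACKUP_DIR [YYYY-MM-DD]
# The body is a subshell so the umask change does not leak to the caller.
backup_site() (
    umask 077    # backup dirs and archives readable by the owner only
    day=${3:-$(date +%F)}
    src=$(cd "$1" && pwd -P) || return 1
    mkdir -p "$2" || return 1
    dest=$(cd "$2" && pwd -P) || return 1

    # Archives hold config files with DB passwords: never store them where
    # the web server can serve them.
    case "$dest/" in
        "$src"/*) echo "refusing: $dest is inside the web root" >&2; return 2 ;;
    esac

    mkdir -p "$dest/daily" "$dest/weekly" "$dest/monthly" || return 1
    archive="$dest/daily/site-$day.tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    # A database dump (e.g. from mysqldump) would be written next to the
    # archive here; left out so the example runs offline.

    # Promote by hard link: Sunday -> weekly, 1st of the month -> monthly.
    [ "$(date -d "$day" +%u)" = 7 ] && ln -f "$archive" "$dest/weekly/"
    [ "${day##*-}" = 01 ] && ln -f "$archive" "$dest/monthly/"

    prune "$dest/daily" 7
    prune "$dest/weekly" 5
    prune "$dest/monthly" 12
    return 0
)
```

Run from cron once a day, for instance as `backup_site "$HOME/public_html" "$HOME/backups"` (both paths hypothetical), with the backup directory kept above webroot.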