Wednesday morning, someone tried hacking into my website. (Not the first
time, won't be the last) Didn't look like they made it. I can't be
surprised. I have a controversial article about hacking plus I offer a
security script. The fun part is there's nothing of value up there (my
shopping site doesn't store credit card info or anything like that). But of
course, they don't know that, and sometimes, they don't care.
Since we just had a discussion about security, I figured I'd relate some
details and observations for the sake of information. Perhaps this will help
some people improve their security. (I'm assuming it's a "he" for ease of
writing so don't get all sexist on me.)
Some non-important details have been left out to protect my butt, but you'll
get the full idea.
(hack attempt)
The first thing the guy did was try to use a well known IIS hole to look at
my application.cfm. Didn't work. Then he tried the same IIS hole to look at
my cart.cfm page. No luck there either.
Then I received about 100 calls in about 2 minutes, each one aiming for
locations of known scripts. It searched for known FrontPage extensions,
locations of standard DLL files, well known CGI scripts, EXE files, standard
Cold Fusion files, stock shopping cart files, the works. He even looked for
scandisk logs and other known items. It tried a few locations for the same
item, but not very much. Mostly it tried specific known holes.
When that failed, he seemed to leave.
(/hack attempt)
OBSERVATIONS:
This seems to have been what many people refer to as a "script kiddie". Some
young (in terms of computer skill) person with knowledge of a few holes and
a hacking program.
First, he poked around to see if he could get information on my sites layout
and vital statistics. Looking at the application.cfm and cart.cfm were the
best bets for finding out important info, so kudos to the hacker for having
some intelligence.
Once he realized he wasn't going to get anywhere that way, he launched his
"hack weapon of death".
He has a program that runs through a list of known security holes. It
systematically tries each one and alerts him to open doors.
This has become a very standard way of attempting hacks. The days of some
computer nerd exploiting one unknown hole is over. With so many systems and
possible security holes, the usual attack is a shotgun attack, trying every
known hole as quickly as possible.
One thing I've noticed is that this shotgun method relies on one thing:
Standard layouts.
Every single hole he tried attempted to find a specific file in a specific
location (or locations). These locations are known because programs install
the same way every time. For example, when installing FrontPage in the
default way (the way 99.9% of people install software), the same extensions
are placed in the same location every time. Since the locations are known,
the attack aims at those specific locations. The same is true about certain
settings. Since programs install with certain settings (or default
passwords) these are also scanned for.
In other words these attacks aren't like a "find" program that looks all
over your system for a particular file, they're more like a "run" program
that expects something to be in a standard location. Since the file it wants
isn't where it should be, nothing runs, and the hack is unsuccessful.
However, since nothing on my system is in "default locations", this attempt
doesn't seem to work. A more personal touch is required to enter my site and
this guy didn't want to spend the time when other sites will probably fall
victim to his shotgun technique.
The important thing to remember about this kind of attack is that it isn't
personal. These hackers are going "door-to-door" knocking and checking the
handle to see if it's unlocked. When they find an entrance they head on in.
They don't know who you are and they don't care.
This guy didn't have a personal vendetta against me or my site. If he did,
he would have poked around a little closer, searched the internet for
personal info about me, made phone calls, bribed employees and friends for
info and found out as much as he could about me and my sites layout so he
could find a way to break in.
That didn't happen. He couldn't find an easy entrance so he moved on to the
next poor sucker. I got lucky this time.
LESSONS:
So what can we learn from this?
Change all default settings on ALL programs:
If you use Cold Fusion (which of course we all do), or anything else on your
servers, place it in a non-standard location. Change the install from
C:\Program Files\Allaire\ColdFusion Studio x.x or C:\CFUSION
to something like
C:\MY FILES ARE\SAFERHERE\Allaire\ColdFusion Studio x.x
Place your websites in a non-standard location, so they can't jump to
something else via url hacking.
If you use a stock shopping cart, or stock CGI script, or anything like
that, Place it in a non-standard location like
www.website.com/cgi-bin/realscriptshere/sendmail.cgi. Make sure nobody
looking at your HTML can tell where your scripts are located.
Example: If you use AHP Shopping Cart, or CartEase or AbleCommerce etc.
Chances are that your files are right where hackers want them to be.
IMPORTANT: Many of the attacks are looking for a hole relative to the
website. For example they hunt for "../_vti_pvt/scripthole.dll" or
"../../_vti_pvt/scripthole.dll" since it's usually placed one or two folders
away from your website. (God I love picking on FrontPage)
Change standard passwords and default settings:
When you install something (in a non-default location), always go through it
and change potentially dangerous default settings. Look for default
passwords and change them.
A little fact to drive the point home: A well known car company got into big
trouble because they only made about 53 different keys for all the cars they
made. If someone has a collection of those keys, they have access to every
single car made by that company. This means your car unless you go through
the trouble to have the car rekeyed with a custom key. Websites are just
like this.
I am by no means a security expert. I'm just throwing out some things I've
noticed for the sake of discussion. If this helps great. If you have some
tips of your own, please share.
================================
Josh - [EMAIL PROTECTED]
================================
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
