Webspammers Hack Sites

[annie]

I've been tracking webspammers for a while, and I've discovered some spammers hacking other people's websites in order to serve up their spammy websites.

 

They often stash a file named read.php in some directory off the root. But I've also seen other php files used. Usually the files are not supposed to be there rather than altered files.

 

The spammers will then spam guestbooks etc with the URL's to those spammy files.

 

I'm not saying that's happened here or even will happen here.

 

But with this development (and most of this seems to have started in August this year), we as site owners need to be a lot more vigilant. And webhosts also should be more vigilant.

[Deverill]

That's just evil! Bad spammers!

 

Thanks for the heads-up, Annie.

[stevevan]

spammers

[annie]

I heard one customer of a webhost who's had particularly many victims of this had gotten an e-mail from his hosting company saying they were under attack. That a hacker was sniffing their FTP passwords.

 

FTP passwords are not encrypted, so they can be sniffed. Might be time to move to secure FTP?

 

Can you guys speculate what the bad guys did in order to manage to sniff the FTP passwords? I assume they would have had to compromise a box on the webhost's net? Especially since they hacked sites on different IP numbers. It wasn't just the one box. So, if we're thinking a switched network, they'd have to sniff somewhere near the perimeter?

[Deverill]

That definitely makes sense. Any further out on the net and I'd think they'd get unusable results. But I'm no networking guru so don't trust me in this

 

The golden rule is that your "stuff" is safe if the pain to get/decrypt your password is more than the pleasure of getting your stuff. Until the spammers came along trying to make drop sites and zombie broadcasters and such I was definitely safe -- now with them standing to get email resources I'm not so sure.

 

I do, however, feel totally safe at TCH as long as I mind my pints & quarts (P's & Q's) because as a host they do everything sane and some that's not. When I'm careless or install faulty software (can you say Coppermine? I thought you could) then it's my fault.

 

(Twice they hit my Coppermine Gallery. I was dumb and had 2-minor-version-old releases and updated after the first time, but sheesh, why not just plug the holes Coppermine! I wasn't even using the email features. /rant off) It was entirely my fault.

 

Back on topic, TCH is so close to the backbone there are not many opportunities for "middlemen" to get a sniffer on the lines before it hits the backbone. That's another benefit of TCH - they are well connected and don't go through "Joe's Internet Waterin' Hole" thus reducing opportunities for problems.

[TCH-JimE]

Hello,

 

Anyone who ever uses a "name" password or something simple is being rather stupid. E.g. "trevor" or "011090"

 

All passwords should be 8 or more digits long made up of a mix of letters and numbers, and if the program /script will accept it, puncuntion marks too.

 

The owner of the website needs to make sure they are always up to date with the scripts (getting on the email for new releases always helps) and that all folders and upload areas are secure.

 

To sniff a password, all they have to do is keep on plugging away . E.g if your password is "dog" then all they need to do is keep putting in 3 letter combinations until they come accross the correct one.

 

Obviously if they try this too much, the owner (us) notices this and bans them, but people, because they do not like the hardship of remembering such passwords, perfer the easy option. Another trick is people often use a password attributed to the site. E.g if your site was about gardening, and you have used the word pansy, it wouldnt take long for someone to figure it out.

 

Also, always make sure your computer at home is safe and secure and never make the browser remember the password.

 

JimE

[annie]

Since I wrote the posts here, I've found more compromised sites. And I believe some of those were due to php scripts with flaws in them. I've seen how badly they've been trying to break into my site, so I believe that's an issue these days.

 

In my case, I've got a few blog posts with phpbb in the title, and hackers have found those in a search engine and tried highlight hacks and other hacks to get in. There's no phpBB installation on my site, so they're not getting in.

 

I also found a hack tool on one site that allowed anyone who had found it to upload files. Truly scary.