Page 3 of 4
Results 21 to 30 of 35

Thread: Site hacked

  1. #21
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,197
    Thanks
    12
    Thanked 188 Times in 136 Posts
    Quote Originally Posted by Marq View Post
    Great idea - yes


    For sure - I pay a lot more than what you deridingly assume I do, and if all I am getting is some space on a server and no other service as you are suggesting then it's damn expensive.



    Let's see - 200 staff X R5000 salary = R1mill
    25000 clients (WA's claim) X (your) R50 subscription = R1.25mill
    But on this basis - seeing as I make a change every three to six months on the odd page - that's say 8000 clients changing stuff over the year for the 25,000 clients divided by 200 staff = each staff member must monitor and worry about 3,3 changes a month. So 200 staff is way too much. So if each staff member looks after one client change a day - that's about 25 staff needed. They will be in business a long time and have happy clients.
    Fair enough, with R250K profit they have no excuse not to hold their client's hands, even when they surf. But, how much profit do they make from the R50pm subscription? They still need to pay rent, purchase new equipment (you want better technology in the future, right?), phones, water & lights, insurance, etc.

    Quote Originally Posted by Marq View Post

    The point though as we can see in your answer is that the client is always in the wrong. Take the pin code for example - I did not give it away. I say the ISP let it out of the bag - but you automatically gave them the benefit of that doubt.

    Marq, I didn't say that, but instead I'm trying to imply that it's a 2-way street. The client needs to take responsibility as well.

    IF your website is really that important (let's take a bank's website, for example), then surely you (as owner) should do your part to make sure everything on your side is fine. The banks, in this example, spend a few million a month on security (staff / their own servers / own data centre space / developers who code very well / etc). IF their site gets hacked, whose fault is it? Theirs, or the ISP's? - this is an example, but I don't know if it came through properly.

    Let's bring it to our level. If one of our resellers' accounts gets hacked, whose fault is it? Ours? Our client (as reseller), or his client? Let's say the 3rd party developer (so we're 4 levels down now, us -> reseller -> his client -> 3rd party developer) doesn't follow secure coding standards, and a hacker discovers an XSS flaw, and then gets the client's control panel password and hacks into the control panel. This hacker is then a bit more patient in leaving his marks. He then leaves some "worms" on the client's account to get other info from the client. Any username & password combination can be used to possibly hack other accounts the client has. BUT, since he has access to the client's account, he has access to the client's email as well, and could silently capture all emails the client gets (like new password requests from this forum, or even the bank, or whatever). This goes on for a month or 2; if he's really clever, he'll lay low for about 6 months (long enough for his "stealth worm" to have infiltrated the backups and the logs in such a way that an admin won't see it as abnormal activity), and then he strikes and causes havoc. IF this account was a forum, then he would have thousands of email address & password combinations - even if the passwords are MD5 encrypted, he could probably have enough PC power to decrypt those passwords. My guess is, about 70% of those passwords are easy to pronounce, and could thus be cracked against a dictionary - which is quick on a multi-core Xeon.

    Quote Originally Posted by Marq View Post
    A restore was eventually offered by WA for an additional R300 - I had to suck them for the answers - it then turned out they only keep backups for 7 days and did not have a clean version as the hack had happened prior to that. So they expected me to buy my site back from them after they lost it.

    I could not find how the hackers got in and the ISP sure is not going to admit to having holes - so one will never know the answer to this.
    This IMO leads me to believe they either don't know, or don't want to dig deeper to find the problem. OR, they screwed up somewhere like you suspected.

    Do they not have an option where you could restore your website yourself?
    And do you have access to any raw logs on the server? This could sometimes indicate where / how the hacker got in.
    Can you pronounce your password? If so, then you need to change it ASAP.

    Quote Originally Posted by Marq View Post

    If Google can assume a malware hack and stop the site loading then I do not believe that the ISP is unable to run software against their clients' pages to look for the same, so I do not believe this is mission impossible. Similarly they could run software against the dates of files and scripts that may indicate old and vulnerable software. This could then be offered as a service to the client to update the site for the client...at a cost of course. If that was offered and then refused and an attack occurred, well now there's a reason to say I told you so.
    It's not as simple as running a script against the date of the script. The main problem is, there are probably 50 billion scripts on the internet, and a date check alone won't be accurate enough.

    For example, a client uploads a static web page in 2003, with some basic HTML content and nothing more. The monitor script will then go berserk on this account due to the date. There's no need to update the site as the static content is invulnerable. Do you think this client would enjoy being spammed by the server every day / week / month - whenever the script runs - to say his 7 year old HTML page is a hazard? I can see how this is going to peeve off some clients already.

    Similarly, if you decide to upload a script, like say Joomla, which has 7,968 scripts (new install - no mods or anything yet), and there are say 100 clients (there are normally more) on this particular server - that would be 796,800 scripts for a single Joomla installation per account alone. What if every client has a forum & blog installed as well? Now, this figure goes up to say 2,788,800 scripts.

    So, a simple date checker script will need to loop through 2,788,800 scripts, every day to see if the date is older than say 6 months (to be a realistic number)?



    In theory, your suggestion is a valid one, but not practical, by a million miles. Is it really so hard to take responsibility for your own website? Does your website mean so little to you that you refuse to take care of it and insist that the ISP do it? And if they absolutely need to take care of it, are you prepared to pay extra for it?
    I'm asking this as a matter of research.

    Quote Originally Posted by Marq View Post

    From what I can feel, there is this thought that because the service is so cheap it does not include anything beyond storage and there is no responsibility out there in ISP land.
    How much of the R50 (this is purely the example) you pay do you think the ISPs actually pocket as mark-up? Sure, I would love to assign a dedicated tech to every client I have, but my business will go down in flames on day 1.

    And while the thought is probably very true, I can assure you that it's not 100% so. That R50 (with your calculations on 20,000 clients is R1.25mil) needs to pay for servers, switches, firewalls, server room (either rent or maintenance on own equipment), software licenses, staff, office, water & light, insurance, bandwidth (chances are R30 is for bandwidth only, so they don't even see that money), and the list goes on. The responsibility is in fact far greater than you think. If, for example, they didn't spend R25K on a new server recently, they couldn't accommodate your website. OR, that new R400K firewall makes a huge difference on DDoS, QoS, VLAN, etc. control, making everyone's life easier. And, the new software licenses probably cost them in the region of say R700K this year, but they need to pay it to keep up with the demand.

    i.e. they provide you with all the tools you need to make sure your website is up and running, 24/7/365, with security (physical & electronic), with all the software that you need (server OS, control panel, mail server, database server, site builders, etc, etc). You just need to maintain your own website. Is this not responsible enough?

    Do you want them to run your website as well? And take care of the CEO while they're at it? And how about managing your company?
    All of these are possible (whether WA offers it or not, I don't know), but will cost you extra money. Did you pay the extra money? Then you get the service. If not, then you can't expect it.

    Quote Originally Posted by Marq View Post
    Like I said - all we want is some service, good advice and accountability, which we assume is in the monthly hosting fee. Denial of that service and hiding behind technical issues, when things go wrong, is no different to the insurance guys who let you believe you are covered and then run and hide when the claim happens.
    Agreed. But again, I can't vouch for any other ISP. I just get a bit worked up when the ISP industry is always to blame for everything, even though 70%+ of the problems are user-related.
    Get superfast South African Hosting at WebHostingZone
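    The post above warns that a leaked forum table of unsalted MD5 password hashes can be run against a dictionary quickly. The example below is added here and is not code from the forum or from any hosting provider: it shows, on a constructed word list and a constructed leaked table, why unsalted MD5 lets one precomputed lookup expose every user at once (and users sharing a password together), and how a per-user random salt with a slow hash (PBKDF2-HMAC-SHA256 here) removes that shortcut, because every user costs a separate full computation. The iteration count, usernames and passwords are assumptions for the demo.

```python
"""
Added example (not from the forum post): why a leaked table of unsalted
MD5 password hashes is cheap to check against a dictionary, and why a
per-user random salt plus a slow hash (PBKDF2 here) changes the economics.
All users, passwords and the word list below are constructed for the demo.
"""
import hashlib
import hmac
import os

# Constructed word list standing in for the "easy to pronounce" passwords
# the post mentions. A real dictionary would be far larger.
WORDLIST = ["password", "sunshine", "welcome1", "letmein", "dragon"]

# Constructed leaked table: username -> unsalted MD5 hex digest.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"sunshine").hexdigest(),
    "bob": hashlib.md5(b"sunshine").hexdigest(),      # same password as alice
    "carol": hashlib.md5(b"letmein").hexdigest(),
    "dave": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),  # not in the word list
}


def recover_unsalted(leaked, wordlist):
    """Hash every dictionary word once, then look each user up in that table.
    The work is O(len(wordlist)) no matter how many users leaked, and users
    who share a password have identical digests, so they fall together.
    Returns {user: recovered_word_or_None}."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, digest in leaked.items()}


# Assumed iteration count; production deployments use a much higher one.
PBKDF2_ITERATIONS = 20_000


def make_salted_record(password):
    """Store (salt, PBKDF2-HMAC-SHA256 digest) per user. The salt is random
    per record, so two users with the same password get different digests
    and no digest table can be shared between them."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(record, candidate):
    """Recompute the slow hash for one candidate and compare in constant time."""
    salt, digest = record
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(test, digest)


def pbkdf2_work_for_dictionary(records, wordlist):
    """Count the PBKDF2 computations a dictionary check needs against salted
    records: one full computation per (user, word) pair, with nothing reused
    between users. Returns (recovered_users, computations)."""
    recovered, computations = {}, 0
    for user, record in records.items():
        for word in wordlist:
            computations += 1
            if verify_salted(record, word):
                recovered[user] = word
                break
    return recovered, computations


if __name__ == "__main__":
    print("unsalted MD5:", recover_unsalted(LEAKED_MD5, WORDLIST))
    salted = {"alice": make_salted_record("sunshine"),
              "bob": make_salted_record("sunshine")}
    print("alice and bob share a digest?", salted["alice"][1] == salted["bob"][1])
    print("salted dictionary check:", pbkdf2_work_for_dictionary(salted, WORDLIST))
```

    The unsalted table is recovered with five MD5 computations for four users; with salted PBKDF2 records the same five-word dictionary costs a separate slow computation per user and per word, and alice and bob no longer share a digest even though they share a password.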

  2. #22
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,197
    Thanks
    12
    Thanked 188 Times in 136 Posts
    Quote Originally Posted by tec0 View Post
    Let us start, firstly I would love to see a sixty digit pass-code when you withdraw money. Typing it might take a few minutes but it will be secure. Is it the bank's fault if I lose my cash-card? Oh HELL YES it IS the bank's fault! Why are we using outdated technology! Do you know how easy it is to duplicate a cash card "the one without the chip!" and how long did it take banks to implement the smart card?
    How can you hold the bank / ISP / whomever responsible for your own foolishness / negligence?

    Quote Originally Posted by tec0 View Post
    There are some nifty new technologies that are able to identify you in a few seconds no matter if you had facial reconstruction because it takes a picture of your internal genetics like blood-vessels and if I recall it is only second to DNA identification. So this technology is available and can be implemented so that I can use my face and a pin-code. And if I am dead then the Camera will see it and it will not work.
    Even if it is available, people don't want to use it. It's a simple known fact that the more difficult it is to do something, the less willingness there is from a human to perform it. If my bank made me jump through 5 hoops just to get my money, then I'll definitely move to an easier bank. I keep an eye on all my cards, my PINs are super random, on every single card I own, and I don't carry all cards on me at any given moment. I take responsibility, because the banks don't give me my own bodyguard just because I pay them R150 per year, regardless of the fact that I have R1, or R1million in their vault. And, if I go and take out that R1million, their security still only stops at their door. What happens outside their door is my problem. Do I hold them responsible for being robbed?

    Quote Originally Posted by tec0 View Post
    Now let’s continue with what is possible. It is possible to specify a 31 character password to be used on the contract so there is no negotiation. Then on your password rules you specify that it must have X amount of whatever you feel is necessary 999AaC@#%$YIOT77895)(&^%((***^% I think cracking that will take a few seconds more than normal. So as an added extra you set up a second rule that the password must be renewed every 10 working days.

    Now you give the user a nice document that specifies the dos and don'ts and everyone is happy.
    This is very possible, but how many people do you actually know who will remember that password? And how many people do you actually know, apart from yourself, who would change their password every 10 days?

    Even then, if whatever you have online is THAT important to you, then a shared hosting account is most definitely not the right solution for you. And then you also can't rely on a 3rd party for security, you need to employ your own staff who are sworn in by your rules, and whom you can sue if something goes wrong. In this case, is it the ISP's fault if you decided to make use of their shared hosting environment to store every human being's DNA code information?
    Get superfast South African Hosting at WebHostingZone

  3. #23
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,197
    Thanks
    12
    Thanked 188 Times in 136 Posts
    Quote Originally Posted by Dave A View Post
    I think we should bear in mind that in most instances hacking doesn't occur due to a lucky guess or brute force attack. It's shoulder surfing, fooling a person into giving up their password, finding scraps of info that contain the password...
    Dave, you'd be surprised to know that is not entirely true. Do you know how many people have passwords like "Pass123", "Pass1234", "a1b2c3d4", "qwerty12345", etc? Although they all look safe, they're not. A lot of hacking attempts involve brute force since the average human has a limited brain span, i.e. only "think as far as their noses reach". Many people also stick to the default "root", "admin" or "administrator" usernames - which is just as bad an idea. Joomla / Wordpress / vBulletin / etc check to see if a given password matches a given username, so if one of the default usernames is already used, then brute force attempts are much easier.

    We sometimes get a few hundred emails a day from our servers notifying us that a brute force attempt was made and the IP address blocked. Normally these emails go unread, but we have some software which looks for similarities, like a brute force on a certain service (for example POP3 / SMTP / SSH / FTP / SQL / etc), and then escalates a ticket to take action, at which point we contact the ISP(s) where the hacking attempts come from and get them to take action where needed.

    Yet, even with the most sophisticated firewalls in the world, nothing will stop a hacker if the password was written down & obtained that way (i.e. an employee writes the password in Notepad & saves it on his PC, or on a piece of paper), or if the website has very poor security measures. Normally a website won't detect brute force attempts, and the hacker can get in. And then, more often than not, the owner uses the same username & password for his control panel as well, so the hacker doesn't need to try brute force, and the firewall won't pick it up, and the hacker gets in. - Is the ISP to blame in this case? Most definitely! It is their responsibility to monitor every guest, user & IP address on the website, trace the IP address to the hacker's home, and do a security check on them. The ISP is also supposed to contact the person on the other end of Russia and ask him 50 security questions before he can access your website.
    Get superfast South African Hosting at WebHostingZone

  4. #24
    Platinum Member Marq's Avatar
    Join Date
    May 2006
    Posts
    1,297
    Thanks
    73
    Thanked 283 Times in 216 Posts
    When it comes to non technical types employing/hiring/subscribing to a technical situation/company/person then unless the ground rules are specifically documented and laid out and agreed to upfront, the technical guy is always going to take the flak when a technical type issue comes about. This is the unwritten rule of technical guy blaming perfected by us non technical guys.

    I think to resolve these issues in the future, the first thing that has to change is the communication of these elements we have talked about so that both parties know what is expected of them.

    ISPs generally have a couple of packages that they offer - for the cheap package you can have 5 emails, a static type site, x megs of this and that etc. For the more advanced site with database and more stuff the package costs that much more. So we have a list of what is provided and catered for but that's it. There is a lot that is assumed, one of those being that the new client knows what this is all about and should just get on with the job of getting their site up and active. When I have signed on in the past, I have received very little afterwards besides an email saying here's the link to get to your domain via cpanel or whatever and your ftp password and user is as follows. Thereafter I do not recall receiving anything like - welcome to our ISP, do you have any questions or thoughts on how this all hangs together.

    Nobody has sent me an email or picked up the phone and said 'welcome', can we establish a few principles of how we operate and what we do, and did you know that there are a few things you are responsible for and things we suggest you do, for example it is your responsibility to keep the password safe and did you know it should be at least 8 characters long (sleepygrumpyhewey,dewey....) etc. and that we can do additional stuff like backing up your site and restoring your site but this will cost you an additional fee every month and if you want we can run some analytical software and advise on your site's content etc. for a few dollars more. Ok all set, tick this box here and it's all systems go. I looked around at a few ISP sites and cannot see these simple rules of engagement.

    The ISP could identify their clients and place them into levels of competency. This lot, the guys seem to know stuff and we can leave them to get on with it; these guys do stuff and might need hand holding; and these guys know absolutely nothing and it will be easier to do things for them, rather than try to explain to them why the world goes round. The idea here being that the technical guys can learn that everybody is not as bright as them and that they should try and communicate at the right levels.

    The clients can then get emails and communication in their own language and everybody feels a lot happier.

    I think that the basics and the problems experienced such as hacking and spamming are few enough that a set of thoughts and rules can be drafted to indicate who is responsible for what. If I had a set of rules that said...If your site gets hacked - it is probably your fault. You must check that your scripts and passwords and method of operating are correct. If it does happen - we will notify you and we will help you get your site back up and running by doing the following....it would be great and most of the problems would go away.
    If you need to restore your files for some reason, it will cost you an additional R300 per incident.
    If you want a dedicated staff member to help you through and advise you what you should be doing, we will provide this with pleasure - absolutely free.

    I think if this side of customer relations came into being by ISPs and the various options of what can be done on the net for the client as added extras and suggestions then the ISP would be able to make a few extra bucks, create some client loyalty and a scenario where they would not be seen as the bad guys and can be trusted. Right now, my ISP is the last company I contact for any advice on internet related issues - if one thinks about it.....they should actually be the first, but I hate being spoken to in that arrogant manner where I end up not getting an answer or wondering what it is that I am supposed to do.
    The cost of living hasn't affected its popularity.
    Sponsored By: http://www.honeycombhouse.com

  5. #25
    Diamond Member AndyD's Avatar
    Join Date
    Jan 2010
    Location
    Cape Town
    Posts
    4,923
    Thanks
    576
    Thanked 934 Times in 755 Posts
    I think passwords as security is not a good system. The average person might have a credit card, a debit card, online banking, 3 or 4 online login accounts, cellphone pincode, 2 x home pc logon, 1 x work pc logon, website admin login and so on. With this number of passwords it's not surprising people duplicate or use birthdays etc to make passwords. If you don't have an extraordinary memory you can't win, either your passwords are weak or duplicated or you write them down.

  6. #26
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    22,648
    Thanks
    3,304
    Thanked 2,676 Times in 2,257 Posts
    Blog Entries
    12
    This is one fascinating discussion - as much as it deals very honestly with our expectations of each other as all the technical issues raised.
    If you're on a reseller account and you transferred your accounts onto a shiny new VPS or dedi on another service, what are the chances that all the security and permission settings will remain the same?
    Quote Originally Posted by SoftDux View Post
    Very slim.

    When it comes to websites, there's 2 (visible) levels of security, that of the server and that of the website.
    That's pretty much what I thought. When I upgraded to a VPS I was staggered at the options. Happily I'm on a managed account so tweaking them is not my problem.

    I think we should bear in mind that in most instances hacking doesn't occur due to a lucky guess or brute force attack. It's shoulder surfing, fooling a person into giving up their password, finding scraps of info that contain the password...
    Quote Originally Posted by SoftDux View Post
    Dave, you'd be surprised to know that is not entirely true. Do you know how many people have passwords like "Pass123", "Pass1234", "a1b2c3d4", "qwerty12345", etc? Although they all look safe, they're not. A lot of hacking attempts involve brute force...
    And if we just look at successful hacking attempts?

    I hear you about weak passwords, but wouldn't timing out an IP range for a series of unsuccessful login attempts give a heck of a lot more bang for your (password strength) buck?

    Quote Originally Posted by AndyD View Post
    I think passwords as security is not a good system. The average person might have a credit card, a debit card, online banking, 3 or 4 online login accounts, cellphone pincode, 2 x home pc logon, 1 x work pc logon, website admin login and so on. With this number of passwords it's not surprising people duplicate or use birthdays etc to make passwords. If you don't have an extraordinary memory you can't win, either your passwords are weak or duplicated or you write them down.
    A way to deal with this is to have a key password which is pretty secure in itself and then insert a context specific fragment to make sure each one is different. Personally I've got 4 keys with 3 different fragment rules for different segments of my (password) life.

  7. #27
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,197
    Thanks
    12
    Thanked 188 Times in 136 Posts
    Quote Originally Posted by Dave A View Post

    And if we just look at successful hacking attempts?
    I'm busy fixing a hacked account for a client right now. He was running Joomla 1.0.8 and the website wasn't updated in 3 years. The hacker brute forced his Joomla installation, so the firewalls didn't pick it up. From there the hacker found a weakness in the Joomla installation, and installed a rootkit on the client's account. Our server security prevented the rootkit from doing any harm to the server itself, so the damage isn't too bad.

    Quote Originally Posted by Dave A View Post
    I hear you about weak passwords, but wouldn't timing out an IP range for a series of unsuccessful login attempts give a heck of a lot more bang for your (password strength) buck?
    Not really. Bob is on a Telkom ADSL account and attempts to hack the server, our server then blocks the whole Telkom IP range, and 40 of our actual clients suddenly can't get email, or into their websites. This causes more problems, since "the ISP is down again" - I often get threatening emails from angry clients who can't get into their websites, and 97% of the time John has received a dynamic IP from Telkom / Vodacom / iBurst / etc which was previously blocked by our firewall for hacking attempts. And then we're the ones who have poor uptime and "email is always down". Simply put, we can't win.


    I also, from time to time, get other smaller ISPs blocking access to our mailservers, so the client who hosts their website on our server, and uses them for internet access, can't get his email. Who is to blame? We are, since our systems are down again.

    Who remembers, a few years ago, Mweb blocked access to their clients' websites for internet users who dialed up with other ISPs? Who was to blame? The other ISPs. What ended up happening, a lot of those angry clients ended up signing up with Mweb, since "Mweb's systems always work".
    Get superfast South African Hosting at WebHostingZone
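    Post #23 describes software that reads the per-server "brute force attempt, IP blocked" notifications and escalates when one source hammers several services, and the post above explains why blocking a whole ISP range in response locks out innocent customers on dynamic addresses. The example below is added here and is not the poster's software: it runs a small detector over constructed auth-log lines, bans only the single offending IP, escalates an IP that fails logins on several services, and shows the collateral a /24-wide ban would cause for another customer in the same range. The log format, thresholds and addresses (documentation ranges) are assumptions for the demo.

```python
"""
Added example (not the forum poster's software): a small brute-force
detector over constructed auth-log lines. It counts failed logins per
source IP and per service, escalates when one IP fails across several
services, and bans that single IP rather than its /24, so another
customer sharing the same ISP range is not locked out with it.
"""
import ipaddress
from collections import defaultdict

# Constructed log lines in an assumed format:
#   "<time> <service> <FAILED|OK> user=<name> ip=<address>"
SAMPLE_LOG = """\
10:00:01 ssh FAILED user=root ip=203.0.113.7
10:00:02 ssh FAILED user=admin ip=203.0.113.7
10:00:03 ssh FAILED user=administrator ip=203.0.113.7
10:00:04 ssh FAILED user=root ip=203.0.113.7
10:00:05 ssh FAILED user=root ip=203.0.113.7
10:00:06 pop3 FAILED user=info ip=203.0.113.7
10:00:07 pop3 FAILED user=sales ip=203.0.113.7
10:00:08 ftp FAILED user=admin ip=203.0.113.7
10:00:09 pop3 OK user=bob ip=203.0.113.42
10:00:10 ssh FAILED user=carol ip=198.51.100.9
10:00:11 ssh OK user=carol ip=198.51.100.9
"""

FAILS_PER_SERVICE_BAN = 5   # assumed: this many failures on one service bans the IP
MULTI_SERVICE_ESCALATE = 3  # assumed: failures on this many services opens a ticket


def parse_log(text):
    """Yield (service, outcome, user, ip) from the constructed format,
    skipping malformed lines instead of crashing on them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or "=" not in parts[3] or "=" not in parts[4]:
            continue
        _time, service, outcome, user_kv, ip_kv = parts
        yield service, outcome, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


def analyse(text):
    """Return (banned_ips, escalated_ips) computed from failure counts.
    banned: any single service hit FAILS_PER_SERVICE_BAN times from one IP.
    escalated: one IP failing on MULTI_SERVICE_ESCALATE or more services,
    the cross-service similarity the thread's ticketing software looks for."""
    failures = defaultdict(lambda: defaultdict(int))
    for service, outcome, _user, ip in parse_log(text):
        if outcome == "FAILED":
            failures[ip][service] += 1
    banned = {ip for ip, per_svc in failures.items()
              if max(per_svc.values()) >= FAILS_PER_SERVICE_BAN}
    escalated = {ip for ip, per_svc in failures.items()
                 if len(per_svc) >= MULTI_SERVICE_ESCALATE}
    return banned, escalated


def is_blocked(client_ip, banned, ban_whole_range=False):
    """Decide whether a connecting client is refused. With ban_whole_range
    the ban covers the offender's /24, which is the behaviour the thread
    warns about: other customers on the same ISP range get locked out."""
    client = ipaddress.ip_address(client_ip)
    for offender in banned:
        if ban_whole_range:
            if client in ipaddress.ip_network(f"{offender}/24", strict=False):
                return True
        elif client == ipaddress.ip_address(offender):
            return True
    return False


if __name__ == "__main__":
    banned, escalated = analyse(SAMPLE_LOG)
    print("banned:", banned, "escalated:", escalated)
    for mode in (False, True):
        print("range ban" if mode else "single-IP ban",
              "blocks innocent 203.0.113.42:",
              is_blocked("203.0.113.42", banned, ban_whole_range=mode))
```

    Run as a script it reports that 203.0.113.7 is both banned and escalated, that a single-IP ban leaves the innocent customer at 203.0.113.42 untouched, and that a /24 ban would lock that customer out too.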

  8. #28
    Diamond Member tec0's Avatar
    Join Date
    Jun 2009
    Location
    South Africa
    Posts
    4,624
    Thanks
    1,884
    Thanked 463 Times in 410 Posts
    Blog Entries
    3
    Look, all I am saying is you get "online encryption host keys". You get server to user encryption hardware. And in most cases it is the packet header that gets "heavy" and encryption keys are a good piece of technology to start with. See net hosting was designed to have a "control panel" and basically if you know how to log on it will only take time before you are in.

    Fact is networks are not as secure as they used to be. A 10 year old can do data capture and getting the data decrypted is just a matter of time because most keys can be found on "script-kiddie" websites all over the net.

    Secondly is “social hacking” getting your target’s e-mail, keyboard loggers and all that bad stuff can be done easily and is being done by people that do this kind of thing for fun.

    Let's ask a question: Do you or don't you send out newsletters regarding security? If so what new developments are there available? Was this technology tested?

    See homework needs to be done from the user's side and homework needs to be done from the ISP's side. Can the "control panel" be a small program that you install and with that program you get a special activation key and this key will run with the encryption key and your username and password? What about random passwords? "Like what is your dog's name" stuff like that... Random passwords can be effective and are more difficult to attack.

    The point I was hoping to make was “innovation!”
    peace is a state of mind
    Disclaimer: everything written by me can be considered as fictional.

  9. #29
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,197
    Thanks
    12
    Thanked 188 Times in 136 Posts
    tec0, your points don't go unnoticed.

    From experience though, I find that a lot of users either don't read those emails, or they forgot the info already.

    Why do they ignore, or not read, the emails?
    - Is the info too technical? Most probably, but how do you speak about a technical issue in a non-technical way?
    - Are they too busy to bother? Probably as well.
    - Is the info in the emails relevant? I don't know.

    I work with the servers every day, so technical emails like this are good for me. But I don't think they mean much to a shop owner who sells roses, for example.


    When a client signs up, they automatically get a welcome email with a lot of info, including on how to log in to their control panel, how to set up email addresses, upload a website, etc. Yet, we still get a lot of support calls on, "how do I set up an email address", or "how do I upload my website".

    Then, 45 days later we send out another email asking them if they need any help with anything, or if they found everything they need. All emails have links to our: billing portal, support desk, knowledge base, order form, etc.

    This tells me that those emails are either not read, or not understood well enough.

    We have a fairly large knowledge base with everything the clients need to manage their hosting account, but we still get the support calls & tickets.

    Bottom line, I think, is that people don't like reading emails or website content. They want to be spoon fed, and then they insist you help them chow the food as well.
    Get superfast South African Hosting at WebHostingZone

  10. #30
    Diamond Member tec0's Avatar
    Join Date
    Jun 2009
    Location
    South Africa
    Posts
    4,624
    Thanks
    1,884
    Thanked 463 Times in 410 Posts
    Blog Entries
    3
    Well you may be surprised at what it is I can do and what it is that I know when it comes to computer security. It used to be my job. But more importantly I also got sick with all the support questions and people just phoning all the time.

    This is how I got through to the customers. I started with the questions asked. I then identified the important questions and made a "lot" of 7 minute to 10 minute video clips and converted them to DVD format so that anybody that can operate a DVD player would be able to watch the clips.

    I got a CD/DVD Duplicator and in about 3 months our calls went down by about 30% more or less. Also I wrote a topic list so that if the people that called asked about something that was on the DVD they would be told by support team that this is number so and so on the DVD. And then helped them with their problem.

    Still after a while things did get better. Every six months there would be a new DVD that was delivered to them via “registered post” and I could say it was a success especially with our wireless products. I got the call volume down to about 50% and that is a lot! Especially when it comes to wireless products and setup support! It was really a successful strategy.

    See "innovation" - the technology exists so use it.
    peace is a state of mind
    Disclaimer: everything written by me can be considered as fictional.
