Thread: Site hacked

    Quote Originally Posted by tec0 View Post
    Well it is true that weak passwords are to blame but again, no... If everything is our responsibility, and the ISP is only the host with no commitment to security whatsoever, then specify it in the contract. Also you can specify the length of the password and you can set up a rule that will force the user to use caps and what not for their passwords. But this is not being done because some ISPs found the system too difficult, others just don't worry about it.

    At the end of the day, if you expect your client to be more educated than you, then yes, but some clients are new to this world and the ISP needs to make sure that the client is protected on a basic level. But if it is a sink or swim scenario you want, then chances are you will have a few people drowning and a negative image towards hosting in general.
    So, how do you propose the ISPs keep tabs on what you do? Think about this for a moment.
    How will a firewall help in this case? Your website is supposed to be "open on the internet", so the firewalls really only protect the servers / switches / routers / etc.
    If you (not you personally, the client) install Joomla, and insist on using "Johny" as an admin password, then that's NOT the ISP's fault or responsibility. And if the client insists on using "Jonhy" as his email password, then again that's not the ISP's fault.

    We, for example, have a minimum password strength of 65 - which is rather high; you need a capital letter, a lower case letter, a digit, and a non-numeric password. To get a 65 score on most encryption algorithms, you also need a minimum of 6 characters. But this is only effective on our own servers, where we have control over it, for example with cPanel, FTP, email, etc. This doesn't help you if you have a weak admin password in your Joomla installation.

    BUT, my point is still, if you access your control panel from the internet cafe in town, then NO SECURITY in the world will help you.

    Re: the comments on the bank: No matter how strong their vaults are, how secure their entire operation is, etc, if you go and withdraw R10,000 cash from an ATM in Hillbrow, then it's your own fault for being robbed.

    While we all like to blame someone else for problems that happen, we also need to be mature enough to take responsibility for our own actions. I can't vouch for another ISP, but I get a bit upset if it's always "the stupid ISP that is to blame".
    I don't think this should be a blame game cause neither side can really prove their case.

    What I do think is that there appears to be this unwillingness for ISPs in general to help out given the various scenarios that can go down.

    When my site was hacked, the ISP closed up ranks in an immediate 'it's not our fault - you will have to sort it out' mode. It would have gone a long way if they had firstly notified me, cause they knew the situation had gone down, and when I inquired, told me and guided me through resolving the situation. If they had gone into help mode, this thread probably would not be out there for discussion.

    The tone of their emails was that I was bugging them as an irritating client.

    I do think that ISPs, instead of telling me they have a Brazilian clients, a gazillion gigs, a hoard of network wiring, a pentaflop of technical geeks and they are the greatest thing since the external hard drive - that they should concentrate on ensuring that I am aware of these very things mentioned, like adequate passwords, surfing at the internet cafe and local hotel, poor and old software and furthering my education so that I do not pose a threat to the whole system. And if I do ask them a question or have a concern, they take their time out to ensure that I understand the answer or have a warm feeling at the end of the call or email.

    My son, who fixes PCs and does IT type stuff, gleefully told me the other day that there are really stupid people in his town, they don't even know how to switch on their PC. When I pointed out that firstly, a while back until he had been shown, he did not know how to switch the machine on either, and also that if it wasn't for these 'stupid' people that he also calls clients, he would be holed up in our spare room wondering if he was going to eat that day; his gleeful expression changed, as has his disposition towards his clients.
    Quote Originally Posted by Marq View Post
    Valid comments.......if true:-

    except, using your analogy - if the bank cannot hold the money properly in its vault, is it the customer's fault when someone breaks in and steals the cash?

    Would they - not tell the customer that his cash has gone and wait for him to say 'hey where's my cash?'
    Sure, but this isn't really the same thing. Is it the bank's fault if you wrote your PIN on your card, and lost your card, thereby giving the thieves the money? Is this the bank's fault?

    OR, if your PIN is 12345 / 24680 / 13579 - which although they may look "secure" to you, can be guessed very easily. You need to "think out of the box". The average human being is not a genius, and tends to forget things very quickly, especially with numbers. So, most people will have a PIN / password that they can remember & pronounce. And, surprisingly, cracker bots are written to look for passwords with easy-to-make-up and easy-to-remember combinations. Even something like Bob@123 is easy enough for a computer bot to find.

    Quote Originally Posted by Marq View Post
    Would they after being informed that the cash is missing - ignore the customer and not inform him how to rectify the situation, say for example through insurance.....(ok don't answer that one - they probably wouldn't either - lol)
    You're right, the bank won't. But they could probably offer such a service at an extra premium, and ISPs more often than not have backups of data as well, which they may or may not charge for above your monthly hosting costs.

    Could your website be restored from a backup?
    And could you, or the ISP determine where & how the hackers got in? This is the question which should make you decide to look for a better ISP though. I agree, if they don't support you afterwards then you may need a better ISP.

    Quote Originally Posted by Marq View Post
    And - these situations are controlled by the software- there is no staff member anyway looking after your site 24/7/365.
    Yes and no. How will software know that a change on your website was a defacement, or a legit change? For example, how will a software program know that if there were changes made to this forum, that it's actual forum posts, and not hackers? Someone still has to watch it, even if the software application sends them an email saying there were changes. Imagine how many emails Dave's ISP's staff will get today, saying "There was a possible hack attempt on, please investigate."

    Quote Originally Posted by Marq View Post
    And - Yes - I expect, cause I know jack about these things, for the experts to tell me and inform me that my site is at risk. That is why there is a monthly payment for hosting. Google send the isp a message that the site has been hacked - its a simple procedure to pass that message on so that even if it is the clients fault - they can do something about it.
    Really? Do you really expect your ISP to know about EVERY change you make to your hosting account & website? So if you decide to try out a new PHP script, do you want them to automatically detect that you have installed it, and then tell you that it's insecure? OR to "advise" you to use something else, something better? Do you think this is worth the R50pm you pay them every month? How long do you expect they will be in business if they need to employ 200+ staff members @ say R5000pm, to watch your R50pm website for any changes made by you, at all?

    Think about it this way: you have a business which you need to protect from various elements - floods, lightning, fire, theft, robbery, bankruptcy, etc. Whose responsibility is it to make sure these things are all looked after? Even though I don't know much about most of these things, it's my responsibility to find out about it, and learn what to do. I need to employ a guard, pay for an alarm system & armed response company, employ a knowledgeable accountant, make provision for fire & floods (in our case make sure we have off-site data backups, redundant internet connections, etc). Even if the shop I rent costs R20k/pm, it's still my own responsibility, not the landlord's (even though my shop is on his premises, and I think that he should keep the thieves out), or the municipality's (for not making this a safer town), or even (as an example) Los Angeles' fault cause they have earthquakes.

    Quote Originally Posted by Marq View Post

    And - how do I know whether I was the only site hacked - the ISP is not going to tell me or the world that they have a problem with many sites being hacked - not good business practice.
    True, but they may choose not to disclose this info, as it could lead to thousands of other hackers trying their hand at taking this ISP down. Bear in mind that this, and every other ISP, is in competition with all other ISPs, and another ISP could very well have employed the hacker(s) to take down WA. IF they were to disclose this info, then the hackers / competition won, and there would be chaos.

    Quote Originally Posted by Marq View Post

    That's the message received a few days before the site was compromised. What must I make out from that - that they have a problem and moved their service?......or did someone find a hole after they moved to their own network?
    Well, what do they say? Is there any link with this? I don't know what they did, or how they operate.

    But, if it was my business, and I would have made this move, then I would either have moved the same servers that your website was running on to a new location, i.e. nothing on the servers would have changed except for the IP addresses and there would be no coincidence with the 2 matters.

    If, on the other hand, the servers can't be moved like this, to avoid downtime, then the new server(s) would be set up at the new data centre, with all security measures in place already, and the migration would happen in real time.
    Quote Originally Posted by Marq View Post
    That's the message received a few days before the site was compromised. What must I make out from that - that they have a problem and moved their service?......or did someone find a hole after they moved to their own network?
    That is an interesting coincidence.

    It had me thinking when I moved TFSA onto a VPS. Here's a few thoughts that flitted through my mind reading that and Softdux - you'll probably know the answers.

    If you're on a reseller account and you transferred your accounts onto a shiny new VPS or dedi on another service, what are the chances that all the security and permission settings will remain the same?

    What if that shiny new VPS or dedi is not on a managed package with experienced server techs tweaking the "default" security settings?

    What if the old files were left on the old server and someone from the old firm was p'd off or bored?

    Of course if they were really setting up their own server from scratch and weren't techs, I'd be truly sh*tting myself.

    Really? Do you really expect your ISP to know about EVERY change you make to your hosting account & website? So if you decide to try out a new PHP script, do you want them to automatically detect that you have installed it, and then tell you that it's insecure? OR to "advise" you to use something else, something better?
    Great idea - yes

    Do you think this is worth the R50pm you pay them every month?
    For sure - I pay a lot more than what you deridingly assume I do, and if all I am getting is some space on a server and no other service as you are suggesting, then it's damn expensive.

    How long do you expect they will be in business if they need to employ 200+ staff members @ say R5000pm, to watch your R50pm website for any changes made by you, at all?
    Let's see - 200 staff X R5000 salary = R1mill
    25000 clients (WA's claim) X (your) R50 subscription = R1.25mill
    But on this basis - seeing as I make a change every three to six months on the odd page - that's say 8000 clients changing stuff over the year for the 25,000 clients, divided by 200 staff = each staff member must monitor and worry about 3,3 changes a month. So 200 staff is way too much. So if each staff member looks after one client change a day - that's about 25 staff needed. They will be in business a long time and have happy clients.

    The point though, as we can see in your answer, is that the client is always in the wrong. Take the PIN code for example - I did not give it away. I say the ISP let it out of the bag - but you automatically gave them the benefit of that doubt.

    A restore was eventually offered by WA for an additional R300 - I had to suck them for the answers - it then turned out they only keep backups for 7 days and did not have a clean version as the hack had happened prior to that. So they expected me to buy my site back from them after they lost it.

    I could not find how the hackers got in and the ISP sure is not going to admit to having holes - so one will never know the answer to this.

    If Google can assume a malware hack and stop the site loading, then I do not believe that the ISP is unable to run software against their clients' pages to look for the same, so I do not believe this is mission impossible. Similarly they could run software against the dates of files and scripts that may indicate old and vulnerable software. This could then be offered as a service to the client to update the site, for a cost of course. If that was offered and then refused and an attack occurred, well now there's a reason to say I told you so.

    From what I can feel, there is this thought that because the service is so cheap it does not include anything beyond storage, and there is no responsibility out there in ISP land.

    Like I said - all we want is some service, good advice and accountability, which we assume is in the monthly hosting fee. Denial of that service and hiding behind technical issues, when things go wrong, is no different to the insurance guys who let you believe you are covered and then run and hide when the claim happens.
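    The question raised earlier in the thread (how would software know a change is a defacement rather than a legit edit?) and the suggestion just above (the ISP could run software over client pages and file dates) can be partly reconciled: an integrity check can report every change for a human to confirm, and flag the ones that carry known warning signs. This is an added illustration, not code from the thread or from any hoster; the directory names, the regex patterns and the two sample snapshots are constructed.

```python
import hashlib
import os
import re

# Constructs that commonly appear in injected PHP backdoors (illustrative list, not exhaustive).
SUSPICIOUS_PHP = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)
# Zero-size iframes are a classic way to hide a malware redirect in a defaced page.
HIDDEN_IFRAME = re.compile(rb"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I)
# Directories that should hold uploads or data, never executable scripts (constructed list).
NO_SCRIPT_DIRS = ("images/", "uploads/", "media/", "cache/", "tmp/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")

def snapshot_dir(root):
    """Read a web root into {relative path: content bytes} for a real run."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return snap

def digest(snap):
    """SHA-256 per path, so a baseline can be stored without keeping file contents."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in snap.items()}

def classify(path, content):
    """Reasons a new or changed file looks like a compromise rather than a routine edit."""
    reasons = []
    if path.lower().endswith(SCRIPT_EXT) and path.lower().startswith(NO_SCRIPT_DIRS):
        reasons.append("executable script in an upload/data directory")
    m = SUSPICIOUS_PHP.search(content)
    if m:
        reasons.append("suspicious PHP construct: %s(" % m.group(1).decode())
    if HIDDEN_IFRAME.search(content):
        reasons.append("hidden zero-size iframe injected")
    return reasons

def diff_snapshots(before, after):
    """List every change between two snapshots and flag those carrying risk signals.
    Routine edits still appear under added/modified so a human can confirm them."""
    hb, ha = digest(before), digest(after)
    added = sorted(p for p in ha if p not in hb)
    removed = sorted(p for p in hb if p not in ha)
    modified = sorted(p for p in ha if p in hb and ha[p] != hb[p])
    alerts = {p: r for p in added + modified if (r := classify(p, after[p]))}
    return {"added": added, "modified": modified, "removed": removed, "alerts": alerts}

# Constructed sample: yesterday's baseline versus today, after one legit edit and one hack.
BEFORE = {
    "index.php": b"<?php include 'templates/main.php';",
    "about.html": b"<html><body>About us</body></html>",
}
AFTER = {
    "index.php": b"<?php include 'templates/main.php';\n<iframe src='//bad.example/' width=0 height=0></iframe>",
    "about.html": b"<html><body>About us - new opening hours</body></html>",
    "images/cache.php": b"<?php eval(base64_decode($_POST['c']));",
}

if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for path, reasons in report["alerts"].items():
        print("ALERT", path, "->", "; ".join(reasons))
    print("changed, not flagged (review by hand):", [p for p in report["modified"] if p not in report["alerts"]])
```

    For a real site, take `snapshot_dir(webroot)` after each known-good deployment, store `digest()` of it, and compare on a schedule; the unflagged `modified` list is the part that still needs a person, which is the limit the thread is arguing about.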
    Just the fact that, from what I've read here, the customer doesn't trust the ISP, the ISP and customer aren't communicating on any meaningful level, and neither the customer nor the ISP feel that security is their responsibility or have a common understanding as to what is whose responsibility, it's no wonder the script kiddies are working in such a target rich environment and you're getting pwned by the haxors.
    Quote Originally Posted by Marq View Post
    Let's see - 200 staff
    25000 clients.
    OK. Scrap the palukas theory

    Let us start, firstly I would love to see a sixty digit pass-code when you withdraw money. Typing it might take a few minutes but it will be secure. Is it the bank's fault if I lose my cash-card? Oh HELL YES it IS the bank's fault! Why are we using outdated technology! Do you know how easy it is to duplicate a cash card "the one without the chip!" and how long did it take banks to implement the smart card???????

    There are some nifty new technologies that are able to identify you in a few seconds no matter if you had facial reconstruction because it takes a picture of your internal genetics like blood-vessels and if I recall it is only second to DNA identification. So this technology is available and can be implemented so that I can use my face and a pin-code. And if I am dead then the Camera will see it and it will not work.

    Now let’s continue with what is possible. It is possible to specify a 31 character password to be used on the contract so there is no negotiation. Then on your password rules you specify that it must have X amount of whatever you feel is necessary 999AaC@#%$YIOT77895)(&^%((***^% I think cracking that will take a few seconds more than normal. So as an added extra you set up a second rule that the password must be renewed every 10 working days.

    Now you give the user a nice document that specifies the dos and don'ts and everyone is happy.
    Quote Originally Posted by tec0 View Post
    There are some nifty new technologies
    At what cost? Just remember, ultimately the client foots the bill.
    Quote Originally Posted by tec0 View Post
    It is possible to specify a 31 character password to be used ... So as an added extra you set up a second rule that the password must be renewed every 10 working days.
    Erm... We're talking about people doing this, right?

    I think we should bear in mind that in most instances hacking doesn't occur due to a lucky guess or brute force attack. It's shoulder surfing, fooling a person into giving up their password, finding scraps of info that contain the password...

    Quote Originally Posted by Dave A View Post
    That is an interesting coincidence.

    If you're on a reseller account and you transferred your accounts onto a shiny new VPS or dedi on another service, what are the chances that all the security and permission settings will remain the same?
    Very slim.

    When it comes to websites, there's 2 (visible) levels of security, that of the server and that of the website. Moving your website to a new server means you'll lose all the current server's security protection. The only security settings you retain are those which you have control over. For example, on a cPanel server, your cPanel username & password will stay the same. If you set up extra security measures on your website, for example .htaccess files / CAPTCHA protection / "smart PHP script that could do firewalling" / etc, then that goes with you.

    But, if the previous server had, for example, phpsuexec installed, or a bruteforce detection script, then it stays behind. And it's the server admin's (whether it's the ISP in question, or if you prefer / have an un-managed server, yours) responsibility to set up the security measures on the new server again. The internet has changed a LOT in the last 2-3 years, and security measures have taken a leap over what they used to be 2 years ago. For example, on our servers, we deploy about 50 different security measures before we even consider setting up a client's account on it.

    Quote Originally Posted by Dave A View Post
    What if that shiny new VPS or dedi is not on a managed package with experienced server techs tweaking the "default" security settings?
    Then you have a problem. There's generally 2 ways of running a server, if you want to run your own server. It's either managed by the ISP - with different levels & pricing involved, or self-managed, where you take care of it yourself.

    If you don't know how to manage a server, or VPS, then you either need to employ a tech who does, or pay the ISP to manage it for you.

    Quote Originally Posted by Dave A View Post
    What if the old files were left on the old server and someone from the old firm was p'd off or bored?
    As in, someone from the old ISP took revenge on you? Sure, it's possible, BUT probably only really if your website hosting brought in say R20k/pm, and they suddenly lost that R29k/pm. OR, maybe if you did something which directly influenced them and their business. But, for the average joe-soap site, I don't see why another ISP would go through that effort. But even then, it's still your responsibility to change your password on the new ISP's server for this exact reason.

    Quote Originally Posted by Dave A View Post
    Of course if they were really setting up their own server from scratch and weren't techs, I'd be truly sh*tting myself.
    WA has some good techs, but I have seen a lot of cases where they have messed up big time, with similar results as the OP experienced.

    I'm not taking WA's, or any other ISP's, side in this, I'm purely trying to show you that ISPs are not always to blame, even though South Africans enjoy playing the blame game.
