…and I’m not talking about a hacking cough here.
Twice this week, clients or friends of mine have had their web sites hacked. One was hacked for the second time in a couple of weeks.
I can tell a lot from the forensic analysis as I clean up a site. A bit of CSI as it were.
There is one really big problem that contributes a lot to these hacking epidemics.
The problem is these huge hosting organizations that have thousands of web sites on a single IP address (a single server in most cases, but not necessarily). The hacked site I looked at tonight was on a server that has over 1,311 sites on it. The one I fixed on Wednesday was on a server hosting over 303,000 sites (though the same server was up to 304,173 as of tonight). A single server most likely! (You can check your own server at DomainTools.)
Once a hacker gains control of the root account on a server, or for that matter gains control of even one of the thousands of user accounts, it is possible to compromise many if not all of the web sites on that server. I know because I’ve done the experiment myself, on private servers.
We’re not talking about automated software doing the hacking – these are real flesh-and-blood hackers who are gaining control of a server and then “walking the tree” going from one site to the next compromising the sites of the customers. In the case of the hack we discovered on Wednesday, the nasty work began in the morning, and we could follow his/her trail around the site for 30 minutes, until the last file was compromised. And this hacker knew how to recognize exactly the most effective files to modify to obtain maximum effect.
Interestingly, hackers don’t usually want to obliterate your web site or deface it – their primary goal is to inject something that won’t be noticed by your web site visitors, yet will infect their computers and turn them into zombies.
The solution ain’t pretty either.
Sure we can clean up a site, but that won’t stop the hacker from coming back later on to compromise the site again.
Actually the easiest “solution” is to get off these cheap hosting dives and buy yourself a hosting plan that includes a “virtual server.” It’s going to cost more, but it means the hacker has to target you individually, which they’re less likely to do. Why try to hack a server that only hosts one web site when they could hack 304,000+ sites by hitting one big Network Solutions (oops, yes that’s who the host was) server.
Another smart move is to keep a full backup of your site, so you can upload after a hack and after you’ve cleaned up. And move to another server after you’ve been hacked, for gosh sakes!
Interesting thing about one of these hacks this week was that the hacker even bothered to hack the backup copies that were lying around on the server! This was one determined hacker!
Another thing you want to do is set up a tripwire that will alert you if your site has changed while you were sleeping. Sorry, but I can’t give you any names of cheap services that do this – they are costly – but I do this monitoring myself for my clients’ sites, and I am informed (on my mobile phone) of hacking incidents within an average of 10 minutes so I can get to a computer and start fixing things.
Anyway, my main point was that choosing a cheap hosting plan can be dangerous to your web site’s health. And you shouldn’t pick a cheap host unless you’re willing to throw away your site, move to another server and upload your backup copy. A lot of grief.