Over the past few months I've become increasingly aware of the number of web sites being compromised and used for phishing and/or dropping malware. I expect the owners of the sites were unaware of what was going on. I've contacted ISPs and gotten a number of such sites shut down. I've also read accounts of others in the security community about contacting the website owner, or registrant of the domain name, and that person being shocked and dismayed to learn that their site had been compromised and used for illegal activities.
Why is this happening? I'm told by one expert that there is a painfully apparent lack of knowledge of how to secure a web server. I can believe it because, aside from seeing a lot of hacked sites, I've read web hosting and webmaster forums where people running their own servers were admitting to being clueless about security, and sometimes that was after they'd already been hacked.
I've seen some statistics on phishing sites including estimates of how many of them were compromised sites. The stats indicate that most of the sites are running older versions of Apache, really old versions in a lot of cases, and a high percentage have PHP.
What happens to home PCs that are not kept updated and patched? They get infected through exploits -- they are sitting ducks for things like the WMF exploit of earlier this year and the createTextRange() exploit that was just patched 2 days ago. I'm no expert on web server security but it seems to me that common sense would dictate that the same principles would apply. Servers get hacked, at least in part, because they are running old, outdated, unpatched software with exploitable vulnerabilities.
How to keep your web servers and web sites from being hacked?
Keep your software updated -- run the latest versions of Apache and PHP. The same goes for MySQL and any other server-side scripts. PHP forums have been heavily targeted by hackers, not so much for running phishing sites; it seems the script kiddies like to deface them. In case anyone was wondering, the phishing site statistics I saw showed only a few Windows-IIS sites.
- CERT has a document called Securing Public Web Servers here.
- Apache.org has Security Tips for Server Configuration here.
- W3.org has the WWW Security FAQ.
- Apache Week's Apache Security here.
- ModSecurity (mod_security), an open source web application firewall, can be found here.
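To turn the "keep it updated and configure it carefully" advice above into something a server owner can actually run, here is an added example in POSIX shell. It is not code from this post or from any of the linked guides. It checks an Apache configuration for the directives the Apache security tips cover (ServerTokens, AllowOverride, Options Indexes), checks a php.ini for switches that should be Off on a public server (register_globals, allow_url_fopen, expose_php, display_errors), and compares an installed version string against a minimum release. The directive and option names are the real Apache and PHP ones; the sample config files, the "installed" version strings and the baseline version numbers are constructed for the demonstration and are not recommendations for specific releases.

```shell
#!/bin/sh
# Added example, not code from the post or the guides it links: audits the Apache
# and php.ini settings those guides cover and compares a version against a minimum
# release. All sample files and version numbers below are constructed.
# version_ge A B: succeed if dotted version A >= B (digits only; "rc1" suffixes ignored)
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; ah=${ah%%[!0-9]*}; : "${ah:=0}"
        bh=${b%%.*}; bh=${bh%%[!0-9]*}; : "${bh:=0}"
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}
# check_min_version NAME INSTALLED MINIMUM: report NAME when it is behind the baseline
check_min_version() {
    version_ge "$2" "$3" || echo "$1 $2 is older than $3: upgrade"
    return 0
}
# conf_value FILE DIRECTIVE: value of the last uncommented occurrence, lowercased
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{ print tolower($2) }'
}
# audit_apache_conf FILE: one line per weak Apache setting. Precedence between
# <Directory> blocks is not modelled; the last occurrence in the file wins.
audit_apache_conf() {
    f="$1"
    [ "$(conf_value "$f" ServerTokens)" = "prod" ] || echo "ServerTokens is not Prod: the Server header advertises the version"
    [ "$(conf_value "$f" AllowOverride)" != "all" ] || echo "AllowOverride All: .htaccess files can undo these settings"
    ! grep -qi "^[[:space:]]*Options.*[[:space:]+]Indexes" "$f" || echo "Options Indexes: directory listings are enabled"
    return 0
}
# ini_value FILE KEY: value of the last uncommented "key = value" line, lowercased
ini_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr 'A-Z' 'a-z'
}
# ini_reason KEY: why the switch matters on a public server
ini_reason() {
    case "$1" in
        register_globals) echo "request parameters become PHP variables" ;;
        allow_url_fopen)  echo "include() will load code from a URL" ;;
        expose_php)       echo "X-Powered-By advertises the PHP version" ;;
        display_errors)   echo "error output leaks paths and queries to visitors" ;;
    esac
}
# audit_php_ini FILE: one line per switch that should be Off on a public server
audit_php_ini() {
    f="$1"
    for key in register_globals allow_url_fopen expose_php display_errors; do
        case "$(ini_value "$f" "$key")" in
            on|1|yes|true) echo "$key = On: $(ini_reason "$key")" ;;
        esac
    done
    return 0
}
# Constructed sample configs: the permissive settings beside their hardened form
TMPD=$(mktemp -d)
WEAK_HTTPD="$TMPD/weak-httpd.conf"; GOOD_HTTPD="$TMPD/good-httpd.conf"
WEAK_PHP="$TMPD/weak-php.ini";      GOOD_PHP="$TMPD/good-php.ini"
cat > "$WEAK_HTTPD" <<'EOF'
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
cat > "$GOOD_HTTPD" <<'EOF'
ServerTokens Prod
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
cat > "$WEAK_PHP" <<'EOF'
register_globals = On
allow_url_fopen = On
expose_php = On
display_errors = On
EOF
cat > "$GOOD_PHP" <<'EOF'
;register_globals = On   (a commented-out line must not count)
register_globals = Off
allow_url_fopen = Off
expose_php = Off
display_errors = Off
EOF
for f in "$WEAK_HTTPD" "$GOOD_HTTPD" "$WEAK_PHP" "$GOOD_PHP"; do
    echo "== $f"
    case "$f" in *.conf) audit_apache_conf "$f" ;; *) audit_php_ini "$f" ;; esac
done
# Constructed baselines: substitute the current release numbers from the vendors
check_min_version Apache 1.3.33 2.2.3
check_min_version PHP 4.4.2 5.1.6
```

On a real host you would point `audit_apache_conf` at the live httpd.conf (and any included files) and `audit_php_ini` at the php.ini that `php -i` reports, and feed `check_min_version` the output of `httpd -v` and `php -v`. The script only reads files; it changes nothing, so it is safe to run on a production box as a first pass before following the guides linked above.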
I've seen a number of compromised sites being used to run exploits, both the WMF exploit and the createTextRange() exploits. Those sites were dropping trojan downloaders that contacted other servers to download malware including backdoors, key loggers, spam bots, password stealing trojans -- the really nasty spyware, and in some cases, adware as well. It's frustrating and sad, especially since it's largely preventable.
Our IT Commandments:
- Thou shalt not outsource mission critical functions
- Thou shalt not pretend
- Thou shalt honor and empower thy (Unix) sysadmins
- Thou shalt leave the ideology to someone else
- Thou shalt not confuse projects with planning
- Thou shalt not condemn departments doing their own IT
- Thou shalt put thy users first, above all else
- Thou shalt give something back to the community
- Thou shalt not use nonsecure protocols on thy network
- Thou shalt free thy content
- Thou shalt not ignore security risks when choosing platforms
- Thou shalt not fear change
- Thou shalt document all thy works
- Thou shalt loosely couple
- Thou shalt not let thy web servers be hacked