IT Commandment: Thou shalt not let thy web servers be hacked

IT Commandment: Thou shalt not let thy web servers be hacked

Summary: Over the past few months I've become increasingly aware of the number of web sites being compromised and used for phishing and/or dropping malware. Why is this happening? I'm told by one expert there is a painfully apparent lack of knowledge of how to secure a web server.

SHARE:
TOPICS: Security
2

Over the past few months I've become increasingly aware of the number of web sites being compromised and used for phishing and/or dropping malware.  I expect the owners of the sites were unaware of what was going on. I've contacted ISPs and gotten a number of such sites shut down. I've also read accounts of others in the security community about contacting the website owner, or registrant of the domain name, and that person being shocked and dismayed to learn that their site had been compromised and used for illegal activities.

IT CommandmentsWhy is this happening?  I'm told by one expert there is a painfully apparent lack of knowledge of how to secure a web server. I can believe it because aside from seeing a lot of hacked sites, I've read web hosting and webmaster forums where people running their own servers were admitting to being clueless about security and sometimes that was after they'd already been hacked.

I've seen some statistics on phishing sites including estimates of how many of them were compromised sites.  The stats indicate that most of the sites are running older versions of Apache, really old versions in a lot of cases, and a high percentage have PHP. 

What happens to home PCs that are not kept updated and patched?  They get infected through exploits -- they are sitting ducks for things like the WMF exploit of earlier this year and the createTextRange() exploit that was just patched 2 days ago.  I'm no expert on web server security but it seems to me that common sense would dictate that the same principles would apply.  Servers get hacked, at least in part, because they are running old, outdated, unpatched software with exploitable vulnerabilities.

How to keep your web servers and web sites from being hacked?

Keep your software updated -- run the latest versions of Apache and PHP. The same goes for MySql and any other server side scripts.  PHP forums have been heavily targeted by hackers, not so much for running phishing sites, but it seems like the script kiddies like to deface them. In case anyone was wondering, the phishing site statistics I saw showed only a few Windows-IIS sites.

CERT has a document called Securing Public Web Servers here.

Apache.org has Security Tips for Server Configuration here.

W3.org has WWWSecurity FAQ 

http://www.w3.org/Security/Faq/

Apache Week's Apache Security here.

ModSecurity (mod_security), an open source web application firewall can be found here.

I've seen a number of compromised sites being used to run exploits, both the WMF exploit and the createTextRange() exploits.  Those sites were dropping trojan downloaders that contacted other servers to download malware including backdoors, key loggers, spam bots, password stealing trojans -- the really nasty spyware, and in some cases, adware as well. It's frustrating and sad, especially since it's largely preventable. 


Our IT Commandments:
  1. Thou shalt not outsource mission critical functions
  2. Thou shalt not pretend
  3. Thou shalt honor and empower thy (Unix) sysadmins
  4. Thou shalt leave the ideology to someone else
  5. Thou shalt not confuse projects with planning
  6. Thou shalt not condemn departments doing their own IT
  7. Thou shalt put thy users first, above all else
  8. Thou shalt give something back to the community
  9. Thou shalt not use nonsecure protocols on thy network
  10. Thou shalt free thy content
  11. Thou shalt not ignore security risks when choosing platforms
  12. Thou shalt not fear change
  13. Thou shalt document all thy works
  14. Thou shalt loosely couple
  15. Thou shalt not let thy web servers be hacked

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • Wow, that's 15 IT Commandments....

    I wonder how many stone tablets will be needed to write them all down? Wait a sec, it's the 21st century, we could just put it on a Tablet PC and be done with it! ;)

    Seriously though, your 15th IT Commandment is very crucial(the others are great, too). Perhaps a corollary Commandment can be made here: [b]Thou shalt not ignore software updates[/b]. Yeah, it's a no-brainer and broad, but important nonetheless.
    Tony Agudo
  • re Obsolete Code

    The importance of keeping abreast of releases and patches cannot be overestimated.

    Back in Dec 2004 the Santy worm reared its ugly head and attempted to penetrate phpBB sites worldwide. The phpBB group released a patch shortly after. So here we are in 2006 some 16 months later and I have just observed a resurgence of the same tired old exploit attempts.

    These continue to work because some sites never get the message.
    0ldfrog