Why your site was chosen to be hacked and how to avoid being chosen

Posted by ljmacphee on May 30, 2008 under security, things you should know | 2 Comments to Read

Once upon a time only the larger websites got hacked, and the reason was that someone wanted to show off or make a political statement.

Times have changed. Now sites are hacked in bulk, and the hack is done to promote less ethical websites or to deliver payloads of malware to home PCs.

So if your website was a victim of one of the recent bulk attacks, how did you get chosen?

The first thing that happens is that a security flaw is found in a commonly used CMS (content management system). It might be Coppermine, WordPress or any of the other popular systems. The more popular the software is, the more people are looking for a weak spot in it.

Once a flaw is found in the software, a script is written to take advantage of the flaw.

Next a search is done to compile a list of sites running the software. For instance, if you use ‘Acme photo content management’ and a flaw is found in the file acme.php, then a search is done for acme.php. The site list is compiled by a bot and all the sites are attacked over a very short time. Or a Perl script is run across several websites looking for flawed programs (see RFI vulnerability scanner).

One way to help keep your site off the list is to keep those files out of Google and the other search engines. Use your robots.txt file and disallow all directories the public does not see. For WordPress disallow /wp-admin and /wp-content/plugins. Go through your website and disallow in robots.txt all the directories not meant for public viewing. Bear in mind that robots.txt is itself a public file and is only honoured by well-behaved crawlers, so it keeps these files out of search results rather than out of reach.

For WordPress I disallow (each Disallow path must start with a slash, otherwise crawlers will not match it):
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Disallow: /wp-app.php
Disallow: /wp-atom.php
Disallow: /wp-blog-header.php
Disallow: /wp-comments-post.php
Disallow: /wp-config-sample.php
Disallow: /wp-config.php
Disallow: /wp-cron.php
Disallow: /wp-feed.php
Disallow: /wp-login.php
Disallow: /wp-links-opml.php
Disallow: /wp-mail.php
Disallow: /wp-pass.php
Disallow: /wp-rdf.php
Disallow: /wp-register.php
Disallow: /wp-rss.php
Disallow: /wp-rss2.php
Disallow: /wp-settings.php
Disallow: /wp-trackback.php
Disallow: /xmlrpc.php

For Coppermine I disallow:

Disallow: /coppermine/bridge
Disallow: /coppermine/docs
Disallow: /coppermine/images
Disallow: /coppermine/include
Disallow: /coppermine/lang
Disallow: /coppermine/logs
Disallow: /coppermine/plugins
Disallow: /coppermine/sql
Disallow: /coppermine/themes
Disallow: /coppermine/addfav.php
Disallow: /coppermine/addpic.php
Disallow: /coppermine/admin.php
Disallow: /coppermine/albmgr.php
Disallow: /coppermine/anycontent.php
Disallow: /coppermine/banning.php
Disallow: /coppermine/bridgemgr.php
Disallow: /coppermine/calendar.php
Disallow: /coppermine/catmgr.php
Disallow: /coppermine/CHANGELOG
Disallow: /coppermine/charsetmgr.php
Disallow: /coppermine/config.php
Disallow: /coppermine/COPYING
Disallow: /coppermine/db_ecard.php
Disallow: /coppermine/db_input.php
Disallow: /coppermine/delete.php
Disallow: /coppermine/displayecard.php
Disallow: /coppermine/displayreport.php
Disallow: /coppermine/ecard.php
Disallow: /coppermine/editOnePic.php
Disallow: /coppermine/editpics.php
Disallow: /coppermine/exifmgr.php
Disallow: /coppermine/faq.php
Disallow: /coppermine/forgot_password.php
Disallow: /coppermine/getlang.php
Disallow: /coppermine/groupmgr.php
Disallow: /coppermine/image_processor.php
Disallow: /coppermine/install.php
Disallow: /coppermine/installer.css
Disallow: /coppermine/keyword_create.dict.php
Disallow: /coppermine/keywordmgr.php
Disallow: /coppermine/login.php
Disallow: /coppermine/logout.php
Disallow: /coppermine/minibrowser.php
Disallow: /coppermine/mode.php
Disallow: /coppermine/modifyalb.php
Disallow: /coppermine/phpinfo.php
Disallow: /coppermine/picEditor.php
Disallow: /coppermine/pluginmgr.php
Disallow: /coppermine/profile.php
Disallow: /coppermine/ratepic.php
Disallow: /coppermine/README.TXT
Disallow: /coppermine/register.php
Disallow: /coppermine/relocate_server.php
Disallow: /coppermine/report_file.php
Disallow: /coppermine/reviewcom.php
Disallow: /coppermine/scripts.js
Disallow: /coppermine/search.php
Disallow: /coppermine/searchnew.php
Disallow: /coppermine/showthumb.php
Disallow: /coppermine/stat_details.php
Disallow: /coppermine/update.php
Disallow: /coppermine/upgrade-1.0-to1.2.php
Disallow: /coppermine/upload.php
Disallow: /coppermine/usermgr.php
Disallow: /coppermine/util.php
Disallow: /coppermine/versioncheck.php
Disallow: /coppermine/viewlog.php
Disallow: /coppermine/xp_publish.php
Disallow: /coppermine/zipdownload.php

See Robots.txt and how to use it.

Go through your logs, and if you see robots crawling your site that you don’t recognise, find out who they are. If you still don’t know who they are, banish them using your .htaccess file.
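An added example of this log check (not from the original post): it reads constructed Apache combined-format log lines, flags clients that fetch robots.txt with a user agent outside an assumed allowlist of known crawlers, flags any self-declared robot that then requests a path the robots.txt disallows anyway, and prints Apache 2.2-style Deny lines for .htaccess.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the client IP, request path and user agent are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed allowlist: crawlers the site owner has already looked up and decided to keep.
KNOWN_CRAWLERS = ("Googlebot", "Slurp", "msnbot")
# A few of the Disallow lines from the robots.txt above.
ROBOTS_TXT = """User-agent: *
Disallow: /wp-admin
Disallow: /wp-login.php
Disallow: /coppermine/admin.php
"""
# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
66.249.66.1 - - [30/May/2008:10:00:01 -0500] "GET /robots.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [30/May/2008:10:05:11 -0500] "GET /robots.txt HTTP/1.0" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [30/May/2008:10:05:12 -0500] "GET /wp-login.php HTTP/1.0" 200 1204 "-" "libwww-perl/5.805"
198.51.100.9 - - [30/May/2008:10:07:40 -0500] "GET /about/ HTTP/1.1" 200 4310 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0.0.14"
"""

def disallowed_prefixes(robots_txt):
    """Path prefixes on Disallow lines (this simple parser ignores per-agent groups)."""
    return [v for v in (line.split(":", 1)[1].strip() for line in robots_txt.splitlines()
                        if line.lower().startswith("disallow:")) if v]

def find_unknown_robots(log_text, robots_txt):
    """Map each suspicious client IP to the reasons it was flagged."""
    prefixes = disallowed_prefixes(robots_txt)
    read_robots = set()              # IPs that fetched /robots.txt, i.e. self-declared robots
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # malformed line: skip rather than guess
        ip, path, ua = m.group("ip", "path", "ua")
        if path == "/robots.txt":
            read_robots.add(ip)
            if not any(name in ua for name in KNOWN_CRAWLERS):
                reasons[ip].add("unknown crawler fetched robots.txt: " + ua)
        elif ip in read_robots and any(path.startswith(p) for p in prefixes):
            # A robot that read robots.txt and then requested a disallowed path is not honouring it.
            reasons[ip].add("ignored Disallow for " + path)
    return dict(reasons)

def htaccess_deny_lines(flagged):
    """Apache 2.2-style directives to banish the flagged addresses via .htaccess."""
    return ["Deny from " + ip for ip in sorted(flagged)]
```

Run find_unknown_robots over your real access log text and paste the Deny lines into .htaccess only after you have looked the addresses up, as the post advises.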

Next you want to check each directory on your website. If a directory does not have an index.html file, then when someone types that directory into a browser the server shows a list of all the files in that directory (on servers where directory listings are enabled).

You can prevent this by creating an index.html file and placing it in every directory that does not already have one. Mine just says ‘You should not be here’. Yours could include a link back to the home page of the site or anything else you’d like. This keeps prying eyes out of places they should not be.
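An added example (not from the original post) that performs this check over a web root: it lists every directory with no index file and drops in the author's placeholder page. The index file names are an assumption based on Apache's usual DirectoryIndex defaults.

```python
import os
import tempfile

# Names Apache serves for a bare directory request (assumed DirectoryIndex defaults).
INDEX_NAMES = ("index.html", "index.htm", "index.php")
PLACEHOLDER = "<html><body>You should not be here.</body></html>\n"

def directories_without_index(docroot):
    """Relative paths of every directory under docroot that has no index file."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()                      # deterministic walk order
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(os.path.relpath(dirpath, docroot).replace(os.sep, "/"))
    return missing

def add_placeholders(docroot, dry_run=False):
    """Drop a placeholder index.html into each directory lacking one; return where it went."""
    written = []
    for rel in directories_without_index(docroot):
        if not dry_run:
            with open(os.path.join(docroot, rel, "index.html"), "w") as fh:
                fh.write(PLACEHOLDER)
        written.append(rel)
    return written

def demo():
    """Constructed web root: front page and /about have an index, the image and upload dirs do not."""
    root = tempfile.mkdtemp()
    for d in ("images/2008", "wp-content/uploads", "about"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "about/index.html", "images/logo.gif"):
        open(os.path.join(root, f), "w").close()
    before = directories_without_index(root)
    add_placeholders(root)
    return before, directories_without_index(root)
```

A placeholder only covers the directories that exist today; Options -Indexes in .htaccess turns listings off for the whole tree, including directories added later.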

See also: Are your directories showing?

More information:
MySQL Injection attacks
3 Must Apply Security Tips for WordPress
How to secure WordPress sites

4 ways to spring clean your website

Posted by ljmacphee on May 26, 2008 under things you should know | Be the First to Comment

I try to clean up and update my websites once a year but that doesn’t always happen. Sometimes life just gets too busy.

But since I had to move everything to new servers I’ve been making time this week to dust off the sites.

1) Check your images directory: remove unused images, and look for hidden files or HTML files. Hackers often use these directories to store phishing pages when your site gets hacked. The fewer images in a directory, the quicker the server can find and load the image your page is requesting. Keep it lean. Break up your image directory into smaller directories if you have lots of images.

2) Proofread old pages and posts. No matter how many times I reread old posts I usually find typos or better ways to word them. You are getting new visitors to those old pages every day. Dust them off. Your site has come a long way; make sure those early pages reflect that.

3) Run a link checker and make sure pages you linked to a year or more ago still exist. Often they don’t.

4) Update your pages. Maybe you’ve learned more about a subject or found better tools for doing something. Keep those resources current and cutting edge and you’ll get more visitors.
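An added example (not from the original post) of the image-directory check in step 1: it walks a web root and reports hidden files, non-image files and files that carry an image extension but start with markup or script text. The directory names treated as image directories and the image extensions are assumptions.

```python
import os
import tempfile

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico"}
IMAGE_DIR_NAMES = {"images", "img", "uploads"}   # assumed names of image directories

def suspicious_files(docroot):
    """(relative path, reason) for each file in an image directory that does not belong there."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()                              # deterministic walk order
        parts = set(os.path.relpath(dirpath, docroot).split(os.sep))
        if not parts & IMAGE_DIR_NAMES:
            continue                                 # not inside an image directory
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.startswith("."):
                findings.append((rel, "hidden file"))
            elif ext not in IMAGE_EXTS:
                findings.append((rel, "not an image: " + ext))
            else:
                with open(path, "rb") as fh:
                    head = fh.read(16)
                # Real images start with a binary signature, never with "<" or "#!".
                if head.lstrip().startswith((b"<", b"#!")):
                    findings.append((rel, "image extension but text/markup content"))
    return findings

def demo():
    """Constructed docroot: a real GIF header, a planted HTML page, a dotfile and a disguised script."""
    root = tempfile.mkdtemp()
    img = os.path.join(root, "images")
    os.makedirs(os.path.join(img, "2008"))
    with open(os.path.join(img, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 10)
    with open(os.path.join(img, "2008", "login.html"), "w") as fh:
        fh.write("<html>planted page</html>")
    with open(os.path.join(img, ".hidden.txt"), "w") as fh:
        fh.write("x")
    with open(os.path.join(img, "photo.jpg"), "w") as fh:
        fh.write("<?php /* planted */ ?>")
    return suspicious_files(root)
```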

Then back it up: to your server, to your home computer and to a USB key. You can’t have too many copies of your website when a problem appears.

How to incorporate Twitter into your WP blog, twittering my time away

Posted by ljmacphee on May 19, 2008 under how to, tools, wordpress | Be the First to Comment

All the major blogs on blogging were urging their readers to start Twittering a few months back. I had heard of Twitter and looked at Twitter, but hadn’t yet done anything with Twitter. So I signed up for an account: Twitter.com/timestocome.

There it sat with nothing but the default tweet for over a month. I then attended a garden blogger’s convention in Austin and several garden bloggers said they were using Twitter on their blogs and were quite happy about it. (And I’m thinking I’m really behind the times if my fellow garden bloggers are out-teching me.)

So things have finally quieted down and I had a chance to play with Twitter again. There are several plugins for WordPress blogs and Twitter. I started using Twitter updater to post notices to my Twitter account when I have a new blog post, but it updated Twitter every single time a file was saved, even if the post date was in the future and the post wasn’t completed.

I’m trying Twitter for WordPress to publish my most recent tweet in my sidebar on my personal blog. So far it seems to be working well.

There is also a Twitter Tools plugin which allows you to send notices of your posts and also add tweets to your sidebar. I’m now using that to send tweets for new posts. I’ve found it also updates Twitter when you update an existing published post, but not for pages. So that was a bit of a pain. It also posted a link back to the Twitter Tools plugin page on each and every tweet.

As well as announcing new blog posts, you can use Twitter from your cell phone with SMS. It is extremely simple. Go to Twitter->Settings->Devices and plug in your mobile phone number. Twitter then gives you a code; you send an SMS to Twitter (40404) with the code and you’re good to go. From then on, just SMS anything you want posted on Twitter to 40404.

Tweets are limited to 140 characters, so like text messages you’ll need to be short and to the point.

Twitter might turn out to be useful for blogging, but I’ve yet to find a plugin that updates only new posts without adding stuff to the tweet. So for now I’ll be updating Twitter manually to announce new posts. Twitter has badges for MySpace, Blogger, Facebook and TypePad. Just follow the ‘Display Twitter on your website’ links while on Twitter to build a badge.

I’m also noticing that none of the profiles on the techy forums I post at have Twitter spots in user profiles. So I’m thinking it’s not really mainstream yet, at least among the geekiest of us.

WordPress Blue-box theme converted for Coppermine users

Posted by ljmacphee on May 12, 2008 under coppermine, hack your template | Be the First to Comment

Here is another popular WordPress theme (Blue-Box) I converted to work with Coppermine. You should find it easy to tailor to your needs, including adding advertising to your sidebar. Coppermine Blue-Box WordPress adapted theme