Entries Tagged as 'things you should know'
If you are new to web development or if you are debating which tools to use for your site you’ll want to give this paper a read. It covers all the main and many less common technologies. Descriptions, pros and cons of the various web technologies are covered.
Web-based application developers face a dizzying array of platforms, languages, frameworks and technical artifacts to choose from. We survey, classify, and compare technologies supporting Web application development. The classification is based on (1) foundational technologies; (2)integration with other information sources; and (3) dynamic content generation. We further survey and classify software engineering techniques and tools that have been adopted from traditional programming into Web programming. We conclude that, although the infrastructure problems of the Web have largely been solved, the cacophony of technologies for Web-based applications reflects the lack of a solid model tailored for this domain.
Download (pdf) Survey of Technologies for Web Application Development
Tags: things you should know
1. Take your site offline.
You can do this with a temporary (302) redirect in your .htaccess file; the 302 tells search engines the outage is not permanent:
RewriteEngine On
# Send every PHP request to the outage page; the condition keeps the outage page itself exempt
RewriteCond %{REQUEST_URI} !/site-down-message\.html$
RewriteRule ^(.*\.php)$ http://www.yourwebsite.com/site-down-message.html [R=302,L]
2. Download everything on your website to a safe computer at home. You will want to see what went wrong, and it’ll serve as an emergency backup.
3. Check all your CMS (content management software) for new versions and load new, clean versions onto the site.
4. If you have a clean backup of your site, upload it now, taking care not to overwrite the new CMS.
5. Check everything, then check it again. Make sure everything is clean and that you’ve closed whatever hole the attacker came in through, so it cannot happen again.
6. Check Google Webmaster Tools to see if you’ve been banished, and check Stop Badware. Let them both know your site has been attacked, cleaned, and is back up again.
— Many of the newer attacks plant things in your MySQL database to reinfect your site once you’ve cleaned it so be sure to wipe them too.
— But since no one ever thinks “I’ll be hacked today, so I’d better do a backup”, you might not have a clean backup. Contact your hosting company; they might have one if you don’t.
— If there are no clean backups you’ll have to do it by hand. This means you must find a corrupted file and see what the attacker added. Usually it will be in an iframe. If you have a Mac or Linux box you can go to the root directory of the website files and type
grep -Rl 'iframe badStuff' .
and get a list of every file that has the bad stuff in it. Replace badStuff with whatever string the attacker placed in your files. (Search from . rather than *, so hidden files such as .htaccess are checked too.) Do this also with the directory holding your MySQL backups. MySQL backups are text files and easily edited by hand.
If you have Windows you will need to download a copy of grep from WinGrep.
If you use
grep -Rn 'bad stuff' .
it will also give you the line number on which the bad stuff is found in each file.
Keep grepping for corrupted files and cleaning until you have a clean copy of your website.
Next check with all the content management systems you are using for updates. Very likely there has been an update to whatever software was hacked. Upload new, clean copies of the blogging, photo or other software. Then upload your cleaned files and restore your cleaned databases.
Download everything and check again to make sure you were not re-infected.
Now if you can run cron jobs on your webhost you will want to run the following command daily
find . -type f -mtime -1 -exec ls -lt {} +
and have it email you the results. (Piping find into ls does nothing, because ls ignores standard input; -exec hands the paths to ls properly.) This will send you a list of every file that has been changed in the last 24 hours. This way you can keep a close eye on your site until you are sure everything is locked down and secure.
And remember you can’t have too many backups.
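The grep and find steps above, packaged into one sweep script that can run from cron. This is an added example, not code from the original post; it assumes a POSIX shell with grep -R, find and a working mail command, and the web root and alert address in the crontab comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a daily sweep that lists files
# changed in the last 24 hours and files still carrying injected markup.
# Assumes POSIX sh, grep with -R, find, and a "mail" command for cron use.

# List every file under directory $1 containing the literal string $2, one
# path per line. -F treats $2 as a fixed string so attacker markup containing
# regex characters ('?', '.', '(') is matched as typed; -i ignores case.
find_injected() {
    grep -R -l -i -F -- "$2" "$1" 2>/dev/null
}

# Same search, but print file:line:content so hand-editing is quick.
find_injected_lines() {
    grep -R -n -i -F -- "$2" "$1" 2>/dev/null
}

# Long listing, newest first, of files under $1 modified within the last $2
# days. -exec hands the paths to ls; piping find into ls would show nothing.
recently_changed() {
    find "$1" -type f -mtime "-$2" -exec ls -lt {} +
}

# Build the daily report as plain text so it can be mailed or just printed.
daily_report() {
    webroot="$1"
    echo "Files changed in the last 24 hours under $webroot:"
    recently_changed "$webroot" 1
    echo
    echo "Files still containing '<iframe' (review each by hand):"
    find_injected "$webroot" "<iframe"
}

# Cron usage, e.g. at 03:00 daily (placeholder path and address):
#   0 3 * * * /path/to/site-sweep.sh /var/www/html you@example.com
if [ "$#" -eq 2 ]; then
    daily_report "$1" | mail -s "Daily site sweep: $1" "$2"
fi
```

Searching for a bare '<iframe' will also list legitimate embeds (videos, widgets), so the report is a review list rather than a verdict; once you know the exact string the attacker used, pass that to find_injected instead.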
More information:
Know your enemy: web application threats
Tags: security · things you should know
Since getting hacked last month I’ve seriously tightened up security. But it would be nice to stop attempts before they even get to the website. That is what Bad Behavior tries to do. It is a plugin that should work with just about any PHP-based content management system.
Bad Behavior for WordPress and most other popular CMS
Bad Behavior Coppermine Plugin
Bad Behavior is completely different from any other anti-spam solution out there, in that it doesn’t specifically target spam itself. Rather, it targets the methods by which the spam is delivered. Until I released the first version in 2005, this approach had never been tried. It proved very effective at stopping a lot of malicious activity, not just spam: It also blocks many email address harvesters, meaning less e-mail spam, and some types of automated cracking attempts, improving your server’s security.
While a somewhat similar solution called mod_security exists, it has a rather different purpose, doesn’t target spam, and regular people can’t install mod_security on their shared web hosting accounts. Bad Behavior blocks spam as well as other malicious activity and can be installed by anyone.
On some high traffic sites, or those specifically targeted by spammers, the traffic from these spam attacks can be so excessive as to exceed your account’s bandwidth limits, or overload the server, and cause your account to be suspended. Bad Behavior helps to prevent both of these situations by blocking malicious activity as soon as possible, before either bandwidth or CPU are expended on a request which will turn out to be bogus.
It’s not the only tool you need, but it is a great front-line defense. The workings are straightforward: first BB checks the whitelist, then a known list of bad IPs is checked, then bad user agents, then corrupted user agents. If the request is a POST instead of a GET, more tests are run. The author claims it runs by ‘black magic’. Looking at the simplicity of the code, I have to say that is a good description.
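The ordered screening just described, applied to a handful of constructed request records so you can see which rule fires and in what order. This is an added example, not Bad Behavior’s own code: the IP and user-agent lists are constructed samples, and the “corrupted user agent” rule (an agent claiming MSIE must start with Mozilla/) and the extra POST test (a POST must carry a Referer) are assumed illustrations, not the plugin’s real checks.

```shell
#!/bin/sh
# Added example (not Bad Behavior's code): the screening order described above
# (whitelist, bad IPs, bad user agents, malformed user agents, extra POST tests)
# run over constructed request records. Lists and rules are illustrative.

WHITELIST="203.0.113.10"                     # constructed: your own IPs
BAD_IPS="198.51.100.7 198.51.100.8"          # constructed: known trouble makers
BAD_UA_SUBSTRINGS="libwww-perl lwp-trivial"  # constructed: agents never wanted

# screen_request IP METHOD REFERER USER_AGENT
# Prints one verdict token and returns 0 (allow) or 1 (block). The first
# matching rule wins, which is why a whitelist entry overrides every later check.
screen_request() {
    ip="$1"; method="$2"; referer="$3"; ua="$4"
    for w in $WHITELIST; do
        [ "$ip" = "$w" ] && { echo "allow:whitelist"; return 0; }
    done
    for b in $BAD_IPS; do
        [ "$ip" = "$b" ] && { echo "block:bad-ip"; return 1; }
    done
    for s in $BAD_UA_SUBSTRINGS; do
        case "$ua" in *"$s"*) echo "block:bad-ua"; return 1 ;; esac
    done
    case "$ua" in
        "Mozilla/"*) ;;                                # well-formed browser UA
        *MSIE*) echo "block:corrupt-ua"; return 1 ;;   # claims IE, wrong shape
    esac
    if [ "$method" = "POST" ]; then
        # Assumed extra POST test: a browser posting a form sends a Referer.
        case "$referer" in
            ""|"-") echo "block:post-no-referer"; return 1 ;;
        esac
    fi
    echo "allow"
    return 0
}

# Screen tab-separated records (IP, METHOD, REFERER, USER_AGENT) from stdin.
# Prints "IP METHOD -> verdict" per record; returns the number blocked.
screen_records() {
    blocked=0
    tab=$(printf '\t')
    while IFS="$tab" read -r ip method referer ua; do
        [ -z "$ip" ] && continue
        verdict=$(screen_request "$ip" "$method" "$referer" "$ua") || blocked=$((blocked + 1))
        echo "$ip $method -> $verdict"
    done
    return "$blocked"
}

# Constructed sample records (not real log data); "-" means no Referer.
sample_records() {
    printf '%s\t%s\t%s\t%s\n' \
        203.0.113.10 GET  -                   'libwww-perl/6.0' \
        198.51.100.7 GET  -                   'Mozilla/5.0 (X11; Linux)' \
        192.0.2.5    GET  -                   'lwp-trivial/1.0' \
        192.0.2.6    GET  -                   'MSIE 6.0; Windows NT 5.1' \
        192.0.2.7    POST -                   'Mozilla/5.0 (Windows NT 6.1)' \
        192.0.2.8    POST http://example.com/ 'Mozilla/5.0 (Windows NT 6.1)'
}

demo() {
    sample_records | screen_records
    echo "blocked: $?"
}
demo
```

Because every verdict names the rule that produced it, a log of these tokens is exactly what you need when tuning for false positives: a real visitor blocked as corrupt-ua points at the shape rule, one blocked as post-no-referer at the POST rule.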
You’ll also want the BB log reader for WordPress so you can see what Bad Behavior has been doing.
I found most of the bounces I had were from known trouble makers or browsers whose headers did not match what was expected of a particular browser.
I also found that Bad Behavior gave a fair number of false positives. This doesn’t bother me so much on the Coppermine sites, but it is one of the reasons I wrote the TTC Security plugin for WordPress. The second reason is that it is not easy for the user to change the criteria; I made this easy to do in the TTC Security plugin. So if those things are important to you, use the TTC Security plugin; if not, use Bad Behavior. But use something. Bad Behavior also slows down posting a great deal. On the flip side, it is quite a bit stricter than my plugin.
Tags: security · things you should know
Once upon a time only the larger websites got hacked. The reason they were hacked was someone wanted to show off or make a political statement.
Times have changed. Now sites are hacked in bulk, and the hack is done to promote less ethical websites or to deliver payloads of malware to home PCs.
So if your website was a victim of one of the recent bulk attacks how did you get chosen?
The first thing that happens is that a security flaw is found in a commonly used CMS (content management system). It might be Coppermine, WordPress or any of the other popular systems. The more popular the software is, the more people are looking for a weak spot in it.
Once a flaw is found in the software a script is written to take advantage of the flaw.
Next a search is done to compile a list of sites running the software. For instance, if you use ‘Acme photo content management’ and a flaw is found in the file acme.php, then a search is done for acme.php. The site list is compiled by a bot and all the sites are attacked over a very short time. Or a Perl script is run across several websites looking for flawed programs. (See RFI vulnerability scanner.)
One way to help keep your site off the list is to keep those files off Google and other search engines. Use your robots.txt file and disallow all directories the public does not see. For WordPress disallow /wp-admin and /wp-content/plugins. Go through your website and disallow in robots.txt all the directories not meant for public viewing. Bear in mind that robots.txt only asks well-behaved crawlers to stay out; it is publicly readable and blocks nothing by itself, so it supplements the other steps here rather than replacing them.
For WordPress I disallow (each path must start with a slash, or most crawlers ignore the line):
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Disallow: /wp-app.php
Disallow: /wp-atom.php
Disallow: /wp-blog-header.php
Disallow: /wp-comments-post.php
Disallow: /wp-config-sample.php
Disallow: /wp-config.php
Disallow: /wp-cron.php
Disallow: /wp-feed.php
Disallow: /wp-login.php
Disallow: /wp-links-opml.php
Disallow: /wp-mail.php
Disallow: /wp-pass.php
Disallow: /wp-rdf.php
Disallow: /wp-register.php
Disallow: /wp-rss.php
Disallow: /wp-rss2.php
Disallow: /wp-settings.php
Disallow: /wp-trackback.php
Disallow: /xmlrpc.php
For Coppermine I disallow the following (these go in the same file, under the same User-agent: * line):
Disallow: /coppermine/bridge
Disallow: /coppermine/docs
Disallow: /coppermine/images
Disallow: /coppermine/include
Disallow: /coppermine/lang
Disallow: /coppermine/logs
Disallow: /coppermine/plugins
Disallow: /coppermine/sql
Disallow: /coppermine/themes
Disallow: /coppermine/addfav.php
Disallow: /coppermine/addpic.php
Disallow: /coppermine/admin.php
Disallow: /coppermine/albmgr.php
Disallow: /coppermine/anycontent.php
Disallow: /coppermine/banning.php
Disallow: /coppermine/bridgemgr.php
Disallow: /coppermine/calendar.php
Disallow: /coppermine/catmgr.php
Disallow: /coppermine/CHANGELOG
Disallow: /coppermine/charsetmgr.php
Disallow: /coppermine/config.php
Disallow: /coppermine/COPYING
Disallow: /coppermine/db_ecard.php
Disallow: /coppermine/db_input.php
Disallow: /coppermine/delete.php
Disallow: /coppermine/displayecard.php
Disallow: /coppermine/displayreport.php
Disallow: /coppermine/ecard.php
Disallow: /coppermine/editOnePic.php
Disallow: /coppermine/editpics.php
Disallow: /coppermine/exifmgr.php
Disallow: /coppermine/faq.php
Disallow: /coppermine/forgot_password.php
Disallow: /coppermine/getlang.php
Disallow: /coppermine/groupmgr.php
Disallow: /coppermine/image_processor.php
Disallow: /coppermine/install.php
Disallow: /coppermine/installer.css
Disallow: /coppermine/keyword_create.dict.php
Disallow: /coppermine/keywordmgr.php
Disallow: /coppermine/login.php
Disallow: /coppermine/logout.php
Disallow: /coppermine/minibrowser.php
Disallow: /coppermine/mode.php
Disallow: /coppermine/modifyalb.php
Disallow: /coppermine/phpinfo.php
Disallow: /coppermine/picEditor.php
Disallow: /coppermine/pluginmgr.php
Disallow: /coppermine/profile.php
Disallow: /coppermine/ratepic.php
Disallow: /coppermine/README.TXT
Disallow: /coppermine/register.php
Disallow: /coppermine/relocate_server.php
Disallow: /coppermine/report_file.php
Disallow: /coppermine/reviewcom.php
Disallow: /coppermine/scripts.js
Disallow: /coppermine/search.php
Disallow: /coppermine/searchnew.php
Disallow: /coppermine/showthumb.php
Disallow: /coppermine/stat_details.php
Disallow: /coppermine/update.php
Disallow: /coppermine/upgrade-1.0-to1.2.php
Disallow: /coppermine/upload.php
Disallow: /coppermine/usermgr.php
Disallow: /coppermine/util.php
Disallow: /coppermine/versioncheck.php
Disallow: /coppermine/viewlog.php
Disallow: /coppermine/xp_publish.php
Disallow: /coppermine/zipdownload.php
See Robots.txt and how to use it.
Go through your logs, and if you see robots crawling your site that you don’t recognize, find out who they are. If you still don’t know, banish them using your .htaccess file.
Next you want to check each directory on your website. If a directory does not have an index.html file, then when someone types that directory into a browser, a list of all the files in that directory is shown on the webpage.
You can prevent this by creating an index.html file and placing it in every directory that does not already have one. Mine just says ‘You should not be here’. Yours could include a link back to the home page of the site or anything else you’d like. This keeps prying eyes out of places they should not be.
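The directory check described above done in one pass: find every directory under the web root with no index file and drop the placeholder page into it. This is an added example, not code from the original post; it assumes a POSIX shell, and the web root path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): report directories under a web
# root that would show a file listing, and create a placeholder index.html in
# each. Assumes POSIX sh and find; the web root is given as $1.

# Print directories under $1 that have neither index.html nor index.php.
# The root itself is included, since it needs an index page too.
missing_index_dirs() {
    find "$1" -type d | while read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            echo "$d"
        fi
    done
}

# Create the placeholder page in every directory reported above and print
# how many were created. Reading line by line keeps paths with spaces intact.
create_index_stubs() {
    count=$(missing_index_dirs "$1" | while read -r d; do
        printf '<html><body>You should not be here.</body></html>\n' > "$d/index.html"
        echo x
    done | wc -l)
    echo $((count))
}

# Usage: site-index-stubs.sh /path/to/webroot   (placeholder path)
if [ "$#" -eq 1 ]; then
    echo "Directories without an index file:"
    missing_index_dirs "$1"
    echo "Placeholders created: $(create_index_stubs "$1")"
fi
```

On Apache you can also switch listings off outright with Options -Indexes in your .htaccess file; the placeholder pages are still worth having, because they work on hosts that do not honour that directive and they keep working if the setting is ever lost in a server move.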
See also: Are your directories showing?
More information:
MySQL Injection attacks
3 Must Apply Security Tips for WordPress
Tags: security · things you should know