I think one of the lessons we all learn growing up is that being a snitch — tattling, whistle blowing, etc. — is a bad thing; and that only in the face of death (even if that counts for anything) should you even consider being a snitch.
Sometimes I think that attitude is so pervasive in our society, at large, that most of us impacted by hackers do not even consider snitching on the hacker who tried to break into our web site, email, database, or server. Even if it did cross one’s mind, some might have the attitude of what good will it do especially given the global nature of the Internet — who has jurisdiction, language barriers, culture barriers, and what else might be present.
How does one even know if their web site or server is subject to being attacked?
If you or your host performed proper log file monitoring and management, you might be surprised that most sites are attacked throughout the day, every day, 365 days a year. The average survival time of vulnerable machines on the Internet per the Internet Storm Center was 10 minutes as of August 15, 2011.
Earlier this week, I was not surprised to read about a web site owner who just set up an non managed VPS (virtual private server), installed WordPress 3.2.1, and two hours later was hacked. The site was not yet live for more than two hours, and it was already compromised!
Just so you know, any machine out of the box is vulnerable. Any software just installed is vulnerable. Unless someone takes specific measures to secure a machine or secure an application on a machine, the machine and application are vulnerable.
That’s why our company believes that security should be an entitlement to Web hosting, email hosting, and database hosting customers. It is also why we believe hosting providers need to go above and beyond PCI Compliance.
If you are completely satisfied with your hosting company, then ask their technical support department to help educate you how to read your web site logs so you can track attacks, and report them to the appropriate data center hosting the attacker; if you are not completely happy with your hosting provider, and want to switch to our managed hosting service, please contact us. If you are a hosting provider, please do consider our security services where we can help make you more money through customer retention, and new customers (who know you take security seriously).
On a typical day we are reviewing a large number of logwatch reports, brute force detection reports, and other types of security alerts. We use various WHOIS services to get the abuse email information of the data center or web hosting provider that is providing the services to the IP address that tried to attack one or more of our customers — our customers in this case include our managed service provider customers as well as our managed hosting customers.
We then contact the data center / hosting provider giving them segments of the log file, GMT time stamps, and ask them to take appropriate action.
Since we are not seeking any legal or criminal action be taken — i.e. just deal with the hacker or malware being used by the hacker — we are typically greeted with fellow security (often working in an abuse department) administrators who know we are just trying to work with them rather than force their hand, or otherwise make their job harder.
Over the past 16 years, we’ve learned that everyone’s comfort level in finding the malware or tools used by the hacker varies, so we’ve learned to include a number of tips we’ve learned over the years to track down malware and infected web sites. By helping to make the job easier for the abuse department person working with us, in the end it typically means a faster resolution time.
The responses we get from data centers vary. Some have a policy of not responding via email (though from follow up phone calls, I know they get the email), others alert their customers (who sometimes need multiple follow ups to clean up and secure their environment), and others are very quick to respond either suspending the account, or cleaning it up.
As a live example, on August 15th, we received the following response from a data center in Germany:
Sehr geehrte Damen und Herren,
Server wurde neu installiert und gerade habe ich eine Abus email bekommen.
werde heute nochmals Fail2ban installieren.
###
(which when translated to English tells us)
Ladies and Gentlemen,
Server has been reinstalled and I just got an email Abus.
Fail2ban’ll install again today.
Another live example received on August 17:
Hello, Mr. Abraham,
thanks for the time you spend us the log file excerpt.
We identified a hacked costumer web space and will close it within the next 10 minutes.
Best regards,
Thomas Schüring
Our typical experience is that if you consistently contact the appropriate abuse department asking them to stop a given attack (and providing them with log file samples, time stamps, what is the GMT time of the logs — i.e. GMT -4) that over time, the number of attacks on your site / server are reduced.
They rarely get to zero (and rarely stay at zero if you get there), but as each infected web site, malware, hacked server (that is used to attack) is cleaned up, the Internet at large becomes a safer place for everyone.
I’m a firm believer that when you put part of your life on the Internet, security must became a way of that life. Security should be layered, containing as many layers as it is practical to manage daily.
For the web site owner, those layers should consist of the following:
- Hosting your web site, email, databases, etc. with a managed hosting provider that secured the server, and keeps it secure (don’t assume such things; when in doubt, ask).
- Regularly change your passwords using unique passwords for any control panel, application, email, FTP, etc; and use only very secure passwords that are at least 12 wide consisting of uppercase letters, lowercase letters, numbers, and where allowed special symbols where none of the letters form a word found in the dictionary.
- Regularly scanning all personal computers connected to the Internet for malware and viruses; we do recommend MalwareBytes and ENOD/32.
- Keeping your applications like Drupal, Joomla, WordPress, and the like up to date.
- Keeping all plugins, themes, add ons and extensions up to date; and to be aware if a particular plugin, theme, add on, etc. is listed as being either vulnerable or an outright back door to hackers. When in doubt, ask your managed hosting provider.
- Whether done by your hosting provider, yourself, or someone on your team, review your log files daily, investigate, and report hack attempts to the data center or hosting provider of the attacker.
If you host your site with us, we will let you know if your (non custom) applications are out of date, check daily if your site is listed in Google as being unsafe, check daily if your site is listed by Norton as being unsafe, and throughout the day report hack attempts to the appropriate abuse department to stop the hacks. Every one of our customers who has gone for PCI compliance received it.
Most of our customers are small business owners who appreciate there’s a lot that goes into being secure; and while they can do the tasks listed in the bullet points above, would prefer we do most of those tasks for them (did I share we regularly check for weak passwords as well?).
Contact us if you have questions.