11-05-2007, 07:50 AM
WebProWorld New Member
Join Date: Jul 2007
Posts: 5
Question on malware
How can someone add malware to a site they have no access to edit? I had someone do this to one of my sites and was unaware until I was notified by Google they listed it as a threat. How do you stop this?
Also I heard that if you take a site down off the Internet that it may not be removed from the Internet? Is that possible?

11-05-2007, 09:35 AM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,647
Re: Question on malware
To your first question, by giving themselves access to the site. It is not extremely hard to gain unauthorized access to a web server that has not been properly secured. To be very blunt, if you are a webmaster and are asking this question, your site is not properly secured.
Sorry I can't give too much detail, but there are just so many ways. If you check my blog (see my sig) I cover a couple of light attacks and defenses, but most of my articles have been focusing on network security issues.
For your second question, there are computers on the internet known as "caching proxies". Typically they are used by dial-up service providers to give customers faster access to web sites - by storing local copies of the site content, they can respond faster than your server. As everyone moves to high speed connections, however, these are being used less and less. The other thing is search engines. They cache copies of the web sites they crawl, as does archive.org.

11-05-2007, 11:08 AM
WebProWorld New Member
Join Date: Jul 2007
Posts: 5
Re: Question on malware
Thank you and to the first answer you are right. I host my sites on a shared server. The company tells me that they are unable to help block what they call stalkers. Which they said and accused me of giving access to the site.
Second, how does one make sure that this doesn't happen? I did go to your site and I do understand monitoring, but if you are not allowed to do this then what? Example: let's say a site is hosted on Hsphere and the company claims after you notice someone signed up with a suspicious address that made us look deeper. We traced it to Nigeria, which was in conflict with the American address given. When we talked to the techs of this company they said they had noticed someone "stalking" the site.
When I questioned the tech they said they couldn't do anything including not even warn me because it was not their job.
Still hope you will help me please.

11-05-2007, 11:54 AM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,647
Re: Question on malware
That is a doozy of a question.
If I wanted to break into your site, I would go through a few steps. I would fingerprint the server (identify what is running on the server that I could attack), I would test your web applications and forms, as well as the forms of other users hosted on the site looking for exploits, and then I would find a way to trick the server into thinking I had the access to write new data to the server. Unfortunately, because you are on a shared server there is almost no way to determine how a specific attacker breached your site - you don't have access to the logs, and you can't implement your own attack against the server to find probable targets that need to be patched.

11-05-2007, 12:04 PM
WebProWorld New Member
Join Date: Jul 2007
Posts: 5
Re: Question on malware
Is it possible to protect yourself on a virtual server? If you have all the access to the root files. Would it be helpful to install a program such as SNSI (Sunbelt Software)? It is supposed to scan the sites. I am getting my virtual server set up as we speak and have cPanel X11 on it that also has scanning software. Would this be enough or could you recommend something else? You have been quite helpful by the way. Thanks

11-05-2007, 12:10 PM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,647
Re: Question on malware
Wow, that is a pricey little program - it also seems that the program is geared more for searching for network vulnerabilities. You might get better results from an IDS (intrusion detection system) which looks at incoming traffic patterns for possible malicious access, together with running vulnerability scans from your location. I take it that your site is hosted by a third party at a remote location?
(BTW: check your personal messages)

11-05-2007, 01:30 PM
WebProWorld New Member
Join Date: Jul 2007
Posts: 5
Re: Question on malware
Again you are correct. I went searching the term IDS and man does that sound technical. I on the other hand am not technically orientated. Is it possible for you to recommend a particular IDS Service or Software? Please. I know that I have asked a lot of questions, I have a lot to learn in this area. You have been so helpful, I was hoping you could help a little more with advice or suggestion on a certain Company that would be helpful to a newbie. Again you are correct on the fact it is very pricey for a small business to swallow.

11-05-2007, 02:20 PM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,647
Re: Question on malware
I have never actually used an IDS - it is too reactionary for me. Someone has to actually start hacking your site before the IDS activates, and it is possible to get around them. If your first attack works, the IDS won't even try to stop you in some cases. I go with the vulnerability assessments myself. I have software that I use to try to break into my own servers, and then fix any problems I find with these tools. My site is also audited by an external company daily. When we were comparing auditors, we had the site scanned by four of them (ScanAlert and ControlScan being two of them, ScanAlert is being bought by McAfee I think and is the one we use, ControlScan is a little less expensive but doesn't have the same client base, honestly though I liked ControlScan better). Between the four of them, they were not able to find a single vulnerability in our web server. Using my own tools, I was able to catch most of the major vulnerabilities.
This is, again, a technical solution and it takes some know-how to implement, but I might be able to set something up for you. If you send me a PM with your domain name, I can create a profile you might be able to use with one of the better tools.