Website hacking - tools to help spot issues

[Carol Haynes]

I have been building websites for a few years now using Joomla but recently my server seems to be under regular attack.

The attacks seem to be of the form that a php script is injected into a folder and used to pour out spam.

The trouble is with a lot of websites it isn't practical to wade visually through dozens of folders regularly to look for scripts.

The data centre has scanned the server for malicious scripts but I have already spotted and deleted a few that were missed.

Life currently feels like a war of attrition - I am spending so much time dealing with issues I now either need to pack it all in and give up or find a way to monitor user accounts to ensure I catch scripts and deal with them efficiently.

I am not sure how these scripts are even getting there - it isn't the clients I have. Even websites that are running the latest build of Joomla and a few well known and trusted extensions seem to be plagued.

Has anyone any suggestion where I can start.

One simple solution is to find a way to get the server to report when files are added to user accounts (preferably by email so that I can constantly monitor what is happening - with a couple of a notable exceptions most of the websites only change occasionally) - does anyone know a way to do this?

Any help or suggestions would be gratefully received.

The server is running Apache and WHM/CPanel.

I am not particularly technically minded when it comes to Linux - I just want to set up and maintain a few small local business and individual websites and not be driven batty by constant annoyances.

[wraith808]

I know that the datacenter that I use has something in place- it sends out e-mails to the user (and perhaps the admin) whenever any script is uploaded that sends e-mails.  I'm not sure of *how* it does it- but I do know it's at least possible.

Note: If this is the first time you received this mail, it contains the history for the entire month so far.

Below are the recently upload scripts that contain code to send email.  You may wish to inspect them to ensure they are not sending out SPAM.

It does come from cPanel on my server, so perhaps it's something in that?  I did some searching on newmailcgi which is in the subject for those e-mails- it's apparently a setting in WHM, though I can't seen any verification of the same.

[Carol Haynes]

Thanks I will check that out - that would be ideal - but it would also be nice to have a report of any new files added to the server - since I don most of the website maintenance for clients I shouldn't see much that I don't expect.

Out of curiosity does anyone know any way to scan MySQL databases for potential injection issues?

[wraith808]

It does have a list of files- I just didn't include that part

[Carol Haynes]

OOOOOOOOOOO  if that really works it will make my day! 

[Carol Haynes]

I suspect it is a CRON job - my data centre says they have no such feature - anyone know how to set up a cron job to do this?

[40hz]

Out of curiosity does anyone know any way to scan MySQL databases for potential injection issues?

-Carol Haynes (May 20, 2014, 11:16 AM)

Hoo-boy! Ran into that same question with a few of my clients last year...

OWASP has information on procedures to test a database for SQL injection vulnerabilities.

AFAIK, the default automated testing tool is sqlmap. That's what my two clients used as their starting point even though some sources have argued it won't catch everything. You can find info and the download links for sqlmap here.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

However, most of what I've read suggests that rather than trying to scan or otherwise test for vulnerabilities, it's far easier to take the precaution of making sure all your SQL statements are paramaterized. Smart money says sanitizing your SQL that way is the only reliable method for stopping injection attacks. Nice short article on that over at Coding Horror. Find it here.

Luck!  

[joiwind]

My version of cPanel allows cron jobs.

Though this doesn't answer your question about tools to help spot issues, have you thought about read-write permissions ? Surely you could do something with that to protect your folders - and when you need to update your site you adjust the permissions temporarily.

There is also the .htaccess file that you could use to restrict write access.

 cPanel version 11.42.1.16

[wraith808]

There is also the .htaccess file that you could use to restrict write access.

-joiwind (May 21, 2014, 05:39 AM)

That was my first thought... but when I saw that she was talking about for her clients also (multiple directories) I realized how unfeasible that could become.

[Carol Haynes]

Just looking at that MySQL stuff (thanks 40Hz) and I am coming to the conclusion I don't want to do this anymore - too much stuff to learn to be able to be effective and no inclination to learn it.

All I want to do is run a few websites for local people I know and friends and not have to cope with bastards constantly attacking and disrupting everything.

So frustrating!!

Be far simpler in the long run to go back to hand coding pages in HTML without using any scripting languages!!!

[Carol Haynes]

Is there any way to restrict write access to the server to a whitelisted IP list?

[wraith808]

Just looking at that MySQL stuff (thanks 40Hz) and I am coming to the conclusion I don't want to do this anymore - too much stuff to learn to be able to be effective and no inclination to learn it.

All I want to do is run a few websites for local people I know and friends and not have to cope with bastards constantly attacking and disrupting everything.

So frustrating!!

Be far simpler in the long run to go back to hand coding pages in HTML without using any scripting languages!!!

-Carol Haynes (May 21, 2014, 08:20 AM)

Does Joomla have extensions/plugins for security?  I do the same thing- but Wordpress is my platform of choice.  I just use a few standard wordpress plugins and lock it down and it seems to work well.

How are the admin pages setup?  You can whitelist the IPs in a .htaccess that have access to the admin URL (if it's a separate URL) using regular expressions (I think).

[wraith808]

Looks like an excellent link that might have some ideas for you:

http://www.askwebhos..._An_Abuse_Issue.html

Specifically, point 4

4. Login to WHM (Web Hosting Manager) and click on "Contact Manager" under "Server Contacts" menu. Make sure you placed "2 or 3" on Alert Priority Assignment right beside "Recently Uploaded Cgi Script Mail". This will email you on a daily basis (if there are uploaded pages or scripts) that are set to use your smtp or mail on your server which could be the source of spam abusers to send out spam using your ip addresses. Setup a filter for it and it always is prefixed on the Subject: "[newmailcgi] Recently Uploaded CGI scripts" take note that even php form mail that are insecuredly setup to send spam are also reported to your email address setup as contact manager on your server's WHM. Make sure to actively monitor this and when it happened to give ample warnings to the user who uploaded this.

[40hz]

Just looking at that MySQL stuff (thanks 40Hz) and I am coming to the conclusion I don't want to do this anymore - too much stuff to learn to be able to be effective and no inclination to learn it.

All I want to do is run a few websites for local people I know and friends and not have to cope with bastards constantly attacking and disrupting everything.

So frustrating!!

Be far simpler in the long run to go back to hand coding pages in HTML without using any scripting languages!!!

-Carol Haynes (May 21, 2014, 08:20 AM)

With you 100% on that.

If I ever do up another website for myself it will definitely be hand-coded HTML and some well crafted CSS. No scripting language wanted or needed, thank you very much!

[wraith808]

Even with hand-coded HTML, if someone is intent on doing it, they can do it.

[40hz]

^Intent on doing what? Defacing a webpage? Bring it on. I'll just restore the site from backup.

But by not wanting to use pHp or related scripting languages, I was purely interested in doing it my own convenience. Not so much for security reasons. 

[Carol Haynes]

Looks like an excellent link that might have some ideas for you:

http://www.askwebhos..._An_Abuse_Issue.html

Specifically, point 4

4. Login to WHM (Web Hosting Manager) and click on "Contact Manager" under "Server Contacts" menu. Make sure you placed "2 or 3" on Alert Priority Assignment right beside "Recently Uploaded Cgi Script Mail". This will email you on a daily basis (if there are uploaded pages or scripts) that are set to use your smtp or mail on your server which could be the source of spam abusers to send out spam using your ip addresses. Setup a filter for it and it always is prefixed on the Subject: "[newmailcgi] Recently Uploaded CGI scripts" take note that even php form mail that are insecuredly setup to send spam are also reported to your email address setup as contact manager on your server's WHM. Make sure to actively monitor this and when it happened to give ample warnings to the user who uploaded this.

-wraith808 (May 21, 2014, 10:08 AM)

Fantastic exactly what I was looking for. I have also managed to get LFD and ClamAV sending email warnings and a daily off peak AV scan of the system.

LFD alerts are particularly useful because it also warns of email flooding events instantly which means I can quickly suspend an account while it is investigated.

[Madge]

I suspect it is a CRON job - my data centre says they have no such feature - anyone know how to set up a cron job to do this?

-Carol Haynes (May 21, 2014, 04:02 AM)

You can use this useful free webcron services to create cron job: https://www.easycron.com