xisto Community
iGuest

Protect Your Site Or suffer the consequences


Thinking your site is safe and knowing it is safe are two different things.

Hackers can easily get into any site that isn't protected. They can then access databases to find user information, steal files, or plant dubious files that will get your account taken off you.

To ensure that the above doesn't happen, you need to keep your site as secure as possible.

If you think that databases and the relevant programming (PHP, ASP, etc.) are secured, think again. Simple SQL injections, cross-site scripting, exposed session data or session hijacking are but a few suggestions that hackers use.

Google Hacking.

Last December set a new foot-mark for all hackers everywhere. The Santy worm used Google to search the web for sites vulnerable to a particular form of attack. The attack was only minor and the only damage done was the text on a front page of the site being changed. However, some 40,000+ sites were affected within...24 hours.

This is a daunting fact, as the worm could have easily been very serious. And who is to say the next one won't be.

The terrible news to all is that anyone can search for vulnerabilities in sites. For example, enter inurl:"passwd.txt" at Google. This command returns addresses that have passwd.txt in the URL.*

Don't Panic:

There are ways in which to help prevent hackers.

1) Don't use obvious file(s) and folder(s) names.

2) Use Gooscan from ihackstuff.com* to scan your site for various risks when searched for using Google.

3) Encrypt your coding.

4) The Google Hack Honeypot (ghh.sourceforge.net) pretends to be a vulnerable PHP application, but actually watches and records everything that an attacker does.

Overall: (adapted from a .NET article to suit.)

1) Check the log files of your site occasionally to look for any attempted attacks. A decent log analyser might help.

2) Make sure that the permissions on your site folders are set correctly.

3) Site developers should make sure that all input data is properly validated and anything that isn't validated is deleted.

4) Turn all detailed error reporting off if possible (set display_errors to 0 in PHP, for instance).

5) Think about the file extensions on your server. Use .inc for PHP included files, for instance.

6) If you want to protect a particular area of your site, then validate the user's login credentials every time.

7) Unexpected user input or actions can lead to application errors, giving away system information or causing other problems.

8) Be careful about browser caching.

Finally, there are no real 100% methods of trying to stop hackers, but if the worst should happen, contact your webhost for further help.

--mik:P

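The log check in item 1 of the "Overall" list, as an added example that is not part of the original post: a small Python scanner for Apache/nginx "combined" access logs that flags the kinds of requests the post describes (probes for passwd.txt and similar files, SQL injection and XSS markers, session IDs in URLs). The log lines and rule patterns are constructed for the demo; a direct request for a .inc file is flagged too, because such files are served as plain text unless the server is configured to treat them as PHP.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

# Detection rules for the request path (checked after URL decoding).
RULES = [
    ("sensitive file probe",
     re.compile(r"(?:^|/)(?:passwd|password|users?)\.txt(?:\?|$)|\.(?:inc|bak|sql)(?:\?|$)", re.I)),
    ("sql injection marker",
     re.compile(r"'\s*or\s*'?\d|union\s+select|--\s*$|;\s*drop\s", re.I)),
    ("xss marker", re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("session id in url", re.compile(r"[?&](?:phpsessid|sid)=", re.I)),
]

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2005:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jan/2005:10:00:05 +0000] "GET /backup/passwd.txt HTTP/1.0" 404 210 "-" "Googlebot/2.1"',
    '198.51.100.23 - - [10/Jan/2005:10:00:09 +0000] "GET /product.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 0 "-" "curl/7.1"',
    '198.51.100.23 - - [10/Jan/2005:10:00:12 +0000] "GET /lib/config.inc HTTP/1.1" 200 880 "-" "curl/7.1"',
    '203.0.113.9 - - [10/Jan/2005:10:01:00 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def classify(path):
    """Return the name of the first rule matching the decoded path, or None."""
    decoded = unquote(path)
    for name, rx in RULES:
        if rx.search(decoded):
            return name
    return None

def scan_log(lines):
    """Return (ip, status, path, reason) for every request that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        ip, _method, path, status, _ua = m.groups()
        reason = classify(path)
        if reason:
            hits.append((ip, int(status), path, reason))
    return hits

if __name__ == "__main__":
    for ip, status, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {status} {reason:22} {path}")
```

Repeated hits from one address, as in the sample, are the pattern to look for; a single 404 for passwd.txt is noise, a sequence of probes is a scan.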

Great post! I never knew that my site could be potentially so vulnerable to hackers. This post reminds me of another form of website "hacking", namely people simply loading the source code of your website and copying it for their own uses, to make their own websites. All the scripts you've painstakingly coded are stolen so easily by others. Also, on websites selling downloadable products such as ebooks, smart users can look at the source code and tell where the download page, which should appear only after payment has been made, is found. Then they can just download the product for free.


I forgot to equal the *.* = Attempt to do this at your own risk. All actions of this sort are IP recorded. It is also illegal. --mik


Another thing along these lines, although more for bandwidth thieves than hackers, is to have hotlink protection enabled....I went to check it out today, and found 5 myspace profiles direct linking to graphics from my websites! GA!


Oh wow, I can't believe these guys are doing this out of fun. I seriously hope these virus spreaders are warned or caught, because I don't want my sites to be down because of hackers and viruses finding the slightest opening to go thru and take control. There needs to be some great programs that can help.


heck yeah this is a great post... i need to do this... are there any extra steps i should take for a site made entirely in flash or does that make any kind of difference? i have the password protection enabled but im not sure if thats just for downloading or whatnot...


I didn't realise Google could do that. Lucky I don't have a passwd.txt on my site, but wow, I never knew. Nice guide Twitch! I am going to take some of your suggestions into mind while I work on my forum software... Thank you very much for the food for thought Twitch... There was actually another Santy worm a few months back, the Perl Santy B...


Thank you very much for all the tips, I will definitely keep all this in mind when I start to make my own website. I really never ever knew that my website was so vulnerable. Is there such a thing as a website that has become hack proof?


That is one good tutorial. Thanks for sharing! I thought that most files have the permissions set, but I guess I have to check them myself! Also good information about the Google hacking, but what can we do to avoid it?


Nice post, twitch. I also did not realize that I was so exposed. Moreover, when I had problems running my PHP programs, I read some hints saying "chmod 777 every file and directory". The chmod was great, my bug disappeared, but now I realize that chmod 777 makes any file readable by everyone, so there is a way for anybody to copy everything. On Xisto we could imagine doing professional work, selling things, having customers' addresses in the database, and that could be dangerous. Not for myself, because my databases are empty or have only flower picture addresses, but I hate the principle that everything could be hacked. Especially if my first page has unwanted things and if I have no backups. So, very nice tutorial, thanks a lot.

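Following up on the chmod 777 point in the reply above and on item 2 of the original post's "Overall" list, as an added example that is not part of the thread: a Python audit that walks a document root and reports every file or directory that is writable by group or other, the state a blanket chmod 777 leaves behind. The demo tree it inspects is constructed in a temporary directory; point audit_tree() at a real document root to use it.

```python
import os
import stat
import tempfile

def audit_mode(mode):
    """Return a list of problems for a st_mode value (empty if it looks fine)."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    # A world-writable directory without the sticky bit lets anyone delete or
    # replace other users' files in it.
    if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        problems.append("world-writable dir without sticky bit")
    return problems

def audit_tree(root):
    """Walk root and return [(relative_path, octal_mode, problems), ...] for bad entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue          # don't follow symlinks out of the web root
            mode = os.lstat(full).st_mode
            problems = audit_mode(mode)
            if problems:
                findings.append((os.path.relpath(full, root), oct(stat.S_IMODE(mode)), problems))
    return sorted(findings)

def make_demo_tree():
    """Constructed sample: one 'chmod 777' file, one 644 file, one 755 directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o755)
    for name, mode in (("config.php", 0o777), ("index.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // demo\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, mode, problems in audit_tree(make_demo_tree()):
        print(f"{mode} {rel}: {', '.join(problems)}")
```

On a typical host, files should be 644 and directories 755; the web server only needs read access, and the PHP interpreter does not need the execute bit on .php files.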

So what is really a best thing to do, If I plan to run a site with payable content... how can I hide download links to be efficient and good, and that one user who downloads file, can't be able to guess a download link again, and share it...??
