Remove Unused/Testing/Debug Software From Your Site

We constantly see sites hacked due to vulnerabilities in various tools. In most cases, site owners don’t even realize they are there, or don’t even remember they were installed.

Higher Risk for Issues

For example, a site owner/manager has to make a quick modification in the database and installs phpMyAdmin, a few months (or even years) later their site gets hacked through a vulnerability discovered in phpMyAdmin.

One we are seeing often is found in webadmin.php (a script to manage sites). The user downloads the script and leaves it on the server, a short time later someone scans for the script, finds the file, and compromises the server.

The same applies for unused themes or plugins (if using WordPress). If you tried multiple themes or plugins, make sure to remove them once you are done. If it’s not in use, why store it on the server? You’re increasing your risk floor by keeping these files on the server, and you’re not even using them. In most cases, a vulnerable script found in a theme or plugin can be exploited whether the theme/plugin is activated or not. In our opinion, any exploit stinks, but the smell is especially rancid if you aren’t even using the software that gets exploited.

Remember the timthumb.php vulnerability? Come on, we know you do. Although a lot of sites were and are still actively using this script, 1000’s of sites were hacked because they had unused themes (or plugins) that included a vulnerable version of the script. Yes, in a lot of cases the script wasn’t even enabled, it was just sitting there idle on the server.

Another fun one we see all the time consists of test or demo accounts. Generally, test accounts are created with weak passwords, are shared, and can be easily compromised. Words of wisdom, GET RID OF THEM! It’s best to practice least privilege – only allow access to the right people, for the right amount of time, and only enough to get their job done. Make sense?

A Quick Checklist:

  • Have you installed PHPMyAdmin, webadmin, uploadify or some other tool you’re not using?
  • Have you tried multiple themes/plugins/modules on your site that are just hanging out and relaxing on your server?
  • Have you created test accounts for admin, some guy named Joe, or even yourself to test things? Yes, we realize if your name is Joe, the last two are the same. (FTP, SSH, wp-admin, etc)?
  • Have you set up test sites that are running the original version of WordPress, or even better, some home brewed .ASP app you learned how to code in a college programming class? Are they still there?

If you answer yes to any (or, in the case of some of you, all) of these questions here’s what to do:

How DId They Know

  • Remove all unneeded software from the server. Even at rest, over time, the risk of being exploited is growing.
  • If an account is not in use, don’t keep it. What for? If you absolutely need to keep it, which we don’t think you do, make sure to update the credentials to something uber-strong, and don’t share them with anyone.

In the security world, can you be 100% secure? Here’s our answer – NO! The name of the game is reducing risk. Security is all about protecting things of value from harm’s way. If you can implement solid controls, and follow best practices, you’re putting yourself in a more favorable position.

Have some ideas on how to mitigate some of the risks involved with being a site owner/manager? Leave us your thoughts in the comments, we’d love to hear from you!

Don’t forget to scan your site for malware, it’s free – Sucuri SiteCheck

Protect Your Interwebs :D

Scan your website for free:
About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.