Ask Sucuri: How to Stop The Hacker and ensure Your Site is Locked!!

With the rise in web malware over the last 6 – 12 months, it’s important that we take some time to continue to educate and offer insight into ways that can help you stay ahead, in the hopes of stopping the hacker.

Understanding The Hacker

Before we get started, lets take a look at the name “Hacker.” What many folks don’t realize is that while “Hacker” is often associated with bad, it also has a good association.

To the popular press, “hacker” means someone who breaks into computers. Among programmers it means a good programmer. But the two meanings are connected. To programmers, “hacker” connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not. – source: Paul Graham

It’s also good to understand the different hacker classifications:

  • White-Hat – these guys often work for companies like ours, they are set on identifying security weaknesses and disclosing them appropriately, while not exploiting them.
  • Grey-Hat – as the name implies, these guys are in the middle. They are not on either side of the spectrum, but have the skill-sets to manipulate information systems into doing what they prefer.
  • Black-Hat – as you might imagine, these are the trouble-makers. Often finding and exploiting weaknesses in hardware and software alike.

In the rest of this post we’ll talk specifically to black-hats.

Black-hats, more often than not, are working with an agenda and it often revolves around monetary gain of some sort. That being said, it could also be around social awareness – bringing attention to a cause with no real monetary gain. To stay in business, their tactics must evolve, in some cases their lack of creativity makes it easy to identify and decipher.

Some of the more common tactics include:

  • Defacements
  • Stealing Content (Copy Scraping)
  • Hi-jacking Twitter feeds and followers
  • SEO Poisoning
  • Malicious Redirects
  • Injected Obfuscated Code
  • Phishing Attempts

What’s important to understand in all this is that the target is often the weakest in the pack. So what does weak mean? Glad you asked:

  1. Website with known vulnerabilities
  2. Out of Date Software
  3. Bad Usernames and Passswords

What’s also important to note is that if your website lives in the interwebs then its fair game. Attackers usually scan a large array of sites at one time, and they find great benefit in attacking sites with a high volume of traffic.

What most people don’t realize is that the impact can be the same. Its about reaching as many people as possible.

I only write about cup-cakes, no one will want to hack me. – unsuspecting victim

Often case the hacker doesn’t even know what site they’ve injected. Today’s more common technique makes use of things called botnets to do the dirty work for them. The process will begin by running random scans across servers and ports, first trying to identify entry points to the environment, then moving on to web applications and looking for known vulnerabilities in the software, weak access credentials, out of date software and other similar issues.

Stop the Hacker!

So how do you make it stop? -infected victim

A question we get every day. People are always looking for that silver bullet that puts the big bad hacker down for good. We’re here to say that there is no such thing in this business. Want to know why, read the first section “Understanding the Hacker.”

When money and passion are involved, you will have those willing to invest their time and energy to come up with the next attack vector. Don’t allow yourself to become that unsuspecting victim writing about your hobbies or cupcakes.

Things you can do to stop the hacker include:

  • Stay away from Soup Kitchen servers – dedicate a server for your testing, staging and production environment. Familiarize yourself with the concept around website cross-contamination.
  • Please, please, please update your software – this includes all thing from the web server OS, CMS platform, associate plugins and themes. In the last month or so we have seen updates to both WordPress and Joomla.
  • Back up your site, data and anything else associated with the site – don’t back it up onto the same server, that kind of defeats the purpose of a backup.
  • Engage a professional – Would you allow your cousin to operate on you if you needed surgery?
  • Use unique credentials, stay away from admin and use random generators for your passwords. This applies to everything from your cpanel to database access, every one of those access points are possible attack vectors. Here is an article you might find interesting talking to how someone would crack your credentials, “How I’d Hack Your Weak Passwords“. Here is another one of a small test we did internally to identify the most commonly used credentials through the use of brute-force attacks.
  • Don’t forget about your local environment, ensure you are running an AV on your machine – more often than not we see infections initiate from compromised  machines housing trojans.
  • Educate yourself – learn the do’s and don’ts about operating your own website, even if you have a professional. Don’t let yourself be a victim to a professional.
  • Learn how to use .htaccess to lock down your site.
  • Proactively scan your site manually to make sure things aren’t missed. There are a number of tools available to you, here are a few free tools (no emails and or registrations required): SiteCheck and UnmaskParasites.

Things to Ask a Web Malware Company

If you do get hacked and you engage with a malware company make sure you know what you are looking for. Here are a few things to ask the service provider:

  • Do your fees include cleanups?
  • Will your monitor catch everything? If they say yes, turn the other way. Google doesn’t even catch everything. If one company had mastered that then there wouldn’t be a need for so many service providers.
  • If they do, how many cleanups do you offer under the existing fee structure?
  • Do you guarantee they won’t come back? If they say yes, turn the other way. No one can guarantee you this.
  • How does the cleanup work?
  • Will my site stay in operational order? If destroyed, what happens then?
  • What access will you require?
  • Do your plans cover a site or a server?
  • Does my host configuration matter?

Closing Thoughts

Contrary to the phrase, stopping the hacker is more of an idea than a reality. If it were a reality, there wouldn’t be so many new providers trying to penetrate the market space. What there is however, is a number of proactive steps you can take to ensure you are not an easy victim.

The web malware problem is growing month over month, and everyday we are seeing new adaptations to the same problems. What’s probably most frustrating of all is the vectors we are seeing exploited are so simple to address if only you, the end-user, would become more aware and proactive.

Know where to go to get help for free:

Key word of the day: Proactive!

Scan your website for free:
About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response as well as offensive counter measures. Catch my personal rants on tonyonsecurity.com and follow on twitter at perezbox.