<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Disqus - Latest Comments for WeWatchYourWebsite</title><link>http://disqus.com/by/WeWatchYourWebsite/</link><description></description><atom:link href="http://disqus.com/WeWatchYourWebsite/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Fri, 10 Nov 2017 09:57:16 -0000</lastBuildDate><item><title>Re: 4 security aspects to consider when choosing a web hosting provider</title><link>https://knowtechie.com/4-security-aspects-consider-choosing-web-hosting-provider/#comment-3609688720</link><description>&lt;p&gt;This highlights the need for off-site backups. Backups should be taken daily and stored off of the hosting provider's servers. Don't forget to back up databases too. Keep in mind that SSL does not protect your website. It protects the data entered on your website from being "sniffed".  I won't talk about the vendor mentioned for malware detection...&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Fri, 10 Nov 2017 09:57:16 -0000</pubDate></item><item><title>Re: Does Your Startup Dream End At 30?</title><link>http://ramlijohn.com/does-your-startup-dreams-end-at-age-30/#comment-1311975844</link><description>&lt;p&gt;I'll be 58 later this year. I feel energized by my drive and determination. I usually begin my workday around 3:00am and work until 6 or 7pm. 
I'm not sure what you younger people have that I don't - maybe nothing.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Mon, 31 Mar 2014 12:33:49 -0000</pubDate></item><item><title>Re: Speedy attack targets Web servers with outdated Linux kernels</title><link>http://www.itworld.com/security/410818/speedy-attack-targets-web-servers-outdated-linux-kernels#comment-1294696097</link><description>&lt;p&gt;I commend Cisco for their report, however, to think that it's the kernel version that the hackers used as their point of entry is unfounded. This type of infection is typically either from outdated CMS software or stolen login credentials. Having cleaned over 440,000 websites, we've seen this infection and it's typically been one of those reasons. If it was the server that was used as the point of entry, the hackers would have used it to send spam or for other nefarious needs.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Fri, 21 Mar 2014 08:59:05 -0000</pubDate></item><item><title>Re: 'Coding error' on NHS website redirected users to malicious sites</title><link>http://www.computing.co.uk/ctg/news/2326751/coding-error-on-nhs-website-redirected-users-to-malicious-sites#comment-1231710271</link><description>&lt;p&gt;Um, according to the article it wasn't a vulnerability, it was a typo. Why go on and on about vulnerability scans when this particular issue was caused by a typo? Should it have been caught before it was widespread? Yes. 
But a vulnerability scan wouldn't have shown how this happened.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Wed, 05 Feb 2014 06:53:47 -0000</pubDate></item><item><title>Re: Could XSS be the chink in your website's armour?</title><link>http://www.information-age.com/technology/security/123457575/could-xss-be-the-chink-in-your-website-s-armour-#comment-1190531247</link><description>&lt;p&gt;The problem here is that most website owners don't know how to sanitize their code. They get a hosting service, download WordPress or Joomla, buy a template and put up a website. They're not programmers. Also, they're not going to know how to read log files to know what normal, or usual traffic looks like and therefore not know what unusual behavior looks like either. Then they'll call their hosting provider after their site has been infected and complain.&lt;/p&gt;&lt;p&gt;This article needs to be re-titled.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Tue, 07 Jan 2014 10:14:09 -0000</pubDate></item><item><title>Re: Think twice before you accept that &amp;#039;friend&amp;#039; request</title><link>http://blogs.csoonline.com/social-engineering/2815/think-twice-you-accept-friend-request#comment-1111181605</link><description>&lt;p&gt;We frequently see phishing emails that appear to be a friend request or LinkedIn connection, however simply hovering over the links reveals the real link and often it's not who they pretend to be.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Wed, 06 Nov 2013 10:55:16 -0000</pubDate></item><item><title>Re: Google&amp;#039;s web crawler linked to SQL Injection attempts</title><link>http://blogs.csoonline.com/application-security/2821/googles-web-crawler-linked-sql-injection-attempts#comment-1111162158</link><description>&lt;p&gt;It 
appears that the only safe way is to have good security regardless of where the traffic is coming from. If you're blocking SQL injection there shouldn't be any whitelisted IP addresses. If you're blocking RFI, there shouldn't be any whitelisted IP addresses. Not even Google. :)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Wed, 06 Nov 2013 10:39:52 -0000</pubDate></item><item><title>Re: Weaponized Antivirus: When Good Software Does Bad Things</title><link>http://www.securitywatch.pcmag.com/hacking/317184-weaponized-antivirus-when-good-software-does-bad-things#comment-1102088565</link><description>&lt;p&gt;That is incredible! Thank you for the insight. I've known for a while now that hackers are extremely smart (the hackers at the top of the ladder anyway). This proves it.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Wed, 30 Oct 2013 08:30:17 -0000</pubDate></item><item><title>Re: WordPress attacks showcase botnet owner's expanding tricks</title><link>http://www.scmagazine.com/wordpress-attacks-showcase-botnet-owners-expanding-tricks/article/288947/#comment-865078495</link><description>&lt;p&gt;I'm not so sure this recent attack is trying to build a possible DDoS botnet. Most hosting providers and WordPress owners are notified quickly when their sites are breached. The infectious code doesn't stay there very long, so it's doubtful they could plan any future large-scale attacks.&lt;/p&gt;&lt;p&gt;My theory, and it's just my theory, is that they were using this distraction for more nefarious purposes. We did see on our honeypots that while they were using many common passwords, there were far too many legitimate looking passwords buried in this attack. 
It seems as if they were launching this massive attack to only gain foothold of some sites they already had the passwords to but wanted to overload the log files with thousands of attempts.&lt;/p&gt;&lt;p&gt;That's just my opinion, I could be wrong. (quoting Dennis Miller)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Tue, 16 Apr 2013 08:21:37 -0000</pubDate></item><item><title>Re: How To Keep Your Mac Malware Free</title><link>http://www.pcmag.com/Blog.aspx/Entry?articleId=308888#comment-827910600</link><description>&lt;p&gt;Thank you for these tips. We frequently find that legitimate websites are infected via stolen login credentials. Often times the website owners are Mac users and rarely do we see any anti-malware software. Now with these tips we can help them help themselves.&lt;/p&gt;&lt;p&gt;Nicely done!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Wed, 13 Mar 2013 09:17:10 -0000</pubDate></item><item><title>Re: Hacking of Indian National Security Guards Sends a Security Message to All Corporations</title><link>http://asia.tmcnet.com/topics/india/articles/195410-hacking-indian-national-security-guards-sends-security-message.htm#comment-247989511</link><description>&lt;p&gt;It could be that this particular website was hacked simply because the defacer found a vulnerability and exploited it. Quite often people think their site was targeted by hackers when in fact a vulnerability was found and exploited.&lt;/p&gt;&lt;p&gt;The really frightening part of this is how much further the hackers could have gotten, if they really wanted to. 
To me, the fact that they didn't go any "deeper" means they weren't really targeting the site as much as they just found an opening, and walked in.&lt;/p&gt;&lt;p&gt;That's my opinion - that's all.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Mon, 11 Jul 2011 16:49:42 -0000</pubDate></item><item><title>Re: Federal Government, Partners Educate Small Organizations on Website Security</title><link>http://www.tmcnet.com/topics/articles/191155-federal-government-partners-educate-small-organizations-website-security.htm#comment-247819736</link><description>&lt;p&gt;The problem with this approach is that the majority of websites are owned by small business owners. Many of them know how to run a business, but they may not even know if they have a SQL database. They also believe that hackers don't want their small sites. They believe that hackers only want what the larger websites have. Therefore, the millions and millions of websites on the Internet will never read this information.&lt;/p&gt;&lt;p&gt;The people who own websites need to know if their WordPress blog is vulnerable and what to do about it. Or is their osCommerce site going to be infected. Those are terms and situations they understand.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Mon, 11 Jul 2011 14:46:14 -0000</pubDate></item><item><title>Re: How To Check for Old, Vulnerable or Exploited Joomla Extensions</title><link>http://interactiveonline.com/joomla/how-to-check-for-old-vulnerable-or-exploited-joomla-extensions#comment-201973346</link><description>&lt;p&gt;That is great advice. Quite often hackers do search for vulnerable extensions. 
The one thing I would suggest in your procedure is to use Joomla's Vulnerable Extension list: &lt;a href="http://docs.joomla.org/Vulnerable_Extensions_List" rel="nofollow noopener" target="_blank" title="http://docs.joomla.org/Vulnerable_Extensions_List"&gt;http://docs.joomla.org/Vuln...&lt;/a&gt; to do your comparison with. There are also ways to protect the extensions without updating. We don't recommend this, but at times, the original author may have charged some fee for the extension and it might not be feasible to update - although that is always recommended.&lt;/p&gt;&lt;p&gt;Good advice. &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Thu, 12 May 2011 06:52:17 -0000</pubDate></item><item><title>Re: Update: Attack on Network Solutions Hosting Customers</title><link>http://blog.networksolutions.com/2010/update-attack-on-network-solutions-hosting-customers/#comment-31377231</link><description>&lt;p&gt;Well done. Handled in a responsible way. I congratulate you on being an example of how this type of situation should be handled.&lt;/p&gt;&lt;p&gt;You didn't "sweep it under the rug". You announced it and took corrective action.&lt;/p&gt;&lt;p&gt;Nicely done.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Tue, 26 Jan 2010 09:40:08 -0000</pubDate></item><item><title>Re: Help my Joomla web site has been hacked!! | Tips and Tricks - brian.teeman.net</title><link>https://brian.teeman.net/joomla/246-help-my-joomla-web-site-has-been-hacked#comment-20705136</link><description>&lt;p&gt;While I was reading your post here I immediately thought that it must be a virus/trojan on that person's computer. We've seen this numerous times. Especially when considering the common denominators: all Joomla sites, all one main contact person. I honestly, rarely assume that it's Joomla. 
I know not everyone keeps their sites up-to-date, but I don't like pointing fingers at software - unless it's the anti-virus industry.&lt;/p&gt;&lt;p&gt;These new viruses and trojans steal FTP login credentials then just have their automated programs use valid FTP credentials to hack as many websites as possible. They do it all the time.&lt;/p&gt;&lt;p&gt;After reading your post, I will have to start considering what plugins people have installed on their websites.&lt;/p&gt;&lt;p&gt;Thank you for the insight, your thought processes and your investigative work.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Wed, 21 Oct 2009 11:23:11 -0000</pubDate></item><item><title>Re: 55,000 Hacked Sites Serving Malware Coctail</title><link>http://threatpost.com/blogs/55000-hacked-sites-serving-malware-coctail-124#comment-15562901</link><description>&lt;p&gt;@Jen,&lt;/p&gt;&lt;p&gt;Well GoDaddy might be partially correct. It might not have been "cracking" the password, but it may have been from a compromised FTP password.&lt;/p&gt;&lt;p&gt;Many sites have been hacked by compromised FTP credentials. Not hacked, but by a virus on a PC with FTP access to the hacked website. This virus can steal the FTP credentials in a few different ways.&lt;/p&gt;&lt;p&gt;First, it knows where many popular FTP programs store their saved usernames and passwords. It scans for these files, opens them, steals the credentials and sends them to a server where the server will carry out the hack.&lt;/p&gt;&lt;p&gt;Second, the virus is also a keyboard logger and it just waits until there is some FTP traffic then it records the keystrokes which will capture the login credentials and carry out the hack.&lt;/p&gt;&lt;p&gt;Third, it sniffs the FTP traffic leaving the PC. 
Since FTP transmits all data, including FTP credentials, in plain text, it's easy to steal the login information.&lt;/p&gt;&lt;p&gt;Fourth, it injects the malscript into the FTP data stream as the files are being sent to the website. This is the most difficult to detect because if you look at the FTP logs, all that is seen is files being sent from a legitimate IP address.&lt;/p&gt;&lt;p&gt;What these methods point to is getting and keeping all PCs with FTP to websites, clean.&lt;/p&gt;&lt;p&gt;Since the current anti-virus doesn't see the virus, a new anti-virus program needs to be installed because the virus obviously knows how to evade detection of the current anti-virus program.&lt;/p&gt;&lt;p&gt;Many have had good success using: AVG, Avast, Avira or Malwarebytes.&lt;/p&gt;&lt;p&gt;Scan and clean all PCs with FTP access, then change the FTP passwords and then replace the files on the website with known, good files.&lt;/p&gt;&lt;p&gt;Although, I'm sure you knew all this already. I just thought I'd post it for others.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Sat, 29 Aug 2009 07:17:52 -0000</pubDate></item><item><title>Re: 55,000 Hacked Sites Serving Malware Coctail</title><link>http://threatpost.com/blogs/55000-hacked-sites-serving-malware-coctail-124#comment-15375365</link><description>&lt;p&gt;It appears from reviewing thousands of these sites, that most of them are using .asp or .aspx pages which are generally dynamically generated.&lt;/p&gt;&lt;p&gt;This leads us to believe that this is probably a SQL injection attack as the dynamically generated pages probably derive their content, or a portion of it, from a back-end database.&lt;/p&gt;&lt;p&gt;Some of the iframes injected are right in the middle of legitimate lines of html code furthering our theory of the SQL injection.&lt;/p&gt;&lt;p&gt;That’s just our opinion, we could be wrong&lt;br&gt;&lt;/p&gt;</description><dc:creator 
xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Tue, 25 Aug 2009 16:48:20 -0000</pubDate></item><item><title>Re: Stolen FTP credentials likely in massive web attacks</title><link>http://threatpost.com/blogs/stolen-ftp-credentials-likely-massive-web-attacks#comment-10514498</link><description>&lt;p&gt;The method used to steal the FTP credentials is a virus/trojan on the PC used to update the website.&lt;/p&gt;&lt;p&gt;We've seen numerous cases where the FTP credentials were "sniffed". Since FTP transmits in plain text, sniffing the username and password is easy. That information along with the destination IP address of the website are sent to a server.&lt;/p&gt;&lt;p&gt;That server downloads the website, modifies the code, then re-uploads to the original server with the malscripts inserted. It then checks that website periodically to see if their "modifications" are still there. If not, it tries it again.&lt;/p&gt;&lt;p&gt;We're encouraging people to change their FTP password then move to either SFTP or FTPS to transfer to their websites. These 2 protocols encrypt the data and the login credentials so it's nearly impossible to "sniff".&lt;br&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WeWatchYourWebsite</dc:creator><pubDate>Fri, 05 Jun 2009 04:50:21 -0000</pubDate></item></channel></rss>