
Minimize your chances of being Hacked

Status
Not open for further replies.

actnow

Level 9
Legacy Exclusive Member
Joined
Mar 19, 2003
Messages
4,868
Reaction score
10
How do you minimize your chances of being hacked?

It is speculated that DNJournal was entered through cpanel.
Is there a back-door in cpanel?

This discussion will not help the hackers. They already know
most of the tricks.

I'm hoping this helps us "novice" on how to reduce our chances of this
happening to us.

Unfortunately, part of the reason it happened to DNJ is because of the
site's high profile.

Are there certain types of servers more susceptible to being hacked?

Are there certain html editors open to hacking? (ie, Frontpage, etc)

Can a password be blitzed until it is beaten?
(Why doesn't it shut down after so many attempts?)

Is spyware a factor in successful hackings?

What should we do to learn from this situation?
 

MrDude

Level 8
Legacy Platinum Member
Joined
Jun 10, 2005
Messages
1,219
Reaction score
1
These are my opinions; some of you may not agree, but here goes:

How do you minimize your chances of being hacked? All you can do is apply the latest server security patches and updates, patch all software, have a good-quality firewall configured correctly, don't stay with default settings, and have a secure, at least 12-character password mixed with numbers and letters.

Is there a back-door in cpanel? There is a backdoor in everything; it just needs to be found. If somebody really wants in, they can get into anything.

Are there certain types of servers more susceptible to being hacked? I'm not sure.

Are there certain html editors open to hacking? (ie, Frontpage, etc) Just chmod your files correctly. Maybe encrypt your source code.

Can a password be blitzed until it is beaten? Yes, this is called brute forcing. I have played around with this method (on my own password) and it took a little over a day to complete.

Is spyware a factor in successful hackings? Spyware could be a factor; spyware can contain keyloggers etc. which send information back home. Spyware may or may not be a cause of this.

What should we do to learn from this situation? We should take extra precautions, learn that our websites are never safe, and always take regular backups.
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
There is a book called: "Hacking Exposed - Network Security Secrets & Solutions" by Stuart McClure, Joel Scambray and George Kurtz, which was extremely helpful to me when I had a security problem last year.
 

darrenl

Level 8
Legacy Platinum Member
Joined
Sep 22, 2003
Messages
1,856
Reaction score
4
There is an easy way to boost security to your site. If you are using the htpasswd-style login that cPanel uses, DO NOT USE WORDS or common things as your password. Also make it so the password is longer than 8 letters and includes a = because I hear brute force programs cannot crack that character. If you use PHP, use the addslashes() function on your variables that are received via forms or urls. Hope this helps.
 

labrocca

Omniscient
Legacy Exclusive Member
Joined
Mar 14, 2004
Messages
1,452
Reaction score
3
Also alternate lower and upper case. I use a rather complex password for my server. Also I don't use nor trust cpanel.
 

GT Web

DNF Addict
Legacy Exclusive Member
Joined
Feb 21, 2003
Messages
6,459
Reaction score
3
this is a very newbish question, but how would the hacker use "brute force" to gain access?

for example, say my password is "greenapple"....how would this be easier to crack than "gH61l0JAo6gaA"
 

SouthernTn

Level 8
Legacy Exclusive Member
Joined
Feb 7, 2005
Messages
2,025
Reaction score
0
GT Web said:
this is a very newbish question, but how would the hacker use "brute force" to gain access?

for example, say my password is "greenapple"....how would this be easier to crack than "gH61l0JAo6gaA"


From what I remember a while ago.. I don't think it's easier or harder.. A certain password, using lowercase/uppercase/letters/numbers, will take someone longer to crack.. The longer it may take them, the less it may make them want to do it.. and they'll just stop... I think.
 

GT Web

DNF Addict
Legacy Exclusive Member
Joined
Feb 21, 2003
Messages
6,459
Reaction score
3
but do the people just start randomly guessing passwords?
 

darrenl

Level 8
Legacy Platinum Member
Joined
Sep 22, 2003
Messages
1,856
Reaction score
4
No, they have a program that's like that program in the Terminator; it checks A LOT of combinations.
 

Steen

Level 9
Legacy Platinum Member
Joined
Mar 24, 2003
Messages
4,853
Reaction score
1
Hmm- I was once hacked...
 

esger

DNF Newbie
Legacy Exclusive Member
Joined
Mar 28, 2004
Messages
80
Reaction score
0
Backup, backup, backup. Patches, updates, and complex passwords could help, but if a good hacker really wants to hack your site, he will find a way....
 

Bender

Bending
Legacy Exclusive Member
Joined
Apr 16, 2004
Messages
1,737
Reaction score
0
GT Web said:
but do the people just start randomly guessing passwords?
There are lists of common passwords available on the net. You'll be surprised also how many people use their name or birthday as a password.
Let me give you a real example, on a site I manage:

845 people use "123456" as their password.
365 people use "password" as their password.
269 people use "12345" as their password.
243 people have "1" as their password.
With a dictionary attack, in a few seconds the hacker can login.
Other "brilliant" passwords:
"qwerty","123","abc123","hello"

I always suggest a password like this:
=AXdBnM<>}{)(=REwq
This is not hacker proof, but using brute force it will take a few days to crack.
 

namestrands

The Bishop
Legacy Exclusive Member
Joined
Jan 16, 2005
Messages
3,924
Reaction score
6
GT Web said:
but do the people just start randomly guessing passwords?

Brute force is like trying many different ways to kick down a door.. It is an automated script that tries every possible combination of letters, numbers etc. once you have the username.

the script hits the login system

a
aa
aaa
........
abaa
abba
abbb
.........

I am sure you can get the picture.. however I am sure you can imagine how many different possible combinations there are (billions), so this method is a last resort unless you know exactly how many letters the password is.

Brute attacks are also used for sites run by ex-army types, as for some reason they love to use their ID codes, e.g. 24948622, as their passwords.

A better and quicker method is a dictionary attack, as people tend to use passwords they can easily remember.. like a girlfriend's name or their favourite drink or sports team.. this is done by using a thing called a wordlist.

Unfortunately there is not much you can do to prevent exploitable holes in your software, or someone calling up your ISP and using social engineering to gain access to your account details..

Never use the same password.. Change your password at least once a month. Think like a hacker.. if you had to gain access to your account, what would you do..

Security starts with your own home computer: avoid cracked software and downloading cracks, as some contain trojans.. if you get an email asking you to sign up for something that is too good to be true, then it probably is.. information like your date of birth and city of birth and mother's maiden name is great ammunition for a hacker.

Think of all your internet email accounts, forums, ppc, messenger as links in a chain.. each one makes the chain stronger, but if you ignore one the whole chain is vulnerable and weak.

...

Consider the fact that each time you sign up for something online you are giving these people all the information they need to get access to all your other online accounts. You could have the strongest password in the world protecting your webhosting, but your email account uses the same username and password you use for everything else.. a simple request to the hosting company and they email the password to your registered account.. THINK OF THE CHAIN.
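To put concrete numbers on the wordlist-versus-brute-force reasoning in the post above, and on GT Web's "greenapple" question: an added example, not code from any poster, that scores a password first by wordlist membership and then by the keyspace an exhaustive run would have to enumerate. The tiny wordlist, the 128-symbol allowance for Alt-code characters, and the 1,000 guesses/second rate are constructed assumptions.

```python
import math
import string

# Constructed stand-in for the wordlists the thread mentions (real lists hold millions).
COMMON_PASSWORDS = {"123456", "password", "12345", "1", "qwerty", "123",
                    "abc123", "hello", "greenapple"}

# Character classes roughly matching the keyboard sets the posters discuss.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# Assumption: a character outside printable ASCII (e.g. an Alt-code glyph)
# forces the attacker to add roughly one more 128-symbol range.
EXTENDED_RANGE = 128


def alphabet_size(password: str) -> int:
    """Smallest obvious alphabet an attacker must enumerate to cover every character."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        size += EXTENDED_RANGE
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive run over the same length and alphabet enumerates."""
    return alphabet_size(password) ** len(password)


def assess(password: str, guesses_per_second: float = 1000.0) -> dict:
    """Score a password the way the thread reasons: wordlist first, then brute force."""
    in_wordlist = password in COMMON_PASSWORDS
    # A wordlist hit costs at most one pass over the list; otherwise the
    # attacker is back to exhaustive search. The default rate is a constructed
    # figure for a script hammering a login form, not a measured number.
    guesses = len(COMMON_PASSWORDS) if in_wordlist else keyspace(password)
    return {
        "in_wordlist": in_wordlist,
        "alphabet": alphabet_size(password),
        "keyspace": keyspace(password),
        "bits": round(math.log2(keyspace(password)), 1),
        "worst_case_days": guesses / guesses_per_second / 86400,
    }


if __name__ == "__main__":
    for pw in ("123456", "greenapple", "gH61l0JAo6gaA", "=AXdBnM<>}{)(=REwq"):
        print(pw, assess(pw))
```

The "bits" figure is the usual log2 of the keyspace; a wordlist hit makes that figure irrelevant, which is why "greenapple" scores as instantly guessable despite its 47-bit alphabet.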
 

Prosperous

Level 9
Legacy Exclusive Member
Joined
Feb 19, 2003
Messages
3,059
Reaction score
5
Some great tips there.

Also, be careful copy/pasting passwords for log-ins. For example, copy this now:
Pass123Word

Next, in IE, go to: http://tinyurl.com/bqcub



.
 

stevey

DNF Regular
Legacy Exclusive Member
Joined
Aug 23, 2004
Messages
679
Reaction score
0
when using database driven websites always change the table prefix so it makes it harder to do sql injections.

passwords: you should use more than just upper and lower case and numbers, you should also use !"£$%^&*()@:~ etc.. keys and to make it even harder again you should use the Alt key such as; ↔♣ì←╒§¶δ¢♠Æ8 etc... and you should rotate your password every so often (for people who don't know what alt keys are, they are when you hold down the ALT key and type in numbers, then release the ALT key; some combinations are: 1-32, 127-130, 132, 134-135, 142-146, 148, 153-159, 164-255, 0127, 0131, 0135, 0149,
0160-0167, 0170-0172, 0176-0178, 0181-0183, 0186-0189, 0191, 0196-0199, 0201, 0209, 0214, 0220, 0223, 0228-0231, 0233, 0241, 0246, 0247)

you should also check your pc on a regular basis for key loggers and signs of strange activity, you can use programs such as hijackthis to view everything running on your machine and terminate them if needed

never store passwords on your pc, clear your cookies regularly, if you need to store passwords then either write them down on paper and store in a safe place, or store your passwords on removable media, such as a floppy disk

one of the most important things is to keep all your software up to date
 

Theo

Account Terminated
Joined
Feb 28, 2004
Messages
30,316
Reaction score
2,217
According to RJ at NamePr0s, his account was compromised when tech support actually handed the info to the hacker over the phone. It's called "social engineering".

Some useful reading.
 

SouthernTn

Level 8
Legacy Exclusive Member
Joined
Feb 7, 2005
Messages
2,025
Reaction score
0
The Art of Deception is about gaining someone's trust by lying to them and then abusing that trust for fun and profit. - I'm guilty of doing this to girls in my days lol .. just playing :-D

Thanks for the tips. I'm starting to use &$#&#^ type of characters at the moment.
 