Discussion in 'General Troubleshooting' started by seekyt, Feb 26, 2011.

    My website has been repeatedly hacked by Russians (or at least I assume they are Russian).

    Good member accounts appear to be posting journals in the Russian language with nothing but links to other Russian websites in them. It only seems to happen with journals, and I know it's not these members - in fact, there is no trace of anyone even posting those journals in Piwik.

    I have resorted to denying access to Russian users using an IP block range in the .htaccess file, but I don't know how effective this is since they could technically use proxies or other means to get back in.

    Has anyone experienced anything similar on their Hotaru sites? I don't know if my members' accounts are actually being accessed, or if it's a security flaw with the journal code, or what.

    Does anyone have any solutions for this issue, or any advice on what I can do?

    I've had similar issues with numerous platforms (WordPress, SMF, phpBB, etc.) where valid accounts were effectively taken over and used to post spam, dangerous links, or infected files. It is incredibly difficult to solve the problem 100% because there are a number of very common tricks that effective script-kiddies can employ.

    Regarding "good member accounts", ensure these people are using long passwords that are not simply words with a number after. After requiring a number of my sites to require a combination of special characters, non-dictionary words, and numbers, account take overs dropped almost to nil. That said, the "forgot password" function use sky-rocketed ... but that's okay.

    Another tactic that can be employed is IP filtering of good member accounts. Good members typically post from only a handful of IPs. You can store these and ensure that good members can only post from such locations, and it is also (theoretically) possible for them to add new locations on their own. Plugins would have to be made ... but by limiting accounts to specific IPs, you can make it darn near impossible for people to take over good accounts unless the script-kiddies are so desperate to post on your site that they start IP spoofing good people with complex passwords.

    Barring this, if the people are coming in from the back, you may have a server issue on your hands. I've seen time and time again where someone hacks a web host (such as GoDaddy) and gains access to every site on the same server. Once this is done, these people can put pretty much anything into your database since the server IP, username, and password are stored in your config files. The only effective ways to guard against this kind of attack are to use a VPN or a dedicated server. Unfortunately this is also quite expensive.

    Hope this gives you a few ideas or areas to check. If you have any other questions, be sure to ask.

    Thanks Jason, those are some fantastic tips. For now, I'll just send out emails asking members to change their passwords when it happens. It was happening repeatedly to only one member, and now it's happening to another.

    I thought I would post something that seemed to work for anyone else who might have this issue:

    If you use cPanel, get your raw access logs and search for the URL of the spam in your log. You will find the website/server they are using to hack in.

    Block their IP, the website they are using, and the website of the spam they are posting. Do this with the IP Deny Manager within cPanel. Then, block the IP of the user within Hotaru's admin panel. This should, at least temporarily, solve the issue.

    The "hacker" seemed to be using a proxy or some kind of cloaking to hide his activity from my analytics software. I guess you can't hide yourself from the server, though.
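The log search described in the post above, as an added example that is not part of the original thread: it parses cPanel-style combined access log lines, pulls out every hit whose request line or referer mentions the spam URL, and groups them by client IP together with the referring hosts, which is the list you would then hand to the IP Deny Manager and Hotaru's IP block. The log lines, IPs and hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format, which is what cPanel raw access logs use:
# client IP, identity, user, timestamp, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not real traffic). Two journal submissions carrying the
# spam link arrive from one IP via a script host, one normal page view, and one
# visitor who followed a link from the spam site itself.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2011:10:02:11 +0000] "POST /submit?url=http://spam-links.example/page HTTP/1.1" 302 0 "http://bot-host.example/run.php" "Mozilla/5.0"
198.51.100.12 - - [26/Feb/2011:10:03:45 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2011:10:05:30 +0000] "POST /submit?url=http://spam-links.example/other HTTP/1.1" 302 0 "http://bot-host.example/run.php" "Mozilla/5.0"
192.0.2.33 - - [26/Feb/2011:10:07:01 +0000] "GET /journal/123 HTTP/1.1" 200 8000 "http://spam-links.example/ref" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_spam_sources(log_text, spam_url):
    """Group every hit whose request line or referer mentions spam_url by client IP.

    Returns {ip: {"hits": count, "referers": sorted list of referring URLs}}.
    """
    sources = defaultdict(lambda: {"hits": 0, "referers": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash mid-log
        if spam_url in entry["request"] or spam_url in entry["referer"]:
            src = sources[entry["ip"]]
            src["hits"] += 1
            if entry["referer"] != "-":
                src["referers"].add(entry["referer"])
    return {ip: {"hits": v["hits"], "referers": sorted(v["referers"])}
            for ip, v in sources.items()}


if __name__ == "__main__":
    for ip, info in find_spam_sources(SAMPLE_LOG, "spam-links.example").items():
        print(ip, info["hits"], "hit(s); referers:", ", ".join(info["referers"]))
```

Run it against the real raw access log with `open(path).read()` in place of SAMPLE_LOG; the IPs and referer hosts it prints are the ones to block.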

