Site security, hacking & penetration testing


#1

Afternoon all,

I’d like to gather opinion/knowledge about the “hardness” of the average DH shared server site to hacking or penetration, plus ideas as to how to test and what to do to harden the site.

I know it’s a big topic area but I don’t see it covered elsewhere in the forum.

It is also good site housekeeping but I’ve been kicked into action now as a number of my fellow users of one of the genealogy tools I run (TNG) have been getting “ethically” hacked, so we know there’s a hole but we don’t know where it is or how to find it :frowning:

I’ve been looking at tools found by googling but whilst I have pen test experience as a project manager I don’t have much “hands on”.

Regards, Mike


#2

I’ve never heard of a hack that came through a hole in DreamHost. It’s always been due to a hacked password, or vulnerable software that a user installed. Are you already running TNG here?

What do you mean “ethically” hacked? If someone’s hacked it, yet not told you how, that doesn’t sound ethical. I don’t see any forums on the TNG site. Does the author know there’s a vulnerability? The site mentions stronger protection against attacks.

Running PHP5 is a step in the right direction for security, as it has some weak features disabled. Doing a security audit of a site is quite an endeavor if you’re looking for an undocumented vulnerability.

-Scott


#3

Hi Scott,

My TNG instance hasn’t been hacked, although I also suspect it hasn’t been targeted either as I had previously altered the search string we think the hackers have been using to find sites. It’s in user test at www.maughan.ie/genealogy and is set to only allow registered users access. This version of TNG (7.x) has been pretty good so far at keeping out the mongol hordes, hence some of our concerns at this particular hackfest.

The author does know and is actively involved in looking for the root of the vulnerability, whether it be in TNG or in the sites upon which the hack targets are hosted.

“Ethically hacked” is not my choice of term (unprintable, as you would expect!) but is the term the hackers use to indicate they are not planting malware; hence my description of it as “online graffiti”. I’m torn between being pleased to have a weakness identified (and hopefully soon to get it fixed) and pi$$ed off that some scrote is trying to despoil my stuff.

The hack seems to be part of a hackathon hosted out of a r a b i c DASH m DOT o r g; our particular scrote is known as s t a r 0 8 (my spaces).

The wider enquiry into hackability and pen testing is that we’re wanting to extend the sites’ capabilities to ecommerce, which tends to draw the scrotes like flies to poo. I’ve PM-ed pen tests for big ecommerce sites but don’t have the budget or technical know-how to do what was done there in this instance. I know there are pen test tools out there, and I’m hoping someone will know a little more about them than I do.

Thanks for the pointer to php5; I think we are OK but I’ll get onto checking it.

Regards, Mike