Reset WordPress Username
Securing Websites
This article discusses some of the most common ways web servers are attacked, and several technical measures by which they, and by extension the websites they host, can be protected.
1. Introduction
For systems such as servers that are designed to be "always on", security is an important issue. Web servers are the backbone of the Internet: they provide the basic services and features behind billions of web pages worldwide and, consequently, act as a repository of personal data for everyone who visits them. Ensuring that servers are safe from external attack is a primary concern for any organization that depends on them.
In recent years attacks against web servers have increased considerably. As the sample map below shows, it is immaterial where in the world a web server is based: malicious code does not respect borders. The threat is not only international but now comes from organized criminal gangs looking to harvest passwords, financial data and other information, rather than from teenage hackers looking to cause damage. In most cases an attack occurs discreetly, with web servers and sites compromised by malware designed to infect as many visitors as possible.
Web servers are particularly vulnerable because they are "open" by nature, with users sending information to them and receiving information from them. The HTTPD (HTTP server daemon), the database software and the code behind a website can each be rewritten by a criminal so that its original function is subverted.
However, that does not mean that a web server cannot be protected. It can, but it requires an integrated approach from site administrators, programmers and designers, with areas such as anti-virus software, the operating system (OS) and access permissions under constant review.
This document explores many of the common areas that lead to a compromised server, and ways to prevent them.
2. Secure foundations
The first step in designing, building or operating a secure website is to ensure that the server hosting it is as safe as possible.
A web server is composed of layers that provide multiple avenues of attack, as shown in the diagram below. Remember, each block is a possible target.
The foundation of any server is the operating system, and the secret to keeping it safe is simple: keep it updated with the latest security patches. Doing so could not be easier: Microsoft [1], along with many flavors of Linux, lets organizations apply patches automatically or fetch them with a single mouse click.
However, remember that hackers also automate their own attempts, with malware designed to jump from one server to another until it finds one that is out of date. It is therefore important to ensure that patches are current and installed correctly, since any server running without them will become a victim.
We also need to remember to update any other software components running on a web server. Anything that is not essential, such as DNS servers and remote administration tools like VNC or Remote Desktop, should be disabled or removed. If remote administration tools are essential, however, then avoid using default passwords or anything that could be guessed [14]. This applies not only to remote access tools, but to user accounts, switches and routers as well.
The next area to address is anti-virus software. This is a must for any web server, whether it runs Windows or Unix, and in combination with a flexible firewall it is one of the strongest forms of defense against security breaches. When a web server is targeted, the attacker will attempt to upload malware or hacking tools immediately, in order to take advantage of the security breach before it is fixed. Without a good anti-virus package, a security breach can go undetected for a significant amount of time.
When it comes to defense, a multi-layered approach is best. In the front line are firewalls and the operating system, while in the trenches is the anti-virus, ready to act and fill any gaps that appear.
In summary:
• Do not install software components that are not necessary. Each component is a risk; the more there are, the greater the risk.
• Keep your operating system and applications patched with the latest security updates.
• Use anti-virus, turn on automatic updates and check periodically that they are installed correctly.
Some of these tasks may seem costly, but do not forget that a single security hole is all an attacker needs. Potential risks include stolen data and bandwidth, blacklisting of the server's IP address, a negative impact on the organization's reputation and the possibility that your website could become unstable.
The next most important piece of software is the HTTPD itself, with the two most popular alternatives being IIS and Apache.
2.1 Internet Information Server (IIS)
IIS is part of Microsoft Windows and is a popular and commonly used web server because it requires very little configuration.
When deploying it, however, it is worth remembering the following:
• Disable default services such as FTP and SMTP unless you need them. Disable the directory browsing function unless it is necessary, because it allows visitors to see what files are present on the system.
• Remove the FrontPage Server Extensions if they are not being used.
You should also keep IIS fully updated, which can be done simply by activating the automatic update feature found in the Control Panel.
2.2 Apache HTTP Server
Apache is a highly configurable and well-maintained open source web server. It requires more detailed configuration to implement successfully, but provides more control over the web server. Most Apache servers run on Linux/BSD, but it can also run on Windows.
Because Apache configuration is complex, there is no space in this paper to detail the whole procedure. However, the following tips [2,3,4] are important to note:
• Deny access to resources by default and only allow the resource functionality you actually need.
• Log all web requests, to help identify suspicious activity.
• Subscribe to the Apache announcements mailing list, which sends out news of updates, patches and security fixes.
Websites that require more complicated functionality sometimes extend the HTTPD with a server-side interpreter using CGI (Common Gateway Interface). The two most popular are PHP and ASP.
2.3 PHP and MySQL
PHP is one of the most common server-side scripting languages. It has a large functional code base, simple syntax, adaptable code and, most importantly, interacts with a large number of database formats. MySQL is one of the most popular database options to use in conjunction with PHP, because it is fast, feature rich, and easy to configure and use.
PHP has often been accused of being lax on security, and in recent years many exploitable bugs have been found within it. However, it has matured steadily, and the majority of preventable errors tend to come from either not setting up the installation correctly and/or not writing the code safely.
Here are some tips for the setup (writing secure code is covered in a later section) that relate to the variables in the "php.ini" file:
• Set 'register_globals' off
• Set 'safe_mode' on
• Set 'open_basedir' to the directory of the website
• Set 'display_errors' off
• Set 'log_errors' on
• Set 'allow_url_fopen' off
For more information on why these configuration directives are important, please see [6,7,10].
When MySQL is installed it creates a 'test' database by default and an open 'root' account with no password. The root account is automatically given free access to all other databases on the server, so it is important to:
• Change the root password immediately.
• Create a new MySQL user and give it the minimum privileges.
• Remove the test database and any test users.
2.4 Active Server Pages (ASP)
ASP is a Microsoft technology supported by IIS, although there is also an implementation for Apache. ASP is integrated with IIS and typically requires little or no configuration.
2.5 Security
Anti-virus is usually the last line of defense against an attack, which is why web servers, especially those serving dynamically generated content, must have on-access scanning enabled at all times. As the chart below shows, no web server is safe from malware. No matter how well you secure your web server, there is always a possibility of it being hacked. Real-time scanning significantly reduces the likelihood of malicious code running on the system, as it can scan in both "read" and "write" modes and can then provide immediate notification as soon as a piece of malware attempts to store itself on the server.
While on-access scanning can affect server performance a little, the benefits of greater security far outweigh any possible performance problems. There are also areas of the system, such as the HTTPD log folder, that can be excluded from scanning, which further reduces the impact on the system.
Attacks on web servers can be broadly classified into two main types: local and global.
• Local attacks usually attempt to steal information from, or take control of, a specific web server.
• Global attacks are generally aimed at multiple websites, with the goal of infecting anyone who visits them.
Although Linux and BSD are considered by some to be more secure than Windows, they are certainly not exempt from organized crime. They can, and should, have anti-virus software installed. Even if a piece of malware cannot run on the host server, a server without anti-virus protection can still serve it as valid content to web users, since some hackers load it into PHP or ASP pages, making the web server's operating system irrelevant.
It is also possible for servers to be infected through a local network. The Fujacks family of worms, for example, infects HTML, PHP and ASP files through shared drives and network shares.
3. External Web Hosting
Most organizations do not have the hardware or the bandwidth stability to host their own web server and instead use an external supplier. There are three alternatives that are suitable for small and large organizations:
• Shared dedicated hosting.
• Virtual dedicated hosting.
• Dedicated hosting.
3.1 Shared dedicated hosting
This is possibly the most used and abused of all forms of web hosting, and consists of a dedicated server hosting multiple websites. It is one of the cheapest forms of hosting and therefore one of the most dangerous, because it takes only one infected user to infect the others using the same server.
An excellent real-life example of the inherent problems with shared hosting can be found in the following SophosLabs blog posting:
http://www.sophos.com/security/blog/2007/06/172.html
3.2 Virtual dedicated hosting
Virtual dedicated servers, sometimes called elastic servers, are created using virtualization software to run a series of independent, autonomous virtual servers on one machine. This is appropriate for any growing organization, because each user has access to their own operating system and server software.
3.3 Dedicated Hosting
Dedicated servers are reserved exclusively for one user. In general, two forms are available: managed and unmanaged.
• Managed servers have staff who take care of functions such as local security administration and troubleshooting.
• Unmanaged servers are unchecked and are a little cheaper to operate, but any help would have to be bought in.
Of the three options presented here, virtual dedicated hosting seems to be the most efficient, being generally cheaper than dedicated hosting while retaining the latter's flexibility and security.
4. Safer design
No matter what you do, and no matter how small your website is, it will be attacked. Design is intrinsic to safety, since it can reduce the damage caused by viruses, spyware and other malware.
Try putting yourself in the shoes of the attacker and use good common sense to plug the obvious holes. Some website errors are so common, from beginners to veterans, that it is worth going over them here.
4.1 Cookies
One of the main problems encountered in designing a web application is that each request for a new page is dealt with independently from the previous request. Getting a web application to "remember me" is therefore more difficult than it is in normal applications.
There are two methods that web applications use to remember visitors, both supported by most browsers: cookies and session cookies.
• A cookie is a small file created by the browser and stored on the user's computer. It can contain anything, but usually holds a name, an expiration date and an arbitrary amount of data such as "Count = 100" or "member = false".
• A session cookie is similar to a normal cookie, except that it allows web applications to store data in memory.
The difference between the two is that a cookie is stored directly on the user's computer and remains resident unless manually deleted. A session cookie, in turn, is only kept for as long as the computer is on, and is therefore automatically lost as soon as you close your browser. They have something in common: both can be manipulated.
Developers often rely on data retrieved from cookies, simply because they developed the code and therefore it must be good, right? Hackers can easily modify a cookie (and in some cases live session data) to trick a website into giving them access to a restricted page.
When designing the system, never trust user input, whether it comes directly from visitors or indirectly through cookies. Try to limit the amount of data stored in cookies, especially if it is data that should not be made available to the public. A good rule is to treat all data stored on an end-user machine as suspect.
MySpace.com was attacked by a trojan (JS/SpaceStalk-A) earlier this year that stole information stored in cookies and transmitted it to a remote server. This information could theoretically contain sensitive information such as usernames, passwords and Internet preferences.
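The cookie-trust problem described above, as an added example that is not part of the original article: a membership check that believes a "member=true" cookie, beside one that keeps the decision in a server-side session. The user table, password and names are constructed for the example.

```php
<?php
// Added example (not from the article): trusting a cookie for an access
// decision versus deciding on the server and keeping only an opaque session id
// client-side. The $users table and credentials below are constructed.

// VULNERABLE: the decision rests on a value the browser sends. Anyone can edit
// their cookie jar to "member=true" and reach the restricted page.
function is_member_vulnerable(array $cookies): bool
{
    return isset($cookies['member']) && $cookies['member'] === 'true';
}

// HARDENED: membership is decided on the server after the user proves who they
// are, and stored in the server-side session, which the browser cannot edit.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    if (!password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id on privilege change
    $_SESSION['user']   = $username;
    $_SESSION['member'] = $users[$username]['member'];
    return true;
}

function is_member_hardened(): bool
{
    return isset($_SESSION['member']) && $_SESSION['member'] === true;
}

// Constructed user table; hashes generated with password_hash().
$users = [
    'chris' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'member' => true],
];

// Session cookie settings: not readable by page scripts and only sent over
// HTTPS. They must be in place before session_start() issues the cookie.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// Demonstration: a forged cookie passes the vulnerable check but has no effect
// on the hardened one, which only changes state after a successful login.
$forged = ['member' => 'true'];
var_dump(is_member_vulnerable($forged));            // forged cookie is accepted
var_dump(is_member_hardened());                     // nobody has logged in yet
var_dump(login($users, 'chris', 'wrong password')); // rejected
var_dump(login($users, 'chris', 'correct horse'));  // accepted
var_dump(is_member_hardened());                     // now a member, server-side
```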
4.2 Authentication
If your site contains areas that are only for certain customers or subscribers, you need a way to identify visitors before letting them in [8].
There are a number of ways to authenticate users: basic authentication, digest authentication and HTTPS.
• Basic authentication uses a username/password combination that is sent in a form visible to anyone watching the traffic to the web application. Even if the content is not particularly secret this is best avoided, since a user may use the same password in many places. A Sophos poll showed that 41% of users use the same password for all online activities, whether it is a banking site or a local community forum [15]. Try to protect your users from this error by using a more secure authentication method.
• Digest authentication, which all popular servers and browsers support, protects the username and password securely within the application. It keeps usernames and passwords private, which creates a better impression on the user and reduces the chances of your server being abused.
• HTTPS encrypts all data transferred between browser and server, not just the username and password. You must use HTTPS (which is based on a security system called Secure Sockets Layer, or SSL) when you are asking users to provide private data such as their address, credit card or bank account details.
When choosing an authentication system, it is good practice to choose the best available. Anything less will worry security-conscious customers and possibly expose them to unnecessary risk.
4.3 Components, libraries and add-ons
Many web developers do not have time to reinvent the wheel. When asked to add a feature that is common elsewhere, it is easiest to source a package that already contains the necessary component and customize it. This is particularly true for complex functions such as micro-applications like blogs, forums and content management systems (CMS).
The reasons for using pre-built, customizable systems are obvious: it saves time and money.
Like all pieces of software, however, add-ons may contain errors, so it is advisable to keep an eye on the packages in use and update them regularly. The popularity of some of these packages can sometimes create a misleading sense of confidence among the public, and many popular products have been found to be exploitable, even when apparently installed and configured correctly.
Popular server applications that have had problems with critical, exploitable bugs in the past include:
• WordPress (blogging software).
• phpBB (forum software).
• CMS Made Simple (CMS software).
• PHP-Nuke (CMS Software).
• bBlog (blogging software).
Many of the above (and similar) add-ons are widely used, making them attractive targets for hackers because they greatly increase the number of possible victims. Since most operating systems and HTTPD software can be updated automatically, many developers "set and forget" these components but forget to update the various add-ons: a dangerous mistake.
Again, the rule of thumb is the same as before: if it is not needed, get rid of it! If your hosting provider supplies such features, they should be off by default. If you cannot disable them, then you should think about finding a new supplier.
4.4 Log Files
Server logs are very important in managing a website. Most HTTP servers can be configured to store access logs and error logs, and this must be enabled at all times, as the logs can be essential when performing a review.
They should also be reviewed periodically, as they can provide a better understanding of the threats that websites face. Log files give an indication of any possible violation by recording, in great detail, every single successful or attempted access to a site.
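One way to do the periodic review just described, as an added example that is not from the original article: a small script that parses Apache access log lines, flags request paths carrying the kinds of input discussed later in this paper, and counts requests for missing pages per client. The log lines are constructed, and the patterns are illustrative rather than a complete signature set.

```php
<?php
// Added example (not from the article): a first-pass review of Apache
// "combined" access log lines. Sample lines are constructed; the patterns are
// illustrative and would be tuned for a real site.

const LOG_LINE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

// Fragments that should rarely appear in legitimate request paths.
const SUSPICIOUS = [
    'sql injection'  => '/(?:%27|\')\s*(?:or|and|;|--|#)|union\s+select|drop\s+table/i',
    'xss'            => '/<script|%3cscript|javascript:/i',
    'path traversal' => '/\.\.(?:\/|%2f)/i',
    'remote include' => '/[?&]\w+=https?:\/\//i',
];

// Splits one log line into the fields the review needs; null if it does not parse.
function parse_line(string $line): ?array
{
    if (!preg_match(LOG_LINE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => urldecode($m[4]), 'status' => (int) $m[5]];
}

// Returns one finding per suspicious request, plus a finding for any client
// that asked for several missing pages (quiet scanning for known add-ons).
function review(array $lines, int $notFoundThreshold = 3): array
{
    $findings = [];
    $notFound = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        foreach (SUSPICIOUS as $label => $re) {
            if (preg_match($re, $r['path'])) {
                $findings[] = "{$r['ip']} {$r['time']} $label: {$r['method']} {$r['path']}";
            }
        }
        if ($r['status'] === 404) {
            $notFound[$r['ip']] = ($notFound[$r['ip']] ?? 0) + 1;
        }
    }
    foreach ($notFound as $ip => $n) {
        if ($n >= $notFoundThreshold) {
            $findings[] = "$ip: $n requests for missing pages (possible scanning)";
        }
    }
    return $findings;
}

// Constructed sample: ordinary traffic plus a few probes from one client.
$sample = [
    '203.0.113.5 - - [10/Jun/2007:08:01:02 +0100] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Jun/2007:08:01:09 +0100] "GET /user.php?name=Chris HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2007:08:02:15 +0100] "GET /user.php?name=%27%3B+DROP+TABLE+users%3B+%23 HTTP/1.1" 500 310',
    '198.51.100.7 - - [10/Jun/2007:08:02:40 +0100] "POST /profile.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Jun/2007:08:03:01 +0100] "GET /phpBB/admin/ HTTP/1.1" 404 210',
    '198.51.100.7 - - [10/Jun/2007:08:03:02 +0100] "GET /wp-admin/ HTTP/1.1" 404 210',
    '198.51.100.7 - - [10/Jun/2007:08:03:03 +0100] "GET /../../etc/passwd HTTP/1.1" 404 210',
];

foreach (review($sample) as $finding) {
    echo $finding, "\n";
}
```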
5. Breaking the code
Writing secure code is not always as easy as it sounds. It takes not only an expert programmer, but one who is also knowledgeable about specific security issues [9]. There are entire books dedicated to writing secure code, so only the basics are covered here [13].
• Always turn off global variables, as they can be deliberately initialized by a crafted GET or POST request.
• Turn off error display and make sure errors are logged to a file instead, as this information can help attackers reproduce a problem and then manipulate it to expose vulnerabilities.
• Do not trust user data, and always use filter functions to remove special SQL characters and escape sequences.
5.2 SQL injection
SQL injection can be used to attack websites that interact with databases. It occurs when unfiltered input supplied by the user is used in an SQL query.
SQL queries can be used to query a database, insert data into a database, or modify/delete data in a database. A lot of modern websites use scripts to generate SQL and page content dynamically. User input is often used in SQL queries, and this can be dangerous, as hackers can try to embed malicious SQL code in the input data. Without care, this malicious SQL can be executed successfully on the server.
Take the following PHP code:
// The submitted name is placed directly into the SQL text (deliberately vulnerable).
$name = $_POST['name'];
mysql_query("SELECT * FROM users WHERE name = '$name'");
After submitting your name to the web form, the SQL query returns the list of users who have that name. If I put my name "Chris" in the form, the SQL query would be:
SELECT * FROM users WHERE name = 'Chris'
This is a valid statement and works as expected, but what if instead of my name I entered something like "'; DROP TABLE users; #"? The statement would read as follows:
SELECT * FROM users WHERE name = ''; DROP TABLE users; #'
The semicolon allows multiple commands to be executed one after another. Suddenly, the simple statement is now a complex three-part statement:
SELECT * FROM users WHERE name = '';
DROP TABLE users;
# '
The first statement is useless and can be ignored. The second statement tells the database to drop (delete) the entire table, and the third uses the '#' character, which tells MySQL to ignore the rest of the line.
This is particularly dangerous and can be used to display sensitive data, update fields or remove/delete information. Some database servers can even be used to execute system commands through SQL.
Fortunately, this type of vulnerability can be avoided easily by validating user input. In PHP there is a special function for neutralizing potential SQL injection code named "mysql_real_escape_string". This function must be used to filter data passed to an SQL statement.
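The query from this section, as an added example that is not the article's code: the unsafe string-building beside a prepared statement, with driver escaping shown as the fallback. It uses PDO with an in-memory SQLite database so it runs offline (an assumption; with MySQL only the DSN changes), and the sample rows are constructed.

```php
<?php
// Added example (not the article's code): the section 5.2 query built the
// unsafe way, then with a prepared statement. PDO + in-memory SQLite is used
// so it runs without a MySQL server; with MySQL only the DSN changes.

// Constructed sample database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('Chris'), ('Alice')");

// UNSAFE: the same string-building as the article's mysql_query() example.
// The user-controlled value becomes part of the SQL grammar itself.
function build_unsafe_query(string $name): string
{
    return "SELECT * FROM users WHERE name = '$name'";
}

// SAFE: the query text is fixed; the value travels separately as a parameter
// and can never change the statement's structure.
function find_users_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fallback when prepared statements are unavailable: escape for the driver in
// use. PDO::quote() plays the role the article gives mysql_real_escape_string()
// (removed in PHP 7 with the mysql_* extension; mysqli_real_escape_string()
// is its successor). Escaping is per-driver and easier to get wrong, so
// prefer parameters.
function find_users_escaped(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = "Chris";
$hostile = "'; DROP TABLE users; #";   // the article's input; '#' is MySQL comment syntax

// The unsafe builder shows the statement the database would be handed.
echo build_unsafe_query($benign), "\n";
echo build_unsafe_query($hostile), "\n";

// With parameters or proper quoting the hostile string is just a name nobody has.
print_r(find_users_safe($db, $benign));
print_r(find_users_safe($db, $hostile));
print_r(find_users_escaped($db, $hostile));

// The table survives: the hostile input was never parsed as SQL.
echo $db->query("SELECT COUNT(*) FROM users")->fetchColumn(), " rows still in users\n";
```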
5.3 XSS (cross-site scripting)
This type of attack focuses on websites that display data supplied by users. Instead of trying to manipulate the database with malicious input, the attacker tries to attack the website's code so that its output itself is malicious.
Many sites store the names of all visitors in a database so they can display a name specific to the user who logs on. For an attacker it is a simple thing to create a fake account but place malicious code in the username field instead of a name. These attacks are carried out with malicious JavaScript that then loads content from another website. The database stores what it thinks is the username, but it is actually malware. Later, when the website tries to show the username at the top of the page, the malicious code is executed unnoticed. Because the code could, depending on the circumstances, do almost anything, this is a very real concern, and one often overlooked by developers. In recent history many high-profile websites have been victims of XSS attacks, such as MySpace, Facebook and Google Mail.
Take the following PHP code:
// The submitted name is echoed straight into the page (deliberately vulnerable).
$name = $_POST['name'];
echo "Your name is $name";
After submitting your name to the web form, the website displays the following message on the page. If I put my name "Chris" in the form, the message says: "Your name is Chris".
What if we decided to use "<script>alert("I just hacked this script!");</script>" instead of my name?
Unfortunately, XSS attacks can sometimes be difficult to defend against, because doing so relies on proper filtering of input and output and on validating every individual field that a user can modify. This includes data from GET and POST requests and query results returned from the database.
If you use PHP there are a number of packages that can make filtering easy; CodeIgniter is one example [5]. Moreover, there is a native PHP function called "htmlspecialchars" that can be used to filter the output.
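The echo from this section, as an added example that is not the article's code: the vulnerable output beside a version encoded with htmlspecialchars(), plus a plausibility check on the name as a second layer. It assumes the value is placed in a plain HTML body context; values inside attributes, URLs or scripts need context-specific encoding. The inputs are the article's benign and hostile names.

```php
<?php
// Added example (not the article's code): the section 5.3 echo, vulnerable and
// then hardened with htmlspecialchars(). Assumes a plain HTML body context.

// VULNERABLE: whatever the user typed is pasted straight into the HTML.
function greet_vulnerable(string $name): string
{
    return "<p>Your name is $name</p>";
}

// HARDENED: encode on output. ENT_QUOTES covers both quote styles so the value
// is also safe inside a quoted attribute; ENT_SUBSTITUTE avoids returning an
// empty string on bad byte sequences; the charset must match the page's.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greet_hardened(string $name): string
{
    return "<p>Your name is " . esc($name) . "</p>";
}

// Input validation as a second layer: reject names containing characters a
// display name has no business containing. Validation narrows what gets
// stored; output encoding is still required, because stored data may arrive
// by other routes (the database, other forms, imports).
function is_plausible_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} .\'-]{1,64}$/u', $name);
}

// Constructed inputs: the article's benign and hostile names.
$benign  = 'Chris';
$hostile = '<script>alert("I just hacked this script!");</script>';

echo greet_vulnerable($hostile), "\n";  // a browser would execute the script
echo greet_hardened($hostile), "\n";    // a browser shows the tag text literally
var_dump(is_plausible_name($benign), is_plausible_name($hostile));
```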
6. A study of how easy it is
While researching this paper I decided to see how easy it would be to find examples of data loss, and so I Googled the default log file name of a common FTP client. I found thousands of websites that publicly expose (and have unknowingly had indexed) a seemingly unimportant FTP log file. Each was a shining example of data leakage.
Here is an example (censored) log entry:
99.07.16 08:34 A x: xxxxxxxx xxxxxx xxxxxx WS_FTP.LOG <- <site name> / export / home / <name / xxxxxx / xxxxxx WS_FTP.LOG
99.07.16 08:53 A x: xxxxxxxx xxxxxx xxxxxx home.html -> <hostname> / xx / www / xxxxxx-xxx / xxxxhome.html
From this I learned many interesting things:
• The <site name> gave me the name of the website.
• The user <name> gave me the username, and the path gave away the server type: Linux/BSD.
• The <hostname> supplied the server name.
This tells me the following about the host:
• The name and IP address of the web server.
• The remote path that was copied to.
• The local path that was copied from.
This information is gold dust to any criminal, as with the hostname and username he or she may try to obtain administrator access. They could also simply discover the web hosting company's phone number or email address and try to get the password through social engineering.
The latter is easier than attacking the server itself, because many web hosting companies carry out only minimal security checks before handing over security credentials. This may be because they are often contacted by individual site contractors who are building a site on behalf of a third party, so they are used to receiving calls asking for account credentials or a password reset.
I myself have done this several times, legitimately of course, and only one of four companies asked for the original business to provide permission.
Yes, it really is as easy as that.
About the Author
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.