47

(While the answers and comments at How do I deal with a compromised server? are useful, my question is more about prevention of hacking when I do not have total (or much) control over the server. I have SSH access but not root privileges. I cannot see or change anything beyond my own user account.)

I volunteer for a non-profit, maintaining their web site for them. We've been on a low-budget shared hosting platform (Bluehost) for several years. The site was built on Wordpress and I did my best to keep core WP and all plugins up to date.

But we got hacked multiple times. Sometimes it was malicious (defacing the home page) while other times it was stealth (I discovered hidden files that seemed to just allow someone to get in and snoop around).

I totally got rid of WP, rebuilding the site on Bootstrap. I removed all files from the server, ran multiple virus scans on the local version of the new site, grep'd for anything that would be suspicious, and then uploaded the files to the server. I was nearly 100% sure this new codebase was "clean".

But within a few days, I discovered (by comparing the server to my local version) a hacked index.php (some 'preg-replace' code was inserted before the first line) and found a "logo-small.png" file in a subdirectory that was not really an image file. It was a big hunk of obfuscated PHP that looked set to to nasty things (I de-obfuscated and viewed the code).

I knew that shared hosts, often with hundreds of sites, could be vulnerable. At this point, I totally distrust the server we're on. But when I asked Bluehost if we'd be safer on a VPS or dedicated server (thinking our "sandbox" would be harder to get into), they said it wouldn't really make a difference.

So I'm in a quandary. The non-profit I help out has limited budget. But I also don't want to continue spending tens to hundreds of hours monitoring and fixing the site. I don't know if hackers are getting in via the file system or an open port that shouldn't be open.

Is there a cost-effective solution that provides much better "hardening"?

user249493
  • 523
  • 1
  • 5
  • 8
  • 1
    Web servers for small sites don't need a ton of hardware. Do any of your members have an old PC that they never use and are willing to donate? Install Ubuntu on it and start running nginx or Apache on it and then you don't have to trust anyone else. For a smaller website on a budget but also someone who is security-aware working to maintain the server this is probably the best bet. If this is a larger-than-that type of site then disregard this comment. – sethmlarson Mar 09 '16 at 03:48
  • 6
    Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter Mar 09 '16 at 04:59
  • 21
    Until you learn more about server security you're going to be hacked. No server solution is a priori hacker-proof, you have to understand and implement all the steps that are listed in hardening tutorials and security guides. In short: security starts in your head, not at a third-party server. – Deer Hunter Mar 09 '16 at 05:03
  • 4
    @DeerHunter: That's assuming he is in control of the web server. If it is shared hosting (as mentioned) you're out of luck. – Jeroen Mar 09 '16 at 05:05
  • 11
    Doesn't seem like a duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) to me. OP of this question is trying to understand security of different hosting options, not how to rectify a server breach. – Neil Smithline Mar 09 '16 at 15:32
  • Out of interest, the `preg-replace` thing [seems to be quite common](http://security.stackexchange.com/questions/114919/found-suspicious-obfuscated-php-file-is-this-a-hack-attempt-on-my-website) – Pharap Mar 09 '16 at 19:07
  • Static site generation is definitely the way to go, *especially* if you can use a hosting provider where you're colocated only with other static-hosting-only customers (so nobody sitting next to you on the same machine is running potentially vulnerable code either). See https://www.staticgen.com/ for a list of popular options re: open-source site generation tools. – Charles Duffy Mar 09 '16 at 19:08
  • @Oasiscircle That then requires the hoster to have a fast enough upload which they'd be willing to share with the site. Running a server also violates pretty much every ISP's terms of service for customer internet (you may get away with that depending on the ISP). – Voo Mar 09 '16 at 21:26
  • 3
    One possiblility is that the problem does not come from the hosting but from your computer. Some viruses can steal your FTP credentials and upload files on your hosting. Did you change the passwords each time the website was *hacked*? – A.L Mar 09 '16 at 23:04
  • 1
    I'm going to recommend [Jekyll](https://jekyllrb.com/), a **static site generator**, if you are just serving static pages (sounds like you are). You said that you rewrote the site using Bootstrap, so I'm guessing that you're not new to coding a bit. Jekyll is incredibly simple, and really isn't much coding at all unless you want to do some fancy stuff. Basically you just write web pages in Markdown (same as Stack Exchange) and it generates a site. It can also be hosted for free on [Github Pages](https://jekyllrb.com/docs/github-pages/). It may be worth looking into if you have an hour! – Chris Cirefice Mar 10 '16 at 15:00
  • Cost effective depends on your budget. If you're big like the Red Cross or some church denominations, then a virtual private cloud solution might work for you. If you're a smaller non-profit, google hosting might be sufficient. – pojo-guy Mar 10 '16 at 22:03
  • Did you change the account passwords after the first compromise? – Ángel Jul 02 '16 at 23:05
  • Unless you know what you're doing, VPS is **much harder** to secure than competent shared hosting. A VPS gives you a lot more freedom to configure your server, and a lot more ways to make errors. I don't know about a BlueHost, but a shared host configured by a competent sysadmin would not be more secure than a VPS as they would configure their servers such that compromise of one site wouldn't affect other sites on the same host. – Lie Ryan Jul 03 '16 at 00:16

9 Answers9

61

If the only thing you expose to internet are non-interactive web pages and do not need to run server-side components, then you can substantially lower your risks by using a static web site.

You are then left with the web engine itself and to some extend the underlying OS. Apache or nginx are not simple to harden so you could have a look at Cherokee or publicfile.

You can go one step further by either hosting your static files on an existing environment which accepts them (Github Pages for instance) or move to a site you build with blocks like Google Sites (which are free for non-profit organizations).

WoJ
  • 8,968
  • 3
  • 33
  • 51
  • 8
    You can even use the AWS S3 for static site hosting and then never have to worry about securing the server ever again. They even support using your own domains: http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html – carbontwelve Mar 10 '16 at 09:47
20

The problem with shared hosting is that:

  1. You are dependent on all websites keeping their code up to date. It could be possible another account is compromised which allows an attacker to access your part of the web server. There are several ways to accomplish this, especially if a control panel like Direct Admin is installed.

  2. When I - as a hacker - purchase web space on the same server you're on I could just simply (in your case) upload a PHP web shell and (possibly) access all websites located on that server. This is even possible if file permissions are setup properly.

The solution is not to use shared web hosting.

I'd suggest you purchase a VPS. A good VPS (6GB RAM - SSD disks) can be purchased for $7 a month. I could give you the link if you want, but I do not want to advertise it here. That way you're more in control of what's happening.

Jeroen
  • 5,813
  • 2
  • 19
  • 26
  • 19
    "upload a PHP web shell and (possibly) access all websites located on that server" is it really that easy to gain access to all other websites on the same server? I guess for this to work there must be some server misconfiguration to allow such thing? – fduff Mar 09 '16 at 08:27
  • 1
    I know that with Direct Admin (out of the box) this works. But there are other ways to enumerate valid home directories / domain names when having shell on the server when these permissions are a bit more strict. – Jeroen Mar 09 '16 at 08:54
  • There are shared hosting options where you can have your site hosted on a cluster where no user accounts on the same system will have non-static functionality available either, mooting some of your concerns. – Charles Duffy Mar 09 '16 at 19:11
  • 1
    I know you don't want to advertise it, but what VPS are you referencing? "A good VPS (6GB RAM - SSD disks) can be purchased for $7 a month." – StackOverflowed Mar 09 '16 at 19:27
  • 2
    Google "VPS Dime" and you'll find it. – Jeroen Mar 09 '16 at 21:22
  • 1
    "I could just simply (in your case) upload a PHP web shell and (possibly) access all websites located on that server. This is even possible if file permissions are setup properly" - so are you saying that jails are inherently broken or just that some hosting providers don't use them or misconfigure (is there much to misconfigure? seems simple to me) them? Not really keeping up with current state of the art exploits, but I did assume that they worked as advertised, apart from possible bugs in some implementations which can never be excluded. – Voo Mar 09 '16 at 21:29
  • Although many hosts are now coming up with ways to prevent it for the reason Jeroen mentioned it is usually as easy as making a PHP script get the contents of ../ If poorly configured this would return a list of directories of other customers. So say if a customer had the directory of billysautoshop.com I could just make a PHP upload script on my account that uploads index.php to ../billysautoshop.com And sometimes you could do this to get full access to the server's root. Likely not the case with his current host but I would imagine many lesser known/inexperienced hosts still are affected. – Bacon Brad Mar 09 '16 at 23:16
  • The above is also known as a directory traversal attack. – Bacon Brad Mar 09 '16 at 23:19
  • The standard out of the box installations of Direct Admin are not jailed (at least a few years back). The ones that did have some permission issues, I created a script that would read the /etc/passwd to get all user names (/home/$username) and the file /etc/bind/domains (or what ever it was). Using a loop I searched if it was possible to read the /home/$user/$domain/public_html/index.php. This way it was possible to enumerate all valid paths on a system. Using a web shell I could read all config.php files and in return I had access to all databases (legally of course) – Jeroen Mar 10 '16 at 07:01
9

Move to a Static page system. I too used to have WordPress - but after being hacked 2 times by the "Free Syrian Army" (in an effort to promote their situation ...) I got fed up with Wordpress, and used Nikola.

Simple and easy - static Web Pages.... no accounts/ports/SQL vulnerabilities etc.

There are others (Forks of the same) - look for Pelican as well.

Neil Smithline
  • 14,702
  • 4
  • 38
  • 55
Tim Seed
  • 333
  • 1
  • 3
6

Digital Ocean offers dedicated virtual machines for as low as $5/mo. This would be comparable to a dedicated server in terms of comparing the solution to VPS.

The problem is most commonly going to be your software solution used in the actual serving of content, however. Hardening the configuration files of your chosen suite is non-trivial unless you have experience with that sort of thing.

Server hardening as a general topic is massive, but if you have scoped out a particular set of programs you want to use, Google and ServerFault.SE will most likely have plenty of tips for how to lock them down.

Or like WoJ suggests, you can use a more pre-built hosting solution.

Vegard
  • 233
  • 1
  • 6
5

As a rule, it's not the host that gets hacked, it's your site. If you have a safe site, then a simple VPS can keep you safe.

Assuming you don't need your content to respond differently to different visitors, then a static site generator will work for you. Typically they're a bit like wordpress in that you write your own custom content and it gets turned into a themed site, but it's different in that the generator lives on your computer (not on the webserver) and the only thing on the server is static HTML.

So there's nothing to hack. It's not alive. The server can't do anything. It's just content.

If you want to put that on your own VPS, you can get one at Linode or Digital Ocean, or if you're feeling brave, AWS or Google Compute. The lowest tier server at all these places is around $5/mo, which is sufficient for your needs.

You can even host such a site at Github Pages at no cost at all.

tylerl
  • 82,665
  • 26
  • 149
  • 230
4

If you already have experience with Wordpress, then why not just use the wordpress.com cloud. Hopefully, they will take care of the system administration including security. You just need to keep the password safe and export/backup your posts regularly. You are of course at the mercy of the company, - my blog once got blocked, but I managed to convince them to open it again. Furthermore, possibly not all plugins that you need might be there. There could also be privacy issues, the issue of the domain name of your non-profit organization and ads that wordpress.com might put on your homepage.

2

There is lots of good advice in the responses. However, possibly the most important advice is to only use a hosting company with a good reputation. Don't base your decision on cost and go for a budget site based solely on that criteria.

The reality is, running a hosting company comes with considerable maintenance overheads. To achieve sufficient profit, cuts need to be made somewhere. Unfortunately, these cuts are often applied to risk management processes because there is no obvious 1 to 1 relationship between expenditure and revenue. The result is that security often suffers.

Larger organisations where reutaiton is seen as an important aspect of their profitability will likely spend more in these areas. They also have the benefit of being able to take advantage of economies of scale. If your not in the position to manage the security risks yourself, you have to rely on your hosting company.

Several replies suggested using a static site rather than wordpress. A static site can help, but of course, if the server is compromised, it makes little difference. However, poorly maintained dynamic frameworks which are not updated are always going to be more of a risk than a static site given the same hosting security.

Wordpress is a high risk solution. It is actively targeted and there are a number of weaknesses in the plugin system. Even if you keep plugins up-to-date, there is no guarantee. Only this week there was a report of a popular plugin which has significant security holes which have been deliberately added by the new maintainer of the plugin (this is a common issue with plugin architectures - chrome plugins suffer from the same issue. You look for some functionality. You are security aware, so you check the references, reputaiton and user reports for a plugin. All looks good and the developer has a good reputation, so you install it. Later, the developer moves on - either selling the plugin or handing it over to anotehr who may not be as ethical. There is no mechanism to alert you to this change. The new owner issues and update which has malicious code. You apply the update (or perhaps the update is auto-applied). game over).

If you cannot just use a static site, then perhaps consider using something other than wordpress which isn't as actively targeted. this won't be convenient as it will likelymean learning a new framework, but may provide some additional protection.

The other thing to seriously consider, especially if there simply isn't enough budget is to sale back your non-profits web reputation. There is a cost associated with having a web presence. If the non-profit cannot afford the cost for a sufficiently secure site, either they must accept the risk of being hacked or they must scale back their web presence to something they are willing to fund. In general, there are few 'cheap' security solutions - you get what you pay for (you can overpay - especially with some of the snake oil merchants being drawn to the lucrative security space, but if you do your research, look for good references/referees, remember there is no such thing as a free lunch and if it sounds to good to be true, it probably isn't, blah blah blah, you will generally be OK).

Tim X
  • 3,252
  • 14
  • 13
2

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change remotely, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronize that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

user2320464
  • 1,832
  • 1
  • 16
  • 18
Ángel
  • 18,188
  • 3
  • 26
  • 63
1

Personal Computer Security

As per the comment form A.L, the vulnerability may have nothing to do with your website or the hosting but more to do with passwords being stolen from a compromised website administrators computer or similar or maybe the attacker has control over an administrative account that has not been reset since the initial clean-up.

Ditching WordPress vs Upgrading to a Better Host

Moving away from WordPress may help but finding a host with better security practices may be a more effective solution.

I look after about 50 or so websites built with a CMS similar to WordPress and am very conscientious about regularly applying updates. The sites on good quality hosts (e.g. SiteGround) rarely get hacked. SiteGround regularly update their web application firewall to block the most common WordPress, Joomla and other vulnerabilities although you should still promptly update your CMS and any third party add-ons as updates are released.

Shared Hosting vs VPS

Moving to a VPS may reduce the risk of contamination from other accounts on the same server but the security of a VPS relies on the skills of the person or people maintaining it, just the same as shared hosting.

A shared hosting account on a well maintained server is less likely to be hacked than a poorly maintained VPS.

Common Sense Security Precautions

Whatever you do, nothing on the web is ever 100% secure. You can minimise the risk of data loss by running regular backups, copying the backups off-site and regularly testing the backups.

Learn about other common sense security precautions such as:

  • regularly applying updates
  • keeping the PHP version up to date,
  • choosing software only from established and trusted developers
  • minimising the number of add-ons where possible
  • minimising the number of administrative accounts
  • implementing a web application firewall to protect the website and/or enabling a content delivery network (CDN) that includes a web application firewall

In Conclusion

I'd argue the most cost effective solution in your case where you have a budget conscious client is a shared hosting solution with a good quality hosting provider.