How Your Webhosting Account is Getting Hacked

Published: 2013-03-25
Last Updated: 2013-03-25 02:51:08 UTC
by Kevin Liston (Version: 1)
5 comment(s)

If you're like me you actually have your own little website project hosted on one of the many inexpensive website hosting companies.  Perhaps you've recommended one as a solution to a small business, or organization.  You may also be aware that they are pretty attractive targets for professional computer criminals.  Brian Krebs has a nice writeup of the value of your standard PC to a criminal here:

The Value of a Web-Hosting Account

I want briefly expand on the added value of compromising a box sitting in a rack in one of these hosting companies.

The first is that since they're already webservers, they do a better job with all the standard exploit-hosting, phishing-site, and other webserver values identified in Brian's analysis.  Secondly, they usually enjoy more bandwidth access than the average home/business PC, which a big advantage for criminals interested in launching Distributed Denial of Service (DDoS) Attacks (  Thirdly, compromising a single session on a shared server opens up all of the other accounts on that server as well as other servers in that data-center.

How They Are Gaining Access

A webserver has a different attack surface from the normal workstation.  This is how they're being compromised in no particular order.

Many webhosting providers limit the customer us using a web-based management tool like cpanel or webmin.  They may have their own vulnerabilities that let an attacker in that way (if the hosting company isn't updating regularly or following good security practices.) 

Many customers use these services because they don't have a lot of experience running servers, so they make make poor choices in selecting which applications they install and may be lax in keeping them up to date.  Popular packages like wordpress, or drupal need to be regularly updated and configured securely.  This is not always intuitive and there are a lot of vulnerable builds running out there.

FTP credentials are commonly targeted by other malware.  For example, if your home PC stumbles upon an exploit site, one of the intermediary payloads will search for registry settings identifying FTP applications on the system and will attempt to extract the username/password and feed that up to the botnet controller.  So while that botnet-for-hire is installing whatever banking trojan that they've been contracted for, they're also building up a database of credentials to other potential future hosting sites.

Once a criminal has an account on a server, it become easier for them to attack other accounts on the system or escalate privileges to take over the entire system.  If a criminal has a stolen credit card or paypal account, they can easily gain access to an otherwise secure server.

What You Can Do

While you can't patch the server, cpanel, etc. you can keep your own services patched and configured securely.  We live in an environment where you can't be certain that everything is secure, so you have to plan on something getting compromised and having a plan.  In this case, you plan on the server being compromised some time in the future, and develop a recovery plan.  This mean regular backups and inspection of the site.  Logs should be exported off regularly for analysis and alerting.  You want to quickly detect when things begin to go awry.  So you should already work out what the best emergency/security/abuse contact process is for your hosting provider.  These are things you will have to keep in mind when you recommend an inexpensive hosting solution to a friend, family member, or volunteer organization.

5 comment(s)
Diary Archives