The Internet is a weird place…

I run several websites off of my one Linux server sitting here in my house.  I try to keep it reasonably secure: it’s behind a firewall with a limited number of open ports, I try to keep my software somewhat up to date, and I install code to intercept blatant attempts to spam or attack my site.

Unfortunately, I do maintain my server in my spare time, and I don’t put a ton of effort into it.  I realized a couple of years ago that my PHPNuke based sites were vulnerable.  The code itself is full of security holes, and is famous for providing numerous avenues of attack…particularly via SQL injection

In the past five years, my site or my server has been compromised several times.  Every incident started with SQL injection via one of my PHPNuke sites.  A few years ago, I migrated my main blog to WordPress, and it has been rock solid ever since…but the other sites are still vulnerable. 

During the worst such occurrence, the attackers actually managed to use this method to install a piece of software that allowed them to launch a terminal session.  From there, they successfully used my server for several days to send spam emails.  It was intriguing to follow their trail 72 hours after the fact and see what they had done.

My server is a lot more secure now than it was in 2003 when that last major attack occurred.  But my system is constantly being probed for vulnerabilities.  The latest intrusion was about two weeks ago- again, via PHPNuke and SQL injection.  I had that vector basically plugged for a couple of years, but apparently an update to PHPNuke unlocked the door just enough to permit a relatively minor intrusion.  This time, the bad guys installed a single pixel iFrame in the footer of one of my websites that attempted to launch a browser trojan impacting the visitor’s machine.  I cleaned it out within 24 hours of it being installed, and re-applied patches to PHPNuke that supposedly close the door once again. 

Since that day, my server has been brought to its knees three times in a row by what, based on the limited information I can gather, appears to be a very crude denial of service attack.  It could just be a coincidence, and I certainly could be reading the evidence incorrectly.  But it does make me wonder: why would someone put any effort into trying to compromise my tiny little server?  What is the point? 

Like the subject for this post says, the Internet is a weird place.

[tags]sql injection, phpnuke, crackers, script kiddies, morons[/tags]

6 thoughts on “The Internet is a weird place…”

  1. The answer maybe as simple as because. That’s it and nothing more, nothing personal or otherwise. Too much spare time for a few individuals out there perhaps.

    What frightens me is that you know what all that means… and I have no clue and even you weren’t immune to the attacks. This makes all the attempts to keep this little machine of mine clean impossible and I don’t consider myself completely incompetent.

  2. Well, that explains why you haven’t been posting for 2 weeks… and here I just thought you were lazy 😉

    Oblivions, there is a big difference between a server and your desktop PC, much akin to a public tore and a private home. A store that has it’s doors open and allows anyone to wander in off the street is going to be much more vulnerable to robbery than your house. All of the vulnerabilities Kelly mentioned only apply if you are using your computer as a server.

    Even if it is a small little store in an out of the way neighbourhood. Which might be exactly why they are attacking it Kelly, they figure it’s an easy target to practice on, rightly or wrongly think it has lower security, and they are less likely to get arrested than if they went after a big company with deep pockets.

    Other than that… either you pissed off someone, and on the internet that is ridiculously easy to do and you may never even know it – maybe you laughed at someones screen name – or it is because of who you work for and they are foolish enough to think they can get into your work stuff from your personal stuff.

    Oh, and last theory … the chinese hacker army needs someone to practice on so it may as well be you 😉

    And what frightens me is that in general I do understand what Kelly is talking about and I consider do myself to be completely incompetent *lol*

  3. For the most part, Chris has it right: your home workstation is somewhat less of a target than a web server. Both may be sitting on the big, bad, internet, but the webserver is advertising its presence: otherwise, its not doing much good serving web pages to people who can’t find it 😉 If you want to run a webserver in your home, you had better at least know the basics of security and OS administration.

    A properly configured firewall for your workstation can make your home PC completely invisible: even if someone knows your IP address, they can’t get at your machine unless you install something on your machine first that lets them. That’s where all those trojan applications and such come in: they “call home” to the bad guy, giving him a way in because the user knowingly or unknowingly opened the door first.

    Case in point: I installed a super-simple firewall and AV software on my Mom’s computer and directly attached her to the Internet a few years ago. My Mom is in her 80’s, so she’s definitely not keeping up with the latest worms or cracker exploits. All she does is keep her Antivirus software up to date, and ask my nephew or I when something weird happens on her computer (not often). After three years, her machine is still worm and virus free.

    My webserver, on the other hand, can’t be *completely* blocked via a firewall- folks have to be able to initiate a web session, so at least port 80 has to be open. And then there is the software that serves those web pages: in the case of my server, PHPNuke and WordPress. WordPress is well-written, and doesn’t have obvious holes. PHPNuke is poorly written, and has a *lot* of obvious holes. Unfortunately, I have sites using PHPNuke that would be more hassle to migrate than I want to invest.

    My server has nothing confidential on it, nor can it be used as a gateway to my work stuff. But it still bugs me that I have to periodically fix the mess the script kiddies leave behind. Sort of like having a nice front yard, and every once in a while the neighborhood thugs smash the flowers and knock over the garden gnomes…it is a “violation” and a bit frustrating, but nothing serious.

    That said, every once in a while I’d like to plant explosives in the flower bed and give my garden gnomes flame throwers…

  4. Nice visual, hoards of little garden gnomes in their pointy hats, with little “semper fi” tattoos and cigar stubs clenched in their teeth, squinting beady eyed at the neighbourhood offspring before they let loose with streams of flaming death! 😉

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.