hacked me

Hi
Security is very low
I got hacked a few moments before
And in the Homeimage

  • of my 5 points, none have been totally rebutted - work continues on the ones that have been commented on, showing that they are not irrelevant and the remaining ones are indeed security vulnerabilities which need to be more widely accepted, comprehended and responded to.

    the ssl issue truly is a denied aspect of 'security'. the main reason, to my knowledge, that this is not more widely known about and cared about is that so many have blind faith in the ssl system as it has been and do not wish to admit to the large scale hacking and exploitation of the ssl approach (on all websites, not elgg specific) that has been occurring. the hackers want to keep hacking, the cert sellers want to keep selling and generally the 'public' doesn't know. whether these specific cases of elgg installs being messed with are related to the points i have put forward is irrelevant to the bigger picture. if one set of exploits is fixed, then others will be used until there are none left.

    before you knights mount up to the keyboard with your armoured gloves on to defend the honour of the code.. , i recommend researching the defcon series on youtube. ;)

  • @ura soul, it looks like files were changed on the guy's server. On a properly configured server that should not be possible. This has nothing to do with Elgg accounts or connecting to mysql.

    1. The web server user should not be able to write to any directory in the web directory or change any file. Permissions of 755 on directories and 644 on files are reasonable defaults assuming a user owns the files and not the web server user. If the web server user owns the files, change that.

    2. Protect your server account with a strong password and do not use telnet or ftp to connect to the server. Only use ssh, sftp, and scp. Even better, do not allow logins with passwords on the server but configure for using ssh keys.

    3. Keep the server up to date on security patches.

  • very nice ^_^ Michele i am using srvixe and s-z1.com my hosting company that i own : )

  • tell me who your host is and i will give you a elgg virtual hug lol ^_^

  • lol ok please inbox me then : ) let me know the host that you was using and you had directory protection enabled in cpanel etc? and a long password?

  • Another tip which I use to avoid admin misuse. I revoke access to /admin and a bunch of other vulnerable URL's based on IP address (be ware to only revoke URL's that are admin only). So even if someone would try the SSL man in the middle attack. They have very limited possibilities to harm the site.

    If using ssh or scp : Enforce passphrase authentication on top of username password and ssh keys. I am using that for over a decade now on various sites, with thousands of attacking attempts to that port. Never been compromised !

    @Michelle, it is a real shame that they hacked a site with such a noble goal. Let your hosting provider scan for root kits, since they messed up your smtp, they must have had os level access.

  • the man in the middle attack can involve the presenting of the intruder as having the ip address of the pc that initiates the connection, so i am unclear on how restriction of access to admin pages by ip would achieve much of an increase in security in terms of a mitm attack. e.g. if you set your server to only allow admin connections from your home pc then the man in the middle attack can occur in between your home pc and the webserver. you may perceive that to be an unlikely occurence; however, it is a common occurrence that is initiated by governments, for example and could possibly be initiated by others using various methods.
    http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/


    another point i real-eyesed is to not use the web-browser / email client on your server, since that is a primary weak point and attack vector.

  • i see well thanks for sharing this and the feedback as it has made me much more aware of security

  • @Ura soul. I limit pages to local IP addresses (which is only possible when you are on the same network as your server).

    @Michelle, glad to get a smile on your face ! If your provider cannot guarantee security or enable SSH keys and passphrase, you really need to switch provider. SSH attack is very popular from a hacker perspective because if succesfull, almost everything is possible. SSH is very powerfull and you can even forward traffic on ports and that makes it a hopping point into local networks.

  • @gerard - i see, ok.. all the more reason not to use web-clients to access external websites from the server network then.. :(

    see: http://www.youtube.com/watch?v=Zazk0plSoQg

    which shows how many types of router can be hacked relatively easily via browser javascript attacks.. 

    basically there are security holes in all the commonly used protocols currently!