Webmaster General Forum

This 49 message thread spans 2 pages (this is page 1).
Protecting your website and your data from your host
I suspect someone from my host is playing with a site.
chris_f
msg:380988
9:37 am on Jan 8, 2003 (gmt 0)

Hi All,

I have a website. It is more of an advertising medium. People pay about $40 or $60 to advertise what I specialise in on my site. However, I recently got a couple of emails from some "customers" (you'll see why the inverted commas are in there in a minute). They said that their advert had been taken down without any notification and the time was not due to expire. I found their advert but there were NO order details, which is why they didn't get an email.

This is weird, so I asked when they signed up and they said a Mr.X from my company did it for them. I am the only one working for my company, however, the name rang a bell. They had all done a deal with Mr.X after he got in contact with them and they all paid him 1/4 of the price of advertising. He set them up with a username and password and made their adverts live on my site.

I found this very worrying as my code is VERY secure and no one could possibly get the passwords. Then I remembered the name they mentioned. After checking some past emails to my host, he was one of the people there. Now, in order for my code to interact with the database the code needs read and write permissions. The password is stored in the global.asa. The number they contacted Mr.X on was the mobile phone number of Mr.X.

I think he is reading the global.asa to get the, frequently changed, password and is selling advertising space on my site cheaply. I am currently writing code to catch him in the act.

My question is this. How can we protect our sites and databases from our hosts? As well as doing the dirty on my site I think he is selling off customer lists. How do we protect our data? Any advice is appreciated.

Chris

 

ukgimp
msg:380989
10:03 am on Jan 8, 2003 (gmt 0)

Man that stinks.

Change host?
In the current broadband world: Self host?

Not really great options.

When you catch this monkey are you willing to let us know how you went about it?

Cheers

jackofalltrades
msg:380990
10:10 am on Jan 8, 2003 (gmt 0)

Get evidence.

Change host.

Sue old host.

Surely this must be a breach of the Data Protection Act? Scratch that question - what the guy's doing (I'm assuming there isn't an alternative explanation here) is obviously illegal.

Get the evidence and hit him with it.

JOAT

Tony_Perry
msg:380991
10:24 am on Jan 8, 2003 (gmt 0)

chris
If what you say is really happening that is a very serious case of fraud which an English court would punish severely! Collect all evidence and get yourself a commercial litigation lawyer, now!

Tony

DaveN
msg:380992
10:24 am on Jan 8, 2003 (gmt 0)

Chris, how big is the host? Can you go above his head?

What format is the site: PHP, ASP, etc etc?

Depending on your setup could you multi-host passwords or adverts on a different host?

We host quite a few customer database sites and would never think about selling client details, never mind adverts on their sites. If there is anything we can do to help, sticky me.

DaveN

Dreamquick
msg:380993
10:58 am on Jan 8, 2003 (gmt 0)

That does suck, however what I would say is:

>> How can we protect our sites and databases from our hosts? As well as doing the dirty on my site I think he is selling off customer lists. How do we protect our data? Any advice is appreciated.

Indirect experience has shown that 99% of the time unless it is your own box the hosting company will have a better or equal level of access to the box and your scripts due to maintenance needs and/or original setup. However the level of access they have should be stated in your contract if it is not obvious.

A direct DB edit if you have a complex system seems unlikely as in my experience directly editing someone else's tables in a complex database to make stuff work is a total pain unless someone has explained *exactly* what you need to do.

Does your database seem like someone has used the trial & error approach of entering data into it?

A more likely scenario is that they have been using the nice interface if one exists... Assuming you have a web-based interface to maintain this sort of stuff and this is how they did it, wouldn't the logs show the stuff being modified or setup (assuming they didn't get modified too)?

If you can see people using your admin tools who aren't you then you should be able to work from there...

Another scenario you might want to consider is that there is at least one "insecure" part in your "secure" setup and someone has gotten access to your site's internal admin interface and started meddling.

Finally you said that someone claimed to have paid for these services but not paid you... Well surely this is the place to start?

If they paid by CC or similar then they might have a merchant receipt or at least have a note on their statement telling them who they paid or who processed it.

If they paid by cheque/phone then even better because you then have a physical address!

If you honestly feel that your site has been "hacked" then I could suggest at least one place where you could ask the "who/ what/ where/ why" type questions and get decent answers - if you want this drop me a sticky.

- Tony

chris_f
msg:380994
1:00 pm on Jan 8, 2003 (gmt 0)

Hi All,

Thanks for all the responses.

>> In the current broadband world :Self host?
Alas, I would love to, however, I can't seem to get hold of a static IP address.

>> When you catch this monkey are you willing to let us know how your went about it?
Damn straight. You'll be the first to know.

>> Surely this must be a breach of the Data Protection Act?
This guy obviously does not care.

>> Collect all evidence and get yourself a commercial litagation lawyer, now!
Just got off the phone to a friend who is a specialist lawyer in this field :).

>> How big is the host? Can you go above his head?
It is a very big hosting firm. They host for a lot of VERY BIG COMPANIES.

>> what format is the site?
ASP and ASP.net. With an excellent control panel for setting up my emails, DSN, sub domains and folder permissions.

>> Depending on your setup could you multi-host passwords or adverts on a different host?
It will be a very big job to alter all the code.

>> We host quite a few customer database sites and would never think about selling client details, never mind adverts on their sites. If there is anything we can do to help, sticky me.
Thanks for the offer Dave. I might just take you up on that.

>> That does suck
You can say that again.

>> Does your database seem like someone has used the trial & error approach of entering data into it?
There were a few unexplained and strange occurrences before all this started.

>> A more likely scenario is that they have been using the nice interface if one exists... Assuming you have a web-based interface to maintain this sort of stuff and this is how they did it, wouldn't the logs show the stuff being modified or setup (assuming they didn't get modified too)?

>> If you can see people using your admin tools who aren't you then you should be able to work from there...

My logging system says no. All the login times match me.

>> Another scenario you might want to consider is that there is at least one "insecure" part in your "secure" setup and someone has gotten access to your site's internal admin interface and started meddling.
Logs say no again.

>> If they paid by cheque/phone then even better because you then have a physical address!
I'm getting all the details sent to me.

Chris

gsx
msg:380995
1:11 pm on Jan 8, 2003 (gmt 0)

If they placed the orders on his mobile phone, where did they get that number from?

mack
msg:380996
1:13 pm on Jan 8, 2003 (gmt 0)

The best way of getting proof: approach Mr X as a potential customer and see if he does the same for you?

chameleon
msg:380997
1:14 pm on Jan 8, 2003 (gmt 0)

chris_f

My first set of advice would be to print out every e-mail you've had with your customer (if it was a phone conversation, ask them to send you the details in an e-mail), and take them to a lawyer.

My second set of advice is never store a password as plain text. NEVER. NEVER EVER.. Store them encrypted. Use something like RC4 to encrypt the password in your global.asa, and the challenge password entered into your system during login. Compare the encrypted strings, not the unencrypted ones.

By using this approach, NO ONE will ever know what the password is -- even if they look at the global.asa. It's EXTREMELY difficult to "unencrypt" a password that uses strong encryption, so the viewer will be left guessing until he finds the right password. That could take 100 lifetimes.

Of course, you must use a good password (not your name, or your company name, or the city you live in), and use a long encryption key as well (which RC4 will use along with your password to generate the encrypted string).

Good luck!

jackofalltrades
msg:380998
1:15 pm on Jan 8, 2003 (gmt 0)

> The best way of getting proof: approach Mr X as a potential customer and see if he does the same for you?

ooh! <raises hand and volunteers for that job!>

I'm great at stuff like that!

You wouldn't believe the information I've gotten outta the competition by calling their marketing department and saying I was writing a report for uni! ;)

JOAT

chris_f
msg:380999
2:01 pm on Jan 8, 2003 (gmt 0)

>> If they placed the orders on his mobile phone, where did they get that number from?
The email he sent I suppose.

>> The best way of getting proof: approach Mr X as a potential customer and see if he does the same for you?
I didn't think of that. I think I will. I record phone conversations as well.

>> My first set of advice would be to print out every e-mail you've had with your customer (if it was a phone conversation, ask them to send you the details in an e-mail), and take them to a lawyer.
Doing now.

>> My second set of advice is never store a password as plain text.
It is encrypted and a dll is used to encrypt the password on the system for a match, however, as it is a dll it is a component. My host will only allow you to have components if you send them the code and they compile it. This is for legit security reasons.

>> The best way of getting proof: approach Mr X as a potential customer and see if he does the same for you?
>> ooh! <raises hand and volunteers for that job!>
>> I'm great at stuff like that!

I know what my clients are like so I can act like them. I also know what questions to ask and what background info to give. Thanks for the offer though.

Chris

jackofalltrades
msg:381000
2:07 pm on Jan 8, 2003 (gmt 0)

>>> The best way of getting proof: approach Mr X as a potential customer and see if he does the same for you?
>> ooh! <raises hand and volunteers for that job!>
>> I'm great at stuff like that!
> I know what my clients are like so I can act like them. I also know what questions to ask and what background info to give. Thanks for the offer though.

Awww.... :(

K then, s'pose so...

Good luck n have fun! :)

JOAT

ukgimp
msg:381001
2:14 pm on Jan 8, 2003 (gmt 0)

>>I didn't think of that. I think I will. I record phone conversations as well.

I "think" that is illegal or certainly not admissible unless you have permission to do so in advance. May be enough for the persons employer if you wish to bust him. Just something you should consider.

Dreamquick
msg:381002
2:19 pm on Jan 8, 2003 (gmt 0)

Good luck with this Chris_f, I forgot to say that earlier!

chameleon,

Your comment about encrypting / hashing the password is definitely a step in the right direction but that doesn't necessarily stop them getting access to whatever that password is for (I'm assuming the password is for a database or a db server).

The problem with encrypting passwords where the encryption is not totally end-to-end (ie the password will exist in an unencrypted state during one or more phases of the authentication process) is that the password needs to be decrypted at some point.

Now if I know the code *must* talk to the database at some point, the code must know the password! I also know that a decrypt function must live inside the site code so in theory all I need to do is figure out where this happens and it's as good as mine...

However, as long as the "attacker" (for want of a better word) has physical access to the machine then there is no real way to keep a box, or anything on it, "secure".

Firstly you have the problem that they may already have a login with superior access levels to yours or perhaps a network-wide trusted login. Even if they cannot directly access the database due to restrictions they could attempt to intelligently brute-force the password in its secure form if they have a login which can see the hash - it can be tricky but it is possible with enough time.

Secondly with physical access they could also sniff out the password as it goes down the wire - if it's sent "in the clear" then they have it already, if not then they might be able to decrypt it (or perhaps replay this data at a later date if the security has not been implemented properly).

Alternately you could hook the database library/drivers which may allow you to see the password it was given to connect to the server if it ends up in an unencrypted state inside it.

- Tony

gsx
msg:381003
2:41 pm on Jan 8, 2003 (gmt 0)

ukgimp, I believe it is not illegal to record telephone conversations in the UK anymore as long as one party knows it is being recorded (chris_f will have to check that though), or you have a warrant.

ukgimp
msg:381004
5:03 pm on Jan 8, 2003 (gmt 0)

GSX

That's what I meant, I think :) You would have to let them know you were recording though, I don't think it is enough for just the person recording to know.

Cheers

chris_f
msg:381005
5:31 pm on Jan 8, 2003 (gmt 0)

>> Recording telephone calls.
I have called him and alerted him that the telephone call was recorded, as it was the policy of the company I was pretending to work at. He cleared it all, which means I'm ok.

>> I have rung him. He said some stuff that interested me.
1. He helped set up my company 5 years ago and is a CEO.
2. The site was coded and designed mainly by him.
3. He is giving discounts as a celebration of us breaking an undisclosed profit barrier.

WHAT BULL.

Anyway. I contacted the CEO of the hosting company. I told him what I suspected and what I was planning. He is a friend of a friend so I know he would help me as my gripe is with his employee and not the company.

I have asked Mr.X to put up an advert and have paid. Guess what, it's live. My lawyer is drawing up papers for him and the police. I will know more tomorrow. I have the logs and evidence it is him.

The CEO of the hosting company has passed my lawyer security logs showing Mr.X's doings. I have got a copy and it is absolute proof. He accessed my database at the time the advert went live. Apparently, I'm not the first to complain about an employee doing something like this. There was no proof previously though and no suspect.

Chris

This is moving so fast. I was suspecting it would take months. Guess I've got to wait for a court date yet.

jackofalltrades
msg:381006
5:35 pm on Jan 8, 2003 (gmt 0)

Nice one mate! :)

JOAT

mack
msg:381007
4:20 am on Jan 9, 2003 (gmt 0)

well be sure to keep us all posted!

:)

chris_f
msg:381008
12:53 pm on Jan 9, 2003 (gmt 0)

Wow,

This is happening TOO QUICK, if there is such a thing in the legal practice. The evidence is overwhelming. He has been suspended pending the trial which is Tuesday 21st Jan. How come a person who stole money off me Feb last year still ain't in court until March? My lawyer thinks it will be an open and shut case.

Chris

chameleon
msg:381009
1:28 pm on Jan 9, 2003 (gmt 0)

Wow, that's great news Chris.

We're rooting for you....

chris_f
msg:381010
8:41 am on Jan 13, 2003 (gmt 0)

Just got court confirmation this morning. The 21st it is.

Chris

ukgimp
msg:381011
8:44 am on Jan 13, 2003 (gmt 0)

You have had some quick responses on this. I bet there are some people here wondering how you did it. I took much longer than this to get my mortgage sorted :).

Nice one anyhow.

chris_f
msg:381012
1:51 pm on Jan 13, 2003 (gmt 0)

Ukgimp,

To get anything done in this world you need one of 3 things:

1. Power
2. Money
3. Friends

For me:

Power = 0
Money = A fair bit but not enough to influence
Friends = Loads with major influence, but alas, none in this field.

Therefore, I had to do number 4. Be very annoying, persistent and make every second question WHY? For example,

Why did you employ him?
Why did you not check up on him?
Why are you not doing anything?
Why will it take that long to do anything?
Why? Why? Why?

It's a natural talent. If I need something sorted it gets sorted.

Chris

bcc1234
msg:381013
2:24 pm on Jan 13, 2003 (gmt 0)

If it's a dedicated box and you know what you are doing - change PAM settings to disable console login and watch the uptime.
There is no way your host can access your box without rebooting then.

But make sure you know what you are doing. One wrong move and you'll lock everybody out of the box.

<edit>sp</edit>

chris_f
msg:381014
2:27 pm on Jan 13, 2003 (gmt 0)

bcc1234,

It is a dedicated server, however, what you have suggested is very tricky to set up. There are also two drawbacks to that approach.

1. It can be easily overridden (without a reboot)
2. I log on regularly. This would prevent that.

Thanks anyway.
Chris.

bcc1234
msg:381015
2:31 pm on Jan 13, 2003 (gmt 0)

>> Now if I know the code *must* talk to the database at some point, the code must know the password! I also know that a decrypt function must live inside the site code so in theory all I need to do is figure out where this happens and it's as good as mine...

It's always a good idea to use one-way encryption.
There will be no decrypt function at all.
Something like: mypasss->HJkjhfs9d8fdh

And in the database you have:
myuser1 JK98uklhkjsdfsd
myuser2 K9efjk222redjfk

...and so on.

And when somebody enters a password - you encrypt it and compare it with what you have in the password field.

There is no way to know the original password in that case.

That's how it's done on most systems.
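The one-way scheme bcc1234 describes (and the objection Dreamquick raised to chameleon's reversible RC4 idea), as an added example in Python that is not code from the thread: a per-user salt, an iterated hash, a verify step that re-derives and compares, and no decrypt routine anywhere. It covers user login passwords only; the database connection password in Chris's global.asa still has to exist in usable form for the code, as Dreamquick points out, so this does not remove that secret.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Work factor for PBKDF2; raise it over time as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a one-way record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    There is deliberately no decrypt function: the only operation available
    is to re-derive the hash from a candidate password and compare.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:  # malformed or tampered record
        return False
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Turn (username, password) pairs into the 'username -> hash' table bcc1234 describes."""
    return {user: hash_password(pw) for user, pw in credentials}


# Record for a random, unguessable value: a lookup for an unknown user then
# costs the same as a real verification, so timing does not reveal valid usernames.
_DUMMY_RECORD = hash_password(os.urandom(32).hex())


def login(table: Dict[str, str], username: str, password: str) -> bool:
    """Check a login attempt against the table; the stored value never yields the password."""
    record = table.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in table


if __name__ == "__main__":
    # Constructed sample users, not real accounts.
    users = build_user_table([("myuser1", "correct horse"), ("myuser2", "correct horse")])
    for user, record in users.items():
        print(user, record)  # same password, different records thanks to the salt
    print(login(users, "myuser1", "correct horse"))  # True
    print(login(users, "myuser1", "wrong"))  # False
    print(login(users, "nobody", "correct horse"))  # False
```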

bcc1234
msg:381016
2:34 pm on Jan 13, 2003 (gmt 0)

>> 1. It can be easily overridden (without a reboot)
>> 2. I log on regularly. This would prevent that.

1. How?
2. You allow shell access, but not the console access. And change your root password.

The only way I see it being changed is with a boot from a floppy, CD or net. Any way requires a reboot.

<added> Oh, are you using Windows? Just noticed the part about dll. Sorry, never mind then.</added>

brotherhood of LAN
msg:381017
3:54 pm on Jan 13, 2003 (gmt 0)

Congrats on getting that sorted chris_f, man, you must have been well **$(T% when you found out what this guy was playing at. Sad as.

RE the password thingy

Maybe having part of the script on another server could help, it would be a little slower, but at least no single (and shady) host will have access to all parts of your working script.
