
Protecting your website and your data from your host

I suspect someone from my host is playing with a site.

     
9:37 am on Jan 8, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


Hi All,

I have a website. It is more of an advertising medium. People pay about $40 or $60 to advertise what I specialise in on my site. However, I recently got a couple of emails from some "customers" (you'll see why the inverted commas are in there in a minute). They said that their advert had been taken down without any notification and the time was not due to expire. I found their advert but there were NO order details, which is why they didn't get an email.

This is weird, so I asked when they signed up and they said a Mr. X from my company did it for them. I am the only one working for my company; however, the name rang a bell. They had all done a deal with Mr. X after he got in contact with them and they all paid him 1/4 of the price of advertising. He set them up with a username and password and made their adverts live on my site.

I found this very worrying as my code is VERY secure and no one could possibly get the passwords. Then I remembered the name they mentioned. After checking some past emails to my host, he was one of the people there. Now, in order for my code to interact with the database the code needs read and write permissions. The password is stored in the global.asa. The number they contacted Mr. X on was the mobile phone number of Mr. X.

I think he is reading the global.asa to get the (frequently changed) password and is selling advertising space on my site cheaply. I am currently writing code to catch him in the act.

My question is this. How can we protect our sites and databases from our hosts? As well as doing the dirty on my site, I think he is selling off customer lists. How do we protect our data? Any advice is appreciated.

Chris

5:28 pm on Jan 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


bcc1234,

You asked how? If I revealed that I'd be revealing a major security flaw on a lot of systems. Needless to say, it's part of one of my jobs to know how to do it.

brotherhood_of_LAN,

I've considered that approach. The problem was the server talk time and down time. There was also a problem which I won't go into. WAY TOO COMPLICATED.

Chris.

7:13 pm on Jan 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


>> You asked how? If I revealed that I'd be revealing a major security flaw on a lot of systems. Needless to say, it's part of one of my jobs to know how to do it.

Which OS are you talking about?

9:00 am on Jan 14, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


>> Which OS are you running?

It varies. Usually Win2K, but the flaw is in a lot of products.

Chris

9:22 am on Jan 14, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 25, 2002
posts:872
votes: 0


bcc1234,

It's always a good idea to use one-way encryption.
There will be no decrypt function at all.
Something like: mypasss->HJkjhfs9d8fdh
And in the database you have:
myuser1 JK98uklhkjsdfsd
myuser2 K9efjk222redjfk

...and so on.

And when somebody enters a password - you encrypt it and compare it with what you have in the password field.

There is no way to know the original password in that case.

That's how it's done on most systems.

My point was that unless whatever you have stored your data inside supports this type of stuff natively, that type of security is only good as long as I can't just side-step it...

i.e.

If you deployed this at the database-login stage then it's fairly secure, but if this was moved into the application-login stage then the weak link becomes that I can probably get access to the database using the db login your code uses...

- Tony
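
The one-way-hash scheme quoted above, together with Tony's caveat that it can be side-stepped by anyone holding the database login the code uses (which is what the original poster describes: an employee with the global.asa credentials setting up accounts and live adverts), worked through as an added example. This is not code from the thread or from the poster's site. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison, a constructed in-memory SQLite database standing in for the real one, and invented table and column names; the rogue-account step and the reconciliation query (live adverts with no order record) are illustrations of the two points made in the thread, not the poster's actual detection code.

```python
import hashlib
import hmac
import os
import sqlite3

# Iteration count is an assumption for the example; tune it for the server.
PBKDF2_ITERATIONS = 120_000


def open_db():
    """Constructed in-memory stand-in for the site's database. The real site kept
    its DB credentials in global.asa; the table and column names here are assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users   (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
        CREATE TABLE adverts (id INTEGER PRIMARY KEY, username TEXT NOT NULL, live INTEGER NOT NULL);
        CREATE TABLE orders  (advert_id INTEGER NOT NULL, amount_paid INTEGER NOT NULL);
    """)
    return db


def hash_password(password, salt=None):
    """One-way: PBKDF2-HMAC-SHA256 over the password with a per-user random salt.
    Nothing stored can be turned back into the password; a login is checked by
    recomputing the digest with the stored salt and comparing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_user(db, username, password):
    salt, digest = hash_password(password)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def verify_login(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, row[1])


def publish_paid_advert(db, username, amount):
    """Legitimate path: an advert goes live together with its order record."""
    cur = db.execute("INSERT INTO adverts (username, live) VALUES (?, 1)", (username,))
    db.execute("INSERT INTO orders VALUES (?, ?)", (cur.lastrowid, amount))
    return cur.lastrowid


def insider_with_db_login(db):
    """The side-step. Someone holding the DB login out of global.asa never has to
    reverse a hash: they store a hash of a password they chose and set an advert
    live with no order behind it. The application accepts the row like any other."""
    create_user(db, "cheap-customer", "picked-by-mr-x")
    cur = db.execute("INSERT INTO adverts (username, live) VALUES (?, 1)", ("cheap-customer",))
    return cur.lastrowid


def live_adverts_without_order(db):
    """Reconciliation query in the spirit of the 'no order details' observation:
    every live advert must have a paid order, so adverts inserted directly stand out."""
    return db.execute("""
        SELECT a.id, a.username
          FROM adverts a
          LEFT JOIN orders o ON o.advert_id = a.id
         WHERE a.live = 1 AND o.advert_id IS NULL
         ORDER BY a.id
    """).fetchall()


def demo():
    db = open_db()
    create_user(db, "myuser1", "correct horse battery")
    paid_id = publish_paid_advert(db, "myuser1", 60)
    insider_with_db_login(db)
    return {
        "good_login": verify_login(db, "myuser1", "correct horse battery"),
        "bad_login": verify_login(db, "myuser1", "wrong"),
        "unknown_user": verify_login(db, "ghost", "anything"),
        # Hashing protected myuser1's password, but not the site: the inserted account works.
        "rogue_login": verify_login(db, "cheap-customer", "picked-by-mr-x"),
        "paid_id": paid_id,
        "orphans": live_adverts_without_order(db),
    }


if __name__ == "__main__":
    print(demo())
```

The hash stops the insider learning any customer's password from the users table, which is all the scheme quoted above promises. It does nothing against someone who can write to the table with the application's own login, so the check that actually catches the behaviour described in the thread is the cross-reference between live adverts and orders, not anything in the password store.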

3:37 pm on Jan 14, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member eliteweb is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 5, 2001
posts:2723
votes: 0


Ooo chris_f, I feel for you and your situation. It's annoying how anything could have even been done. One of the reasons I don't host other people's stuff on my server is for the sole fact that I value the data on my server more than that 10 bucks. Luckily for me my hosting co. knows my background in security and h. so I feel they wouldn't step on my toes. If I ever found out someone at the co. was to even log into my server without permission I'd go ballistic. :D

4:55 pm on Jan 14, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 16, 2002
posts:533
votes: 0


I think you just hit the lottery and you can take this entire host down. Excellent.

5:44 pm on Jan 15, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


>> I'd go ballistic

If I walked up to my cabinet and he was there, he wouldn't have left the room walking. Lucky he was discovered over the internet.

>> you can take this entire host down

I don't know whether I want to take the host down for one employee.

Chris

6:03 pm on Jan 15, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 12, 2002
posts:885
votes: 0


My vote would be for taking the employee down hard. Only if they show a pattern of employing or protecting such sleazeballs would I try to take down the hosting company.

1:04 pm on Jan 16, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


Agreed.

12:49 pm on Jan 20, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


Here's an update.

I'm in court (and hospital) tomorrow, a busy day :).

Anyway, I've just got off the phone with my lawyer. Apparently Mr. X is refusing to appear in court tomorrow. Boy, will that make my day. If he does not appear then the hearing goes ahead as it would have. If he is let off :( then he will have to reappear to explain his actions. If he goes down :):):) then an arrest warrant will be produced and they will hunt him down like the dog he is :).

Chris.

8:31 pm on Jan 20, 2003 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 10, 2002
posts:927
votes: 0


Well, I'll keep my fingers crossed for :):):) for you.
Nothing serious at hospital, I hope.

gsx

9:08 pm on Jan 20, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 20, 2002
posts:603
votes: 0


:)

9:40 am on Jan 22, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


>> Nothing serious at hospital

It was! There was a 90% possibility of a tumor right near my brain. The test came back negative though :).

Anyway, back to the point in question.

Firstly, I can't post everything. Although I have been told by my lawyer that a positive verdict will mean I can post whatever I want (including names), for Brett's peace of mind, I'm not going to mention the person or the company. I have received stickies asking for the company's name. I am not giving it out. However, if someone is worried that my host might be the same one as theirs, then send me a sticky with their location (e.g. Birmingham or Middlesex etc...) and the general colours of their website. I'll send a reply with an 'it's possible' or a 'no'. I would only be worried if your host constantly reminds you of some of their BIG clients.

Right. As you can possibly guess, I WON. No action was taken against the company, which is what I wanted, although it was advised that they monitor their staff more carefully. Mr. X was ordered to pay all the money he made out of the advertising to me. Damages were also awarded. 12,000 in total, which was mainly damages. He has been fired by the company and as a gesture of good will they have given me 2 years free hosting (worth around 16,000).

Me big :)ly :)ly.

Grand Total: 28,000 approx. Anyone for a loan ;).

Chris

9:53 am on Jan 22, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2003
posts:1230
votes: 0


Congrats chris! This seems to be a happy end. First the hospital and then this. a grand total

10:04 am on Jan 22, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 6, 2001
posts:2213
votes: 0


Well done Chris

No loan thank you, but if you have some spare hosting and bandwidth I might take you up :)

10:05 am on Jan 22, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:May 15, 2002
posts:542
votes: 0


Well done chris!

there is justice sometimes :)

10:13 am on Jan 22, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


I have nothing to say other than :):):).

10:37 am on Jan 22, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 4, 2002
posts:1314
votes: 0


Lawyers, doctors, and two happy endings :) :)

What's the chances of that!?

Congratulations, chris_f!

10:44 am on Jan 22, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 17, 2001
posts:409
votes: 0


All in all, this thread makes a great, almost movie-like story. Good guy, bad guys, good plot with interesting twists, happy-end...

Thanks for sharing it with us, chris_f!
