
Standard Obligations of a Webmaster

Reasonable site security?

1:33 pm on Feb 10, 2005 (gmt 0)

New User

10+ Year Member

joined:May 15, 2004
posts:8
votes: 0


Knowing little about site administration I contracted a programmer/webmaster to set up, maintain and test my new web service site. Turns out he used a same-case, common 6-letter English word (“giants”) to protect the backroom; the inner sanctum. To make a long story short, the site was hacked at the root, used for DOS attacks, totally compromised, etc. I had to take it all down because hidden hacker stuff likely remained, putting everyone at risk. I was told by the host server technicians that the hack almost certainly occurred by means of a dictionary brute force attack that could have been prevented by a better password. My site was about to go commercial and had lots of middleware etc. I don’t know when if ever I will get it back up; a big loss. Now the programmer/webmaster is demanding a final payment. This is not a request for legal advice but I need a reality check: He was the only “go to” guy entrusted with the backroom. Isn't it unusual to use that kind of password for the backroom on a server and not change it, apparently for over a year?
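
As an added illustration (not part of the thread), a password acceptance check of the kind the host's technicians implied was missing: it rejects same-case dictionary words such as "giants", even with trivial decoration, and shows why a dictionary attack needs far fewer guesses than the raw keyspace suggests. The word list and the 100,000-entry dictionary size are constructed assumptions.

```python
import string

# Constructed stand-in for a cracking word list; a real check would load a full
# dictionary (e.g. /usr/share/dict/words or a leaked-password list).
SAMPLE_DICTIONARY = {"giants", "password", "dragon", "letmein", "welcome",
                     "monkey", "football", "master", "shadow", "sunshine"}
MIN_LENGTH = 12
LEET = str.maketrans("01345$@", "oieassa")  # undo the substitutions crackers try first


def is_dictionary_word(pw: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the password is a listed word, ignoring case, bolted-on digits or
    punctuation at either end, and simple leet substitutions (g1ants, Giants2005)."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in dictionary or core.translate(LEET) in dictionary


def password_weaknesses(pw: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if is_dictionary_word(pw, dictionary):
        problems.append("dictionary word, possibly with trivial decoration")
    return problems


def effective_search_space(pw: str, dictionary=SAMPLE_DICTIONARY,
                           dictionary_size: int = 100_000) -> int:
    """Upper bound on guesses an attacker needs: a dictionary attack only has to run
    through the word list (dictionary_size is an assumed typical size), whereas a
    password outside it forces a search of the keyspace for its length and classes."""
    if is_dictionary_word(pw, dictionary):
        return dictionary_size
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return alphabet ** len(pw)


if __name__ == "__main__":
    for candidate in ("giants", "G1ants!", "xq7Lm!zR9v#b"):
        print(candidate, password_weaknesses(candidate), effective_search_space(candidate))
```
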
1:37 pm on Feb 10, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 22, 2002
posts:1001
votes: 0


An all too common story, and one which any decent web programmer should have avoided.

If he was the only guy with the password, and the server techs confirm that it was a brute force attack, then yes, he is responsible for your server being hacked. And if he claims to be a professional, then he will have to face up to this.

My advice is to fire him for incompetence. Thanks to him you've lost a lot of time and money.

6:57 pm on Feb 10, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Wow, that is pretty lame. But to be fair, you probably should weigh the overall performance of this person rather than just the password foolishness. Not to defend the guy, but if someone wants to get in, that's not the only way. Usually, such foolishness will be accompanied by many other shortcomings.

It seems like so many customers are downright annoyed by the fact that they have to convolute a password. They just don't get it. "If, if if, all I hear is if," is what I get . . . :-)

9:08 pm on Feb 10, 2005 (gmt 0)

New User

10+ Year Member

joined:May 15, 2004
posts:8
votes: 0


I am sure that in principle there are other ways in but tech support told me that in their experience it is overwhelmingly via the password and that this very weak one made it almost certain to have been how it happened. Anyway, I don't have much recourse; he's moved out of the area.
7:16 pm on Feb 11, 2005 (gmt 0)

Full Member

10+ Year Member

joined:May 22, 2003
posts:312
votes: 0


That is an unforgivable and incompetent offense. I would not pay the person another dime. Even if there wasn't a hack I wouldn't ever hire them to work again after finding something like that out.
10:43 pm on Feb 11, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 13, 2004
posts:504
votes: 0


Before leaping to conclusions, consider that the other possible culprit is your host. My site got hacked because of a known PHP vulnerability that the host failed to address by upgrading software in a timely fashion. If there are only two suspects, whom do you think the other will blame?
4:10 pm on Feb 12, 2005 (gmt 0)

New User

10+ Year Member

joined:May 15, 2004
posts:8
votes: 0


Again, I don’t know much about this but there are a couple of reasons why, if I have to argue this with the former webmaster, I believe the fault is his childish password rather than a host's fault (big, reputable, upgrade notices on php sent immediately). First, the result of the hack was not manifested in the ways that I have seen described for php hacks, e.g. the Santy worm, and the php vulnerability is used to mainly exploit phpBB which I did not use. Second, I recall asking a tech support guy when the hack had occurred and he replied that it happened prior to their log record of December which I think was before an onslaught of new php hacks started in mid to late December. Still, I appreciate these comments since they help me consider how to research and argue my case. Thanks.