In the last couple of weeks, I've been getting a ton of alerts for sites that mention and scrape some of our news and then have these convoluted URLs after a three-letter PHP file (like bxh.php, ikk.php) that, if clicked, redirect the visitor to one of those fake virus scan, drive-by download sites.
Visiting one of the sites, I saw it was an American Legion site that obviously wouldn't be covering news in our genre. Digging deeper on another message board I was informed that these backdoors have been uploaded unwittingly to a lot of sites.
When I did a search on the relevant search term, I found a lot of references to our site's content being used as a lure to these malware links. Neither AVG's LinkScanner nor Google's malware detection passed on any warnings.
Has anyone else seen this behaviour lately?
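For site owners checking whether their own server carries one of the redirectors described in the post above, here is an added detection example (not code from the thread): it parses Apache combined-format access log lines and flags requests to a three-letter .php script that carry a long opaque query string or answer with a redirect. The log lines, IPs, file names and the LONG_QUERY threshold are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:12:00:07 +0000] "GET /bxh.php?q=xY9z2Qa8rLmN0pT4vW7kD3fH6sJ1bC5e HTTP/1.1" 302 0 "http://www.google.com/search?q=example+news" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2010:12:01:13 +0000] "GET /images/ikk.php?go=cGhwLWRyaXZlLWJ5LWRvd25sb2Fk HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2010:12:02:45 +0000] "GET /contact.php?id=42 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Basename of exactly three lowercase letters plus .php, anywhere in the tree.
SHORT_PHP_RE = re.compile(r'(?:^|/)[a-z]{3}\.php$')
LONG_QUERY = 24  # assumed threshold (chars) for a "convoluted" query string


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True for a three-letter .php hit with a long opaque query or a 3xx answer,
    i.e. the redirect-to-fake-scanner pattern the poster describes."""
    parts = urlsplit(entry["url"])
    if not SHORT_PHP_RE.search(parts.path):
        return False
    query_opaque = len(parts.query) >= LONG_QUERY and "=" in parts.query
    redirected = entry["status"].startswith("3")
    return query_opaque or redirected


def flag_suspicious(log_text):
    """Scan log text and return (ip, url, status, referer) for each suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["url"], entry["status"], entry["referer"]))
    return hits


if __name__ == "__main__":
    for ip, url, status, ref in flag_suspicious(SAMPLE_LOG):
        print(f"{ip} {status} {url} referer={ref!r}")
```

A search-engine referer on a flagged hit (as in the second sample line) is the sign that the scraped content is already working as a lure in search results; the flagged file names are where to start looking on disk.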
I know of a web server that was probably compromised through FTP, but it wasn't from the workstation that managed the server, just an exploitable flaw in the FTP server itself. Quite simply, the software hadn't been upgraded. Backdoors were planted on the server and the rest was managed through that.
The problem with managed servers is that in many cases only the standard server software and utilities are available. There is no facility to add specialist software. Apart from that I agree: if you can find a really good company that knows what it's doing (which I suspect is relatively rare) and don't need specialised software running on it then it's better than the average web designer managing it. But people will do what they want regardless. :(
I don't think "sloppy" companies are going to fade soon. There are far too many who are in it for the bucks, who dump knowledgeable staff at the hint of a recession - or for any other excuse come to that. Build high, sell wide.
And, of course, there are those hosting companies who welcome criminals with open arms until they are forced to close down, move elsewhere and begin again...
In regards to managed web hosting, yes, there are some trade-offs. As you pointed out, I can't install specialized software or Apache modules. I have to accept what my web host has approved unless I go to a dedicated server. This hasn't impeded me too often with my website development, as they have installed the most critical Apache modules. You are right that the sloppy companies aren't going anywhere very fast. I've been with my current web host for over ten years and I feel very lucky to have found them.
You can disable Flash and some other things at Tools > Manage Add-Ons.
I mention these because most of the previous discussion was about Firefox+NoScript.
ianevans, you can report the sites that are using your content as a lure to malware at [google.com...] . (Only report sites/pages that you are certain are malware-infected. That is not a place to report a site merely for scraping.) Then at least those pages will be flagged as harmful in Google and users will preferentially go to your site for the same content when/if your site and the other appear in the same SERP.
One of the unexpected benefits was the one-click enable/disable feature of NoScript that you mentioned, which truly is a lot easier than IE because it can en/disable script, iframes, PDF, and other active content with a single click.
Having installed and become used to about a dozen FF add-ons that now I don't want to have to give up, it's unlikely I'd ever go back to IE unless FF enters a period of similar unusability.
But it's still just as important for IE users to have active content disabled in IE when visiting new sites, even if the interface for adjusting the settings is clunky.
All the settings can be found (possibly with some digging) in the tabs at Tools > Internet Options or Tools > Manage Add-Ons or other menu items in the Tools or Safety menus. When you want to allow active content, you add the site to the "Trusted Sites" zone where the permissions aren't so restrictive. That's the process that FF+NoScript does much more easily.
With so many exploits being JavaScript-based, or iframe-contained, or (lately) relying on maliciously crafted PDF files, or on auto-redirects to malicious sites, it's important to have all those things turned off most of the time. There's no good reason to have them enabled for all sites all the time.
It is far more efficient to install a virus on a server direct from the botnet
I concede it's efficient to grab FTP, SSH etc codes and pass them back to the botnet but I would expect the quantity of exploitable holes through that method to be orders of magnitude fewer than direct virus injection into a server.
It also depends on the security awareness of the server manager. It would not be possible on most of my customers' accounts to even get as far as attempting to log into the FTPES servers, let alone succeed and upload suitable files to a sensitive area (e.g. root). It all depends on the type of site, though, and (if used) what kind of web site management software is in use. Since most of the bot accesses are automated, anything that is non-standard is likely to at least slow them down a bit, although obviously this is not something to rely upon. :)