Standard Obligations of a Webmaster - Professional Webmaster Business Issues forum at WebmasterWorld - WebmasterWorld

Forum Moderators: LifeinAsia

Message Too Old, No Replies

Standard Obligations of a Webmaster

Reasonable site security?

lukunor

1:33 pm on Feb 10, 2005 (gmt 0)

10+ Year Member

Knowing little about site administration I contracted a programmer/webmaster to set up, maintain and test my new web service site. Turns out he used a same-case, common 6-letter English word (“giants”) to protect the backroom; the inner sanctum. To make a long story short, the site was hacked at the root, used for DOS attacks, totally compromised, etc. I had to take it all down because hidden hacker stuff likely remained, putting everyone at risk. I was told by the host server technicians that the hack almost certainly occurred by means of a dictionary brute force attack that could have been prevented by a better password. My site was about to go commercial and had lots of middleware etc. I don’t know when if ever I will get it back up; a big loss. Now the programmer/webmaster is demanding a final payment. This is not a request for legal advice but I need a reality check: He was the only “go to” guy entrusted with the backroom. Isn't it unusual to use that kind of password for the backroom on a server and not change it, apparently for over a year?

Sanenet

1:37 pm on Feb 10, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

An all too common story, and one which any decent webprogrammer should have avoided.

If he was the only guy with the password, and the server techs confirm that it was a brute force attack, then yes, he is responsible for your server being hacked. And if he claims to be a professional, then he will have to face up to this.

My advice is to fire him for incompetence. Thanks to him you've lost a lot of time and money.

rocknbil

6:57 pm on Feb 10, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Wow that is pretty lame. But to be fair, you probably should weigh the overall performance of this person rather than just the password foolishness. Not to defend the guy, but if someone wants to get in, that's not the only way. Usually, such foolishness will be accompanied by many other shortcomings.

It seems like so many customers are downright annoyed by the fact that they have to convolute a password. They just don't get it. "If, if if, all I hear is if," is what I get . . . :-)

lukunor

9:08 pm on Feb 10, 2005 (gmt 0)

10+ Year Member

I am sure that in principle there are other ways in but tech support told me that in their experience it is overwhelmingly via the password and that this very weak one made it almost certain to have been how it happened. Anyway, I don't have much recourse; he's moved out of the area.

tolachi

7:16 pm on Feb 11, 2005 (gmt 0)

10+ Year Member

That is an unforgivable and incompetent offense. I would not pay the person another dime. Even if there wasn't a hack I wouldn't ever hire them to work again after finding something like that out.

akmac

10:43 pm on Feb 11, 2005 (gmt 0)

10+ Year Member

Before leaping to conclusions, consider that the other possible culprit is your host. My site got hacked because of known php vulnerablility that the host failed to address by upgrading software in a timely fashion. If there are only two suspects-whom do you think the other will blame?

lukunor

4:10 pm on Feb 12, 2005 (gmt 0)

10+ Year Member

Again, I don’t know much about this but there are a couple of reasons why, if I have to argue this with the former webmaster, I believe the fault is his childish password rather than a host's fault (big, reputable, upgrade notices on php sent immediately). First, the result of the hack was not manifested in the ways that I have seen described for php hacks, e.g. the Santy worm, and the php vulnerability is used to mainly exploit phpBB which I did not use. Second, I recall asking a tech support guy when the hack had occurred and he replied that it happened prior to their log record of December which I think was before an onslaught of new php hacks started in mid to late December. Still, I appreciate these comments since they help me consider how to research and argue my case. Thanks.