How websites get hacked:

There are fourmain ways that websites get hacked:

1. Exploited scripts – outdated scripts with security holes get exploited through the web by baddies.  They send special codes to your website that allow them to take over the website.

2. Stolen passwords – virus and trojan infections on your computer can steal passwords as they are typed, or from saved password files.  Once the virus has your passwords, they are sent up to a central repository and gradually exploited.  One of our web developer friends had this happen to him and they took almost 18 months to gradually work through and hack 3-4 of his sites – each with bank phishing sites.  Passwords can also be stolen by using them over public WiFi – both POP and FTP send passwords in the clear and shouldn't be used on public (unsecured) WiFi for that reason.
    
3. (2b) Stolen passwords on the server – some webhosts run accounts in such a way that they can see each other's database passwords, and thus each other's databases.  Yes, we think this is strange too.
    
4. Root compromise on the server – it is possible to take over a server completely, and hack the web server component so it occasionally sends viruses out to people looking at websites.  This is often done randomly, and sometimes only once per computer viewing the site, so it can be very hard to track down.  This is relatively rare as thankfully most hosts are able to protect themselves against this.  There were some recent examples of this in Australia over the last few years, though I'll refrain from mentioning the companies!
    

What we do to keep you safe

As we're in a unique position as a webhost as well as a web developer handling a lot of sites, we get to see more than a few sites hacked and we've worked out a methodology that successfully stops most hacking.  While we won't mention all our goodies here, some of the things we do are:

1. Block known attack signatures – when baddies attack scripts, they often use recognizable attack signatures.  Where possible we detect these and prevent them from getting through to your website, giving what's called a "406" error.
    
2. Firewall blocking of security scanners – a common hacker attack method is to "scan" a website by checking a list of vulnerabilities, or trying to guess a password by working through a list of common passwords, amongst other things.  If we see an IP doing things like these, we block them in the firewall and that's the last we ever hear of them.  While they can change IPs, only a few go that far, so this does cut down attacks.
    
3. Ensure user accounts can't see each other's databases – that way if one account gets hacked, it doesn't spread to others.  We hosted a small political organization for a few years that had been hacked around election time via this mechanism prior to moving to us, so it does happen!
    
4. Scan uploaded files – we scan all uploaded files for known virus and other related patterns, rather like an anti-virus on a PC.  We don't think many hosts do this yet.
    
5. Do server-based backups – these allow us to recover the unhacked versions of files, if we find out quickly that the site has been hacked.

One of the problems with a server that regularly hosts attacked sites is that it can start to affect things like email (listed in blocking lists) and of course, a server under attack often gets very slow.

What you can do to keep your site safe

There are two things that you can do that will help you keep yourself safe from a hacking attack:

1. Do regular backups of your site through cPanel – pop into cPanel regularly and download a backup.  You only need to do it every now and then unless you change your site a lot.  If you use WordPress, you can automate this with the WP-DB-Backup plugin, which can be asked to email you a backup on a weekly (or even daily) basis.  See our Backup article here for more information.
    
2. Keep your website's software up to date – if you use WordPress, for instance, it's merely a matter of logging into your dashboard regularly and running an update if there is a new version available.  If you run WordPress and don't have the time to log in regularly and want to ensure you are kept safe, there's a plugin called WP-Update-Notifier that will send you email when a new update is available.  See our article on updating web software here.

How we can help if you do get hacked

At the end of the day, any website can get hacked, even though you may have taken precautions, and we fully understand the distress that it can cause.

If you don't have your own developer, or if they would like a specialist to look at it, we are usually able to repair a website within a day, and do our best to diagnose for you how the site got hacked.  Contact us if you'd like to discuss this service.

Ever experienced losing a password? And having to waste time getting a reset code or link emailed to you? Or having to register yet again? We have .. many times!! Until we found a wonderful little tool recently.

I was quite amazed to discover a wonderful little tool called LastPass about 6 months ago and I’ve been delighted with how useful this gadget has been, and how well implemented it is. LastPass encrypts and saves your passwords safely in a database and will allow you to share them across computers.

How did we find LastPass? A number of us in the office have been using and enjoying Google’s great new browser, Chrome, for some time and enjoying its speed, robustness, and virus-proofness. However, we were concerned about the lack of security for saved passwords (also bad in Internet Explorer) which is one way a lot of people’s sites get hacked (virus steals passwords and sends to hackers etc etc). Firefox has a master password system which protects all your saved passwords with another password, so they can’t be stolen, and we wanted something similar.

Once you install LastPass, it asks you to setup an email and password, and from then on you have to login only the first time you need a password retrieved. Every time it sees you use a new password it asks you whether you want to save it, and it will auto-fill login details on webpages it recognizes.

One of the really handy features is that it saves your passwords on a secure server, encrypted with your own password. You might think this is an issue, but it’s far less of an issue than having them unencrypted – we’ve actually seen saved passwords stolen by viruses and used to hack websites on our servers.  If you are saving passwords with IE (Internet Explorer) or Firefox, you urgently need LastPass!

LastPass has other useful advantages:

1. it works in all the main browsers – Chrome, Firefox and Internet Explorer
2. the passwords are stored securely – don’t forget your password or you’ll lose the saved passwords
3. If your PC dies, you don’t lose all your passwords
4. it works in multiple locations – eg on your home PC and laptop
5. It works on both Macs and PCs

LastPass is many times more secure than saving your passwords in Internet Explorer and Firefox .. we strongly recommend you don’t do that any more!

How to install:

1. Install Chrome if you haven’t already (the fastest way to do this is with www.ninite.com if you are on a PC)
2. Go to www.lastpass.com and download the installer
3. Click on run and accept the defaults
4. Wait about 1 minute
5. Set yourself up a username and a good password that you won't forget

Note you don’t need Chrome – but it’s easier to install it now and let LastPass add itself to chrome than to do it later … and you might fall in love with this great little browser from Google!

Tips for use:

1. If you will ever use Firefox or Chrome, install them before installing lastpass so that lastpass sets them up properly in one hit
2. Common sense: Don’t ever store your banking passwords or credit card information in LastPass. Common sense says this is a bad idea, even though I have no reason to doubt LastPass’s security, which sounds top notch. Don’t tempt fate.
3. When saving a password change the description to be a little more meaningful, will save you time later
4. Change the LastPass settings to log you out after a 2 hour timeout, or after the browser is closed for 10 minutes. You’ll have to enter your password a little more often, but it’s going to be more secure. If you live in a family environment and share your PC, make the timeout shorter or logout when you finish, or both!
5. Use a sensibly good password for LastPass. This is definitely not the time to use your last name backwards, or your kids’ or dogs’ names!

LastPass is free to use, although if you like it you can send the developers some money by paying a tiny subscription annually.

We hope you enjoy this great free tool!

• You are only vulnerable if you are logged in over public (unencrypted) wifi
• Your banking service and many financial transactions are safe – look for the “https:” and padlock in your browser.  If this is present, you are fairly safe to use it over public wifi – although read the warnings below.  In fact, only a limited subset of websites are vulnerable, facebook.com unfortunately being an example!

The author of the tool released it to push the internet into getting itself more secure, and for testing purposes. By the way, it's actually important to note that similar tools have been available to really bad guys for some time now – the release of this tool has served primarily to push this information into the limelight. How can you protect yourself as  a user?

• Electrical supplies, accessories and fittings :: Melbourne, Australia
• Mattresses-r-us, quality innerspring mattress and base ensembles, Melbourne, Australia
• strategic partnerships, vendors, partners, citrix, legrand, novell, syncit
• property management, residential property, debt reduction, home consultations
• Exciting problem solving exercises to help unleash the power of your teams.
• Web Design Melbourne, Internet Design Melbourne, Graphic Design
• Whitepages.com.au – Search for Australian Postcodes, Maps, World
• Out From The Blue, Swimming Pool Design, Pool Landscaping, Landscape Design, Spa Pool, Melbourne, Australia
• MP3.com – the source for digital music!
• split system units, installation, maintenance, zoned ducted heating, panel heaters

Furthermore, when you scrolled down further, there was a blank space and then low and behold there was more! The keywords were listed again with a description underneath and a link to the company’s website.

For example: Electrical supplies, accessories and fittings :: Melbourne, Australia In this age of multi national "mega corporations" and increasing pressures on local manufacturers, it is pleasing to see an Australian owned company producing locally made products that are still widely regarded as the best on the market. ^top

At the bottom of the page in a font that is barely visible, there is text that reads, “The sites linked hereby are not endorsed by the owners of this site.” But of course they’re not. The owner of the site had no idea that this was even on her site! This company of course had keywords and a link to their site as well (using a different domain name that redirected to their website):

Web Design Melbourne, Internet Design Melbourne, Graphic Design Power Linking Strategies and Website Promotion Secrets ^top

To assist you in understanding what is going on, Google likes external links that point to your website. If you think of it in terms of people, it’s like Mr. X vouching for Mr. A stating that Mr. A really is who he says that he is. Google hold this in high regard. So for this web development company to add keywords and links on hidden pages in the websites that their clients pay them to develop is poor form and borderline unethical but they cover themselves with the virtually hidden statement at the bottom of that page that states the 'links are not endorsed by the owners of this site’. The truth of the matter is that they shouldn’t be there in the first place! There is also another page that is not listed anywhere on the menu that has the following text that links to their web developer’s site:

We are building a reputation for ourselves as being the most driven and innovative web design company in Australia. Our dynamic web design team gravitates around creativity and innovation. A web site is a waste of
We then work with you long term to evolve your web strategy based on needs, target market feed back and metrics.

It should be noted that our client paid $6000 for this company to develop her 6 page website, that's $1000/page which is a lot of money to be paying for the company to then use dodgy SEO tactics! It is a shame that seemingly reputable companies will take advantage of their own customers especially knowing that their client is unsuspecting. NOTE: We have blurred out any reference to this company in the screenshots. The aim of this article is to make readers aware, not to name and shame this particular company.

Text of the latest spoof follows:
—————————- Original Message —————————-
Subject: Warning Code: ID67565434.
From: Webmail Upgrade Team © 2010
Date: Tue, October 12, 2010 12:46 am
To:
————————————————————————–
Dear user account

We are updating our database and e-mail account center. We are deleting all unused webmail account and create more space for new accounts. To ensure that you do not experience service interruption during this period, you must provide the details below:

Check your account BELOW
1. E-mail :……………………………
2. User :………………………………
2. Password :……………………………..
3. Confirm password :………………………….

You will receive a confirmation of a new alphanumeric password that is valid only during this period, and may be changed by this process. We regret any inconvenience this may cost you.

Please reply to this message so we can give you best services online with our new and improved webmail functionality and improvements.

Webmail © 2010 Team Upgrade Warning Code: ID67565434.

Here are 5 basic steps to prevent your site from being hacked:

1. Remember that any software you install on your website could get hacked – it’s like a PC – but it’s out there on the internet 24 x 7!  Not updating that software, is the same as hiding your head in the sand – hoping really hard nothing will happen – and it probably will!!
2. Change your website Admin password to something that contains (at the very minimum):
   • both upper and lowercase letters
   • at least one number
   • at least one character/punctuation mark
   • consider using another username, not “admin”
3. Update your website software (and check for updates at the very minimum every 3 months)
4. Pay attention to your website statistics. If your bandwidth all of a sudden/out of the blue is 3GB higher than it has been in the past 3 years and you haven’t done anything different (eg Adwords campaign, radio promotion, handing out flyers etc) this should raise some serious warning flags in your head and prompt you to investigate further.
5. Keep your computer anti-virus software up-to-date (kind of like #3… but not really). If you have a key-logger virus on your computer, your strong, super secure password is useless because the bad guys will be able to see it and wreak havoc on your site.  We see this regularly!

I know we’ve written about this (numerous times actually) in the past but you’d be surprised (or maybe you wouldn’t) by the number of sites being hacked despite our warnings. Cleaning up a hacked site is not a trivial matter and can become quite costly.

If they’re made available to you, why wouldn’t you jump on the chance to take precautionary measures to protect your site?

If you’re not sure what this means, you’re welcome to ask for details.

We sometimes have clients contacting us in desperation when it comes to SEO – either because they have no idea who to trust, or worse, because they’ve been ripped off by what’s know as ‘black hat’ SEO fly-by-nighters. Black hat means they are the ‘dodgy brothers’ of the SEO game and best avoided.

But how do you know who’s honest Joe? And who’s going not only rip you off, but may also get your site black banned on Google, or worse, destroy your good name and leave your online reputation in tatters?

Let’s start with how to recognize the bad guys… the ‘black hats’…

How do you know if an SEO Company is ‘Black Hat’? They will try to out-smart Google by various unethical and ‘illegal’ tricks, they…

• Send you email ‘spam’ out of the blue. Actually I never trust anyone that sends me spam – of any kind. Spam is evil, and spam must die. It usually reads like this:
  
• Won’t explain what they do – usually because they’re using illegal techniques that could get you blacklisted from Google results pages altogether. And being blacklisted from Google is bad – your site won’t show up even for your business name or URL address. The only solution being to get a new domain and website, and start all over again.
• Will promise to register you on “1,000’s of search engines” – so what? Google has almost 90% market share, so why bother?
• Will promise you ‘thousands’ of links to your site, often on poor quality sites known as ‘link farms’. These are the sites that you stumble upon that are just full of links and nothing else, these sites are known as search engine spam. Google is savvy to these sites and if you have a link on one of them, your ranking may actually suffer.
• Use ‘blog spamming’ – this means to create links by various ‘spamming’ techniques like posting your domain name to hundreds of blogs comments fields. This makes your business look REALLY BAD, and will kill your online reputation. Imagine if you had to try to clean up hundreds of spam links to your website? Where would you start? You’d be better off starting all over again with a new site. Read last month’s case study of one of our clients who had this happen to them.
• Guarantee you a number #1 organic ranking on Google, by either claiming to have ‘cracked the Google code’ or that they have some kind of ‘special relationship’ with Google. No one can truly promise you a #1 ranking because the Google algorithm is top secret, and only a handful of people actually know it. Want to know more about how Googlebot works? Check out this article on Wikipedia.

Okay, so what about the good guys? (AKA the ‘white hats’… )

A ‘white hat’ SEO plays by the rules. And they should be able to…

• Show you examples of their previous work & success stories: They should have some real-world examples to show you wherein they have improved a site’s Google ranking, and also show that this has had a positive runoff in terms of real-world sales conversions. That is, their efforts have directly improved the client’s bottom line.
• Show you real client testimonials… from real people, not made up ones!
• Display honesty and transparency – explain exactly what they do, and how it affects site rankings.
• The proof is in the pudding – their own site should rank well for top keywords and exemplify their efforts and SEO skills.
• Keep up to date with the latest developments in SEO, e.g. how Twitter or Facebook might improve your SEO efforts.
• Play by the rules and follow Google’s Webmaster Guidelines: If they play fair everyone wins out in the end. Read the Google Webmaster Guidelines.

Want to know more? Contact Meri Harli, SEO and Social Media Specialist, on 0408 369935, or email: meri@whitedoggreenfrog.com.

Your blog is very enriched. You can see my website [Company Name] Australia which is best [keyword] Shop in Melbourne, Armidale, Brunswick. It also eminent [keyword] Suppliers and [keyword] Stores as well as best [keyword] Shops in Brunswick, Melbourne, Armidale .

**Please note that we have removed the company name, website, and industry keywords Apart from the blatant grammatical mistakes and awkward language, this comment is being spammed on many (87 at last count) blogs in this particular industry – and these poor quality postings can really tarnish their professional reputation. What's worse is that most of the blogs that are being spammed with these comments are hosted on Blogger/blogspot.com, a blogging platform owned and operated by Google. This is considered "black hat SEO" which is essentially a foolhardy attempt at fooling Google. This is what will happen – there will be a spike in the client's website's ranking (which could possibly justify this SEO company promise of a listing on the 1st page of Google), but once Google tracks what is happening, our client's website will be blacklisted. When you're blacklisted on Google, you not only lose your ranking but basically will need to start at the bottom (which could be page 1,000!) and re-establish yourself all over again trying to earn back Google's trust by submitting a request reconsidering your site. Not worth it. This same SEO company had posted comments and entries on behalf of this company on sites and directories completely unrelated to the client's industry, such as the "adobe learn" site and "athiest news and views".  I rang up the company because I had to hear for myself their sales pitch: "We guarantee you'll be on the first page of Google" and "It takes 3 weeks". Disgraceful. This is what the Official Google Webmaster blog page says about spam comments. Unfortunately pleading ignorance just isn't worth the headache and negative penalty effects that your site might receive as a result. The quintessential tip-off of a dodgy company:  guaranteeing you'll appear on the first page of search results. Google does not disclose their searching algorithms. Google pays their employees very very well, provides all kinds of perks, essentially treating their team like royalty so that there aren't rogue employees who tell all of Google's deepest, darkest secrets; what is the likelihood that some random company can hold true to their promise/guarantee your business to be listed on the first page? Google provides a LOT of information on their site and in the Webmasters area. Before you pay some dodgy company $200-300/month (yes, that's what they charge!) to ruin your ranking, arm yourself with information. You don't need to be an expert, but you should walk into the meeting with some knowledge of the basics. If you're lucky and persevere, Google may be forgiving in the long run. The question you need to ask yourself is how many months will your site not appear in the search listings and how much business will you have lost as a result? Moreover, how much money will you then in turn need to pay for a legitimate SEO expert to fix your ranking, remove your site from being blacklisted, and put you back into Google's good graces? Think about that and whether it's worth it? Unfortunately, ignorance is not bliss and in this day and age, you get what you pay for. These dodgy companies prey on innocent, unsuspecting business owners and lure them in with false promises. Knowledge is key, read for yourself straight from the horse's mouth in Google's SEO Starter Guide the do's and don'ts so you aren't fooled!!

Firstly, does the proposed internet filter protect our children? In short – no, in fact, and perhaps surprisingly, it makes it much harder to do so! Let’s talk about why that’s so in more detail – because in a lot of ways that runs counter to what you’d think.

The proposed filter works by blocking known bad or problem websites (such as phishing or malware sites that infect your computer). Once it is active, those sites cannot be reached directly. The problem lies in the fact that there are a number of workarounds for filters – the most common being “proxy sites” and what is known as a “VPN”. Proxy sites work by making it look like the access is coming from somewhere else, so the site can be accessed through the intermediary. Unless we filter all the proxy sites, we can’t stop that from happening – and even if we filter all the known ones, new ones pop up all the time. Once the sites are being accessed through proxies, it becomes harder to detect that they are being accessed. “VPN” access works by taking all the traffic from your PC and running it through a site in the US, making it automatically bypass any Australian filtering system. This is one serious concern re filtering – a filter simply pushes much of the traffic access underground, making it harder to detect and deal with. It doesn’t actually protect our kids, and dangerously, it may lull many parents into thinking that they’re safe.

Perhaps the most foolproof method of protection is basic common sense – create a sense of family around internet use. Have the computers in a public area, or at an absolute minimum, facing a bedroom door which must be open during use. One family I know bought an auto timer for their modem and set it to turn off at 10pm, thus effectively shutting off internet use overnight. However, at the end of the day, nothing can replace encouraging an open culture with your kids where such things are able to be discussed.

Secondly, are there dangers in the setting up internet filtering that may cause problems down the line? To look at that very simply and briefly, let’s examine actual history from a democracy not too dissimilar to Australia – Turkey. Turkey introduced an internet filter only two years ago. In that time, already the whole of YouTube and Google have been censored – two major sites that in themselves cannot be considered controversial! Do we really want to create the mechanism that would allow our Government to walk down the same path, even assuming all good intentions and perhaps a saner government?

Good news – filtering is already available for free

The good news is that there is already a simple family filter, ready to use, which can be used to cover all the PCs in your house. Provided by OpenDNS, FamilyShield prevents access to porn and questionable sites, and perhaps more importantly to virus and bank phishing sites. The virus filtering in itself should make this a no-brainer! To get this set up, visit the FamilyShield site which explains it in more detail – you’ll need to change an entry in your ADSL modem settings. It’s about 10 minutes work for an IT guy to do, if you know someone. Once this is done, most bad sites will be filtered, and you can further customize the sites that are filtered by setting up your own OpenDNS account.

It’s a pity that ISPs don’t yet provide this service in a re-badged form, but from an ISP’s point of view, there’s not much demand for this service, it would create a support burden, and no other ISPs are offering it. Ironically as soon as one ISP starts offering it, I’m sure the others would follow suit! Rather like the “unlimited” plans maybe!!

For the IT administrators among you: If you have a Billion modem or a modem that supports the dnsomatic.com dynamic DNS service, or are willing to run an OpenDNS client on your network, you can create an OpenDNS account which allows you to be specific about what you want filtered – there are over 40 regularly maintained and updated categories.

This article is obviously not directly web-related – if you like it and find it useful, please comment and we’ll continue the occasional trend of publishing other types of articles.

–

Cameron Male, Director of I-net Central says, “Installing this technology into the modem/router is far more effective long term rather than installing some flimsy software on each computer which can be bypassed with a small amount of computer knowledge”

Surprisingly, the same concept holds true for your White Dog Green Frog passwords. You are provided with different logins for different areas. This is not to confuse you or make your life difficult for our own personal amusement, but because well, they are different. Not only that but if one area is compromised, you aren’t affecting the other areas and more importantly the other accounts on the server.

So to break it down, here are a few of the main login details for White Dog services that you may have:

Billing System -  Here you will find information such as:

• Invoices
• Credit card details
• Contact info (phone #, email address, etc)
• Login details for your cPanel account
• Products/services renewal dates
• Listing of your Support Tickets
• Domain management
  • Contact details for Whois
  • Nameserver details
  • EPP/auth code

We try and make it easy for you too. If you don’t recall your password,  you can always reset it.

cPanel (eg: www.yourdomainname.com.au/cpanel). This is the control panel/dashboard of your hosting account and as such you will be able to perform various useful functions such as:

• Manage your email account(s)
  • Create new email address(es)
  • Reset your email password
  • Modify your email account quota
  • Create email forwarders
  • Create mailing list
  • Change MX records for domain(s)
• Create/restore backup of your website
• Park/add-on domains
• View disk space & bandwidth usage
• Website statistics
• Install software with Fantastico
• and many more

Email credentials for Outlook  setup:

• Your username is your FULL email address (that is, your entire email address. Not just your name, but the bit before and after the @ symbol)
• Email password that you set up in your cPanel. If you don’t remember your password, login to cPanel and reset it

While on the subject of passwords, it would behoove you to have a reasonably strong/secure.  Words that you would find in a dictionary would not make a good password because it’s easily guessable. Not guessable in the sense that I’m going to try words that I think you might use, but guessable in the sense that hacking programs can scan your account until it either can’t break your password (“Ste8v_in!” – secure) or is able to figure out your password (“buttercup” – not secure). It’s like using a common office paperclip as the key to open your Lexus car door.  If you really want to use the name of your pet, try adding a number and a punctuation mark as well as mixing the case to the password for an added level of security.

For example:

skippy – bad
Ski$5ppy – better

smokey – bad
Smo6keY! – better

Incidentally, two of the most common causes of hacked accounts are 1) weak password and/or 2) a keylogger virus (which is a software program on your computer remembers your passwords by tracking the key strokes that you make on your keyboard).

Read another article on the WDGF blog on password security here.