Q: Hacked Hosted Site (Answered, 5 Comments)
Question  
Subject: Hacked Hosted Site
Category: Computers
Asked by: marrett88-ga
List Price: $25.00
Posted: 25 Feb 2003 08:45 PST
Expires: 27 Mar 2003 08:45 PST
Question ID: 166896
We have a site hosted at one of the top hosting companies.

It is basically an informational site with low traffic. We pay $19 per
month for unlimited access and the server is running on Windows NT
Server. There are some online forms that run under Microsoft SQL
Server.

The site is updated once in a few days and we use CuteFTP 4.2 to
update the site (using a user ID and password).

We found the site was hacked on 14 Feb 2003. More specifically, the
whole site was replaced by a home page and the attackers were claiming
to be from Turkey and supporting Iraq.

There was no notification from the service provider. When contacted,
the service provider sent us an apology and asked us to reload. They
have cited leakage of password as the possible reason for the hacking.

What I would like to know is how such a hacking can occur if the
service provider does proper monitoring (every time a home page is
replaced should ring alerts to staff of the service providers who are
monitoring?). Also, how could such a thing happen to one of the top
service providers? The password and user ID are known to only one
staff member, so how did the hacker get to replace all the pages with
their propaganda?

Request for Question Clarification by joseleon-ga on 25 Feb 2003 09:34 PST
Hello:
  Hacking a web page could be a very large topic; there are many ways
to do it, but basically hackers use these three ways (there are a lot
more, of course):

  -Social engineering to "guess" user names and passwords
  -Exploiting bugs in the software running on the web server

The most common causes are:
-Bad choices for passwords, i.e. dictionary words or surnames
-No updates to the software running on the web server; this must be
done by your hosting provider, and they are responsible for updating
the web server when there is a security flaw

In any case, there are some techniques called "forensics" to try to
know what happened and how they could break your server security. Ask
your provider to investigate what happened.

I submit this as a clarification because it's a very large topic;
feel free to request more information until we reach an acceptable
answer.

Regards.
Answer  
Subject: Re: Hacked Hosted Site
Answered By: joseleon-ga on 26 Feb 2003 11:23 PST
 
Hello:
  I am posting the answer to your question because I don't know if the
clarification was enough. In any case, this is a very large topic, so
don't hesitate to request any clarification; I will be very glad
to help you.
  
  I have tried not to use technical terms and to explain things as
clearly as I can; again, don't hesitate to ask.
  
  Usually host providers don't monitor the sites they host; they just
check the logs of the machines they host, looking for unusual
activity. The logs are files that contain information about any
activity on that computer: logins, warnings, errors, etc. It's very
possible your site was hacked due to a leakage of the password, but it
would be nice if they investigated a bit more on your web server to know
exactly what happened. The first thing you must do is to change the
password to access your site to a password that is hard to guess or crack.
  
Here are some pages that will help you to choose a good password:

Selecting Good Passwords
http://www.alw.nih.gov/Security/Docs/passwd.html

How to Choose a Good Password 
http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html

How To Choose a Good Password
http://wwwinfo.cern.ch/pdp/ose/security/cern/documentation/password.html

This kind of hacking can occur even if the service provider does
proper monitoring, because they don't detect any incorrect behaviour.
The only possibility for your host to detect something strange is that
the hackers used a brute force attack to get your password. A brute
force attack consists of trying to get your site password by attempting
to log in using autogenerated passwords.

brute force cracking
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci499494,00.html

If this is the case, the logs of your server must show a lot of
unsuccessful logins.

Host providers don't get notified when you update your pages, it's not
a common practice unless they host a few sites and they want to, but
it's very strange.

How could this happen to one of the top service providers? Well, if
your password was easy to guess/crack, there is no protection against
this, even if it's the best host provider. On the other hand, there
would be a problem if your site was cracked using a vulnerability of
your web server and your host provider didn't patch it. Almost
every day, new exploits or vulnerabilities are found, so system
administrators must be informed and patch the systems they manage. If
your host provider is a top one, they must provide this service; check
your contract to see if this service is covered and, if not, ask
your provider for details.

Finally, two personal recommendations:

-Unless you need some specific Windows feature, don't use Windows as
a web server; it's more vulnerable to hackers. Try to use some kind of
Unix/Linux server.
-Don't use FTP to upload files to your server. This method is not
secure at all: all the information, including user IDs, passwords and
data, is transmitted without encryption. I recommend you use SSH
instead; ask your provider about it. They must inform you if you can
use it on your server, or even, if it's already installed, how to use
it.

I hope this is the answer you were looking for, and don't hesitate to
request any clarification.

Search strategy 

choose a good password
://www.google.com/search?q=choose+a+good+password&ie=UTF-8&oe=UTF-8&hl=es&lr=

Regards.
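
The answer above says a brute force attack would show up in the server logs as many unsuccessful logins. As an added example (not part of the original answer), this Python script counts rejected FTP passwords per client address and flags a successful login that follows them; the log layout and the sample lines are constructed assumptions, not the asker's real logs.

```python
import re
from collections import defaultdict

# Constructed sample. The layout (time, client IP, [session]COMMAND, argument,
# FTP reply code) is an assumed W3C-style FTP log format.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:10:01 203.0.113.7 [12]USER webmaster 331
03:10:01 203.0.113.7 [12]PASS - 530
03:10:02 203.0.113.7 [13]PASS - 530
03:10:03 203.0.113.7 [14]PASS - 530
03:10:04 203.0.113.7 [15]PASS - 230
09:30:12 198.51.100.20 [16]PASS - 530
09:30:21 198.51.100.20 [17]PASS - 230
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) (\S+) \[\d+\]([A-Za-z]+) (\S+) (\d{3})$")

def parse(log_text):
    """Yield (time, ip, command, status) for each well-formed entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # '#' header lines and malformed lines do not match
            yield m.group(1), m.group(2), m.group(3).upper(), int(m.group(5))

def suspicious_clients(log_text, threshold=3):
    """Return {ip: report} for clients with >= threshold rejected passwords.

    530 is the FTP "not logged in" reply and 230 is "user logged in". A 230
    after a run of 530s from one address suggests the guessing succeeded.
    """
    failures = defaultdict(int)
    success_at = {}
    for time, ip, cmd, status in parse(log_text):
        if cmd != "PASS":
            continue
        if status == 530:
            failures[ip] += 1
        elif status == 230 and failures[ip] >= threshold:
            success_at.setdefault(ip, time)
    return {ip: {"failed": n, "success_after_failures": success_at.get(ip)}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, report in suspicious_clients(SAMPLE_LOG).items():
        print(ip, report)
```

A single mistyped password followed by a correct one, as for the second address in the sample, stays below the default threshold and is not reported.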
Comments  
Subject: Re: Hacked Hosted Site
From: robertskelton-ga on 25 Feb 2003 09:49 PST
 
Why are they a top hosting company? From my experience, the biggest
hosting companies are just as likely to cut corners as a little
company. Usually to get big they offer the same features as others,
but for less. The "less" has to come from somewhere...
Subject: Re: Hacked Hosted Site
From: owain-ga on 25 Feb 2003 13:06 PST
 
A moderate-sized hosting company could host half a million separate
sites in one server room; you update yours every few days and other
webmasters might update several times a day. It's simply impossible
for the hosting company to contact every customer every time a page is
changed. Besides, it would be wrong of the hosting company to make
assumptions about your political beliefs.

You should also understand that FTP is an inherently insecure
protocol. It was designed in the 1970s - before the Internet became
widespread, before security really became an issue and before the
computing power for strong encryption was economically widely
available.

You could enquire if your web hosting company supports any version of
Secure FTP, and use an appropriate secure FTP client, if this is
crucial to you. However, you may find you need more than a $20/month
hosting account for this.

There is a useful "Secure FTP 101" article at
http://www.intranetjournal.com/articles/200208/se_08_14_02a.html

which comments "The main reason that web sites get hacked is because
they are being updated with insecure FTP transfers." As you will see,
your hosting company is not necessarily at fault.

Owain
Subject: Re: Hacked Hosted Site
From: eiffel-ga on 26 Feb 2003 07:26 PST
 
I have to agree with owain-ga here. FTP is an inherently insecure
protocol, because it sends the password across the internet
unencrypted. If you want to have a secure website, don't update it by
FTP!

"Without secure FTP, it is very easy to hack a web site and edit it
with digital graffiti. All a hacker has to do is find out the IP
address of the web site using a reverse ping on the domain name, and
then set up a sniffer to run 24 hours a day on the IP address to sniff
and log the login connection. As soon as the web master logs in to
update the site, the hacker's sniffer can grab and record the password
and login information."
Secure FTP 101:
http://www.intranetjournal.com/articles/200208/se_08_14_02a.html

As an alternative to Secure FTP, you can look for a hosting company
that allows secure shell ("SSH") logins. I am a happy customer of
FutureQuest, who allow SSH on their $8-per-month (and above) packages.

FutureQuest Services
http://www.futurequest.net/Services/Packages/

Once you have SSH access, you can use the rsync command to keep your
website synchronised with your local copy. The rsync command is
included "out of the box" with most Linux distributions, and can also
be obtained for Microsoft operating systems. An additional benefit of
rsync is that it only uploads the parts of each file that have
changed, rather than the entire file as with FTP.

rsync home page
http://samba.anu.edu.au/rsync/

Installing SSH and rsync on a Windows machine
http://optics.ph.unimelb.edu.au/help/rsync/

Regards,
eiffel-ga
Subject: Re: Hacked Hosted Site
From: mespinola-ga on 12 Mar 2003 19:18 PST
 
CuteFTP 4.2 has a known vulnerability to use weak encryption for
password storage.

A buffer-overflow was probably used against your web server to access
the CuteFTP password file, which was then likely hacked offline to
allow full ftp access to the system.

If your FTP allows access to the directories required by your website,
then this is a very likely scenario.

Without more details, and preferably excerpts from your logs - this is
mere speculation, but a very possible scenario.
Subject: Re: Hacked Hosted Site
From: druginteldotcom-ga on 05 Jan 2005 07:12 PST
 
Thanks for the very useful answers from owain and eiffel.

I would like to draw your attention to a new, related question I have
just posted at http://answers.google.com/answers/threadview?id=452330
