
Website Security

Is there such a thing as dangerous software?

Absolutely!

The Internet abounds with it. Unfortunately, thousands of webmasters download dangerous software every day, totally oblivious to the fact that they might as well have put a huge banner on their site saying "I'm Open For Abuse!"

Any program running on an Internet server is a potential security risk simply because it is an executable program: anyone, from anywhere on the Internet, can call and execute it. The fact that most programs accept parameters (your name, address and email in a mail form, for example) makes them especially vulnerable to exploitation by a malicious attacker. To learn more about server security in general, click here.

It is true to say that the Internet is not the "safe" place it was 5 or 8 years ago when it was much smaller. Driven by the lust for money and infamy, spammers and hackers have become the scourge of the Internet. They employ the skills of whoever they can find to help them practise their illegal trade (oh yes, spamming and server hacking are illegal); even some of the top programmers help them from time to time. After all, it pays good money!

What this means for you, if you have a website, is that you dare not take any old script (we are referring to server-side scripts) you find on any old site and install it on yours. If you do, you are likely to get yourself into a lot of serious trouble, not only with your hosting company but also with the law. This is how it works. Badly written scripts can be used for a number of things. Here are four of the most common ones.

A badly written piece of code can be used to:

Hijack your mail server

Why would someone want to do this? The answer lies in the law: spamming is illegal in most countries and can get you prison time these days. If a spammer can use your website to send a couple of million (that is not a typo) spam emails, you will get into trouble with the law because it was your website that sent the spam.

Hijack your site or even the whole server

Ever seen all the messages on a family-friendly message board replaced with porn images? Or a whole website gone AWOL? That's the kind of thing we mean. Even more sinister is when the perpetrator uses stealth to intercept your email and monitor your outgoing mail: credit card numbers, passwords and other personal information can all be stolen in this fashion.

Hack other servers

Hackers normally compromise several servers when they want to orchestrate a massive DoS (Denial of Service) attack on another [big] server like Yahoo or Hotmail. They normally install what is called a rootkit, which gives the hacker a "back door" into the server whenever he wants it.

Attack other servers

They refer to this as a DoS (Denial of Service) attack. One or more servers gang up on another server and overload it with data so that it crashes. You may remember from the news that Yahoo and Hotmail were attacked in this way not so long ago. Obviously this is illegal, and there is serious prison time if the hackers get caught. Why do they do it? Beats me! Probably because they can.

Even if you are an experienced, seasoned desktop programmer, this probably applies to you too unless you are an experienced Perl, PHP or Python programmer! (The fact is, most programmers are familiar with desktop, PC and client software. Server software, especially Internet software, is an entirely different animal.)

  • Never download software from "hey, check out my cool free software" type sites. In most cases you will be buying yourself a whole lot of trouble.

  • Never modify scripts if you are not 100% sure of what you are doing. A customer recently modified a script he bought: he changed 4 lines of code, and in just one of them he made a mistake. Just one line is all it took to get his mail server hijacked!

  • Never download and install software you cannot find running on other [reputable] sites somewhere else on the Internet.

  • Never use FormMail from Matt's Script Archive and leave the name unchanged; it is too easily recognised. Simply rename the script to something obscure. On our servers we will suspend any domain that uses FormMail without taking the necessary precautions.

  • DO NOT download software from places like CGI Resources, Hot Scripts etc. unless you are sure the author knows what s/he is doing. (We have nothing against these websites. On the contrary, they have many excellent scripts. The problem is that anyone who thinks he's a programmer can write code and submit it to them, and they make no distinction between secure and badly written software.) If you want to find decent software to use on your site, go to places like Perl.com or the Comprehensive Perl Archive Network and look there. Use the sites they recommend to get the software you need. (There is still no guarantee the software you download will be secure, but you stand a far better chance there than at the places where any wannabe can publish code.)

  • Always be extra careful about using software that does any of the following. These are not security risks per se, but they are often the crafty hacker's point of entry into a badly written script:

    • executes system commands from within the script,

    • sends email,

    • accesses and manipulates files on the server,

    • receives information from the Internet (e.g. name, email address etc.),

    • deletes files or directories,

    • accesses and manipulates any database.

    • There are probably many more, but these are the ones we have found to be most problematic.

  • Always check with your server admin before installing software on your site. Contact us first before you install anything you are not 100% sure about.

  • Always check with webmasters more experienced than yourself, if you can, whether a script is safe to use.

  • Always search for more information on the background of the author of the particular script you want to use. Look for sites that do software and security reviews and see if you can dig up anything there. The search engine is your friend. Use it.

  • If you are not an experienced programmer, find someone who is to help you find secure CGI programs for your site.
    NOTE: Delphi, VB or any flavour of C for desktop PCs doesn't count; experienced means experienced with web servers.
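The two most common routes by which a mail form gets hijacked to send spam are letting the form choose the recipient and letting a form field carry line breaks (so extra mail headers get smuggled in). As an added example, not code from the original page or from Matt's Script Archive, here is the validation layer a form-to-mail handler should have in Python; the allowlist addresses and field names are constructed for the example.

```python
import re

# Constructed allowlist: the only addresses this form may ever deliver to.
# A real deployment reads this from the script's configuration, never from the form.
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}

# Conservative address shape: local-part@domain, no whitespace, no line breaks.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormMailError(ValueError):
    """Raised when a submission must be rejected rather than sent."""


def clean_header_field(value: str, max_len: int = 200) -> str:
    """Refuse any value that could smuggle extra mail headers (CR, LF or NUL) into the message."""
    if "\r" in value or "\n" in value or "\x00" in value:
        raise FormMailError("line break or NUL in header field")
    value = value.strip()
    if len(value) > max_len:
        raise FormMailError("header field too long")
    return value


def build_message(form: dict) -> dict:
    """Turn raw form parameters into a message that is safe to hand to sendmail or SMTP.

    Returns {'to', 'from', 'subject', 'body'} on success and raises FormMailError
    for anything that looks like an attempt to turn the form into a spam relay.
    """
    recipient = clean_header_field(form.get("recipient", ""))
    if recipient not in ALLOWED_RECIPIENTS:  # never let the client choose the recipient
        raise FormMailError("recipient not allowed")
    sender = clean_header_field(form.get("email", ""))
    if not ADDRESS_RE.match(sender):
        raise FormMailError("malformed sender address")
    subject = clean_header_field(form.get("subject", "Website form"))
    body = form.get("message", "")
    if len(body) > 10_000:  # keep the body bounded so the form cannot carry bulk content
        raise FormMailError("message too long")
    return {"to": recipient, "from": sender, "subject": subject, "body": body}
```

Whatever actually sends the mail (sendmail, smtplib or a library) should only ever see the dict returned by build_message, never the raw form parameters.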

© Ecosse-Online. All rights reserved. Page design by Ecosse-Online