Experienced IT pros are unlikely to be fooled by online scammers who primarily make money by tricking unsuspecting casual users. However, many cyber attackers target virtual server administrators and the services they manage. Here is a look at the scams and exploits that administrators should be aware of.
Targeted phishing email
You are drinking your morning coffee, open your laptop and launch the email client. Among the usual messages, one from your hosting company stands out: it announces a discount on the hosting fee. Because of the year-end and New Year holidays, or for some other reason, you get a big discount if you pay now.
You click the link in the email to log in. If you are lucky, you notice something odd at this point. There is nothing strange about the email itself: it looks exactly like the official messages the hosting provider has sent before. The font is the same and the sender's address is correct. Links to the privacy policy, the rules for handling personal data, and even the parts nobody reads are all in place.
However, the admin panel URL is slightly different from the real one, and there is something suspicious about the SSL certificate. So, is this phishing?
Attacks like this, which use fake admin panels to steal login credentials, have increased recently. You might want to blame the service provider for leaking customer data, but don't jump to conclusions. It is not very difficult for a determined cybercriminal to obtain information about the administrators of websites hosted by a specific company.
An attacker can obtain an email template simply by registering on the service provider's website; many vendors also offer trial periods. The attacker then uses an HTML editor to change the content of the email as desired.
It is not difficult to figure out the range of IP addresses used by a particular hosting provider; there are many services built for checking IP address ranges. From there it is also possible to get a list of all websites on each IP address of a shared host. This works for every provider except those that use Cloudflare.
Afterwards, criminals can build a mailing list by collecting email addresses from the websites and adding commonly used names such as 'administrator', 'admin', 'contact', and 'info'. This process can be easily automated with a Python script or a program for automatic email harvesting. If you like using Kali, you can adjust the settings and use theHarvester for this purpose.
Various utilities can also be used to find the administrator's email address and the name of the domain registrar. In that case, the administrator is usually lured to a fake payment page and asked to pay for the domain name renewal. The trick is not hard to spot, but it is possible to fall for it when you are tired or in a hurry.
Protecting against phishing attacks of this kind is not difficult. Set up multi-factor authentication for your hosting control panel login, and bookmark the admin panel page instead of following links from emails. And, of course, always pay attention.
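The bookmark advice can be turned into a mechanical check: compare every link in a billing email against the exact hostnames of the panels you actually use. The script below is an added example for this article, not the hosting provider's code; the provider hostnames in TRUSTED_PANEL_HOSTS and the sample message are constructed placeholders. It shows why the comparison has to be exact rather than "contains the provider's name": the real name used as a subdomain of the attacker's domain, the real name placed before an @ sign, plain HTTP and punycode look-alikes all fail the check.

```python
"""Check links from a 'pay your hosting bill' email against the admin panel
addresses you actually bookmarked.

Added example for this article, not the hosting provider's code; the
provider hostnames and the sample message are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: the exact hostnames of your real control panels.
TRUSTED_PANEL_HOSTS = {"panel.example-hosting.net", "my.example-hosting.net"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def link_is_trusted(url, trusted_hosts=TRUSTED_PANEL_HOSTS):
    """True only for an HTTPS link whose hostname exactly matches a bookmark.

    Exact matching rejects the usual look-alike tricks: the real name used as
    a subdomain of the attacker's domain (panel.example-hosting.net.evil.example),
    the real name placed in the user-info part
    (https://panel.example-hosting.net@evil.example/), plain HTTP, bare IP
    addresses, and internationalised homoglyph domains.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # already lower-cased, user-info and port removed
    if not host:
        return False
    host = host.rstrip(".")  # 'panel.example-hosting.net.' names the same host
    if host.startswith("xn--") or ".xn--" in host:
        return False  # punycode label: never equal to an ASCII bookmark
    return host in {h.lower() for h in trusted_hosts}


def untrusted_links(message_text, trusted_hosts=TRUSTED_PANEL_HOSTS):
    """Every link in the message body that fails the allowlist check."""
    return [u for u in URL_RE.findall(message_text)
            if not link_is_trusted(u, trusted_hosts)]


# Constructed sample: a genuine-looking message with one swapped login link.
SAMPLE_EMAIL = """\
Dear customer, pay before the holidays and get 40% off your hosting fee:
https://panel.example-hosting.net.billing-update.example/login
Privacy policy: https://panel.example-hosting.net/privacy
"""


if __name__ == "__main__":
    for link in untrusted_links(SAMPLE_EMAIL):
        print("do not follow:", link)
```

Run on the sample message, only the login link is reported; the privacy-policy link, which points at the genuine host, passes. The same function can sit in a mail filter or a small "paste the link here" tool for staff who handle hosting invoices.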
CMS installation scripts and service folder exploitation
These days it is hard to find a website that does not use a content management system (CMS). Many hosting providers offer one-click deployment of the most popular CMS engines, such as WordPress, Drupal, and Joomla, in containers: just press a button in the hosting control panel.
However, some administrators prefer to configure the CMS manually: they download the distribution from the developer's site and upload it to the server via FTP. For some, this method is more familiar, more reliable, and fits their habits. But there are cases in which the installation scripts and service folders are forgotten and never deleted.
Everyone knows that the WordPress installation script lives at wp-admin/install.php. An attacker can use a Google dork to get a lot of search results for this path. The results are cluttered with links to forum posts about WordPress technical flaws, but it is possible to go through them one by one and find an instance that allows the site's settings to be changed.
The structure of the WordPress script can be viewed using the following query.
You can also find many interesting things by searching for forgotten scripts using the following query:
A working installation script for the popular Joomla engine can be found by searching for the characteristic title of its web page. With the right special search operators, an attacker can find incomplete installations or discarded service scripts, complete the CMS installation on behalf of the unlucky owner, and create a new administrator account on the CMS.
To block these attacks, administrators must delete the installation scripts and service folders, or use containerization. The latter is generally safer.
CMS configuration issues
An attacker can also look for security problems in other virtual hosts, such as configuration defects or default settings that were never changed. WordPress, Joomla, and other CMSs have a number of plugins with known vulnerabilities.
First, an attacker can try to check the version of the CMS installed on the host. In the case of WordPress, it is enough to look through the page source for a particular meta tag. The WordPress theme version can be obtained by searching for the following line.
The attacker can then retrieve the version of a plugin of interest. Many plugins ship a readme.txt file that contains it, at https://websiteurl/wp-content/plugins/plugin_name/readme.txt.
Don't leave files like these in your hosting account where curious people can access them; delete them right after installing the plugin. An attacker who knows the versions of the CMS, theme, or plugins can attempt to exploit known vulnerabilities.
On some WordPress sites, an attacker can find out the administrator's username by appending a string like /?author=1 to the site address. With the default settings, the WordPress engine returns a URL containing the first user's real account name, and in many cases this account has administrator privileges. A hacker who knows the administrator's name can attempt a brute-force attack.
Many website administrators leave some directories accessible to outsiders. In the case of WordPress, you can often find the following folders:
Folders like these can contain sensitive information and should never be viewable by outsiders. Place an empty index.html file in the root of each such directory, or deny directory listings by adding the line Options All -Indexes to your site's .htaccess. Many hosting providers set this option by default.
Be careful with the chmod command, especially when granting write and script execution permissions to a large number of subdirectories. Done carelessly, it can lead to unexpected consequences.
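The three housekeeping rules above (remove installation scripts, remove plugin readme files, stop directory listings) are easy to forget and easy to check by script. The audit below is an added example for this article, not WordPress's or any hosting provider's code; the LEFTOVER_FILES checklist, the list of service folders and the sample tree it builds in a temporary directory are constructed for the demonstration. It treats a service folder as browsable when it has no index.html or index.php and the root .htaccess carries no Options ... -Indexes directive (per-directory .htaccess files are not considered).

```python
"""Audit a WordPress document root for the leftovers described above:
installation scripts, plugin readme files, and service folders that the web
server would happily list.

Added example for this article, not WordPress's or the hosting provider's
code; the checklist and the sample tree are constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# Constructed checklist: files that should not survive on a live site.
LEFTOVER_FILES = [
    "wp-admin/install.php",     # WordPress installer
    "readme.html",              # reveals the WordPress version
    "installation/index.php",   # Joomla installer folder
]

# Service folders whose directory listing must be denied.
SERVICE_DIRS = ["wp-content", "wp-content/uploads", "wp-content/plugins",
                "wp-content/themes", "wp-includes"]

INDEX_FILES = ("index.html", "index.php")
OPTIONS_NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes",
                                re.IGNORECASE | re.MULTILINE)


def htaccess_denies_indexes(root):
    """True if the root .htaccess has an 'Options ... -Indexes' directive."""
    ht = Path(root) / ".htaccess"
    return ht.is_file() and bool(OPTIONS_NO_INDEXES.search(ht.read_text(errors="replace")))


def audit_docroot(root):
    """Return the findings as lists of paths relative to the document root."""
    root = Path(root)
    denies = htaccess_denies_indexes(root)
    findings = {
        "leftover_files": [f for f in LEFTOVER_FILES if (root / f).exists()],
        "plugin_readmes": sorted(str(p.relative_to(root))
                                 for p in root.glob("wp-content/plugins/*/readme.txt")),
        "htaccess_denies_indexes": denies,
        "listable_dirs": [],
    }
    # A folder is browsable when nothing stops the listing: no index file in
    # it and no -Indexes directive at the root.
    if not denies:
        findings["listable_dirs"] = [
            d for d in SERVICE_DIRS
            if (root / d).is_dir()
            and not any((root / d / i).exists() for i in INDEX_FILES)
        ]
    return findings


def make_sloppy_docroot():
    """Build a constructed, deliberately untidy WordPress tree in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    for rel in ["wp-admin/install.php", "readme.html",
                "wp-content/index.php", "wp-includes/index.php",
                "wp-content/plugins/some-plugin/some-plugin.php",
                "wp-content/plugins/some-plugin/readme.txt",
                "wp-content/uploads/2024/photo.jpg"]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    (root / ".htaccess").write_text("# RewriteEngine On\n")
    return root


if __name__ == "__main__":
    site = make_sloppy_docroot()
    for key, value in audit_docroot(site).items():
        print(f"{key}: {value}")
```

Point audit_docroot at a real document root (or run it from a cron job on the hosting account) and act on each list: delete the leftover files and readmes, and either drop an index file into each listable folder or add the -Indexes directive, after which the listable_dirs list comes back empty.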
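What "unexpected things" look like after a sweeping chmod is usually one of two conditions: files or folders that any local user can rewrite, and scripts sitting in a folder that should only ever hold media. The script below is an added example for this article, not the project's code; the sample tree, its permissions and the uploads path are constructed for the demonstration. It reports both conditions and offers a narrow remediation (clearing only the world-write bit) rather than another blanket chmod.

```python
"""Find what a careless chmod leaves behind: world-writable files and
directories, and PHP files inside the uploads folder.

Added example for this article, not part of it; the sample tree and its
permissions are constructed for the demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path


def permission_findings(root, upload_dir="wp-content/uploads"):
    """Walk the document root and return the two findings lists, sorted."""
    root = Path(root)
    uploads = root / upload_dir
    world_writable, php_in_uploads = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a link's mode is meaningless; audit its target where it lives
            mode = p.stat().st_mode
            rel = str(p.relative_to(root))
            # o+w lets any local user (or a compromised neighbour on shared
            # hosting) rewrite the entry; a sticky directory is the /tmp-style
            # exception.
            if mode & stat.S_IWOTH and not (p.is_dir() and mode & stat.S_ISVTX):
                world_writable.append(rel)
            # The web server runs .php wherever it is served from, so a script
            # in uploads is a classic backdoor location regardless of the x bit.
            if p.is_file() and uploads in p.parents and p.suffix.lower() == ".php":
                php_in_uploads.append(rel)
    return {"world_writable": sorted(world_writable),
            "php_in_uploads": sorted(php_in_uploads)}


def remove_world_write(root, relative_paths):
    """Clear the o+w bit (chmod o-w) on the given paths; return how many changed."""
    root = Path(root)
    changed = 0
    for rel in relative_paths:
        p = root / rel
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & stat.S_IWOTH:
            os.chmod(p, mode & ~stat.S_IWOTH)
            changed += 1
    return changed


def build_sample_docroot():
    """Constructed tree after a 'chmod -R 777' style mistake on uploads."""
    root = Path(tempfile.mkdtemp(prefix="perm-audit-"))
    files = {
        "index.php": 0o644,
        "wp-config.php": 0o666,                       # secrets, world-writable
        "wp-content/uploads/2024/photo.jpg": 0o644,
        "wp-content/uploads/2024/avatar.php": 0o644,  # script where only media belongs
    }
    for rel, mode in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("")
        os.chmod(p, mode)
    for d in ("wp-content", "wp-content/uploads/2024"):
        os.chmod(root / d, 0o755)                     # normal directories
    os.chmod(root / "wp-content/uploads", 0o777)      # directory opened to everyone
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    findings = permission_findings(sample)
    for key, items in findings.items():
        print(key, items)
    print("fixed", remove_world_write(sample, findings["world_writable"]), "paths")
```

On the sample tree the audit flags wp-config.php and the uploads directory as world-writable and the avatar.php file as a script in the media folder; the remediation then clears the write bit on the two paths and a second audit reports nothing world-writable. The PHP-in-uploads finding is left for a human, since the right fix (delete the file, or deny script execution in that folder in the web server configuration) depends on how the file got there.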
A few months ago, a company came to me and asked for help. Its website redirected visitors every day to scam sites like Search Marquis, but the company couldn't find a clear reason. I restored the contents of the server folder from a backup, but it happened again after a few days. I looked for vulnerabilities and backdoors in the scripts, but found nothing. Meanwhile, the website administrator, buried in a server rack, drank about a drum of coffee.
Only after a detailed analysis of the server logs could I find the reason. The problem was access via a 'discarded' FTP account created long ago by a fired employee who knew the hosting control panel password. Apparently the employee was dissatisfied with the dismissal and decided to take revenge on the former employer. When I deleted all unnecessary FTP accounts and changed all passwords, this annoying problem disappeared.
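The detailed log analysis that finally explained the redirects can be routine rather than heroic: compare the accounts that actually log in and upload files against the list of accounts current staff need. The script below is an added example for this article, not part of it and not tied to any particular FTP daemon; the log lines are constructed in the style of a vsftpd log (timestamp, [pid], [user], status, action, client address, and for uploads the file path), and the set of active accounts is a placeholder.

```python
"""Spot logins and uploads by FTP accounts that should no longer exist, using
the server's own log.

Added example for this article, not part of it. The log lines below are
constructed in the style of vsftpd's log (timestamp, [pid], [user], status,
action, client address) and the account list is a placeholder.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

# Constructed sample: one legitimate session, one session by a leftover
# account that rewrites index.php, and two failed guesses at the admin account.
SAMPLE_LOG = """\
Tue Mar  5 09:12:01 2024 [pid 2] [webmaster] OK LOGIN: Client "203.0.113.7"
Tue Mar  5 09:13:40 2024 [pid 2] [webmaster] OK UPLOAD: Client "203.0.113.7", "/www/wp-content/themes/site/style.css", 4096 bytes, 120.00Kbyte/sec
Tue Mar  5 23:41:09 2024 [pid 2] [ftp_old_dev] OK LOGIN: Client "198.51.100.23"
Tue Mar  5 23:41:58 2024 [pid 2] [ftp_old_dev] OK UPLOAD: Client "198.51.100.23", "/www/index.php", 2210 bytes, 55.00Kbyte/sec
Wed Mar  6 02:10:11 2024 [pid 2] [admin] FAIL LOGIN: Client "198.51.100.23"
Wed Mar  6 02:10:15 2024 [pid 2] [admin] FAIL LOGIN: Client "198.51.100.23"
"""


def parse_ftp_log(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_ftp_activity(lines, active_accounts):
    """Compare successful activity against the accounts that should exist.

    active_accounts: the set of FTP users that current staff actually need.
    """
    events = parse_ftp_log(lines)
    ok = [e for e in events if e["status"] == "OK"]
    stale = sorted({e["user"] for e in ok
                    if e["action"] == "LOGIN" and e["user"] not in active_accounts})
    stale_uploads = [(e["user"], e["path"]) for e in ok
                     if e["action"] == "UPLOAD" and e["user"] in stale]
    failed = Counter(e["user"] for e in events
                     if e["status"] == "FAIL" and e["action"] == "LOGIN")
    return {
        "stale_logins": stale,           # accounts to delete; rotate the panel password too
        "stale_uploads": stale_uploads,  # files to restore from a clean backup
        "failed_logins": dict(failed),   # brute-force indicator per account
    }


if __name__ == "__main__":
    report = audit_ftp_activity(SAMPLE_LOG.splitlines(), {"webmaster", "admin"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample log the report names ftp_old_dev as a stale account that logged in and overwrote /www/index.php, which is exactly the re-infection pattern in the story above, and counts two failed logins against admin from the same client address. Feeding the real log in daily and alerting on a non-empty stale_logins list turns the weeks of guesswork into a same-day finding.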
Always be careful and vigilant
In the fight for security, a website owner's primary weapon is caution, caution, and caution. You can and should use the services of your hosting provider, but don't trust them blindly. No matter how secure the underlying solution may seem, you still have to check the most common vulnerabilities in your site configuration yourself. Then check again, just in case.
*The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr.