page hacking and mutual server

[phdphd]

Hi All,

 

When one clicks a link in a search engine, they might be redirected to another site than the one they want to visit, due to a hacking issue.

 

Let's suppose that the site is hosted on a shared server and that the webmaster of the site cannot be held responsable for this issue. Can there be an issue at server level ? Could the use of a dedicated server bring an additionnal protection ?

 

Thanks for sharing your view.

 

PhD

[trq]

Im not sure I understand the question / problem.

[phdphd]

Let me try to rephrase it.

 

Problem : imagine you own a website that is listed in a Google search results page when the user enters some key words. One day, it appears that when the user clicks the link, the homepage of another website appears instead of the homepage of your website.

 

Questions :

• (a) can this be due ONLY  to a violation of the security procedures implemented by the webmaster for the website (htaccess file, password/login settings, etc) or (b) can it be also achieved by exploiting a weakness of the configuration of the server that hosts your wbsite ?
  
• If answer is (b), does a dedicated server (i.e. a server that hosts only your website) offer a better protection ?
  

 

Thanks.

 

PhD

[trq]

1) it could be either a or b

2) a dedicated server is always going to have less ability to be tampered with by other users simply because there aren't any.

[phdphd]

Thanks for your quick answer.

 

In case of (b), can the hacker open/modify the php files without violating the procedures that the webmaster had set for the website ?

 

Regards,

 

PhD

[trq]

What?

[phdphd]

Sorry, I am not an IT/Internet specialist. Let me try to rephrase again 

 

If a hacker just exploits a weakness of the configuration of the server that hosts the website, does this always give them access to the php files of your site and to their contents or do they also need to violate the security procedures set by the webmaster at the website level in order to access the php files?

 

Regards

 

PhD

[trq]

If a hacker just exploits a weakness of the configuration of the server that hosts the website, does this always give them access to the php files of your site and to their contents

 

No. That would completely depend on the exploit.

 

do they also need to violate the security procedures set by the webmaster at the website level in order to access the php files?

 

If they have access to the filesystem there is nothing stopping them accessing the php files. A php application itself cannot protect itself in that mannor.

 

What exactly are you trying to get at? Do you have a specific issue?

[phdphd]

Well so far I have no specific issue, I am just wondering how to get the best protection against any violation of the website, which is still under construction.  There will be a lot of php coding and time spent on it.

 

One of the issues could be redirecting the visitor to another website. I have read in another forum that a hacker can do this by editing a website file. This implies the hacker can access the file. Then other issues can happen : by accessing the php files that make up a website, the hacker can also steal php coding, get database credentials, make any change to the DB, etc, and eventually ruin all the webmaster's efforts, even if the webmaster regularly makes backups of the website and DB.

 

Any suggestions/procedures that a webmaster should follow to implement the highest level of protection are welcome.

 

Thanks.

 

PhD

 

 

[scootstah]

Make sure to use the proper directory/file permissions and make sure to thoroughly check any user-submitted file uploads. Also, make sure to properly sanitize any user input when using a script that creates files based on user input.

[thehippy]

The Computer Security Resource Center (CSRC) at the National Institute of Standards and Technology (NIST) has many publications on all aspects of computer security.  They are an USA Government working group that provides recommendations on such things as computer security for nearly all the government branches.

 

A Listing of the publications - IIRC I'm not allowed to link directly to PDFs on this board

 

I picked out a few that are relevant to website security.  Take into consideration the date of publication on some of the articles, while the important ones are updated regularly the more obscure publications are not, but still have valuable information.

• Guide to Intrusion Detection and Prevention Systems (IDPS)
  
• Recommended Security Controls for Federal Information Systems and Organizations
  
• Guidelines on Securing Public Web Servers
  
• Guidelines on Firewalls and Firewall Policy
  
• Creating a Patch and Vulnerability Management Program
  
• Managing Information Security Risk: Organization, Mission, and Information System View
  
• Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
  
• Generally Accepted Principles and Practices for Securing Information Technology Systems
  

 

Given that you've stated 'I am not an IT/Internet specialist,' hire a professional if its important.