Web-hosting biz and domain-name registrar Network Solutions was pummelled offline by attackers last night - and took its customers' websites down with it. The distributed denial-of-service assault (DDoS) lasted for about two or three hours before the US company was able to mitigate the effects and get its systems back online. …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Thursday 18th July 2013 10:31 GMT Alister

Unlike compromised home PCs, there really is no excuse for compromised web servers.

The vast majority of web servers are managed by someone who is paid to do it, and therefore should be responsible and competent enough to either stop the compromise in the first place, or be able to detect and remove any malicious software if an infection occurs.

If a server is identified as one of the sources of a DDoS attack then it's owner / operator should be notified, and sanctions applied if it's not fixed.

10 0
1. Thursday 18th July 2013 10:57 GMT Jamie Jones
  
  I agree. The amount of times I've heard of web-application bugs being used to install malware by modifying files is mad.
  
  It's simple enough to make all code files owned by a different user to the one running the web server.
  
  Also, simple firewall rules can stop an account making outbound calls.
  
  I suspect the main culprits are the systems that give users a single non-root username - sometimes with only ftp access!
  
  Think how many non-techie people run their own wordpress or phpbb etc. under such an environment.
  
  1 0
2. Thursday 18th July 2013 11:27 GMT Antonymous Coward
  
  >Unlike compromised home PCs, there really is no excuse for compromised web servers.
  
  Incompetence.
  
  Admin, code or often both. Was it "nimda" or "code red" that infected hordes of servers when a software vendor advised customers to install an emergency patch from their (infected) servers?
  
  2 0
3. Thursday 18th July 2013 12:10 GMT Anonymous Coward
  
  @Alister
  
  "Unlike compromised home PCs, there really is no excuse for compromised web servers."
  
  Agreed, but there should be even less excuses not to act against such servers, which is in my opinion the main problem.
  
  If you noticed Internet abuse and then notified the involved parties then it remains to be seen if anything is done against it. More than often people let it slide because apparently they either can't be bothered to fix it or they don't want to upset their customers.
  
  3 0
Thursday 18th July 2013 10:49 GMT Anonymous Coward

dream on

The vast majority of web servers are not managed by anyone at all. Many will simply be wordpress or similar sites which once set up by their point and click owners are rarely if every upgraded and thus open to every expoloit going. The underlying systems on such services are probably never upgraded either as that would break too many of their customers sites. So sadly in the real world there are plenty of web servers to exploit.

Even identifying the owner/operator as you put it of a site can be damn near impossible sometimes, getting a hosting company to take down a site/server is even harder even when it's clearly a fraudlent banking clone.

The good ones spot the issue and block until it is cleaned up.

Sadly we don't live in a perfect world.

3 1
1. Friday 19th July 2013 07:10 GMT Alister
  
  Re: dream on
  
  The vast majority of web servers are not managed by anyone at all. Many will simply be wordpress or similar sites which once set up by their point and click owners are rarely if every upgraded and thus open to every expoloit going. The underlying systems on such services are probably never upgraded either as that would break too many of their customers sites. So sadly in the real world there are plenty of web servers to exploit.
  
  You're confusing websites, and web servers. Yes there are thousands of "fire and forget" web sites out there, but they nearly all sit on managed servers provided by a hosting company. It is the hosting company's responsibility to manage and monitor the server, not the site owners. And it is the hosting company that should be penalised, if one of their servers is part of a DDoS attack and they don't do anything about it.
  
  0 0
Thursday 18th July 2013 11:34 GMT Don Jefe

Upgrades

Looks like the NSA botched a system upgrade.

3 0
1. Thursday 18th July 2013 11:56 GMT Anonymous Coward
  
  Re: Upgrades
  
  "NSA" "jokes" are tired now.
  
  1 8
Thursday 18th July 2013 11:47 GMT Anonymous Coward

Perfect weapon

There are some harsh comments above but a web server is always on and public facing. it is far better to attack than a home PC because it will sit there and suffer while you keep trying. Admins get the blame but they are trying to protect a prize goose while standing alone in a crowd of customers and attackers. The web server must be accessible, but only by the right people. Who is the right people? Payloads and attacks are delivered in many ways and that leads to developers who make a mistake or outright cowboy. The admin can do his best but a developer could mess up. But then there are workers in the company who could compromise their machine and let an attacker onto the network!!! A small business wont have a lot of separation between servers and their primary network and so again.

It is easy to blame the few guys plugging the many holes but there are a lot of ways to be compromised. And once compromised you may not know about it, you may be part of a DDOS and know nothing about it. Because your server is owned!

0 0
1. Thursday 18th July 2013 13:15 GMT Alister
  
  Re: Perfect weapon
  
  It is easy to blame the few guys plugging the many holes but there are a lot of ways to be compromised. And once compromised you may not know about it, you may be part of a DDOS and know nothing about it. Because your server is owned!
  
  If your server is being used as part of a DDoS attack and you don't know about it, then you're doing it wrong.
  
  The most rudimentary traffic and resources monitoring should highlight that the server is doing something it shouldn't.
  
  2 0
  1. Thursday 18th July 2013 16:04 GMT Anonymous Coward
    
    Re: Perfect weapon
    
    @Alister
    
    "If your server is being used as part of a DDoS attack and you don't know about it, then you're doing it wrong.
    
    The most rudimentary traffic and resources monitoring should highlight that the server is doing something it shouldn't."
    
    And who will monitor it? Considering a lot of small businesses dont have a single IT competent among them yet they need the site to sell. Or they have a single IT competent who is tied up doing the flood of jobs they are buried under. What tools do you suggest as a lot of uni graduates are not really taught to do it.
    
    Obviously you are not talking of resource monitors on the server itself as a compromised server will lie.
    
    0 0
Thursday 18th July 2013 15:41 GMT Anonymous Coward

The fun has just begun

Now the crims will end up in prison for the next 5 years. We'll see how they like the iron bar hotel.

0 1
1. Thursday 18th July 2013 17:02 GMT Shades
  
  Re: The fun has just begun
  
  You're still here then I see, Morris! You really should learn some new phrases!
  
  2 0
Thursday 18th July 2013 23:11 GMT Andrew 99

word press admin

so as an admin of a small wordpress site, how would I know if my site has been compromised?

I've bought space from a hosting company, I dont have access to network traffic monitoring tools. Any suggestions?

0 0
1. Friday 19th July 2013 07:05 GMT Alister
  
  Re: word press admin
  
  so as an admin of a small wordpress site, how would I know if my site has been compromised?
  
  You shouldn't - your site sits on a server provided by and administered by a hosting company, and they should have the necessary monitoring in place, and it is their responsibility, not yours.
  
  0 0
Friday 19th July 2013 01:10 GMT ecofeco

Net Sol?

Wow. Just... wow.

0 0
Monday 22nd July 2013 11:52 GMT Anonymous Coward

Monitoring..

Oh look.. I just googled "website monitoring service" and now have around a gazillion (mainly free) choices to monitor my website up/down time...

If anyone needs the website address its: www.google.com or in the uk www.google.co.uk, but if you go to google.com it is usually very clever and sends you to the country that your computer is located in, or potentially what the locale is set to.

0 0