
Thread: can your competition put virus into your website?

  1. #1
    Banned
    Join Date
    Feb 2011
    Location
    9626 E Arkansas place Denver Colorado 80247
    Posts
    68

    Default can your competition put virus into your website?

    Can someone put a virus into your website on purpose?

    So if the virus makes it through your website, could that hurt your page ranking with Google?

    Please advise.
    Thank you.

  2. #2
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    577

    Default

    It depends on how your site is setup and how security minded you are.

    A properly set up site, they are only going to be able to modify the actual site by logging in (either through some type of control panel, or by actually FTP'ing into the server with your login credentials.)

    Tips to prevent this:
    1. Use secure non guessable passwords which consist of at least 8 characters, combining at least one lowercase letter, one uppercase letter, one number and for even more secure, at least one special character (ie. !@#$%^&*)
    2. If you must keep it written down, do NOT leave it out, keep it locked in your safe.
    3. If you lose (or even suspect something fishy with) an employee who knows the login, change it immediately.
    4. Same goes for if you think there is any possibility it has been compromised, change it immediately.
    5. Resist temptation to use the same password for many things.
    6. If you edit your site via a web page, make sure you connect to that control panel / CMS via a secure web page (https://www....)
    7. If you use a program to upload the files to your server (FTP client), resist telling it to remember your password. Many FTP programs store the password in a way that can easily be found if your computer gets compromised.
      1. If you can use SFTP instead of regular FTP so that your login credentials are not sent plain text out to the internet. (same as it is better to use a secure page over non secure)

    8. Do not use your laptop over an insecure wireless network. Traffic can be snooped. (Note though, using secure pages and sFTP are still encrypted, but it is easy to forget you are on an open network and start going somewhere you are not safe)
    9. Make sure your system is up to date on updates.
    10. Make sure you are running an up to date virus software.
    11. RESIST doing any non-work related browsing on the computer for business. Do not let others use it. I have had to go clean up someone's system that was infected because they let their nephew use it to check his mail, to which he then hit Facebook and followed a link to "Watch this video that will shock you" and fell for the link to install a flash update. The next day, their computer would not even boot. Computers are cheap enough that if you (or your employee) are that bored, get a second computer to screw around on. Think of old days, would you want them doodling on your accounting or trip books?
    12. If you have a site that is using something like WordPress/Drupal/Joomla, etc. make sure it (and any add-ons/plug-ins) are updated often!
    13. If you have a site that uses something else, but isn't just you uploading flat .html files and images hope that it is securely programmed. Poorly written web apps can be compromised easily.
    14. If you are using hosting on a shared account, verify if other users can possibly write to your directory. Properly set up systems it won't happen, but I have seen some servers where one site can write into another if the permissions are not set by the customer (hosting customer, YOU). With the right scripts, you can really mess big time with a server that you can read across user directories.

    Please note, any mention of passwords goes for all aspects of your business/web sites, from the login to your computer, to the login to your hosting account, the account for where you have your domain names registered, emails accounts, everything!

    Speaking of computer login, if you are on a windows machine, use a login with a password, and get used to hitting [WindowsKey]-L combination every time you get up from it to lock it. (Yes, at first harder more secure passwords are a pain, but after you enter it several times a day, becomes second nature.) I have been at businesses before where they leave computer wide open, in reach of a customer and go out of the room for 5 minutes, plenty of time for someone to do damage if they are looking to compromise you.

    So with these guidelines, you greatly reduce your chances of someone changing and or adding content to your site. Note, that when it comes to someone messing with your site, it is not always a case of you go to your site and there is an obvious message that you were hacked. A lot of times, they modify the site that search engines will see something different than what the normal person sees with a regular browser (usually to put links off to another site to improve their link listing with search engines, which can be eventually detected and then you get penalized for it by the search engines).

    Another hack that can get done is redirect visitors off to a hack site somewhere to try to install a malicious program on your system. Usually, if Google detects this, they will flag your site (Google results will list a "This site may harm your computer" and browsers like Firefox/Chrome will use that same flag to warn people to not even visit your site).

    Trust me, I have done my share of cleaning up computers infected, web sites compromised and also servers that have been hacked server wide to affect all sites on that server. It can get time consuming and messy! (And made me good money, even considering that I have a conscience and don't gouge because I could)

    Lastly a #15, which is for if you ever have the day of "something was failed, and you are screwed!". Get a good backup program (I myself use Acronis True Image) and backup your data. I like Acronis as I not only back up throughout the day from one hard drive on my laptop over to the other drive on it (I love having two physical drives), and nightly it backs up to my network share on my desktop system, and once or twice a week, I let it do a full data backup to a removable drive, which is encrypted (in case someone gets that drive), and swap out the drives between office and safe deposit box. I can also set it to automatically send a backup to my server, again encrypted and offsite. Trust me, it takes just ONE time of losing all your data to appreciate a good backup scheme!

    Also, make sure you have copies of your website. If it is just a static site you upload files to, that is easy, as you usually have the files on your system that you uploaded from, so should get backed up with the other files. If you are running a site that is where you enter data on a control panel /CMS, make sure you have a way to backup all of your data. Then if your site is compromised, you can quickly get it back up and running. At the very least have a Rip of it (see http://www.limousinesonline.com/show...f-your-website)

    Hope this info helps. If you have any questions about any of the tips, feel free to contact me via PM and I'll help you the best I can.

    -Greg
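
The post above describes compromises where search engines are served different content than a regular browser. The following is an added example, not part of the original post: it compares two saved copies of the same page and lists external hosts that appear in only one of them. The site name `limo.example`, the sample HTML, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect URLs a page points at: <a href>, <script src>, <iframe src>."""

    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.add(attrs["href"])
        elif tag in ("script", "iframe") and attrs.get("src"):
            self.urls.add(attrs["src"])


def external_hosts(html, own_host):
    """Return hostnames referenced in `html` that are not own_host or a subdomain."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative links
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return hosts


def compare_copies(browser_html, crawler_html, own_host):
    """Report external hosts that appear in only one of the two copies."""
    seen_by_browser = external_hosts(browser_html, own_host)
    seen_by_crawler = external_hosts(crawler_html, own_host)
    return {
        "crawler_only": sorted(seen_by_crawler - seen_by_browser),
        "browser_only": sorted(seen_by_browser - seen_by_crawler),
    }


# Constructed sample: the copy saved with a normal browser user agent.
BROWSER_COPY = """
<html><body>
<a href="/fleet.html">Our fleet</a>
<a href="https://www.limo.example/contact">Contact</a>
<script src="https://cdn.example.net/site.js"></script>
</body></html>
"""

# Constructed sample: the copy saved with a search-crawler user agent,
# carrying a hidden block of links the browser copy does not have.
CRAWLER_COPY = BROWSER_COPY.replace(
    "</body>",
    '<div style="display:none">'
    '<a href="http://pills.example.org/buy">cheap pills</a>'
    '<a href="http://casino.example.com/">casino</a>'
    "</div></body>",
)

if __name__ == "__main__":
    print(compare_copies(BROWSER_COPY, CRAWLER_COPY, "limo.example"))
```

An empty report does not prove the site is clean, since injected code can also key on the visitor's IP address or referrer rather than the user agent; hosts listed under `browser_only` point to the visitor-redirect case instead.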

  3. #3
    Banned
    Join Date
    Feb 2011
    Location
    9626 E Arkansas place Denver Colorado 80247
    Posts
    68

    Default Oh man thanks a lot this is more than enough

    Oh man thanks a lot this is more than enough   

  4. #4

    Default

    That is a lot of great information Greg. But is there any way to determine if someone has been 'messing' with your site?

  5. #5
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    577

    Default

    Quote Originally Posted by LGAL View Post
    That is a lot of great information Greg. But is there any way to determine if someone has been 'messing' with your site?

    It is a little different from what I am used to compared to what many people have access to. I'm used to having full access into a server and being able to check all log files, scan all files for things that have changed, etc.

    Find out from your provider what all log files / stats you have option to. A lot of people just depend on Google Analytics, which does an awesome job of monitoring things you set it to monitor, however if someone gets a file on your server for malicious activity, they are not going to tie it to your account ;-) This is where a program like AWStats / Analog or another one that generates off of your raw access logs for the server can come in handy. If you do nothing but watch which files are called, you over time will get used to what does get called, and can stop unusual things.

    If you think something was messed with, contact your provider asap. The sooner you do, the easier it will be for them to look through log files to see things like FTP logins to the server. Depending on your server setup (see #14 from my other post), your provider may be very concerned.

    Again, the big thing is knowing what the "Norm" looks like, both in logs, in your site, and search results for your site. Like many things, it takes time to learn, but as you do it more, it becomes easier as you know what to look for. Unfortunately it is not a "do this step and you are good".

    -Greg
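
The post above recommends watching which files get called in the raw access logs until you know what normal looks like. The following is an added example, not part of the original post: it builds a baseline of files the server has successfully served and lists files in a newer log that were never served before. It assumes the common Apache/NCSA log format; the log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Matches the start of a common/combined log line:
# ip ident user [timestamp] "METHOD path protocol" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def files_served(lines):
    """Map each path answered with a 2xx status to its hit count and methods."""
    served = defaultdict(lambda: {"hits": 0, "methods": set()})
    for line in lines:
        m = LOG_LINE.match(line)
        # Failed requests (404 probes and the like) say nothing about
        # what actually exists on the server, so they are skipped.
        if not m or not m["status"].startswith("2"):
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        served[path]["hits"] += 1
        served[path]["methods"].add(m["method"])
    return served


def unusual_requests(baseline_lines, recent_lines):
    """Return (path, hits, methods) for files served recently but never before."""
    known = set(files_served(baseline_lines))
    recent = files_served(recent_lines)
    return [
        (path, recent[path]["hits"], sorted(recent[path]["methods"]))
        for path in sorted(recent)
        if path not in known
    ]


# Constructed sample logs (documentation IP ranges, hypothetical paths).
BASELINE = """\
192.0.2.10 - - [01/Mar/2011:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.11 - - [01/Mar/2011:10:02:13 -0500] "GET /fleet.html HTTP/1.1" 200 8032
192.0.2.10 - - [01/Mar/2011:10:02:14 -0500] "GET /images/logo.png HTTP/1.1" 200 2210
192.0.2.12 - - [01/Mar/2011:11:15:40 -0500] "POST /contact.php HTTP/1.1" 200 310
""".splitlines()

RECENT = """\
192.0.2.30 - - [08/Mar/2011:09:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.31 - - [08/Mar/2011:09:04:55 -0500] "GET /fleet.html?car=3 HTTP/1.1" 200 8032
198.51.100.5 - - [08/Mar/2011:09:10:02 -0500] "GET /wp-login.php HTTP/1.1" 404 208
203.0.113.77 - - [08/Mar/2011:09:31:17 -0500] "POST /images/gal.php HTTP/1.1" 200 44
203.0.113.77 - - [08/Mar/2011:09:31:19 -0500] "POST /images/gal.php HTTP/1.1" 200 44
192.0.2.30 - - [08/Mar/2011:09:40:00 -0500] "GET /images/logo.png HTTP/1.1" 200 2210
""".splitlines()

if __name__ == "__main__":
    for path, hits, methods in unusual_requests(BASELINE, RECENT):
        print(f"never served before: {path} hits={hits} methods={','.join(methods)}")
```

A file that the server answers successfully but that you never uploaded, such as the script under the images directory in the sample, is the kind of entry worth raising with the hosting provider.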

  6. #6
    Senior Member Cedar Mill Limousine's Avatar
    Join Date
    May 2008
    Location
    Crown Point, Indiana (Northern Indiana)
    Posts
    2,788

    Default

    Great info as usual, Greg! Thanks!

    Rich Rottier
    219.808.0976 | richrottier@gmail.com
