A rash of website/mysql hackings recently...change your login info!

Derek (Supportive Member, joined Oct 7, 2006, 2,165 messages, NY)
My web guy said there has been a rash of site hackings, specifically of MySQL DBs. He recommended people change their login info and make it uber strong/complicated.
 

Shane Deubell (Supportive Member, joined Jun 30, 2011, 4,052 messages)
Over the last 2 days I keep receiving requests from the "SECURITY" team at my email accounts to verify login info.

Clearly a phishing scam. Thanks, Derek. DON'T FALL FOR IT!
 

glenboy (Member, joined Oct 29, 2007, 881 messages, MACOMB MI, name GLEN)
My site was hacked recently with malware files. Strange finding this conversation on here. Has anyone had a file system scanner installed on their site for this reason?
 

Answerphone (Member, joined Apr 19, 2013, 47 messages, Charlotte, name Jeff)
GoDaddy actually provides a simple site survey tool that you can use. Another software solution that is also pretty big in the industry is a tool called Acunetix: http://www.acunetix.com/

I work a lot with IT security and vulnerabilities, and work with PHP/MySQL on practically a daily basis. A few tips to secure your MySQL databases:
1) Create multiple tiered users. Many people just use the "root" administrator user that comes with the MySQL installation. Using this account makes your database susceptible to a 'brute force' type attack (basically where a hacker would use a program to guess your password). If you have a website that connects to your database, there's almost no reason that the average site needs a DB user connecting to it that has 80% of the privileges granted to the root user by default.
1a) Deleting or renaming the "root" user is often a good idea (after replacing it with a new administrator account, naturally).
2) Derek is spot on on the password. Make it UBER complex. That means upper and lower case, numbers, and special characters. As a rule, I always make mine at least 15 characters long with no common words (helps prevent dictionary attacks).
3) The number one attack against MySQL databases is known as an SQL injection attack. A simplified example of this: let's say you have a login form on your site. If you don't place restrictions on what a user can input into your form (i.e. numbers/letters only), and don't restrict the length (say 20 characters), a hacker can actually put SQL commands in these fields and execute them (this can be things like sending all of your DB's content to the hacker or even dropping/deleting an entire database).
4) If you have users for your website, always, always use a one-way encryption algorithm to store their passwords.
5) Want your email destroyed? Use the "mailto: blah@blah.com" tag on your website to have people email you. Your email will be brimming with spam. Not to mention, hackers can hijack your form and spam whoever they want.
6) Sanitize everything. That means you validate your form input (an email is an email, a phone is a phone number). The rule of thumb is you never trust the user. You validate by trimming white space and limiting the characters that can be used with the use of what are called "regular expressions" or "regex" for short. This is the single best way to prevent things like SQL injection attacks.
7) Static sites (stuff that is plain HTML) are relatively safe. It's the dynamic sites that get you in trouble. The big thing with static sites is to make sure your password is complex, and that you're not using a username like "admin" or "administrator" to upload your files.
8) The de facto standard for web application security is a site called OWASP (Open Web Application Security Project). If you guys find this stuff interesting and want to learn more, they have tons of educational material on there.

The number of ways hackers attack is almost limitless, and they think of new ways to get into our systems all the time. A long time ago, in a galaxy far, far away, I took a 'ho, hum' approach to web security, and thought I was safe because my site was hosted on GoDaddy. I actually had an attacker hack my contact form, send thousands of work-at-home spam emails out, create a carbon copy of my website with only the contact information changed, and steal people's identities by having them send in all their personal information for the work-at-home 'opportunity'. It was a well thought out phishing scam. I actually had to get the FBI involved. I actually had to shut down the site. That was the last time I was ever hacked, and I don't plan on letting it happen again.

Anyway, I could talk about this stuff all day, lol. I hope this information helps, and if anyone has any questions feel free to PM me if you like :)
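The login-form injection Jeff describes in tip 3, and the one-way password storage from tip 4, as an added example that is not part of his post or of any particular site's code. The query built by pasting the form value into the SQL text leaks every row when the "username" is the classic `' OR '1'='1` payload; the same lookup with a bound parameter treats that payload as a literal string and matches nothing. Assumptions: an in-memory SQLite database stands in for MySQL (the `?` placeholder is the same idea as a MySQL prepared statement), the two users and their passwords are constructed sample data, and PBKDF2-HMAC-SHA256 with a random salt is the one-way hash.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Work factor for the one-way hash (tip 4). Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given,
    so two users with the same password get different stored hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash with the stored salt; constant-time compare."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two site users. Only salted hashes are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in (("derek", "correct horse battery staple"), ("glen", "Tr0ub4dor&3")):
        salt, digest = hash_password(password)
        # The INSERT itself uses placeholders; the values never touch the SQL text.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The mistake from tip 3: the form value is spliced straight into the query.
    Input  ' OR '1'='1  turns the WHERE clause into  username = '' OR '1'='1'
    and the query returns every user in the table."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Same lookup with a bound parameter: the driver sends the payload as data,
    so it is compared as a literal string and matches no row."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup plus hash verification. The database never sees the
    submitted password, and the stored digest cannot be reversed into one."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", lookup_user_vulnerable(db, payload))  # both users leak
    print("safe lookup:     ", lookup_user_safe(db, payload))        # []
    print("login derek/ok:  ", login(db, "derek", "correct horse battery staple"))
    print("login derek/bad: ", login(db, "derek", "wrong"))
    print("login payload:   ", login(db, payload, "anything"))
```

Character whitelists and length limits on the form (tip 6) cut down the attack surface, and binding every user-supplied value as a parameter, as `lookup_user_safe` and `login` do, is what makes the injected quote harmless regardless of what the validation let through. In PHP the equivalent is a PDO or mysqli prepared statement with `bindParam`/`bind_param`, and `password_hash()` for the one-way hash.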
 