Four ways attackers exploit hosted services
Attackers are either targeting admins for hosted services with phishing campaigns or exploiting mistakes made when setting them up. Here's what to watch out for.
7 January 2021
Experienced IT professionals are believed to be well protected from online scammers who profit mostly from gullible home users. However, a huge number of cyber attackers are targeting virtual server administrators and the services they manage. Here are some of the scams and exploits admins need to be aware of.
Targeted phishing e-mails
While drinking your morning coffee, you open the laptop and launch your e-mail client. Among routine messages, you spot a letter from the hosting provider reminding you to pay for the hosting plan again. It is the holiday season (or there is some other pretext), and the message offers a significant discount if you pay now.
At the same time, the admin panel URL differs slightly from the real one, and the SSL certificate raises some suspicion. Oh, is that a phishing attempt?
Attacks that use fake admin panels to intercept login credentials have recently become common. You could blame the service provider for leaking customer data, but do not rush to conclusions. Getting information about the administrators of websites hosted by a specific company is not difficult for motivated cybercrooks.
To get an e-mail template, hackers simply register on the service provider’s website. Moreover, many companies offer trial periods. Later, malefactors may use any HTML editor to change e-mail contents.
It is also not difficult to find the IP address range used by a specific hosting provider. Quite a few services have been created for this purpose. Then it is possible to obtain the list of all websites for each IP address of shared hosting. Problems can arise only with providers who use Cloudflare.
After that, crooks collect e-mail addresses from websites and generate a mailing list by adding popular values like administrator, admin, contact or info. This process is easy to automate with a Python script or by using one of the programs for automatic e-mail collection. Kali lovers can use theHarvester for this purpose, playing a bit with the settings.
A range of utilities allow you to find not only the administrator’s e-mail address but also the name of the domain registrar. In this case, administrators are usually asked to pay for the renewal of the domain name by redirecting them to the fake payment system page. It is not difficult to notice the trick, but if you are tired or in a hurry, there is a chance to get trapped.
It is not difficult to protect against these phishing attacks. Enable multi-factor authentication to log in to the hosting control panel, bookmark the admin panel page and, of course, try to stay attentive.
Exploiting CMS installation scripts and service folders
Who does not use a content management system (CMS) these days? Many hosting providers offer a service to quickly deploy the most popular CMS engines such as WordPress, Drupal or Joomla from a container. One click on the button in the hosting control panel and you are done.
However, some admins prefer to configure the CMS manually, downloading the distribution from the developer’s site and uploading it to the server via FTP. For some people, this way is more familiar, more reliable, and aligned with the admin’s feng shui. However, they sometimes forget to delete installation scripts and service folders.
Everyone knows that when installing the engine, the WordPress installation script is located at wp-admin/install.php. Using Google Dorks, scammers can get many search results for this path. Search results will be cluttered with links to forums discussing WordPress tech glitches, but digging into this heap makes it possible to find working options allowing you to change the site’s settings.
The structure of scripts in WordPress can be viewed by using the following query:
There is also a chance to find a lot of interesting things by searching for forgotten scripts with the query:
It is possible to find working scripts for installing the popular Joomla engine using the characteristic title of a Web page like intitle:Joomla! Web installer. If you use special search operators correctly, you can find unfinished installations or forgotten service scripts and help the unlucky owner to complete the CMS installation while creating a new administrator’s account in the CMS.
To stop such attacks, admins should clean up server folders or use containerisation. The latter is usually safer.
Hackers can also search for other security issues on virtual hosts. For example, they can look for configuration flaws or default configurations. WordPress, Joomla, and other CMSs usually have a huge number of plugins with known vulnerabilities.
First, attackers may try to find the version of the CMS installed on the host. In the case of WordPress, this can be done by examining the code of the page and looking for meta tags like <meta name="generator" content="WordPress 5.2.5" />. The version of the WordPress theme can be obtained by looking for lines like https://websiteurl/wp-content/themes/theme_name/css/main.css?ver=5.7.2.
Then crooks can search for versions of the plugins of interest. Many of them contain readme text files available at https://websiteurl/wp-content/plugins/plugin_name/readme.txt.
Delete such files immediately after installing plugins and do not leave them on the hosting account available for curious researchers. Once the versions of the CMS, theme, and plugins are known, a hacker can try to exploit known vulnerabilities.
On some WordPress sites, attackers can find the name of the administrator by adding a string like /?author=1 to the site URL. With the default settings in place, the engine will return the URL with the valid account name of the first user, often with administrator rights. Having the account name, hackers may then attempt a brute-force attack on the password.
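The probes described above leave traces in the web server's access log. The following detection sketch is an added example, not part of the original article; it assumes the common/combined log format, and the log lines, IP addresses and plugin name are constructed.

```python
import re
from collections import defaultdict

# Probe patterns built from the paths the article describes.
PROBES = {
    "author_enum": re.compile(r"^/(?:index\.php)?\?(?:.*&)?author=\d+"),
    "install_script": re.compile(r"^/(?:[^?]*/)?wp-admin/install\.php"),
    "plugin_readme": re.compile(r"^/(?:[^?]*/)?wp-content/plugins/[^/]+/readme\.txt", re.I),
}
# ip ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

def find_recon(lines):
    """Return {client_ip: {probe_name: [(path, status), ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        for name, rx in PROBES.items():
            if rx.search(path):
                hits[ip][name].append((path, status))
    return {ip: dict(probes) for ip, probes in hits.items()}

def answered(hits):
    """Probes that got a 2xx/3xx reply; each one deserves a manual follow-up."""
    return sorted((ip, name, path) for ip, probes in hits.items()
                  for name, reqs in probes.items()
                  for path, status in reqs if status < 400)

# Constructed sample lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2021:09:14:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [07/Jan/2021:09:14:02 +0000] "GET /?author=2 HTTP/1.1" 404 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [07/Jan/2021:09:14:05 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '198.51.100.23 - - [07/Jan/2021:09:20:11 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Jan/2021:09:21:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in answered(find_recon(SAMPLE_LOG)):
        print(row)
```

A 301 on an author probe means the server redirected to the account's author URL, so the account name was disclosed to that client.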
Many website admins sometimes leave some directories available to strangers. In WordPress, it is often possible to find these folders:
There is absolutely no need to let outsiders see them, as these folders can contain critical and confidential information. Deny access to service folders by placing an empty index.html file in the root of each directory (or add the Options -Indexes line to the site’s .htaccess). Many hosting providers have this option set by default.
Use the chmod command with caution, especially when granting write and script execution permissions to a bunch of subdirectories. The consequences of such rash actions can be the most unexpected.
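The clean-up advice in this section can be checked from the server side with a small audit of the document root. This is an added example, not part of the original article; the sample tree is constructed, and the check for an installation/ folder assumes Joomla's usual installer location.

```python
import os
import stat
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def audit_docroot(root):
    """Return sorted (finding, relative_path) tuples for a web document root."""
    root, findings = Path(root), set()
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root).as_posix()
        # Without an index file the directory is listed if Indexes is enabled.
        if not INDEX_NAMES & set(filenames):
            findings.add(("no_index_file", rel))
        # Plugin readme files disclose the installed plugin version.
        if d.parent.name == "plugins" and d.parent.parent.name == "wp-content":
            for f in filenames:
                if f.lower() == "readme.txt":
                    findings.add(("plugin_readme", f"{rel}/{f}"))
        # World-writable entries are what a careless recursive chmod leaves behind.
        for name in dirnames + filenames:
            p = d / name
            if not p.is_symlink() and p.lstat().st_mode & stat.S_IWOTH:
                findings.add(("world_writable", p.relative_to(root).as_posix()))
    # Assumption: a forgotten Joomla web installer sits in "installation/".
    if (root / "installation").is_dir():
        findings.add(("leftover_installer", "installation"))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample docroot used to demonstrate the audit."""
    base = Path(base)
    plugin = base / "wp-content" / "plugins" / "example-plugin"
    plugin.mkdir(parents=True)
    (plugin / "readme.txt").write_text("Stable tag: 1.0\n")
    (plugin / "index.php").write_text("<?php // silence\n")
    uploads = base / "wp-content" / "uploads"
    uploads.mkdir()
    os.chmod(uploads, 0o777)  # simulates an over-broad chmod
    (base / "installation").mkdir()
    (base / "index.php").write_text("<?php\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_docroot(build_sample_tree(tmp)):
            print(finding)
```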
Several months ago, a company came to me asking for help. Their website was redirecting visitors to scams like Search Marquis every day for no apparent reason. Restoring the contents of the server folder from a backup did not help. Several days later, the bad things repeated. Searching for vulnerabilities and backdoors in scripts found nothing either. The website admin drank liters of coffee and banged his head on the server rack.
Only a detailed analysis of server logs helped to find the real reason. The problem was an ‘abandoned’ FTP access created long ago by a fired employee who knew the password for the hosting control panel. Apparently, not satisfied with his dismissal, that person decided to take revenge on his former boss. After deleting all unnecessary FTP accounts and changing all passwords, the nasty problems disappeared.
Always be cautious and alert
The main weapon of the website owner in the struggle for security is caution, discretion, and attentiveness. You can and should use the services of a hosting provider, but do not trust them blindly. No matter how reliable out-of-the-box solutions may seem, to be safe, you need to check the most typical vulnerabilities in the site configuration yourself. Then, just in case, check everything again.