I received this email the other day:
"Brian, Have you heard about this? Have you scanned your server for this issue?"
Thanks. Yes, this is an old type of attack, at least for responsible server admins ("old" being anything more than 6 months old). The problem comes from older scripts on the server.
The general public doesn't hear about it until a big attack like this one hits, but these SQL injection attacks pop up every now and then when a new exploit is found in a popular script. If you notice, even this last report is not in the 'normal' news, but on technical sites.
- Mass SQL Injection Attack Hits Sites Running IIS
- Widespread Web Attack Infects Thousands of Legitimate Sites
No server is 100% secure. Any device that connects to another device, especially over the internet, is at risk. The best protection a server admin can provide is to be vigilant on all security patches as they become available, and to have active scanning for exploits. But, even servers run by great administrators can have issues, as these types of attacks are usually based in user scripts like WordPress, Joomla, and other forums, blogs and galleries.
Basically, any website that has any type of interaction with the user can have some sort of exploit, and most weekend webmasters don't update anything. They simply upload a super cool script that makes their site interactive, like a simple guestbook. And they leave it... never to be checked or looked at again until there is a problem.
What is a Web Server Admin to do? We can check for older scripts and notify webmasters of the issue, but what happens if they don't listen? Is it good business to disable the script on them? To disable all old scripts throughout the whole server? Update it for them?
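One way to do the "check for older scripts" step, as an added example (not the author's own tooling): a scan that finds every WordPress install under a hosting root and flags those below a minimum version. It relies on WordPress recording its version in `wp-includes/version.php`; the directory layout, the version numbers in the demo tree, and the `6.0` threshold are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: list WordPress installs under a hosting root, flag old ones.

# version_lt A B: true when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# wp_version FILE: print the string assigned to $wp_version in version.php.
wp_version() {
    awk -F"'" '/^\$wp_version/ { print $2; exit }' "$1"
}

# scan_wordpress ROOT MIN: one "STATUS<TAB>VERSION<TAB>SITE_DIR" line per install.
scan_wordpress() {
    local root=$1 min=$2 f ver site
    find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r f; do
        ver=$(wp_version "$f")
        site=${f%/wp-includes/version.php}
        if [ -z "$ver" ]; then
            printf 'UNKNOWN\t-\t%s\n' "$site"      # file present but unparsable
        elif version_lt "$ver" "$min"; then
            printf 'OUTDATED\t%s\t%s\n' "$ver" "$site"
        else
            printf 'OK\t%s\t%s\n' "$ver" "$site"
        fi
    done
}

# make_demo_tree: build a constructed two-account tree so the scan runs offline.
make_demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html/wp-includes" \
             "$root/bob/public_html/blog/wp-includes"
    printf "<?php\n\$wp_version = '6.4.3';\n" \
        > "$root/alice/public_html/wp-includes/version.php"
    printf "<?php\n\$wp_version = '4.9.8';\n" \
        > "$root/bob/public_html/blog/wp-includes/version.php"
    printf '%s\n' "$root"
}

# Demo run; MIN 6.0 is a placeholder threshold, not a recommendation.
demo=$(make_demo_tree)
scan_wordpress "$demo" 6.0
rm -rf "$demo"
```

On a real server, point `scan_wordpress` at the directory that holds the customer accounts and pick the threshold yourself; the `OUTDATED` lines are the site directories whose owners need a notice.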
Patches and Upgrades for main server-wide programs.
One thing that is vital is to keep the server-wide software updated and patched, like Apache, MySQL, PHP, or IIS. But doing this has the risk of breaking some websites due to incompatible scripts. PHP caused headaches for everyone a couple years ago, and MySQL gave its share of issues. Just like the IT department in many companies, sometimes updates may be delayed for fear of messing with things. "If it ain't broke, don't fix it."
Sure, that is great, until the sludge hits the fan. Then, all that 'putting-off' seems to be short-sighted. Some of the patches and security features I added to the server recently are causing issues for some clients who have not upgraded Internet Explorer 6, which opens up even more issues. Sorry, if you are using IE6, you have bigger problems to deal with than my servers.
Updates Suck, But We Need Them
Hey, no argument here. Updates suck. You know what? So do condoms. But they are necessary. And sometimes you have to be tough, with a 'No Glove, No Love' policy. So, maybe a server admin should prevent any interaction happening on a user's website until that webmaster applies protection.
In the past, I have disabled scripts with known exploits. There are several sites that have had their forums shut down for years, and guess what... the owners don't even know! If they don't pay attention to their website enough to know something isn't working, can they be trusted with updating the scripts? That is not to knock those webmasters, as they probably have real jobs and a real life to deal with, but should their irresponsibility threaten the rest of the websites on a server?
For all the sites I manage as webmaster, or server admin, I upgrade their Joomla for them. I know they have their business to run, and have enough on their hands just updating their anti-virus software. I also update most of the other scripts for those that were set up by other webmasters and just left the user with a site whose workings they don't know. "It's just there." Sometimes, a WordPress update may disrupt things. Or a Joomla update messes with one or more plugins, and we get all bent out of shape with the "If not Broke" song. But that ounce of prevention, while unpleasant, is so much better than having a complete destruction of your website.
Side note: I did have one site get compromised recently, but it was not a hack... they simply logged in and made changes. They likely got in with a weak password. How strong are your passwords? You aren't using your first name, or company name, are you? http://go-7s.com/Software-and-Tools/Remember-ALL-Your-Login-Information.html