[development] Fully patched site hacked and cloaked

JT Justman jjustman at uoregon.edu
Thu Jan 28 22:46:25 UTC 2010

Syscrusher wrote:
> On Wed, 2010-01-27 at 11:42 -0800, Domenic Santangelo wrote:
> I run a coop server where some of the clients are *NIX users, some
> clueful Windows users, and some clueless Windows users. The *NIX and
> clueful Windows users all use SSH and SFTP, but the clueless Windows
> users refuse to use PuTTY or anything like it because "Microsoft
> FrontPage supports FTP!!!!". (Not all the sites on the server are
> Drupal.)

Microsoft FrontPage FTP is just as insecure as any FTP. That's a
horrible excuse. I'm sure you'll find that the recommended practice from
any vendor if you have to use FTP is to use a VPN.

There are lots of software packages which are easier to use than PuTTY
for file transfer. I have convinced many non-technical clients to use
WinSCP over the years; it's very similar to most Windows tools.

If they're referring to "publishing" from FrontPage or other legacy
software to the site via FTP, make them use stunnel or PuTTY tunneling
or a local FTP-to-SFTP gateway. There are many good solutions to this.

Speak up! You're responsible for the security of your servers, so don't
let anyone else make poorly-informed security decisions in your name! If
they won't do it, raise a stink and insist on a signed release of
liability for the inevitable loss of business from using bad practices.
Every compromised account gives these abusers more encouragement to keep
writing new attacks.

</fire and brimstone>


