Home Page
   Articles
       links
About Us    
Traders        
Recipes            
FAQMemberlistSearchView Latest PostsWho's Online
Join FREE!
Private Messages: Log in to check private messages
Login Log in
Latest Articles
I need an experienced website wrangler
Page 1, 2  Next
 
Post new topic   Reply to topic    Downsizer Forum Index -> IT Matters
Author 
 Message
sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 10:11 am    Post subject: I need an experienced website wrangler Reply with quote
    

I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.

My web host helpdesk are pretty good and have helped me unpick it each time its happened, but no matter how carefully I follow their list of instructions to make sure the password is impossible for me to remember let alone anyone else, and to make sure things like wp are updated regularly, that my home computer is clear of spy stuff and things like that, it seems to happen every few weeks at the moment, and they've just sent me a message saying if it happens again they'll assume its me being negligent and will suspend the site.

I don't know what else to do to tighten it all up further, and because I have virtually no coding ability I can't spot problem areas within the guts of the system, and I need someone who knows what they are looking at to give the site a good going over looking for malicious loopholes or dodgy permissions or whatever else might be making it easy for them to get in and tighten everything up as far as humanly possible, maybe remove completely anything that isn't necessary to the functionality of the site.

I can pay, I have no idea how big a job it will be, but I'm guessing its something like an evenings work to do a proper check, tighten anything obvious, then give me a to-do list of anything I need to watch out for or do from there. The main site is run on WP, the shop is oscommerce and really could do with replacing with something more modern, but until I have time to research a new option, I'm stuck with that.

Is anyone able to bail me out here? I've got nasty cold hard cash available.

Treacodactyl
Downsizer Moderator


Joined: 28 Oct 2004
Posts: 25795
Location: Jumping on the bandwagon of opportunism
PostPosted: Wed Jun 10, 15 10:42 am    Post subject: Re: I need an experienced website wrangler Reply with quote
    

sally_in_wales wrote:
I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.


I don't understand this. Doesn't the company you use lock the account after a few incorrect login attempts, like most other sites?

I would have thought a decent long password of 20 random characters would be fairly secure and could be written down without issue.

Hairyloon



Joined: 20 Nov 2008
Posts: 15438
Location: Today I are mostly being in Yorkshire.
PostPosted: Wed Jun 10, 15 10:50 am    Post subject: Re: I need an experienced website wrangler Reply with quote
    

sally_in_wales wrote:
I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.

Are you sure that is what is happening?
You don't need to get inside the system to send emails appearing to come from someone else's domain: you can just change the "from" setting in your email programme.

sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 10:51 am    Post subject: Reply with quote
    

I really don't know, I have something on the wp side of things that flags up if someone has been logged out after trying to get in, but I don't know how it works in the wider system. Is it for example, possible to lock down the site so that only my ip address can access the guts of things unless I add an ip address to a whitelist, to allow, for example, anyone helping me web wrangle get in. This is why I need help, I don't know enough about how the various security options work to know if I'm missing out something beyond the most obvious things. I hate not having the skills to do this myself, makes me feel so utterly inept and helpless

sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 10:52 am    Post subject: Re: I need an experienced website wrangler Reply with quote
    

Hairyloon wrote:
sally_in_wales wrote:
I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.

Are you sure that is what is happening?
You don't need to get inside the system to send emails appearing to come from someone else's domain: you can just change the "from" setting in your email programme.


The host site keep sending me messages saying they've forced a password reset because they've got verified spanning coming from inside the account, so I assume they are correct. Its usually the first I know about it as they are always madeupnames@myaccount emails, so its only once in a blue moon that I even see a bounced one coming back via the admin mailserver.

vegplot



Joined: 19 Apr 2007
Posts: 21301
Location: Bethesda, Gwynedd
PostPosted: Wed Jun 10, 15 2:57 pm    Post subject: Reply with quote
    

Wordpress has had a string of nasty vulnerabilities recently. I don't mind having a look at it the evening to see if there's anything I can do. DM me if you'd like me to take a look. I'll need your login details.

Nick



Joined: 02 Nov 2004
Posts: 34535
Location: Hereford
PostPosted: Wed Jun 10, 15 3:05 pm    Post subject: Reply with quote
    

vegplot wrote:
Wordpress has had a string of nasty vulnerabilities recently. I don't mind having a look at it the evening to see if there's anything I can do. DM me if you'd like me to take a look. I'll need your login details.


And mother's maiden name, PIN number, and name of your first pet.

sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 3:34 pm    Post subject: Reply with quote
    

thank you!

snowball
Downsizer Moderator


Joined: 28 Oct 2004
Posts: 6246
Location: swindon
PostPosted: Wed Jun 10, 15 6:32 pm    Post subject: Reply with quote
    

Jema is also looking.

sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 6:34 pm    Post subject: Reply with quote
    

much appreciated. Vegplot has some excellent ideas to help muck out the lingering mess from years of me muddling through, so hopefully all cureable

jema
Downsizer Moderator


Joined: 28 Oct 2004
Posts: 28248
Location: escaped from Swindon
PostPosted: Wed Jun 10, 15 6:37 pm    Post subject: Reply with quote
    

I seriously doubt that this is anything to do with passwords.

Both WP and oscommerce have poor reputations, but if you are updating and have not got a lot of add ons and are still being attacked regularly then I strongly suspect that when the first attack happened a backdoor file was planted on the system allow anyone in, whenever they like.

Someone needs to look for files updated since the site was first created, and go though all the php and other vulnerable extensions looking for a nasty, usually these start off with something that decrypts itself.

This needs to be done from a shell session, does your provider allow you login access to a command line?

sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 6:46 pm    Post subject: Reply with quote
    

jema wrote:


This needs to be done from a shell session, does your provider allow you login access to a command line?


err, I don't quite know what that means, but I expect Vegplot will and I'll see if I can find out. The current plan if I've understood it correctly is to move the good bits of the site out for a while so we can scrap everything else (there are bits of files in there left over from the old Geocities days I suspect, I've always been to afraid to delete old versions in case I scrap something important ) then put the usable bits back in a tidy way.

I do need to find a new shop option, the oscommerce one has been aging rapidly for ages now, I've tried to look up reviews of different options but they all assume one speaks a certain techie language and I get utterly boggled by the bits about installation requirements before I get to the parts about whether I can get it to do the things I need, like postage based on weight and region rather than the flat rate only that a lot of the online shop options seem to stick with.

I know its pathetic that I can't manage all this tidily in this day and age, everyone else on the planet seems to be able to converse about php and coding stuff without needing to lie down in a darkened room with a nice flint axe for comfort, but I'm failing badly at keeping up here

Nick



Joined: 02 Nov 2004
Posts: 34535
Location: Hereford
PostPosted: Wed Jun 10, 15 6:51 pm    Post subject: Reply with quote
    

Your mistake is probably trying to do it. There are some things one can do, and some one cannot. It's not a bad thing to pay an expert to do something expert. Your website is a crucial tool for the business, and worth getting right. There's no point in feeling bad, or guilty about it. Fwiw, vegplot and jema are probably awful at medieval cosmetic formulation.

sally_in_wales
Downsizer Moderator


Joined: 06 Mar 2005
Posts: 20809
Location: sunny wales
PostPosted: Wed Jun 10, 15 6:53 pm    Post subject: Reply with quote
    

that makes me feel a bit better

earthyvirgo



Joined: 24 Aug 2007
Posts: 7972
Location: creating prints in the loft, Gerlan
PostPosted: Wed Jun 10, 15 6:55 pm    Post subject: Reply with quote
    

sally_in_wales wrote:
jema wrote:


This needs to be done from a shell session, does your provider allow you login access to a command line?


err, I don't quite know what that means, but I expect Vegplot will and I'll see if I can find out. The current plan if I've understood it correctly is to move the good bits of the site out for a while so we can scrap everything else (there are bits of files in there left over from the old Geocities days I suspect, I've always been to afraid to delete old versions in case I scrap something important ) then put the usable bits back in a tidy way.

I do need to find a new shop option, the oscommerce one has been aging rapidly for ages now, I've tried to look up reviews of different options but they all assume one speaks a certain techie language and I get utterly boggled by the bits about installation requirements before I get to the parts about whether I can get it to do the things I need, like postage based on weight and region rather than the flat rate only that a lot of the online shop options seem to stick with.

I know its pathetic that I can't manage all this tidily in this day and age, everyone else on the planet seems to be able to converse about php and coding stuff without needing to lie down in a darkened room with a nice flint axe for comfort, but I'm failing badly at keeping up here


It's not pathetic at all Sally. I'm an ex-web designer, I've started describing my own website as 'vintage' and 'retro', it's so in need of an overhaul.

People still buy from it tho', so it's functional, if not a thing of great beauty.

EV

Post new topic   Reply to topic    Downsizer Forum Index -> IT Matters All times are GMT
Page 1, 2  Next
Page 1 of 2
View Latest Posts View Latest Posts

 

Archive
Powered by php-BB © 2001, 2005 php-BB Group
Style by marsjupiter.com, released under GNU (GNU/GPL) license.
Copyright � 2004 marsjupiter.com