What administrators need to know about how attackers exploit hosting services


Experienced IT pros are unlikely to fall for online scammers who make their money by tricking unsuspecting end users. Many attackers, however, go after virtual server administrators and the services they manage. Here is a look at the scams and exploits you should be aware of.

Targeted phishing email

Picture this: over your morning coffee you open the laptop and launch the email client. Among the usual messages, one from your hosting company stands out. It offers a discount on your hosting fee: because of the year-end and New Year holidays, or for some other reason, you get a big discount if you pay right now.

You click the link in the email to log in. If you are lucky, you notice something odd at this point, because the email itself gives nothing away. It looks exactly like the official messages the hosting provider has sent before: the same font, a correct-looking sender address, and the links to the privacy policy, the personal data rules and all the other parts nobody ever reads are all in place.

But the admin panel URL is slightly different from the real one, and the TLS certificate has some suspicious details. Phishing, then.

Attacks like this, which use fake admin panels to steal login credentials, have increased recently. You may be tempted to blame the service provider for leaking customer data, but do not jump to conclusions: it is not very difficult for a determined cybercriminal to find out who administers a website hosted with a specific company.

An attacker can obtain the provider's email template simply by registering on its website, and many providers even offer trial periods. The content of the email can then be changed as desired in an HTML editor.

It is also not difficult to find the IP address ranges a particular hosting provider uses; plenty of services exist for exactly that purpose. From there, a reverse IP lookup yields a list of every website hosted on each shared-hosting address. The exception is sites fronted by Cloudflare, whose IP addresses do not reveal the origin host.

After that, the criminal builds a mailing list by scraping email addresses from those websites and adding common role addresses such as 'administrator', 'admin', 'contact' and 'info'. This is easily automated with a Python script or a purpose-built harvesting tool; Kali users can configure theHarvester for the job.

Other utilities (WHOIS lookups, for example) reveal the administrator's email address along with the name of the domain registrar. In that case the administrator is usually lured to a fake payment page and asked to pay for the domain name renewal. The trick is not hard to spot, but if you are tired or in a hurry, you can easily be fooled.

Protecting against phishing of this kind is not difficult. Enable multi-factor authentication for the hosting control panel login, bookmark the real admin panel page and use the bookmark instead of links in email, and, of course, stay alert.
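The check described above, a link's host compared with the provider's real admin panel domain, as an added example that is not code from the original article. The provider domain hosting-provider.example and the sample email body are constructed for the demo; the same parsing works on a real message saved from the mail client.

```python
"""Check the links in a hosting-provider style email against the real admin panel host.

Added example for this article, not code from the original page. The provider
domain (hosting-provider.example) and the email body are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the provider's real control panel lives under this domain.
LEGIT_DOMAIN = "hosting-provider.example"

# Constructed sample: a "discount" notice with one real link and three fakes.
SAMPLE_EMAIL = """
<html><body>
<p>Year-end offer: pay your hosting fee now and get 30% off.</p>
<a href="https://hosting-provider.example/privacy">Privacy policy</a>
<a href="https://panel.hosting-provider.example.billing-secure.net/login">Pay now</a>
<a href="https://panel.hosting-provider.example@198.51.100.7/login">Admin panel</a>
<a href="http://panel.hosting-provider.exarnple/login">Control panel</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def classify_link(url, legit_domain=LEGIT_DOMAIN):
    """Return 'ok' for a link to the real domain, otherwise a short reason.

    urlparse().hostname is used instead of a substring search so that the
    'user@host' trick (legit name before the @, attacker host after it)
    is judged by the host that the browser would actually connect to.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == legit_domain or host.endswith("." + legit_domain):
        return "ok" if parsed.scheme == "https" else "plain http to legitimate host"
    if legit_domain in host:
        # e.g. panel.hosting-provider.example.billing-secure.net
        return "lookalike: legitimate name embedded in " + host
    if legit_domain in url and host:
        # legitimate name appears only in the userinfo or path, not the host
        return "legitimate name outside the host part, real host is " + host
    return "unknown host " + host


def suspicious_links(html, legit_domain=LEGIT_DOMAIN):
    """All links that do not go to the legitimate domain, with the reason."""
    return [(url, classify_link(url, legit_domain))
            for url in extract_links(html)
            if classify_link(url, legit_domain) != "ok"]


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {url}")
```

The one check this cannot do offline is the certificate: a wrong subject name or an unexpected issuer on the login page is the other sign the article mentions, and only the browser (or an openssl s_client session) will show it.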

CMS installation script and service folder exploitation

It is hard to find a website that does not use a content management system (CMS) these days. Many hosting providers offer one-click deployment of the most popular engines, such as WordPress, Drupal and Joomla, in containers straight from the hosting control panel.

Some administrators nevertheless prefer to configure the CMS by hand: they download the distribution from the developer's site and upload it to the server over FTP. For them this is more familiar and more reliable, and it fits their habits. The problem is that the installation scripts and service folders are often left in place afterwards and never deleted.

Everyone knows that the WordPress installation script lives at wp-admin/install.php. A Google dork for that path returns plenty of results. They are cluttered with links to forum posts about WordPress problems, but going through them one by one turns up unfinished installations where the attacker can configure the site as he likes.

Left-over WordPress database repair scripts (wp-admin/maint/repair.php) can be found with the following query:

inurl:repair.php?repair=1

Searching for forgotten scripts with the following query also turns up many interesting things:

inurl:phpinfo.php

A working installer for the popular Joomla engine can be found by the characteristic title of its web page. Used properly, the special search operators turn up incomplete installations and discarded service scripts; the attacker then completes the CMS installation on behalf of the unlucky owner and creates a new administrator account for himself.

To block these attacks, administrators must delete the installation scripts and service folders after setup, or use the provider's containerized deployment instead of a manual installation. The latter is generally safer.

CMS configuration issues

An attacker can also spot security problems on other virtual hosts, such as configuration defects or insecure default settings. WordPress, Joomla and other CMSs have many plugins with known vulnerabilities.

First, the attacker tries to determine the version of the CMS installed on the host. For WordPress, a look at the page source for a meta tag such as <meta name="generator" content="WordPress 5.2.5" /> is often enough. The theme version can be read from a line like the following:

https://websiteurl/wp-content/themes/theme_name/css/main.css?ver=5.7.2

The attacker can then retrieve the version of a plugin of interest: many plugins ship a readme text file at https://websiteurl/wp-content/plugins/plugin_name/readme.txt.

Do not leave files like this in your hosting account for curious people to read; delete them right after installing the plugin. An attacker who knows the versions of the CMS, theme or plugins can try to exploit their known vulnerabilities.

On some WordPress sites, an attacker can find out the administrator's username by appending a string like /?author=1 to the site URL. With default settings, WordPress redirects to a URL containing the first user's login name, and in many cases that account has administrator privileges. A hacker who knows the administrator's name can attempt a brute-force attack on the password.
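The fingerprinting steps above (generator tag, ver query string on theme and plugin assets, plugin readme, author redirect) as an added example, not code from the article's author. The page source, readme text and redirect target are constructed; theme_name and plugin_name are placeholders, as in the article.

```python
"""Pull CMS, theme and plugin versions out of page source and helper files.

Added example for this article, not code from the page's author. The HTML,
readme and redirect header below are constructed; theme_name and plugin_name
are placeholders, as in the article.
"""
import re
from urllib.parse import urlparse, parse_qs

SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 5.2.5" />
<link rel="stylesheet" href="https://websiteurl/wp-content/themes/theme_name/css/main.css?ver=5.7.2" />
<script src="https://websiteurl/wp-content/plugins/plugin_name/js/front.js?ver=1.2.3"></script>
</head><body></body></html>"""

SAMPLE_README = """=== Plugin Name ===
Requires at least: 5.0
Tested up to: 5.8
Stable tag: 1.2.3
"""

# Constructed redirect target for GET /?author=1 with default settings.
SAMPLE_LOCATION = "https://websiteurl/author/admin/"

GENERATOR_RE = re.compile(r'<meta\s+name\s*=\s*"generator"\s+content\s*=\s*"([^"]+)"', re.I)
ASSET_RE = re.compile(r'["\']([^"\']*?/wp-content/(themes|plugins)/([^/"\']+)/[^"\']*)["\']', re.I)


def cms_version(html):
    """'WordPress 5.2.5' -> ('WordPress', '5.2.5'); None if there is no generator tag."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    parts = m.group(1).strip().split()
    return (parts[0], parts[1]) if len(parts) > 1 else (parts[0], None)


def asset_versions(html):
    """Map (kind, name) -> value of the ver query parameter for each theme/plugin asset."""
    found = {}
    for m in ASSET_RE.finditer(html):
        url, kind, name = m.group(1), m.group(2).lower(), m.group(3)
        ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
        found.setdefault((kind, name), ver)
    return found


def readme_stable_tag(text):
    """The 'Stable tag:' line of a plugin readme.txt is the released plugin version."""
    m = re.search(r"^Stable tag:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def author_from_redirect(location):
    """Extract the login name from the /author/<name>/ redirect target."""
    m = re.search(r"/author/([^/?#]+)", location)
    return m.group(1) if m else None


def fingerprint(html, readme=None, location=None):
    """Combine the individual checks into one report dict."""
    report = {"cms": cms_version(html), "assets": asset_versions(html)}
    if readme is not None:
        report["plugin_stable_tag"] = readme_stable_tag(readme)
    if location is not None:
        report["first_user"] = author_from_redirect(location)
    return report


if __name__ == "__main__":
    print(fingerprint(SAMPLE_PAGE, SAMPLE_README, SAMPLE_LOCATION))
```

One caveat when reading the output: WordPress appends the core version as the ver parameter whenever a theme or plugin enqueues an asset without its own version, so a ver value is only a hint and the readme's Stable tag is the more reliable plugin version.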

Many website administrators also leave directories browsable to outsiders. On WordPress sites you can often list the following folders:

/wp-content/themes
/wp-content/plugins
/wp-content/uploads

Folders like this can contain sensitive information and should never be browsable by outsiders. Deny directory listing by placing an empty index.html file in the root of each service directory or by adding the line Options All -Indexes to the site's .htaccess. Many hosting providers set this option by default.

Be careful with the chmod command, especially when granting write and execute permissions to a large number of subdirectories (a careless chmod -R 777 is the classic mistake). Carelessness here leads to unexpected results.
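An audit for the three problems just described (browsable service folders, forgotten service scripts and plugin readmes, world-writable paths from a careless chmod), plus the index.html fix, as an added example that is not the article's own code. It builds a throwaway WordPress-like tree under a temporary directory (a constructed sample) so it runs offline; pointing audit_webroot() at a real document root is the intended use.

```python
"""Audit a web root for the exposures described above and fix the listing one.

Added example for this article, not the author's own code. It builds a throwaway
WordPress-like directory tree under a temp directory (constructed sample), so it
runs offline; point audit_webroot() at a real document root to use it.
"""
import pathlib
import shutil
import stat
import tempfile

SERVICE_DIRS = ("wp-content/themes", "wp-content/plugins", "wp-content/uploads")


def build_sample_webroot():
    """Constructed tree with one protected folder and several mistakes."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel in ("wp-content/themes/theme_name", "wp-content/plugins/plugin_name", "wp-content/uploads"):
        (root / rel).mkdir(parents=True)
    (root / "wp-content/themes/index.html").write_text("")           # listing blocked here
    (root / "wp-content/plugins/plugin_name/readme.txt").write_text("Stable tag: 1.2.3\n")
    (root / "phpinfo.php").write_text("<?php phpinfo();\n")         # forgotten service script
    for p in root.rglob("*"):                                         # explicit modes, independent of umask
        p.chmod(0o755 if p.is_dir() else 0o644)
    (root / "wp-content/uploads").chmod(0o777)                        # the careless chmod
    return root


def htaccess_disables_indexes(root):
    """True if the root .htaccess carries an 'Options ... -Indexes' line."""
    htaccess = pathlib.Path(root) / ".htaccess"
    if not htaccess.is_file():
        return False
    for line in htaccess.read_text().splitlines():
        code = line.split("#", 1)[0].strip().lower()
        if code.startswith("options") and "-indexes" in code:
            return True
    return False


def audit_webroot(root):
    """Return a set of (issue, relative path) tuples."""
    root = pathlib.Path(root)
    findings = set()
    listing_off = htaccess_disables_indexes(root)
    for rel in SERVICE_DIRS:
        d = root / rel
        if d.is_dir() and not listing_off and not any((d / n).exists() for n in ("index.html", "index.php")):
            findings.add(("directory listing possible", rel))
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.name == "phpinfo.php":
            findings.add(("leftover phpinfo script", rel))
        if path.name == "readme.txt" and rel.startswith("wp-content/plugins/"):
            findings.add(("plugin readme exposes version", rel))
        if path.stat().st_mode & stat.S_IWOTH:
            findings.add(("world-writable", rel))
    return findings


def protect_service_dirs(root):
    """Drop an empty index.html into each service directory that lacks one."""
    root = pathlib.Path(root)
    created = []
    for rel in SERVICE_DIRS:
        d = root / rel
        if d.is_dir() and not any((d / n).exists() for n in ("index.html", "index.php")):
            (d / "index.html").write_text("")
            created.append(rel)
    return created


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_webroot()
    for issue, rel in sorted(audit_webroot(sample)):
        print(f"{issue}: {rel}")
    protect_service_dirs(sample)
    cleanup(sample)
```

The index.html trick only hides the listing; the readme, phpinfo.php and the writable directory still have to be dealt with by hand, which is why the audit reports them separately.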

Abandoned account

A few months ago, a company came to me and asked for help. Its website redirected visitors to scam sites such as Search Marquis every day, and the company could not find a clear reason. I restored the contents of the server folder from backup, but the redirects came back after a few days. I looked for vulnerabilities and backdoors in the scripts, but found nothing. Meanwhile, the website administrator, buried in a server rack, drank about a drum of coffee.

Only a detailed analysis of the server logs revealed the reason. The problem was access through a 'discarded' FTP account created long ago by a dismissed employee who knew the hosting control panel password. The former employee was apparently unhappy about the dismissal and decided to take revenge on the old employer. Once I deleted all unnecessary FTP accounts and changed all the passwords, the annoying problem disappeared.
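The log review that resolves a case like this, as an added example rather than the author's own script: parse FTP server log lines, compare the accounts that logged in successfully against the roster of accounts that are supposed to exist, and list the files those stale accounts uploaded. The log lines are constructed in the style of a vsftpd log, and the roster of current accounts is an assumption.

```python
"""Find activity from FTP accounts that should no longer exist.

Added example for this article, not code from the page's author. The log lines
are constructed in the style of a vsftpd log (date, pid, [user], status, action,
client) and the roster of current accounts is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log; jdoe_old belongs to a former employee.
SAMPLE_LOG = """\
Mon Mar  7 02:14:05 2022 [pid 4121] [webmaster] OK LOGIN: Client "203.0.113.10"
Mon Mar  7 02:14:09 2022 [pid 4121] [webmaster] OK UPLOAD: Client "203.0.113.10", "/var/www/html/index.php", 4132 bytes, 210.55Kbyte/sec
Mon Mar  7 09:30:11 2022 [pid 4388] [deploy] OK LOGIN: Client "198.51.100.22"
Tue Mar  8 03:02:44 2022 [pid 5020] [jdoe_old] OK LOGIN: Client "203.0.113.10"
Tue Mar  8 03:03:01 2022 [pid 5020] [jdoe_old] OK UPLOAD: Client "203.0.113.10", "/var/www/html/wp-includes/load.php", 2201 bytes, 180.01Kbyte/sec
Tue Mar  8 03:05:12 2022 [pid 5031] [jdoe_old] FAIL LOGIN: Client "203.0.113.10"
Tue Mar  8 03:06:40 2022 [pid 5033] [nobody] FAIL LOGIN: Client "192.0.2.99"
"""

# Accounts that are supposed to exist today (assumption for the example).
ACTIVE_ACCOUNTS = {"webmaster", "deploy"}

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def stale_account_activity(events, active=ACTIVE_ACCOUNTS):
    """Successful events by users who are not on the current roster, grouped by user."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["status"] == "OK" and ev["user"] not in active:
            by_user[ev["user"]].append(ev)
    return dict(by_user)


def files_written_by_stale_accounts(events, active=ACTIVE_ACCOUNTS):
    """Paths uploaded by stale accounts: the files to diff against a clean backup."""
    return sorted({ev["path"]
                   for evs in stale_account_activity(events, active).values()
                   for ev in evs if ev["action"] == "UPLOAD" and ev["path"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, items in stale_account_activity(evs).items():
        print(f"{user}: {len(items)} successful events from {sorted({e['ip'] for e in items})}")
    print("files to inspect:", files_written_by_stale_accounts(evs))
```

Failed logins by unknown names are noise from scanners and are deliberately left out; a successful login by a name missing from the roster is the signal, and the uploaded paths tell you which files to compare against the last clean backup instead of restoring everything blindly.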

Always be careful and vigilant

In the fight for security, a website owner's primary weapon is caution, caution and more caution. You can and should use your hosting provider's services, but do not trust them blindly. No matter how secure the underlying solution seems, you still need to check your own site configuration for the most common weaknesses. Then check it again, just in case.
