This is a general document on what happens when an account is compromised, how it is compromised, and policies pertaining to resolving an account flagged for sending spam.<\/p>\n
Accounts are compromised through a variety of clever engineering tactics. Just as personal software has become more powerful and smarter over the last decade, so too have the tools hackers use to compromise accounts.<\/p>\n
Most commonly, passwords are compromised through trial-and-error from a distributed botnet controlled by a single entity. This is called a command-and-control<\/a> system whereby thousands of infected machines carry out the request of a single user. \u00a0These machines periodically try random username\/passwords\u00a0across millions of servers and report back any successful login. Eventually, if a password is weak enough, these infected machines report back a hit and your account\u00a0falls under control of a hacker.<\/p>\n Just like e-mail, command-and-control botnets\u00a0crawl websites looking for vulnerable software. Different frameworks (WordPress, Joomla, Drupal, Ruby on Rails)\u00a0create consistent\u00a0code and use consistent login portals. Crawlers\u00a0try a variety of URL patterns to determine what a site is running.<\/p>\n Beispiel:<\/strong><\/span> if accessing Once an exploit has been successfully leveraged, the attacker has the ability to run any malicious\u00a0code, including editing files in place, where permissions permit<\/a>, to install new backdoors. Whenever a website is hacked, the only safe solution is to reinstall your software from scratch and next time keep current with software updates.<\/p>\n Backdoors are typically elusive, obfuscated code designed to confuse whoever reads it. These backdoors are almost always added at the top of infected files so as to not affect how a program, like WordPress, operates. Backdoors come in a variety of forms. Some websites below have done a great job curating backdoor samples.<\/p>\n Website backdoor resources<\/strong><\/p>\n You can easily avoid becoming a victim by being smart with your account. Always use\u00a0anti-virus software, keep your anti-virus software current, and follow these additional steps:<\/p>\n All cleanups impose a mandatory $15 fee<\/strong>. This is to reimburse\u00a0our time spent removing spam from the server and taking steps to help you secure your service. Fees are charged automatically. Failure to collect the fee will result in a suspension of service if unpaid after\u00a072 hours.<\/p>\n We participate in a variety of feedback loops<\/a>. When spam is reported from your e-mail address, we take steps to isolate and remove it from our network. This includes purging all mail in our mail queue sent by the affected user. Your password will be changed to a random password. You will be required to change the password for the affected user to a new password via Benutzer<\/strong> > Manage Users<\/strong> innerhalb der Bedienfeld<\/a>. Never reuse the same password!<\/em><\/p>\n The offending malware is removed from your site. Permissions, if too liberal, thereby allowing write-access to anywhere on your account, are tightened to prevent recurring attacks. If we cannot reasonably protect your site without your intervention, web access is revoked pending a software update.<\/p>\n If an update is necessary, permissions are changed on the Dokumentenstamm<\/a> of the offending website revoking access to the web server (0700 permission mode).\u00a0This prevents access to your website to prevent further\u00a0attacks until you can update the offending software or resolve whatever vulnerability enabled the attack (usually it is outdated software<\/a>). Once you have updated software, relax permissions<\/a> by changing it back to 0755. You can do this within the control panel or FTP<\/a>.<\/p>\n Windows<\/strong><\/p>\n Linux<\/strong><\/p>\n Mac<\/strong><\/p>\n Spam is a pervasive\u00a0problem\u00a0for our clients, as well as us. We use the same hosting servers that our clients use to\u00a0operate. It interrupts mail flow and may result in long-term reputation loss, used by some mail filtering engines (SenderScore<\/a>, Barracuda<\/a>, McAfee<\/a>, etc) to silently discard “spam” from legitimate e-mail.<\/p>\n Since e-mail is such a significant medium for\u00a0business communication now, we have very strict policies on recurring infractions:<\/p>\n Overview This is a general document on what happens when an account is compromised, how it is compromised, and policies pertaining to resolving an account flagged for sending spam. How does an account get compromised? Accounts are compromised through a variety of clever engineering tactics. Just as personal software has…<\/p>","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[58],"ht-kb-tag":[],"class_list":["post-8488","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-e-mail"],"_links":{"self":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/comments?post=8488"}],"version-history":[{"count":1,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8488\/revisions"}],"predecessor-version":[{"id":8489,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8488\/revisions\/8489"}],"wp:attachment":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/media?parent=8488"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-category?post=8488"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-tag?post=8488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Websites<\/h3>\n
http:\/\/example.com\/wp-admin<\/code>\u00a0returns a \u00a0web page with a login form, then\u00a0example.com is probably running WordPress, because \/wp-admin is the administrative login location for WordPress. Now the attacker knows what exploits<\/a> to try.<\/p>\nWhat does a backdoor look like?<\/h4>\n
\n
Avoiding hacks<\/h2>\n
E-Mail<\/h3>\n
\n
\n
\n
\n
Websites<\/h3>\n
\n
\n
Cleanup<\/h2>\n
E-Mail<\/h3>\n
Websites<\/h3>\n
Recommended anti-virus software<\/h2>\n
\n
\n
\n
Recurring infractions<\/h2>\n
\n