Hackers and Villains

Having been seriously hacked recently, I’ve taken to checking 404s every now and then. These are files that were requested from a site but were not found in the site folder.

I used to look at 404s to see how I could improve users' experience of my site. Naively, I used to think these file requests would be coming from friendly users who are looking up pages from their favourites that are no longer on my site, or that they had followed old and out-of-date links. This is true, to a certain extent, but closer inspection reveals a more worrying truth.

Most of the requests are trying to reach the previous insecurity, which was in the WordPress blog software implementations on my site. But now I’ve noticed pot luck requests. These requests are for files that could well exist on any website, in folders that come as standard in basic implementations of blogs or stores or contact programs that anyone can easily put on their site nowadays. Most sites come PHP-enabled with MySQL databases. Systems like Fantastico allow any idiot to populate their web folder with powerful and sophisticated software. Sadly, understanding how to keep them secure is not so easy. Updating with security patches is time-consuming and often confusing.

I sense that there are robots trawling the web for standard implementations of software by calling up files that are standard to those implementations. When they find a live website and report back, then all the known security issues with that program can be probed on that site. This is all done automatically. Many millions of attempts must be made every day, if not every hour. Someone at the moment is looking for analytics information in a multitude of languages. Is this Bing, out to get info on Google, or is there a more sinister motive?
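One way to separate the two kinds of 404 described above (visitors following old links versus robots asking for standard files) is sketched here as an added example; it is not part of the original post. The stock-file list, the `min_distinct` threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Files and folders that ship with common packages (assumed list; extend it
# to match whatever has ever been installed on your own site).
STOCK = re.compile(r"wp-login\.php|xmlrpc\.php|/wp-admin/|/wp-content/|/phpmyadmin", re.I)


def classify_404s(lines, min_distinct=3):
    """Group 404s by client and label each client 'probe' or 'stale-link'."""
    misses = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m["status"] == "404":
            misses[m["ip"]].append((m["path"], m["referer"]))

    verdicts = {}
    for ip, hits in misses.items():
        paths = {path for path, _ in hits}
        asks_for_stock_file = any(STOCK.search(p) for p in paths)
        no_referer = all(ref in ("", "-") for _, ref in hits)
        # Heuristic (assumption): a visitor following an old link misses one
        # page and usually carries a Referer; a scanner misses many distinct
        # paths with none, or asks for files of software you may not even run.
        if asks_for_stock_file or (len(paths) >= min_distinct and no_referer):
            verdicts[ip] = "probe"
        else:
            verdicts[ip] = "stale-link"
    return verdicts


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /old-page.html HTTP/1.1" 404 512 "http://example.org/links" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:10:00:03 +0000] "GET /drawings/sketchs/config.bak HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /drawings/sketchs/old/db.sql HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /drawings/sketchs/old/admin.cfm HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, verdict in sorted(classify_404s(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Clients labelled `probe` are candidates for rate limiting or blocking at the server; the `stale-link` ones point at pages worth redirecting.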

This is how the hackers find weaknesses and worm their way in to take over websites and run them for their own purposes, usually without the website owner ever knowing. This is what will bring the web down, eventually. Why bother with having a website, when website thieves and assassins are at you all the time, when there is no long arm of the law to protect you?

If hackers broke into my house and began selling drugs or running a scam to steal money, the police would be there within minutes of my call. If someone does the same on my website, it seems to be fair game. Why bother with old-fashioned crime when you can get away with cyber crime so easily?

But it is even more sophisticated than that. Hackers are probing my site, drilling down two or three folders deep, folders with uncommon names that I have chosen and often misspelt, and requesting files that might have insecurities if that is where I was hiding them, often with file extensions I’ve never heard of. Still, this is probably all automatic, but it does make one feel more paranoid, like I’m not just one of a group that they are trying to pick off, but that they are after me personally. Paranoid? Not me – at least I wasn’t until the internet came along.

I’ve had a couple of ideas recently, for sites that I could set up, but then I think about it and can’t be bothered. It’s too much hassle – not the work putting the sites up, but the effort I’d have to put into protecting them.
