hacking
earthman
12-29-2006, 10:28 AM
Hi,
I'm just a bit concerned about quite a few posts up here referring to people hacking into sites on host monster. I'm quite experienced in PHP and hosting using service providers in the UK and have never had a problem with hacking. To be honest I have no idea what it is?!
Can someone explain what it is, i.e. is it someone literally getting into the scripts?
How do they do this and how do we stop it happening?
I would have thought host monster would sort this out as standard?
Regards
shadmego
12-29-2006, 12:16 PM
What you are asking is a terribly loaded question.
To begin, hacking is the act of searching for, and sometimes exploiting, holes in programs, websites, scripts, code, or server access methods. That's the short definition. The term hacker carries a negative connotation, but a hacker is nothing more than a person that attempts to understand everything there is to know about a program, script, etc.
Having said that, Hostmonster has hardened their servers against a "direct root attack" so hackers cannot gain root access to the servers.
The thing about websites is each account is really responsible for its own security. Any script someone installs into the site has the potential to be "hacked". This is usually done by using URL strings to circumvent access rights and gain access to the main account, or gain the ability to deface the website.
The security of each website is up to the account holder, or webmaster for each account.
I hope this helped answer a bit of your question.
~regards,
Shadmego
welcomesite
12-29-2006, 02:08 PM
What scripts are the most notorious for causing problems?
One thing about Icestorm was that sites there seemed hackproof.
My php message boards were hacked and hacked again, even with the latest updates
but they weren't able to access anywhere else on my site.
I took the advice of one of the moderators here
and I am using the SMF message boards now.
I like them.
shadmego
12-29-2006, 02:20 PM
Well, it really just depends.
php scripts that are designed to use the function register globals turned on are all at risk.
There are security holes in just about every script out there. That's why most of the better ones come out with regular security updates and have an active community researching and patching these scripts.
That's why research is so important when it comes to choosing what goes into your web sites and what doesn't. SMF is a great forum program. So is phpbb, but you have to be careful with both that you follow the instructions during install and you keep security in mind when configuring your site.
Any script can be vulnerable so it means that you have to really do your homework. Sorry I can't make a list of vulnerable scripts, there are just too many to be listed.
If you are using php scripts a lot, your best bet would be to make sure they don't require register globals to be turned on. Hostmonster doesn't recommend it, and neither do most serious web designers.
McCoy, Seb, and probably earthman can go into more detail as to why this setting being turned on is a bad idea. I'm not very good with php so I don't fully understand the implications. I just stay away from that setting.
~regards,
Shadmego
McCoy
12-29-2006, 03:43 PM
About register_globals, that setting is disabled by default in Hostmonster, and I think you can't activate it, maybe by editing the php.ini file but I don't know if it will work as I have never tried.
register_globals is of great convenience for the programmer, but it is also a big risk.
When you activate register_globals, basically all of the server, post, get, et cetera parameters are automatically made variables and accessible from anywhere in your script.
That is, if, for example, the user submits a value named "name" via the HTTP POST method, inside the script there will be a variable named "$name" automatically, with the value the user introduced; you don't need to use $_POST['name'] like you have to do with register_globals off.
That is really convenient when you're programming because you don't have to think what comes from POST or GET or COOKIE or anything, you just use variables for everything.
Then, what is the problem? The problem is that if the attempting hacker manages to deduce the name of some internal variable of your script, they can override its value. For example, if you have a variable named "$admin", which stores whether the user is an admin or not, the hacker would only have to request the script with "scriptname.php?admin=true" and he would be admin. That's why it is such a big security risk, especially in open-source scripts because they only have to look at the code to know the variable names!!
In any case, I think no modern and decent CMS needs register_globals anymore. And if you find one, it is highly unrecommended to use it, better search for another script.
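The $admin override described in the post above, shown beside a hardened version. This is an added example, not code from the thread: the function names and the sample request are hypothetical, and because register_globals was removed in PHP 5.4 its effect is emulated with extract(), which also turns request keys into variables.

```php
<?php
// Added illustration (not from the thread). extract() stands in for
// register_globals=On: every request key becomes a local variable.

// Vulnerable pattern: $admin is assigned on only one branch, so on the
// other branch its value is whatever the request supplied under "admin".
function is_admin_vulnerable(array $request, bool $passwordOk): bool
{
    extract($request);        // what register_globals did implicitly
    if ($passwordOk) {
        $admin = true;
    }
    return !empty($admin);    // never initialised by the script itself
}

// Hardened pattern: initialise every internal variable and read user
// input only by name from the explicit request array.
function is_admin_hardened(array $request, bool $passwordOk): bool
{
    $admin = false;           // internal state never comes from the request
    $name  = isset($request['name']) ? (string) $request['name'] : '';
    if ($passwordOk && $name !== '') {
        $admin = true;
    }
    return $admin;
}

// Constructed sample request, equivalent to
// scriptname.php?admin=true&name=guest
$request = ['admin' => 'true', 'name' => 'guest'];

// The password check fails in the first two calls and passes in the third.
var_dump(is_admin_vulnerable($request, false));
var_dump(is_admin_hardened($request, false));
var_dump(is_admin_hardened($request, true));
```

When auditing an older script, look for variables that are tested before the script itself assigns them, and for extract() or import_request_variables() called on $_GET, $_POST or $_REQUEST, since those recreate the same behaviour with register_globals off.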
welcomesite
12-29-2006, 05:40 PM
What do you think this means?
550 Username [uptwoall] cannot send email from scripts.
I just found it in my error logs.