Government project webcad.pgi.gov.pl hacked - how to properly secure your own website?

Testing public projects on production servers in Polish government domains is a very bad idea. The Internet remembers everything: the defacement of the Polish subdomain webcad.pgi.gov.pl was posted on Twitter by hackers from the GhostSquadHack group, responsible for cyber attacks on Fox News, CNN, the Central Bank, military institutions of the USA and Israel, and the Afghan CEO of Twitter. Their actions can be followed on this Twitter profile.

The subdomain webcad.pgi.gov.pl, belonging to the Polish Geological and Research Institute, looked like this in March 2018:

Defacement of a government website

In fact, there was nothing more interesting than a "hello world". But for about a month, from the first weeks of June until yesterday, the webcad.pgi.gov.pl website looked like this:

How to secure a website

We have no idea what was being tested or what was planned for the subdomain webcad.pgi.gov.pl. Someone forgot about an abandoned part of the IT system, or did not make the effort to keep the backend updated. Either way, the government's IT administrators let a very visible lapse slip through. Let's just hope that no credentials for other government services were stored on the server in text files or other documents, and that no information leaked.

A quick query in the Shodan search engine shows the scale of the problem. The results show 47 other websites containing the words "hacked" or "hacked by", of which:

  • 28 are hosted on the IIS web server, 6 on Apache and 2 on LiteSpeed
  • 30 were hosted at home.pl, 8 at ovh.pl, 4 at nazwa.pl and 2 at IQ.pl
  • 4 of the hacked sites have an SSL certificate (not necessarily a valid one).


These are just some of the examples found within 5 minutes of opening Shodan and Google. There are many more, and none of this is news to a security practitioner. Defaced websites in general do not make much of an impression, but government domains are a completely different matter.

How to properly protect a website from an attack?

There is no silver bullet. And it does not matter whether the website is powered by WordPress, Joomla or Drupal, considered to be very safe: CMSs, web servers, databases and PHP that are not kept up to date are asking for trouble.

1. If possible, update the CMS core and all modules to the latest version. WordPress is of particular interest to hackers.

2. Update the HTTP server, database server and PHP (if you manage the entire site yourself).

3. Consider hiding the server's real IP address behind a CDN (e.g. Cloudflare). This will help you avoid many attacks and will automatically block bots and spammers from accessing the site.

4. Consider installing a WAF based on ModSecurity. This will protect the website from "incorrect" Internet traffic.

5. If you manage the server, use the latest version of the kernel, preferably with the grsecurity patch, which protects against 0-day threats.

6. Disable password login to the root account and use SSH key authentication instead.

7. If you need to use the root account, log in to the server with a lower-privileged account and then switch to root.

8. Configure iptables or an alternative such as CSF.

9. Install fail2ban to protect against brute-force attacks.

10. Use a regular user account instead of root for FTP logins.

11. On shared hosting, use a separate FTP account for each site.

12. On VPS and dedicated servers, log in to FTP accounts via SFTP.

13. Back up the site files and database very frequently. You never know when you will break something (or someone else will), and you will need the backup from an hour ago.

14. The last universal tip for all website managers: as we did, upload this simple PHP script to the server via FTP, add it to cron (to run e.g. once a day), and it will protect you from unauthorized modification of the site's files. Notifications about deleted, added and modified files will be sent by e-mail:

TripWire
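The PHP script referred to in step 14 is not reproduced on this page; what follows is an added example of the same kind of cron-driven integrity check, written for this edit and not the script AVLab uploaded. The webroot path, the baseline path and the recipient address are placeholders.

```php
<?php
// Added example (not the script AVLab uploaded): a cron-driven integrity
// check for a site's files. The three values below are placeholders.
$webroot  = '/var/www/example.com/public';          // site document root
$baseline = '/var/www/example.com/integrity.json';  // kept OUTSIDE the webroot
$alertTo  = 'admin@example.com';                     // notification recipient

// Walk $root and return [relative path => sha256] for every regular file.
function snapshot(string $root): array {
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) continue;
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname()) ?: 'unreadable';
    }
    ksort($hashes);
    return $hashes;
}

// Compare two snapshots and list added, removed and modified paths.
function diffSnapshots(array $old, array $new): array {
    $modified = [];
    foreach (array_intersect_key($old, $new) as $path => $hash) {
        if (!hash_equals($hash, $new[$path])) $modified[] = $path;
    }
    return ['added'    => array_keys(array_diff_key($new, $old)),
            'removed'  => array_keys(array_diff_key($old, $new)),
            'modified' => $modified];
}

$current  = snapshot($webroot);
$previous = is_file($baseline) ? (json_decode(file_get_contents($baseline), true) ?: []) : [];
$changes  = diffSnapshots($previous, $current);

if (array_filter($changes)) {   // at least one category is non-empty
    $body = '';
    foreach ($changes as $kind => $paths) {
        foreach ($paths as $path) $body .= strtoupper($kind) . ': ' . $path . "\n";
    }
    // mail() hands the message to the host's MTA, which cron-run PHP can use.
    mail($alertTo, '[integrity] ' . gethostname() . ': files changed', $body);
}
// Save the new baseline so the next run reports only subsequent changes.
file_put_contents($baseline, json_encode($current, JSON_PRETTY_PRINT), LOCK_EX);
```

Run it from cron (once a day, as the page suggests) under an account that can read the webroot, and keep both the script and the baseline outside any directory the web server can write to; otherwise whoever can alter the site's files can silence the check by rewriting the baseline.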




We use Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.