[Webauthors] University web services under attack!

Alan Richardson alan.richardson at stir.ac.uk
Fri Sep 5 14:12:40 BST 2008


The servers on which your web pages are hosted have been repeatedly attacked by hackers over the last few weeks.  This has resulted in several periods of unplanned downtime and a lot of maintenance work for the systems staff.  We need to take measures to improve the security of the service and require your cooperation.

One weakness we have identified is the use of insecure PHP scripts.  In particular a file called install.php (used to install applications such as bulletin boards and blogs) has been left by some web authors in locations on web servers where it can be exploited by hackers to run malicious code.  We have removed all that we have found, but these may be replaced when you synchronise your website using Dreamweaver or Contribute.  THEREFORE: If you are using Dreamweaver or Contribute to maintain a site and have a file called install.php in your repository, we request that you delete this file in order to make sure that it does not get uploaded again.

Another potentially unsafe piece of software is phpMyVisites (which installs into folder phpmv2).

In the longer term we will be implementing some other changes including:
- Splitting up static and dynamic web hosting (so that if you don't need php you can sit on a safer server).
- Proactive monitoring for insecure php files.
- Removal of third party software from departmental websites.
Departments should not be running their own versions of WordPress, phpBB or other third party software without the express permission of Information Services. We have dedicated WordPress and phpBB sites that departments should be using. Please consult us if you have instances of these that should be moved.  If you require any other similar software please ask us about hosting it.
- Introducing a staging server so that web authors are developing on a non-public system.
The non-public pages will be synchronised regularly up to the public website. Introducing an intermediate step will ensure that changes made to the public site which compromise the whole hosting service will not be synchronised back to authors' machines.
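The two checks the announcement asks for, locating leftover install.php files and phpmv2 directories under a web root, can be scripted so that systems staff can run them on a schedule (the "proactive monitoring" item above) and web authors can run them against a local Dreamweaver or Contribute repository before synchronising. The script below is an added example and is not a script from the university or from this mailing list; the sample site layout it builds under a temporary directory is constructed for illustration and the function names are the example's own.

```shell
#!/bin/sh
# Added example: scan a web root (or a local site repository) for the two
# leftovers named in the announcement: install.php files and phpmv2
# directories (phpMyVisites). Not the university's own script.

# Print every install.php file and every phpmv2 directory under $1, one per
# line, sorted so that repeated runs can be diffed.
find_leftover_php() {
    webroot=$1
    find "$webroot" \( -type f -name 'install.php' \) -o \( -type d -name 'phpmv2' \) 2>/dev/null | sort
}

# Return non-zero when anything was found, so a cron job or a pre-sync hook
# can fail loudly instead of silently re-uploading the file.
check_webroot() {
    n=$(find_leftover_php "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n insecure leftover(s) under $1:" >&2
        find_leftover_php "$1" >&2
        return 1
    fi
    echo "OK: no install.php or phpmv2 found under $1"
    return 0
}

# Build a constructed (hypothetical) departmental site layout in a temporary
# directory so the example runs offline; prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dept/blog/phpmv2" "$root/dept/forum" "$root/static"
    : > "$root/dept/forum/install.php"      # forgotten installer
    : > "$root/dept/blog/phpmv2/index.php"  # phpMyVisites install
    : > "$root/static/index.html"           # harmless static page
    echo "$root"
}

# Usage: sh scan.sh /path/to/webroot  (or source it and call check_webroot).
if [ -n "$1" ]; then
    check_webroot "$1"
fi
```

Run it against the local copy of the site as well as the server: the announcement notes that a file deleted on the server is re-uploaded by the next synchronisation if it still exists in the author's repository, so a clean server scan alone proves nothing.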

More information will be disseminated about these changes as they occur.  Once again, can I ask for your cooperation in eliminating unacceptable risks to the operation of our web services.

Alan Richardson
Systems and Network Services Manager


