Gossamer Forum

Security Alert

Webmasters, this evening I came across a FAQ which scared the **** out of me!
I came across a hacker's FAQ that shows many things that I wish would never exist.
The FAQ is at: http://www.nmrc.org/faqs/www/index.html
They explain many ways to hack a webserver with CGI, java, web browsers' command line, ... etc.
I also want Alex to take a look at this FAQ, before creating 'Links 3.0'

I knew, that "there's no security in this world", but I didn't know THAT much!

Sincerely,

Pasha

------------------
webmaster@find.virtualave.net
http://find.virtualave.net
Re: Security Alert
Hi Pasha,

Thanks for the URL! It was interesting reading. I'm very confident that there are no holes in Links that a hacker could exploit provided:

1. Your admin directory is password protected.
2. It's a good password. =)

Of course, the security of the actual web server is another issue that'll have to be taken up with your ISP. =)

Cheers,

Alex
Re: Security Alert
You must have missed #2. =) The program is just a brute force cracker and just repeatedly tries username/password combos looking for the right one.

Using a hard-to-guess password (not a dictionary word; a mix of numbers and letters, upper and lower case) helps combat this type of attack. Also, this sort of attack leaves a ton of logging in your error log (1 line for each failed attempt), so you should also monitor your error log.

See:

http://web.idirect.com/...s/lists/lmdenham.txt

and see if your password is on there? =) admin/admin is...

Cheers,

Alex
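Alex's point that every failed attempt leaves a line in the error log is the defender's handle on this kind of attack. The following is an added example (not code from the forum, from Links or from Gossamer) that parses Apache-style mod_auth failure lines ("user X not found" / "user X: password mismatch") and flags any client that racks up many failures, especially across many usernames. The log lines, client addresses and the threshold of 5 are constructed for the example; the log format assumed is the classic Apache 1.3/2.2 error_log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an Apache 1.3/2.2-style error_log (not a real log).
# Each failed HTTP Basic auth attempt against the protected /admin/ directory
# produces one line. 192.0.2.10 is walking through usernames the way a guessing
# tool would; 198.51.100.7 is a single mistyped password. The last line is an
# unrelated error and must be ignored by the parser.
SAMPLE_ERROR_LOG = """\
[Sun Mar 05 21:11:07 2000] [error] [client 192.0.2.10] user admin: password mismatch: /admin/admin.cgi
[Sun Mar 05 21:11:07 2000] [error] [client 192.0.2.10] user admin: password mismatch: /admin/admin.cgi
[Sun Mar 05 21:11:08 2000] [error] [client 192.0.2.10] user 0000 not found: /admin/admin.cgi
[Sun Mar 05 21:11:08 2000] [error] [client 192.0.2.10] user 0001 not found: /admin/admin.cgi
[Sun Mar 05 21:11:09 2000] [error] [client 192.0.2.10] user 0002 not found: /admin/admin.cgi
[Sun Mar 05 21:11:09 2000] [error] [client 192.0.2.10] user admin: password mismatch: /admin/admin.cgi
[Sun Mar 05 21:12:30 2000] [error] [client 198.51.100.7] user webmaster: password mismatch: /admin/admin.cgi
[Sun Mar 05 21:13:00 2000] [error] [client 192.0.2.10] File does not exist: /home/site/htdocs/favicon.ico
"""

# Matches the two mod_auth failure messages; any other error line does not match.
AUTH_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user (?P<user>\S+?):? (?P<reason>password mismatch|not found): (?P<uri>\S+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_auth_failures(log_text):
    """Return one dict per failed-auth line, in log order; skip everything else."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue  # 404s, script errors, etc. are not login failures
        events.append({
            "time": datetime.strptime(m.group("ts"), TS_FORMAT),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "reason": m.group("reason"),
            "uri": m.group("uri"),
        })
    return events


def summarize_by_client(events):
    """Per source IP: failure count, distinct usernames tried, and time span in seconds."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(ev)
    summary = {}
    for ip, evs in per_ip.items():
        times = [e["time"] for e in evs]
        summary[ip] = {
            "failures": len(evs),
            "distinct_users": len({e["user"] for e in evs}),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return summary


def suspicious_clients(events, threshold=5):
    """IPs with at least `threshold` failures. A real user mistypes a password a
    couple of times under one username; a guessing tool piles up failures in
    seconds and usually across many usernames, so both numbers are reported."""
    return {ip: s for ip, s in summarize_by_client(events).items()
            if s["failures"] >= threshold}


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_ERROR_LOG)
    for ip, s in suspicious_clients(evs).items():
        print(f"ALERT {ip}: {s['failures']} failed logins, "
              f"{s['distinct_users']} usernames tried in {s['span_seconds']}s")
```

On real logs, replace `SAMPLE_ERROR_LOG` with the contents of the server's error_log and run it from cron; the threshold and the "distinct usernames" count are what separate a forgetful user from a tool cycling through 0000, 0001, 0002.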
Re: Security Alert
The 'generator' is also included in this program, which will try for a user name and password any character from 0 to Z. If it does not find the user name or password, then it will try from 00 to ZZ, then from 000 to ZZZ, etc.
If
0000@0000:www.server.com
doesn't work then it will continue to
0000@0001:www.server.com
if this does not work either, then
0000@0002:www.server.com
... then ...
0001@abM4:www.server.com
... then ...
COw0@jk43:www.server.com
... etc.

You can set how many characters there might be in the user/password, from 1 to 9. Sure it will take some time, but if the guy has nothing to do all night, then he will probably crack the server.

The server log could tell for sure if the server was under attack. But some people just don't have access to the server log, like me. I was asking my server administrators to give me access to the server log, but they said that it's only for administrative use, not for webmasters (or whatever they think I am) :(

And there are actually many 'dictionaries' that could be used with this program, but it's only if the webmaster chose his user/password like "john/smith" or something like that :) The best user/password would probably be "h0mE2f4N/m0R3oF34t" :)

BTW: have you got any security information about 'Links 2.0' or 'File Manager', that we should know about?

Regards,

Pasha

------------------
webmaster@find.virtualave.net
http://find.virtualave.net
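Pasha's post describes the two attack modes the tool has (a dictionary run and an exhaustive run over 0..Z at lengths 1 to 9), and Alex's suggestion was to check whether your own credentials are on a published list. The following is an added example (not code from the forum, from Links or from Gossamer) of the check a webmaster can run before choosing an admin password: it rejects credentials on a known-weak list, rejects a password equal to the username (admin/admin), enforces length and character mix, and reports how many candidates an exhaustive generator would have to try. The weak list is a constructed stand-in for a real leaked-password list, and `guesses_per_second` is an assumed attacker rate used only to turn the search space into a time estimate.

```python
import math
import string

# Constructed stand-in for a published list of common/leaked passwords such as the
# one linked earlier in the thread; a real check would load the full list from a file.
KNOWN_WEAK = {"admin", "password", "root", "test", "john", "smith", "letmein", "123456"}

# Character classes a generator would have to include to reach the password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(pw):
    """Size of the alphabet covering every class that appears in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def brute_force_space(pw):
    """Candidates an exhaustive generator tries over that alphabet for every length
    1..len(pw), i.e. the worst case for the attacker (it may get lucky earlier)."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def check_password(pw, min_len=8, guesses_per_second=1000):
    """Verdict on a single password. `guesses_per_second` is an assumed attacker
    rate (constructed for this example), not a measured one."""
    problems = []
    if pw.lower() in KNOWN_WEAK:
        problems.append("appears on known-weak list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    n_classes = sum(1 for cls in CLASSES if any(c in cls for c in pw))
    if n_classes < 3:
        problems.append("uses fewer than 3 character classes (lower/upper/digit/symbol)")
    space = brute_force_space(pw)
    return {
        "ok": not problems,
        "problems": problems,
        "bits": round(math.log2(space), 1) if space else 0,
        "worst_case_days": space / guesses_per_second / 86400,
    }


def check_credentials(user, pw, **kwargs):
    """Verdict on a username/password pair: everything check_password flags,
    plus the classic admin/admin mistake of reusing the username."""
    result = check_password(pw, **kwargs)
    if user.lower() == pw.lower():
        result["problems"].append("password equals username")
        result["ok"] = False
    return result


if __name__ == "__main__":
    for user, pw in (("admin", "admin"), ("john", "smith"), ("h0mE2f4N", "m0R3oF34t")):
        r = check_credentials(user, pw)
        status = "OK " if r["ok"] else "BAD"
        print(f"{status} {user}/{pw}: {r['bits']} bits, "
              f"~{r['worst_case_days']:.0f} days at 1000 guesses/s; {r['problems']}")
```

The "days" figure is only a way to compare candidates against each other at one assumed rate; a server without rate limiting on the admin directory can be hammered far faster, which is why the dictionary and known-weak checks matter more than the raw search space.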
Re: Security Alert
Alex, there's more!
After reading this FAQ, I decided to learn a little bit more about web servers' security. And guess what I've found:
There's actually a program whose purpose is to break into secure (password protected) directories and files!
At first I thought that it was a joke, and tried it on my /admin/ directory, which is protected with Gossamer's File Manager. It found the user name AND the password, and it DID access my /admin/admin.cgi script!!!
So, as I said earlier, 'there is absolutely no security in this world'!
The program is called 'Entry Lite':
URL: http://web.idirect.com/~elitesys/entry/
and it's just a demo; I bet the full program could do more damage.

Let me know what you think.

Regards,

Pasha

------------------
webmaster@find.virtualave.net
http://find.virtualave.net