Does Your Website Have a Backdoor You Don’t Know About?
What is a Backdoor?
First, let’s describe what we mean by 'backdoor'. Digitally speaking, a backdoor is an entrance into a system (like a website or server) that’s typically not well-known, and sometimes even secret.
Often, a website or server has what’s referred to as a legitimate backdoor. This is an entrance created by an administrator, usually for the purpose of accessing the system remotely and performing maintenance work or whatever other tasks they need to do. Legitimate backdoors aren’t malicious in intent, but they’re not harmless either. Even though they’re only meant for administrators to use, they still act as portals into the systems for anyone to access if they can figure out how.
A lot of systems are compromised this way— a backdoor is left open from the development stages of a website, or an active backdoor is too easy to break into, and attackers can gain full control of those systems. Once an attacker can access a backdoor, they can come and go as they please— they can spy on user activity, upload or inject malware, steal information and resources, or anything else they feel like doing. And, they can do it without anyone knowing there’s a problem.
Besides finding legitimate backdoors to take advantage of, attackers can install their own backdoors onto systems, if the systems aren’t secure enough. Often, attackers install backdoors with the same malware they use to attack the system. If this happens, and a hacker installs their own backdoor, then there’s no guarantee that the system’s owner or administrator would know about it. It could be used by the hacker in secret, or your website could simply stop working one day. All of your visitors could unknowingly download ransomware, or your website could suddenly present inappropriate content meant to shock and anger your users. The list of potential threats goes on and on. If you have a backdoor you don’t know about, anything could happen.
My Latest Backdoor Adventure
The idea for this post came from finding a lot of backdoors on websites and servers over the past few months. The most recent findings were on an ecommerce website that I was hired to move over to a new hosting environment. As I was moving the website, I found FOUR backdoors that no one knew were there! How did this happen?
The first thing I noticed with this website is that it had been neglected for a long time. It was roughly two years old, and it hadn’t had a single update installed during that entire period. As it was a CMS (content management system) website, it was extremely vulnerable.
(Note: CMS websites built with WordPress, Joomla, or one of the many other CMS’s out there are popular with businesses because they make website content easy to manage. But, their popularity makes them the biggest targets when it comes to website attacks. If you own a CMS website, it is vital to apply updates to everything as soon as they become available, including core and version updates, security updates, and updates to plugins or modules.)
It was the kind of website where the owners were grateful to have it, but they weren’t very concerned about maintaining it. Business owners are busy people, but negligence when it comes to website security and maintenance always has consequences. In this case, the consequences were four backdoors that were allowing intruders access to everything on the website and server.
It’s Go Time! Updates and Reviews
I couldn't even see the four backdoors until I applied all missing updates to the website, moved everything over to the new hosting platform, and performed a few standard reviews. I found the backdoors themselves when I was reviewing the website’s uploaded files. That’s how the attacker(s) gained access to the website— they had uploaded their own files, creating their own backdoors.
Obviously, an intruder shouldn’t be able to upload their own files to a website, so how did they manage it with this one? Well, the answer goes back to the website’s neglect. Not only was the website neglected over the two years it was live, but it was neglected DURING its development stages. There were best practice configurations that were skipped by the developers, and there were overlooked permissions on how the website’s file uploads worked. To cap it all, the website’s previous hosting environment was badly set up, so that was adding even more problems to the website’s security. These bad structures are what allowed the attacker(s) the ability to add their backdoors.
Moving On Too Quickly
The owners of this ecommerce website had been cutting corners since the website’s development, and they didn’t change their tune now, even after they realized the backdoors were there. Per their request, I closed the four backdoors and quickly moved on with finishing the website moving project.
And you might be thinking too, “The backdoors were closed! Everything’s fine now. The website was updated, so what could go wrong?” HERE’S the big deal about moving on too quickly and not giving extra time for a full website security scan— it turned out that those four backdoors were NOT the only backdoors on that website. We just couldn't see the other ones that were still hidden. Even now, there’s at least one more, possibly multiple, allowing intruders at least some access to the website and server.
We all found this out by a spam link mysteriously appearing on the website’s home page one day, basically telling us, “Surprise, I’m still here!” With the owners’ priorities shifting a bit from this recent development, we’re now in the process of locating the backdoor(s) and any damage that they’ve caused. But, old habits die hard, and we’re doing this assessment process very, very slowly. We’ve looked into all the user accounts, as it was possible for that website’s ecommerce shoppers to create their account through a malicious backdoor without realizing, thereby immediately giving the attacker all of their payment and billing information. We’ve also done a full code review, and now we’re ready to start searching the database for any backdoors hidden there.
Security Feels Inconvenient
For a lot of website owners, the above statement is true: security feels inconvenient. They may not feel they have the available time, effort, or budget to tighten their website’s security, and they may feel that regular security scans and update installations are a waste of their company’s time. But here’s the thing: you change your oil regularly, right? Because if you don’t, your car will break down, and you’ll end up needing a new engine, or even a new car. The same is true of your website’s security; the risks outweigh the inconvenience. You may not be able to see that someone is recording all of your users’ transactions or sending your users malware whenever they visit your website, but that doesn’t mean that it’s not happening. And eventually, if and when something explodes, the cleanup will be a lot more expensive and time-consuming than the normal maintenance would have been in the first place.
It’s always worth it to have a security review done on your website. Make sure you have an SSL certificate, and make sure everything is up to date. Have your hosting environment assessed for any security or development flaws. If you install your updates, you can often get cool new features too! There’s no downside.
If you accept credit cards through your website, then you need to follow PCI compliance standards. Not only will your users’ information, and your money, stay safe, but your insurance can be lowered for selling online.
We’ve adopted a lot of PCI compliance standards as our default security standards too. That way, we create a more secure environment for our clients’ websites. Whether you’re a three-page informative website or a complex ecommerce website, you’ll get a higher level of security and a more robust setup than just deploying your website from a random third party.
We also scan our clients’ websites and hosting environments every week, just as a sanity check, to make sure nothing is changing that isn’t supposed to and routine updates are being managed.
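Two of the checks described above, reviewing the uploaded files for things an attacker dropped there and scanning the web root each week so that nothing changes that isn’t supposed to, can be automated. The script below is an added example written for this post, not tooling from the author or from any CMS project: it builds a SHA-256 baseline of a web root right after a clean deploy, diffs a later scan against it (files added, removed, or modified), and separately flags any server-executable file sitting under the uploads directory, where a CMS should only ever store images and documents. The directory layout, the extension list, and the sample files in `demo()` are constructed assumptions; adjust them to your own site.

```python
"""File-integrity and upload-directory check for a CMS web root.

Added example, not the post's own tooling. Assumes a WordPress-style layout
(uploads under wp-content/uploads); the extension policy is a constructed default.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed policy: extensions the web server would execute. None of these belong
# under an uploads directory, which should hold only images and documents.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".sh"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_baselines(old: dict, new: dict) -> dict:
    """Report which paths appeared, vanished, or changed content between two scans."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def executables_in_uploads(root: Path, uploads_subdir: str) -> list:
    """List files under the uploads directory with an executable extension anywhere
    in the name, so 'photo.php.jpg' is caught as well as 'cache.php'."""
    uploads = root / uploads_subdir
    hits = [
        p.relative_to(root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and any(s.lower() in EXECUTABLE_EXTENSIONS for s in p.suffixes)
    ]
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: baseline a clean deploy, then scan again after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads" / "2023"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (uploads / "logo.png").write_bytes(b"\x89PNG constructed sample")
        clean = build_baseline(root)

        # Simulated tampering: an unexpected PHP file appears in uploads and a core
        # file is altered. Contents are placeholders, not real payloads.
        (uploads / "cache.php").write_text("<?php // constructed placeholder\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php'; // changed\n")
        later = build_baseline(root)

        return {
            "diff": diff_baselines(clean, later),
            "executables": executables_in_uploads(root, "wp-content/uploads"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline from the clean deploy should be written somewhere the web server cannot modify (a separate host or read-only storage), because an intruder who can upload files can usually also edit a baseline kept in the web root. A scheduled run that diffs the current scan against that stored baseline and mails the `added` and `modified` lists, plus the uploads-directory hits, is the weekly sanity check described above in script form.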
It’s important to routinely update your website and make sure it stays secure, as well as your hosting. And every now and then, it’s good to have everything reviewed to make sure it’s secure. Assuming is NOT the best way to be secure!