M-Square Systems Inc.

INFORMATION TECHNOLOGYCONSULTING FIRM

Phone# (646)-360-0890 /(212)-941-6000

Visit: http:/www.msquaresystems.com/

Protect Your Website From Hackers

Someone who successfully infects your PC can use it to get into your website. That is very common.

On any Windows PC (does not apply to Linux, Mac) that you use to administer your website, install good quality antivirus software to keep it free of viruses and Trojan downloaders that can install spyware

On a Windows system, once a month, while logged into your PC as an Administrator, visit Windows Update to install the latest security patches for Microsoft products, including Internet Explorer. 

Keep all your internet-related software such as browsers, plug-ins, and add-ons up to date with the latest security patches.

Use adequate security settings in your web browser.  On a wireless network or in a public "hot spot", your data is

transmitted by radio, and it is easy for someone nearby to monitor everything you send and receive that is not encrypted.

Maintain strong security on the computer that you use to manage your website

Use strong passwords Use a different password in every location. Only give your password to people who must have it If you give your password to someone temporarily, change

it as soon as their work is finished.

Follow accepted best practices for your website passwords

Don't load your website with every cool script, gadget, feature, function, and code snippet you can find on the web. Any one of them could let a hacker into your site.

Choose third party scripts carefully

Once you have installed a script such as WordPress, SMF, Coppermine, phpBB, or any others, find a way to make sure you are notified quickly when security updates are released. Get on a mailing list, subscribe to an RSS feed, subscribe to a forum board, create a Google Alert, whatever you need to do. When a security update is released, install it within 1 day, if possible. 

Keep third party scripts up to date

SSH, Secure SHell, gives you command line access to your server, allowing you to execute operating system commands from a remote location. Most webhosts don't allow their shared hosting customers to use SSH at all, but a few do. Resellers and those who manage dedicated servers do have SSH.

If you have SSH access and you use it, its password should be exceptionally strong, 16 random characters or more. 

If you have SSH access and you don't use it, disable SSH so nobody can use it. There is sometimes an SSH control switch in cPanel.

If you allow SSH at all, let your users ask you to enable it for them. Most never will.

Use good security practices for SSH

Each file and folder on your server has permissions settings that determine who can read or write that file, execute that program, or enter that folder. Your webhost initially created your webspace with secure permission settings on all files and folders.

Do not modify the permissions until you know what you're doing. Don't guess. One mistake can allow any other account on your shared server to put files on your site

Don't weaken your server's file and folder permissions

These precautions are also absolutely necessary, but only if you write your own program code.

For the language you use, find and read an overview about security: PHP, ASP.NET, Cold Fusion,

When you use an unfamiliar function for the first time, check the manual for security considerations.

Learn to instinctively distrust data from the outside world. Write your code so that incoming malicious input can't trick it into doing something it shouldn't. Outside data includes: incoming form submission data, HTTP query strings, cookies.

Learn how to prevent "Remote File Inclusion". Learn how to prevent "SQL Injection". There are lots of online resources for learning how to code

securely. All it takes is a web search.

Write your own scripts securely

These are extra precautions that provide an additional layer of security. If you understand what this section is talking about, the discussion and code examples should help you to put some good protections in place.

Download and examine your raw access logs. Here are some examples of how to block suspicious activity: Ban bad robots.  Ban suspicious URL query strings.  Ban IP addresses responsible for suspicious

activity. 

Block suspicious activity with .htaccess

Always have a backup copy of your entire website and its databases

Turn on log archiving in cPanel nowGet a complete list of your site files NOW while

they are known-goodExplore your website and become familiar with

what is thereUse good database connection practices in

scripts:

Preparations that will make hack diagnosis and cleanup easier

WINNING NOTIFICATION:Attn: Dear Sir/Madam

We happily announce to you the draw of the Euro - Afro Asian Sweepstake Lottery International programs held on the 1st of May 2004 in Dakar Senegal. Your e-mail address attached to ticket number: 564 75600545 188 with Serial number 5388/02 drew the lucky numbers: 31-6-26-13-35-7, which subsequently won you the lottery in the 2nd category. You have therefore been approved to claim a total sum of  US$4,500,000.00 (Four million, Five Hundred Thousand United States Dollars) in cash credited to file KPC/9080118308/03.This is from a total cash prize of US $ 45 Million dollars,

shared amongst the first Ten (10) lucky winners in this category.

CONGRATULATIONS!!!

Due to mix up of some numbers and names, we ask that you keep your winning information confidential until your claims has been processed and your money Remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants. All participants were selected through a computer ballot system drawn from over 40,000 company and 20,000,000 individual email addresses and names from all over the world.

Example of a Spam Email

This promotional program takes place every year. This lottery was promoted and sponsored by Association of software producers. we hope with part of your winning,you will take part in our next year US$20 million international lottery. To file for your claim, please contact our paying officer:Contact Person:Mr Peter MoyoFoundmoney Int.Email:pmoyo@lycos.co.uk

Remember, all winning must be claimed not later than 25th of September,2004.After this date all unclaimed funds will be included in the next stake.Please note in order to avoid unnecessary delays and complications ,please remember to quote your reference number and batch numbers in all correspondence.

Furthermore, should there be any change of address do inform our agent as soon as possible.

Congratulations once more from all members and staffs of this program. Thank you for being part of our promotional lottery program.

Sincerely,SIR T.U.QuarshieAFRO-ASIAN Zonal Coordinator

Example of a Spam Email

http//www.fliesen-stracke.de /akklpo/ jauxr/rgzhl/ xunx/ vzpty/txu.html

Example of a Spam Link – Do not click this link

Support & Partner

Getting Started or Support –

Muthu Natarajan

muthu.n@msquaresystems.com

www.msquaresystems.com

Phone: 212-941-6000