[TriLUG] OT: Disinfecting a Club's Website

Aaron Joyner aaron at joyner.ws
Tue Aug 20 09:42:37 EDT 2013


A couple tips:
- As always, Alan's spot on.  Use git to track your changes to the website:
either edit on your computer, test, then git push to the live site, or at
least track the changes as you make them directly on the server.
- For hosting, you might consider using AppEngine.  It's free[1] and
easy[2] to host static content, you can even push it live with git[3].
- as a sanity check, you might consider pulling an archival copy from
archive.org or the google cache, as a way of looking back in time w/o
trustworthy backups

G'luck!
Aaron S. Joyner

1 - For small sites it's free, and by AppEngine standards, I'd bet good
money your site is "small".  As you scale up to enormous, it's still
relatively inexpensive.
2 - You'll have to create a basic app.yaml[4] to tell appengine how to
serve your static content, and then just plop it into a directory:
https://developers.google.com/appengine/docs/python/gettingstartedpython27/staticfiles
3 - pushing live with git is still in beta, but here's a handy link:
https://developers.google.com/appengine/docs/push-to-deploy
4 - you'll want an app.yaml that looks something like this:
# the two URL handlers below go under the handlers: key of app.yaml
handlers:
# re-direct to index.html if no path is given
- url: /
  static_files: index.html
  upload: index.html

# access the static resources in the root directory
- url: /(.*)
  static_files: \1
  upload: (.*)


On Mon, Aug 19, 2013 at 9:52 PM, Kevin Hunter Kesling
<hunteke at earlham.edu> wrote:

> At 9:11pm -0400 Mon, 19 Aug 2013, Alan Porter wrote:
>
>> One thing I like to do on web sites like this is use "git" to track
>> (and revert) changes.
>>
>> Just "git init" and "git add *" and "git commit -m 'initial copy'"
>> to get started.  Then when you think your files have been hacked, you
>> can "git diff" to see, and "git checkout *" to revert back to the
>> good copies.
>>
>
> I encountered an attack on a similar setup where we only had user-level
> access a while back.  After consulting this here group, I ended up creating
> an (absolute) kludge until we could get the hosting company to clean up
> its act (because changing at that time was also not an option).  I
> implemented a very similar solution to Alan's: git + remote cron + md5sums.
>
>   * Git: As Alan suggested.
>
>   * Remote cron: i.e., we weren't allowed to run cron on the
>     infected machine, so we did it remotely, checking every 10
>     minutes via ssh.
>
>   * md5sums: after running the 'git reset --hard' command, the
>     ssh+cron setup also compared md5sum:
>
>         $ find . -type f -print0 | sort -z | xargs -0 cat | md5sum
>
> Since the attack appeared to be automated, the last step with the md5sums
> was perhaps overkill, but it gave me peace of mind (such as a compromised
> account/machine allows, of course) that I would know almost instantly if
> something went further awry.
>
> Good luck,
>
> Kevin
>
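Kevin's git + remote cron + md5sum loop, written out as a small shell script (an added example, not code from the thread or from TriLUG; the function names, the recorded-baseline argument and the use of git clean to remove dropped-in files are this example's own assumptions):

```shell
#!/bin/sh
# Added example, not code from the thread: a scriptable form of Kevin's
# git + remote cron + checksum check, meant to be invoked over ssh from a
# cron job on a trusted machine. Assumes the site directory is a git checkout
# and that git, find, sort, xargs and md5sum exist on the host; function
# names and paths are this example's own.

# Fingerprint every file under the site except the .git directory. Hashing
# the per-file md5sum list (instead of the concatenated contents) means a
# renamed or moved file changes the result too. sort -z matters: plain sort
# does not understand the NUL separators that find -print0 emits.
site_fingerprint() {
    (cd "$1" && find . -name .git -prune -o -type f -print0 \
        | LC_ALL=C sort -z | xargs -0 md5sum | md5sum | cut -d' ' -f1)
}

# Return 0 if the working tree matches the last commit; otherwise print the
# modified, deleted and untracked paths (git status short form) and return 1.
site_check() {
    changes=$(git -C "$1" status --porcelain --untracked-files=all)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Put the tree back to the last good commit: discard edits and delete any
# files that were dropped in, which is what 'git reset --hard' alone misses.
site_restore() {
    git -C "$1" reset --hard --quiet HEAD && git -C "$1" clean -fdq
}

# One cron tick: compare the tree against git and against the fingerprint
# recorded after the last legitimate deploy, restore on any mismatch, and
# report. Returns 0 when nothing was touched, 1 when a restore happened.
site_guard() {
    dir=$1; baseline=$2; status=0
    if ! site_check "$dir"; then
        echo "git: working tree differs from HEAD"
        status=1
    fi
    if [ "$(site_fingerprint "$dir")" != "$baseline" ]; then
        echo "md5: fingerprint differs from recorded baseline"
        status=1
    fi
    if [ "$status" -eq 1 ]; then
        site_restore "$dir" && echo "restored $dir to HEAD"
    fi
    return "$status"
}
```

Record the baseline with site_fingerprint right after each legitimate deploy and have the remote cron job run site_guard over ssh every few minutes; a stale baseline would otherwise make the guard revert your own changes.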