09/18/12

ALEJANDRO PAZ, M.D., M.P.H., F.A.A.F.P.

A Personal Web Page



Contents


My Personal Web Page Design

Web Page Design Approaches
A Malicious Javascript
A Lesson in Security
Google Shuts Me Down
No Help From My ISP
The Lessons Learned



Web Page Design Approaches

My name is Alejandro Paz, M.D., and I have observations and experiences regarding the design of web pages. There are various approaches to designing web pages. My web page approach uses only CSS and HTML for a static read, and for those that require a dynamic read, I could easily include Perl, PHP, Python, or Ruby code as an interface to a relational database such as MySQL or an object-relational database such as PostgreSQL. However, my web page is not scalable and it would be very difficult to update quickly whenever needed. There is no allowance for flexibility and adaptability. My approach is not suitable for bulletin board and blog design. E-commerce design is out of the question. The solution for these complicated designs lies in applying web page design frameworks such as Drupal, Joomla, TYPO3, and WordPress. These frameworks require an aforementioned database. There are other frameworks that work just as well, but their popularity is not established. An important reason for the above described design approach of my web page is the ubiquitous mobile phone.

Nowadays, the more popular mobile phones are the BlackBerry and the iPhone. I am sure that other models are well designed and perform consistently, but I am not familiar with them. The problem readily encountered is fitting a web page on such a small screen. Personally, I enjoy reading the basic web pages that fit well on the screen. The page is not broken or misaligned. I write many learning notes that could be read comfortably. The links that are listed on my web page are not suitable for the mobile phone. Instead, these links should be read using a fat client or a thin client. The links listed point the browser to web sites that deploy examples of my favorite web page frameworks.



A Malicious Javascript

As I mentioned earlier, my name is Alejandro Paz, M.D., and I want to discuss how my web page became an attacker page. Recently, my web page became an attacker page due to a cracker who entered a malicious JavaScript. I was disappointed to find the Firefox browser and the Internet Explorer browser declaring my page malicious and blocking my ISP server from serving it. I looked at my index.htm code and was shocked to find a mysterious code below the ending html tag. The code was long and was an amazing mix of letters, numbers, and punctuation marks. Looking further, my PHP files were contaminated with this unethical code. The malicious code was intermixed with the PHP code, thereby making it useless in function. Amazingly, the Perl, CSS, and Ruby files were unaffected. What is even more disappointing is that the free HTML and PHP files were infected to the point of no repair. I spent many hours studying the codes and uploading what I thought would be useful. Regretfully, I must delete all of the hundreds of files collected throughout the years. I "cleansed" my favorite files that were most informative. My frustration about security problems began last year when my page was "hijacked". It was amazing to go to my web server directory only to find that my index.htm had gone to another web server directory with no access for me. Fortunately, I have a friend who was able to return my page. To my surprise, his website was hijacked.
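The symptom described above, content sitting below the closing html tag, can be checked for across a whole web directory. The following is an added example, not code from this page: it flags `.htm`, `.html` and `.php` files that carry anything other than whitespace after the last `</html>`. The file names and the placeholder payload are constructed for the demonstration.

```python
import os
import re
import tempfile

CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
PAGE_EXTENSIONS = (".htm", ".html", ".php")

def trailing_after_html(data: bytes) -> bytes:
    """Return whatever follows the last </html> tag, stripped of whitespace."""
    matches = list(CLOSE_HTML.finditer(data))
    if not matches:
        return b""  # no closing tag at all: nothing to compare against
    return data[matches[-1].end():].strip()

def scan_webroot(root: str) -> dict:
    """Map relative path -> number of unexpected bytes after </html>."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                tail = trailing_after_html(fh.read())
            if tail:
                findings[os.path.relpath(path, root)] = len(tail)
    return findings

def demo() -> dict:
    """Build a constructed web root with one clean and one tampered page."""
    with tempfile.TemporaryDirectory() as root:
        clean = b"<html><body>notes</body></html>\n"
        # Constructed stand-in for appended content; not real malware.
        tampered = clean + b"<script>/* APPENDED-PLACEHOLDER */</script>\n"
        with open(os.path.join(root, "about.htm"), "wb") as fh:
            fh.write(clean)
        with open(os.path.join(root, "index.htm"), "wb") as fh:
            fh.write(tampered)
        return scan_webroot(root)

if __name__ == "__main__":
    for path, size in sorted(demo().items()):
        print(f"{path}: {size} unexpected bytes after </html>")
```

A hit is a prompt for manual review rather than proof of compromise, since a PHP template may legitimately emit output after its closing tag.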



A Lesson in Security

I queried the Google database and became overwhelmed at the number of indexes referring to these security problems. I am sure that my ISP operates on the CentOS GNU/Linux operating system. I understand well that Linux operating systems are not secure. I understand further that the BSD family of operating systems is much more secure because these operating systems are systematically improved from the original source tree continuously. On the other hand, implementing SELinux policy in CentOS, Fedora, and Red Hat Linux has improved security in these distros. Implementing SELinux in the PostgreSQL object-oriented relational database is another security improvement. I never imagined that my "little" page would be attacked.

What I learned is that one should keep page code very simple. Adding Ajax, JavaScript, and Java code results in a web page being lively and dynamic. Disappointingly, this type of coding approach will open your page to an attack and it could become an attacker page itself, or the code could break the server directory where the page file is located. Up to this moment I do not understand why my page became an attacker because I do not code in Ajax, JavaScript, and Java for the reasons mentioned. What I see is that the cracker used a malicious JavaScript cleverly to integrate into my PHP and HTML. It is explained to me that the Apache web server itself and its security problems are the center and this is the reason why my page could be open to attacks. Nowadays, the world needs fonts, images, Flash, and other media technology that make web pages very attractive. In my opinion, using these types of technologies opens your web page for attacks and injections. It is clear to me that one should use Drupal, WordPress, TYPO3 and possibly Joomla. These web page design frameworks are constructed from the world communities and have updates on new security breaches.



Google Shuts Me Down

Sadly, I was cracked again recently. Again, my index page was replaced by a Google attack page notice. I contacted my internet service provider and they stated that nothing could be done on their behalf; that I must come to an agreement with Google. The first process begins with accessing the Google Webmaster Tools website. My website was listed as malicious and I must clean up the site. After false assurances that my site was cleaned up by my internet service provider, I came to realize that my internet service provider and Google could not help me. I enlisted the services of a third party vendor that has the modern scanning equipment needed to clean a malicious toolkit thought to be somewhere in my directories. To my dismay, this company only copied what Google had already announced to me. However, if I open a ticket, then the company could scan my website. I found this type of service misleading. Finally, after investigating further, I contacted "wewatchyourwebsite.com" and I must say that this company was very helpful to me. I am not here to advertise them, but want to say that they were very helpful. I talked to the owner of the company and he expressed good information that was meaningful to me. As it turns out, the folder that included the emoticons was the problem. Although the folder had 0000 permissions, Google would not take down the attack notice. The aforementioned company deleted the folder. Google declared my site safe and this is the reason for the update. Anyway, I do not use emoticons.



No Help From My ISP

The second part of the problem of this whole sad saga is my internet service provider itself. They declared that I was using my website as a storage site, which was not my intention whatsoever. What I wanted to establish was a tutorial website about Unix and Linux distributions and how to use them. I envisioned using Flash, PDF, TXT, and possibly other audio/video formats. They reminded me of an agreement that I signed stating the terms including the part about storage. Another problem was that they do not have the modern scanning equipment needed to delete the malicious software. I found this part very surprising. Instead of being proactive in preventing malicious attacks, the best that could be done is a retroactive approach that many times results in confusion. Regardless, I have decided to install only a few pages so that I could monitor my directory better. The only good part about this whole process was the understanding of the cPanel itself.



The Lessons Learned

So, what are the lessons learned? Realize nothing is secure and this includes Unix and Linux software. Microsoft is known for writing poorly secured software. However, I conclude Linux software is not as secure. Possibly, OpenBSD is more secure and I am learning how to use it. Change your passwords as often as possible. It is easy to use simple passwords, but try to use passwords that are case-sensitive and include symbols and numbers. Although I had Drupal, WordPress, TYPO3, and Joomla web frameworks, I did not update them. Outdated software is an easy target for crackers. If there are scripts that are useful then back them up immediately. I know that these approaches result in many extra steps. The proactive way discussed above is based on my experience. It is important to say that any proactive approaches are not enough and the better advice is to include a scanning company that has modern equipment to find and delete rootkits and toolkits that are malicious.




