Free Web Site Pen test?

**SimonMac** · 15 February 2012, 10:04

Originally posted by ctdctd View Post

Morning,

A mate of mine has a small site for his photography business.
It appears to have been hacked and a folder has appeared full of images - nothing nasty. There is no e-commerce on the site.

His hosting co said a remote shell appears to have been installed and shut down the site. It's all running on a LAMP box by the look of it.

He got them to reset his passwords and FTP'ed in, deleted everything and re-uploaded so it works again.

Are there any free tools he can use to test the site to try and work out if it is likely to happen again.

He's only at the FrontPage level of web authoring and I'm not much better so something with a nice big "click here to test" button is what we need!

Any advice?

Two questions, firstly is security other than for home use something you want to do on a free basis?

Secondly, if he is using FrontPage that might be the problem in itself, quite a few professional tog's are using wordpress sites which might be a better option

**ctdctd** · 15 February 2012, 10:12

Originally posted by SimonMac View Post

Two questions, firstly is security other than for home use something you want to do on a free basis?

Secondly, if he is using FrontPage that might be the problem in itself, quite a few professional tog's are using wordpress sites which might be a better option

Well, it's his site and his choice how much he wants to pay!

Yes, the original site was created with FrontPage so this could well be the problem.
However it would be nice to know how it was hacked instead of just assuming a site rewrite using a different product would fix it.
It could be his FTP password was compromised in which case it would not matter how the web site was created?

**Pondlife** · 15 February 2012, 10:20

I would start by checking who has write permissions on the files/folders the site contains.

**pmeswani** · 15 February 2012, 12:56

I hate to say this, but FrontPage Server Extensions are insecure. Here's just one article you can look at Web Server Security Issues and Front Page Server Extensions. I would suggest using some proper WebDev application, or use a template like Wordpress, Joomla or Drupal to design the website and ditch FPE.

As the web hosting company is hosting the site, it is most likely a shared site, so doing a pen test against their server without their permission, knowledge and consent could well be in violation of their terms and conditions and could also fall foul of the Computer Misuse Act, so be careful about doing a Pen Test of any form.

**ctdctd** · 15 February 2012, 13:50

Ta all,

I'll read up on FrontPages issues and see if he's using the extensions - it's a very simple site.

I'll also suggest it's time for a redesign but suspect it will fall on deaf ears!

**Sockpuppet** · 15 February 2012, 18:35

To be honest if a machine gets hacked then by default you should wipe the machine and start again you have no idea what has happened.

Free Web Site Pen test?