
HTWFH Editor's Note: This article describes a way that cyberthieves can break into your site and steal your products or redirect your customers' payments into their accounts through Automatic Directory Listing. It provides countermeasures that you can employ to stop their attacks.



Attack of the Automatic Directory Listing!

By Brian Schaeffer, HTWFH Publisher

A little while ago a fellow Internet Marketer contacted me lamenting that thieves had gotten into her web site and downloaded all of her products! She was devastated!

All of her hard work of months... years... seemed to have gone down the drain in an agonizing instant.

We talked a bit about the whole incident and she calmed down enough to apply some reason to her situation. Actually, although someone had "done her wrong" and her business was indeed violated, it wasn't as bad as she had first thought.

The first good thing was that the thieves didn't do anything to her web site. It was still functioning and pulling in orders.

The second good thing was that together we figured out what happened and how they gained access to her products.

My article below describes the procedure the thieves used and what YOU can do to protect YOUR SITE from being victimized too!


All that hard work poured into setting up your business and your web site, investing either time or money (or both!) in products to sell, and establishing your customer base can be wasted if you don't take a few steps to protect yourself from malicious punk cyberthieves!

I told you about a fellow IMer being ripped off by internet thieves above. They easily stole her products, directly downloaded from her website!

Fortunately, after conversing with her, I was able to pinpoint what it was that allowed these despicable criminals unauthorized access to her site... something that you too might unknowingly be doing with your own web site!

As it turns out, my friend hadn't thought about her server doing an automatic directory listing (ADL).

Without an "index" or "home" file in a folder (directory), the surfer might be redirected by the server to a page called an Automatic Directory Listing which automatically lists the folder's (directory's) complete contents - with active links and all. If that folder contains your products, then the surfer has access to, and can download, them anytime he wants. (That's what happened to my friend.) Some servers, such as those used by Powweb Hosting, have a protection routine against ADLs. If you have an account using such a server, then you have nothing to worry about. Unfortunately, my friend didn't. If you're not sure about your host's server(s), I strongly recommend that you immediately investigate the situation!

Let me give you a quick concrete example.

When a surfer types in www.howtoworkfromhome.info/index.html, my web site's server automatically takes them to my index, or home page, because that directory has an index.html in it. No problem. The surfer says, "Take me there," the server responds, "Let's go" and does it. Even if the surfer types in an unspecified directory URL such as www.howtoworkfromhome.info, it's okay because the server first looks for an index file of some sort, finds it in this case, and displays my home page.

However, the problem is that if the surfer types in an unspecified directory URL AND there is no index.html or home page file in that directory, then the server says, "Gee, I'm not sure what you want, so here's a list of every file in the directory called 'howtoworkfromhome.info'," and then displays a page to the surfer which lists every single file in that directory. Those files could be .html, .txt, .php, .xml, .pdf, .zip, .jpg, .exe or any other kind of file!

It's kind of like opening the bank vault and stepping back and saying, "Here, take whatever you want!"

That's how the thieves got into my friend's web site and gained access to her products. She has a directory on her site titled, 'www.mywebsite.com/products'. Although her main directory, 'www.mywebsite.com' has an index file in it, her 'products' subdirectory did not.

The thieves simply typed in 'www.mywebsite.com/products' and because there was no index file in that directory, the server went to an Automatic Directory Listing display. Unfortunately, that listing showed every one of her products in .zip, .pdf, or .exe form! They clicked on each product in turn and 'saved' the product file to their own hard drive.

Quick, easy, and because they used proxies, there was no trace of their real IP address in her site logs and stats!

There are a number of ways to stop an automatic directory listing of a folder on your web site.

One of the easiest and most direct ways is to be sure that there is a file named "index.html" in your folder on the site; even if that index page is blank. If you have a number of folders (directories) on your server, you'll want to place an index.html into each of them.

If your folder already has an index.html, index.htm, default.htm, default.html, home.htm or home.html file in it, then there is no need for you to place another one in the folder. For example, my HTWFH site already has an index page in the main folder (it's the main subscription page), so I wouldn't place another one there.

On the other hand, if you have a folder without one of those pages, you can easily place a blank index.html by downloading one here: Blank Index Page. You may either save the web page and upload it directly, or do View--->Source and save the source as .html and upload.

And voila! You've just terminated automatic directory listing for your folder!
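To check every folder at once instead of one by one, the script below (an added example, not part of the original article) walks a local copy of the site, reports each directory that has no index file, and can drop a blank index.html into those directories without overwriting anything. The function names, the sample folder layout and the exact list of index file names are assumptions; which names your server treats as an index page depends on its configuration.

```python
import os
import tempfile

# Index file names taken from the article (assumption: the server is
# configured to honour these six; names are matched case-sensitively).
INDEX_NAMES = {"index.html", "index.htm", "default.htm", "default.html",
               "home.htm", "home.html"}


def find_unprotected_dirs(web_root):
    """Return sorted relative paths of directories with no index file."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if not INDEX_NAMES.intersection(filenames):
            exposed.append(os.path.relpath(dirpath, web_root))
    return sorted(exposed)


def place_blank_index(web_root, rel_dirs, body="<html><body></body></html>\n"):
    """Write index.html into each listed directory; never overwrite a file."""
    created = []
    for rel in rel_dirs:
        target = os.path.join(web_root, rel, "index.html")
        try:
            # "x" mode fails if the file already exists, so an existing
            # page is never replaced by the blank one.
            with open(target, "x", encoding="utf-8") as fh:
                fh.write(body)
            created.append(os.path.normpath(os.path.join(rel, "index.html")))
        except FileExistsError:
            pass
    return created


def demo():
    """Build a constructed site layout like the article's and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("products", "images/thumbs"):
            os.makedirs(os.path.join(root, sub))
        for rel in ("index.html", "products/ebook.zip", "images/logo.jpg"):
            open(os.path.join(root, rel), "w").close()
        before = find_unprotected_dirs(root)
        place_blank_index(root, before)
        return before, find_unprotected_dirs(root)


if __name__ == "__main__":
    print(demo())
```

An index file only hides the listing: anyone who knows or guesses a product's file name can still request it directly, so downloads that must stay private need access control as well.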

(TIP) - Not everybody who ends up with an automatic directory listing on their screen is a thief. Many times they just stumble onto it. Given that fact, your new blank index page can also do double duty as prime online real estate for your advertisements, subscription forms, etc. Just build the page with the displays you'd like to show and name it as your "index" page for the folder you want to protect.

Alternatively, you can place an automatic redirect script on the index.html page you're placing in the folder and have your visitor be redirected to your home page.

I've included the HTML script for you below...

___________________________________________

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<HTML>
<HEAD>
<TITLE>File Redirect Page</TITLE>

<style type="text/css">
H1 {font:14pt "times new roman"; font-weight:bold; color:#0f0657; text-align:center}
</style>

<script language="JavaScript">
// Show a copyright notice on right-click. The document.all and
// document.layers checks target old Internet Explorer and Netscape 4.
var message = "Copyright © All Rights Reserved.";
function click(e) {
  if (document.all) {
    if (event.button == 2) { alert(message); return false; }
  }
  if (document.layers) {
    if (e.which == 3) { alert(message); return false; }
  }
}
if (document.layers) { document.captureEvents(Event.MOUSEDOWN); }
document.onmousedown = click;
</script>

<SCRIPT LANGUAGE="JavaScript">
// Delay in milliseconds and the page the visitor is sent to.
redirTime = "3000";
redirURL = "http://www.howtoworkfromhome.info";
// Called by the BODY onLoad handler; redirects once the delay has passed.
function redirTimer() {
  self.setTimeout(function () { self.location.href = redirURL; }, redirTime);
}
</script>
</HEAD>

<BODY BGCOLOR="#ffffff" topmargin="0" leftmargin="0" rightmargin="0" marginheight="0" marginwidth="0" onLoad="redirTimer()">
<BR><BR><BR><BR>
<CENTER>
<H1>The file you are trying to access is restricted. <br><br>You are being redirected to the Home Page.</H1>
</CENTER>
</BODY>
</HTML>

___________________________________________

The time in the script is expressed in milliseconds (thousandths of a second), so the 3000 below is 3 seconds. That means that after 3 seconds the redirect script will automatically trigger. You can change it to whatever you want, although I would recommend that you have no more than 10 seconds.

EXAMPLE -- redirTime = "3000";

Don't forget to change the redirURL in the script above to your own home page URL; otherwise, your visitor will end up at the HTWFH web site.

EXAMPLE -- redirURL = "http://www.yourdomainname.com";

___________________________________________

The article copyright is held by the author


 
