Colleges and Government Websites in Nepal Sell Sex Drugs!

I hope that educational institutes such as colleges, schools or universities in Nepal (or anywhere as a matter of fact) are into education rather than selling sex drugs. Also, that the government offices do their assigned jobs rather than selling Viagra. The point I am raising here is security issues of educational and government websites in Nepal.

Let’s do a quick search on Google for Viagra (apparently a sexual wonder drug!) within the educational websites in Nepal, which have the names followed by .edu.np. We can do this using [search term] + the ‘site:’ operator + the URL or domain. For educational sites, this would be https://www.google.com/search?&q=viagra+site%3A.edu.np

The search for Viagra in educational website resulted in over 1700 results! I won’t link such sites direct here but present a screenshot. You can do the search yourself too using the search above.

From Kathmandu University to American Language Center – and several schools, colleges universities websites are infected.

Similarly doing a search for Government sites of Nepal shows plenty of infected websites too.

Finally doing a search for a .com.np site showed over 178,000 infected web-pages. I would just share screenshot here as well.

Why do educational and government websites get exploited so much?

The easy explanation is that weak security in websites (especially quick cheap ones) allow easy access to external attackers. Another reason might also be related to a different reason called SEO (search engine optimization), which is about how Google ranks a website when somebody makes a search for a particular term. It is a common but somewhat mistaken assumption that links from educational or government site provides better ranks in search results. So the practice of inserting codes to ‘bad’ sites in educational or government or any other site with old software is a notorious practice that has been going on for a long time. Some sites may also redirect to potentially bad sites when clicked on search results rather than going to the actual result displayed.

What can be done to improve website security?

Unfortunately, there is no such thing as 100% secured and even biggest websites get hacked. If we do a similar search for overall educational or government sites around the world, the situation is no better. I wouldn’t be surprised if my own site gets hacked someday. But having said that it is upto the website owner or team to ensure that the site is safe for its visitors.

In general, it is a good practice to:

• Keep the content management system (CMS) or software up-to date on the server and on own computers
• Use antivirus
• Not use easy to guess passwords
• Choose a more secured hosting
• Backup data regularly
• Check own site on Google using the ‘site:’ operator. For example viagra site:ku.edu.np or viagra site:.gov.np
• Never open suspicious files attachments or websites
• Report websites that are infected to the website owner

Here are some additional references on better web security (don’t worry! these are trustworthy sites and open in new window.)

• 10 ways to better website security
• What to do when WordPress site is Hacked
• A presentation on how and why websites with old software are attacked by ‘bad’ sites
• Joomla website security checklist
• Some indicators on site safety if you are using Google Chrome

Suggestions are welcome!