Posts filed under 'Security'
Today the data center shut down the Gnome server (72.232.186.26) for several hours after discovering two client accounts hosting phishing sites that impersonated Bank of America and Wells Fargo.
We coordinated with the DC engineers to bring the server back online so we could investigate and remove the phishing sites.
It turns out that both accounts had folders left open (world-writable), which let the attackers upload a zip archive of the fake site and extract it in place. We have deleted the files and secured the folders, and we are still checking other client accounts for the same problem.
We ask all clients to check their accounts regularly for open folders and to fix the permissions: directories should be 755 and files 644. A 777 folder is writable by every user and script on the server, which is what made this upload possible; note that a directory set to 644 cannot be entered at all, so do not apply 644 to folders. Also keep any add-on scripts or web apps you have installed up to date, to avoid similar incidents in the future.
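As an added example, not part of the original post: a PHP script that audits an account's web root for exactly this problem (anything writable by everyone) and resets it to the 755/644 asked for above. It is written in PHP rather than shell because shared-hosting accounts often have no SSH access; the web-root argument, the --fix switch and the function names are assumptions made for this script, not part of the hosting setup described in the post.

```php
<?php
// Added example, not part of the original post. Walks a web root, lists every
// file or directory that is writable by "other" (the open-permission bit that
// let the phishing kit be uploaded), and with --fix resets directories to 0755
// and files to 0644. The web-root path and the --fix switch are assumptions.
// Usage: php audit_perms.php /home/user/public_html [--fix]

function findWorldWritable(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        // Skip symlinks: chmod() would follow them and change the target instead.
        if ($info->isLink()) {
            continue;
        }
        // 0002 is the "other write" bit; 0777 directories and 0666 files both set it.
        if (($info->getPerms() & 0002) !== 0) {
            $hits[] = $path;
        }
    }
    return $hits;
}

function fixPermissions(array $paths): array
{
    $changed = [];
    foreach ($paths as $path) {
        // Directories need the execute bit to be traversable, so they get 0755;
        // plain files get 0644. Neither is writable by anyone but the owner.
        $mode = is_dir($path) ? 0755 : 0644;
        if (@chmod($path, $mode)) {
            $changed[$path] = sprintf('%04o', $mode);
        }
    }
    return $changed;
}

$root = $argv[1] ?? null;
$fix  = in_array('--fix', $argv, true);
if ($root === null || !is_dir($root)) {
    fwrite(STDERR, "usage: php audit_perms.php <web-root> [--fix]\n");
    exit(1);
}

$open = findWorldWritable($root);
foreach ($open as $path) {
    // Print the last four octal digits (e.g. 0777) next to the path.
    printf("%s %s\n", substr(sprintf('%o', fileperms($path)), -4), $path);
}
printf("%d world-writable entries under %s\n", count($open), $root);

if ($fix && $open) {
    foreach (fixPermissions($open) as $path => $mode) {
        printf("fixed %s -> %s\n", $path, $mode);
    }
}
```

Run it without --fix first and read the list: an upload directory that a web app genuinely writes to should be owned by the account and made writable for that app's user (or the app run under your own user with suPHP/suEXEC), not opened to everyone.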
April 5th, 2009
Those running WordPress can now update their blogs to the latest version, 2.7.1. This release fixes bugs and security holes, and everyone is advised to upgrade as soon as possible. Take a full backup (files and database) before updating.
February 10th, 2009
If you run a packaged script such as Movable Type or WordPress, your main job is to apply its patches and upgrades promptly. But if you write your own PHP from scratch, Chris Shiflett outlines some measures and guidelines:
- The register_globals directive is a security risk, so turn it off and never rely on it
- Filter input and escape output
- Filter all foreign data
- Filter data using a whitelist approach
- Use existing functions for data filtering
- Use a strict naming convention
- Place all modules (included files) outside the document root
- Escape all characters that can be escaped, for the context the output goes into
For further information, download Shiflett’s PHP Security Guide here. You may also want to visit the PHP Security Consortium.
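As an added example (not code from the post or from Shiflett's guide), here is the whitelist-filtering and output-escaping pattern from the list above applied to a constructed request. The parameter names (user, page, sort), the allowed values, and the $clean array used as a naming convention for filtered data are assumptions for the illustration.

```php
<?php
// Added example, not from the post and not from Shiflett's guide: "filter
// input, escape output" applied to a constructed request for a page like
// index.php?user=...&page=...&sort=... Parameter names, allowed values and the
// $clean convention are assumptions for this illustration.

// Filter every value that comes from outside (the "foreign data" above) into a
// separate $clean array, so unfiltered $_GET values never reach the rest of the code.
function filterRequest(array $get): array
{
    $clean = [];

    // Whitelist by pattern: only what a username may look like gets through.
    // is_string() matters: ?user[]=x would otherwise hand preg_match an array.
    if (isset($get['user']) && is_string($get['user'])
        && preg_match('/^[a-z0-9_]{3,16}$/', $get['user']) === 1) {
        $clean['user'] = $get['user'];
    }

    // Use an existing function rather than a hand-rolled check.
    $page = filter_var($get['page'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    $clean['page'] = ($page === false) ? 1 : $page;

    // Whitelist by value: anything outside the list falls back to a safe default.
    $allowedSort = ['date', 'title', 'author'];
    $clean['sort'] = in_array($get['sort'] ?? '', $allowedSort, true) ? $get['sort'] : 'date';

    return $clean;
}

// Escape for the context the data is going into; HTML and SQL need different escaping.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Column names cannot be bound as prepared-statement parameters, which is why
// $sort had to be whitelisted. The user value goes through a bound "?"
// placeholder (PDO or mysqli) rather than into the string.
function buildPostQuery(array $clean): string
{
    $perPage = 10;
    $offset  = ($clean['page'] - 1) * $perPage;
    return sprintf(
        'SELECT id, title FROM posts WHERE author = ? ORDER BY %s LIMIT %d OFFSET %d',
        $clean['sort'], $perPage, $offset
    );
}

// Constructed hostile request: script injection in the name, a bogus page
// number, and a column name the query must not accept.
$get = [
    'user' => '<script>alert(1)</script>',
    'page' => '-3',
    'sort' => 'id); DROP TABLE posts; --',
];

$clean = filterRequest($get);
var_dump(isset($clean['user']));    // the name was rejected, so it is absent from $clean
echo buildPostQuery($clean), "\n";  // sort and page fell back to their safe defaults
echo escapeHtml($get['user']), "\n";

// Contrast: the classic mistake is to drop the raw value straight into HTML.
// echo "<p>Hello " . $_GET['user'] . "</p>";   // cross-site scripting
```

Note that filtering and escaping are separate steps: the whitelist decides whether a value is acceptable at all, and escapeHtml() is still applied when anything is printed, because a value that passed one filter may be reused in a context the filter did not consider.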
November 6th, 2008
To disable directory browsing you can use an .htaccess file. Open a text editor (e.g. Notepad) and put the following line in it:
[code:1]
Options -Indexes
[/code:1]
Now select Save As… from the menu and choose ‘All files’ in the Save as type box before typing a filename. For the filename, type ‘.htaccess’ (without the quote marks, and remember the dot at the start).
Upload this file to your [b]public_html[/b] directory and directory browsing will be disabled for your whole account (the setting applies to every directory below the one holding the file). This only takes effect if the server allows Options to be overridden in .htaccess (AllowOverride Options or All), which cPanel hosts normally do; if you get a 500 error after uploading, that override is not permitted and the line should be removed.
October 7th, 2008
A new version of Apache (1.3.36) was just released for cPanel servers. We don’t recommend upgrading right away, because you quite often wind up with more problems than the upgrade is supposed to fix. Almost every new version of any software (MySQL, PHP, etc.) released through cPanel has been unstable in the first few weeks after release. This isn’t cPanel’s fault; it is just the nature of the beast. Software that has just been released quite often has bugs or some other problem.
This Apache update for cPanel was released only yesterday, so we recommend waiting at least a week or two before upgrading, to make sure it is stable.
As for the warning message you see when logging into WHM: since the installed version is not the latest, the message will say your version is insecure, whether or not there is an actual security threat to your build. Before deciding, read the release notes for the new version and check whether it fixes anything remotely exploitable in the version you run; that is what should determine how long you can afford to wait.
It’s a balance between stability and security, and only you can decide which side to take. The decision is always controversial, because neither an insecure nor an unstable server is any good. In our opinion, based on past experience and on what we are already hearing from customers who attempted this upgrade, it is worth waiting a week or two. People have upgraded Apache without asking us and run into problems ranging from Apache not starting, to Apache modules not loading, to Apache crashing constantly. You can also read about the problems others are having on the cPanel forums; there are many complaints there already.
What makes this worse is that there is no option to downgrade: rolling back means manually reinstalling or recompiling, which means HTTP downtime while that runs.
May 25th, 2006
WordPress version 1.5.2 is now available for download here.
We ask all clients to update their WordPress installations as soon as possible.
August 22nd, 2005
WordPress version 1.5.1.3 is remotely exploitable if the web server it runs on has register_globals = on in the PHP configuration. Perl and PHP code exists to exploit vulnerable WP 1.5.1.3 sites automatically, allowing the attacker to (try to) execute code under the victim’s account.
If you have WordPress installed on your account, please follow these instructions. Whatever else you do, make sure register_globals is off for your account, since that setting is what makes the bug reachable.
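As an added example, not from the advisory and not WordPress's code: what register_globals actually lets an attacker do, and what the fix looks like. The advisory does not say which WordPress variable was involved, so the login check, the secret and the attacker's request below are constructed for the illustration.

```php
<?php
// Added example, not from the advisory and not WordPress code: how
// register_globals = on turns an uninitialised variable into something the
// attacker can set from the query string, and the fix. The check, the secret
// and the request are constructed for illustration.

// register_globals was removed in PHP 5.4; this reproduces its effect for the demo:
// every request parameter becomes a global variable of the same name.
function emulateRegisterGlobals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: $authorized is only ever assigned on the success path.
// With register_globals on, ?authorized=1 in the URL pre-seeds it to "1".
function vulnerableCheck(string $password): bool
{
    global $authorized;
    if ($password === 'constructed-secret') {
        $authorized = true;
    }
    return (bool) $authorized;
}

// Hardened: initialise before use, and read input only from the superglobal
// you intend to read from (here $_POST, passed in so it can be exercised).
// Real code compares a password hash with password_verify(); the plain
// comparison is only to keep the demo short.
function hardenedCheck(array $post): bool
{
    $authorized = false;
    $password = (isset($post['password']) && is_string($post['password'])) ? $post['password'] : '';
    if (hash_equals('constructed-secret', $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Tells you whether the host still has the directive on. ini_get() returns
// false when the directive is off or no longer exists in this PHP version.
function registerGlobalsIsOn(): bool
{
    return filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed attacker request: a wrong password plus a bogus "authorized" parameter.
$request = ['password' => 'wrong', 'authorized' => '1'];

emulateRegisterGlobals($request);
var_dump(vulnerableCheck($request['password']));   // the attacker passes the check
var_dump(hardenedCheck($request));                 // the attacker is rejected
var_dump(registerGlobalsIsOn());
```

On a mod_php host the directive can be switched off per account with php_flag register_globals off in the same .htaccess file that holds Options -Indexes; where PHP runs as CGI or suPHP that flag is not honoured and the setting belongs in the account's own php.ini. Either way, initialising variables as in hardenedCheck() is the fix that survives a host changing the setting back.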
August 14th, 2005
It has been said that users are the weakest link in the security chain, and social engineering is the clearest example. Social engineering is the practice of luring a user into handing over sensitive information such as passwords and credit card numbers. It targets the user rather than a security hole in the software. The success of many virus and phishing attacks is due largely to social engineering.
Take the case of the Love Bug worm. It caused an international sensation because it infiltrated even the Pentagon, not because of known security holes in the Pentagon’s systems, but because the promise of a love letter prompted users to open the attachment and run the worm. Social engineering also plays a big part in phishing: attacks that go after user information through e-mail, instant messages, or websites that ask for it.
Nor is this limited to malware. It includes chain e-mails, such as the “Bill Gates is giving away his money if you forward this” hoax, made to look authentic with a lawyer’s signature at the end; advance-fee frauds such as the “Nigerian scam”; and even text-message scams.
According to Sophos, these are the measures to take to avoid phishing scams:
- Never respond to emails that request personal financial information
- Visit banks’ websites by typing the URL into the address bar
- Keep a regular check on your accounts
- Check the website you are visiting is secure
- Be cautious with emails and personal data
- Keep your computer secure
- Always report suspicious activity
Recommended sites for more information:
http://www.fightidentitytheft.com/
http://www.windowsecurity.com/articles/Avoid-Phishing.html
Next on Security Basics: PHP
June 4th, 2005