[General] WordPress login attack


Thursday, January 16th, 2014 - General, Security

PLEASE READ IF YOU ARE SEEING A LOGIN PROMPT WHEN TRYING TO ACCESS YOUR WORDPRESS ADMIN AREA

Some of you may be aware that there has been a growing botnet across the Internet that has essentially been launching a DDoS attack on WordPress scripts throughout the Internet.

WordPress is an extremely popular blogging and CMS platform. Many people use it. It is widely installed throughout the Internet and on our web hosting servers. This makes it a very inviting target for hackers and other malicious users to take advantage of.

The attack is basically a system of thousands and thousands of IP addresses all trying to log in to various sites’ backend WordPress admin panels. All of these requests undermine the performance of the server, because the server has to respond to each of them. This is why it essentially becomes a DDoS-like attack.

Up until now, we have been able to mitigate most of this with a series of IP blocks. But unfortunately this system is reaching its saturation point and is no longer effective. The next step in mitigating this is to employ a specific web/captcha system. With this enabled, you will see a dialog box when you go to log into your WordPress admin panel, telling you to enter a specific set of characters as the username and the answer to a simple arithmetic/addition problem as the password. This is becoming the standard way to mitigate this attack.
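To illustrate why per-address blocking stops working against this kind of traffic, here is an added example (not part of the original post and not our production tooling) that counts login POSTs per site and per client address. The vhost-prefixed log layout, the thresholds and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: vhost, client IP, ident, user, [time], "METHOD path PROTO", status, size
LINE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def login_posts(lines):
    """Count POSTs to wp-login.php per vhost and per client IP."""
    per_site = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            per_site[m["vhost"]][m["ip"]] += 1
    return per_site

def assess(lines, per_ip_limit=5, per_site_limit=50):
    """Compare a per-IP threshold with a per-site aggregate threshold."""
    report = {}
    for vhost, ips in login_posts(lines).items():
        total = sum(ips.values())
        report[vhost] = {
            "attempts": total,
            "distinct_ips": len(ips),
            # Addresses a per-IP block rule would catch
            "ips_over_limit": sorted(ip for ip, n in ips.items() if n > per_ip_limit),
            # What only the per-site aggregate reveals
            "site_under_attack": total > per_site_limit,
        }
    return report

def sample_log():
    """Constructed sample: 40 addresses x 2 attempts on one site, one normal login on another."""
    ts = "[16/Jan/2014:10:00:00 -0600]"
    lines = [
        f'blog.example 198.51.100.{i} - - {ts} "POST /wp-login.php HTTP/1.1" 200 3120'
        for i in range(1, 41) for _ in range(2)
    ]
    lines.append(f'shop.example 203.0.113.7 - - {ts} "POST /wp-login.php HTTP/1.1" 302 0')
    lines.append(f'shop.example 203.0.113.7 - - {ts} "GET /wp-admin/ HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    for vhost, row in assess(sample_log()).items():
        print(vhost, row)
```

In the sample, no single address exceeds the per-IP limit, yet the site-level count clearly shows the login page being hammered, which is why a challenge in front of the login page scales better than an ever-growing block list.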

We don’t yet know if we will deploy this server-wide or if we will do it on an account-by-account basis. But it is becoming clear that we are going to have to deploy this system in some capacity.

If you see this dialog box pop up on your WordPress admin panel login screen, don’t be alarmed. It is a mitigation solution to stop this WordPress login attack.

We do apologize for having to deploy this, but if we do nothing this attack is just going to continue to undermine server performance for your site and all of the other sites on our web hosting servers.

Steven


[General] Software End of Life


Tuesday, October 15th, 2013 - General

Some of you may have recently received a notice from us regarding the end of life for PHP 5.2. If your account is using PHP 5.2, then you would have received this notice (most of our user accounts are running PHP 5.3, so this notice only went out to a small subset of our client base. Don’t be alarmed if you didn’t get a notice). We have received a lot of questions from users regarding this. Most of them center around users who want to keep using their outdated scripts that are not compatible with PHP 5.3 and higher. That is a bad idea, and I hope to answer some of the questions as to why in this post.

What is End of Life?

Over time software reaches a point where it cannot be patched any more. Commonly used hardware changes, end-user expectations change and you just can’t “fix” software to account for all of that. When that happens, software has to be rewritten. If you’ve ever wondered why Microsoft releases a new version of Windows every few years, this is precisely why. Windows XP was a great product. But they just can’t keep adding to and patching Windows XP for all eternity. Eventually the developers at Microsoft take what was good about Windows XP, optimize that, add new features and release an updated operating system with better and more efficient code that works better with updated hardware and with end-user expectations.

All of this leads to software going end of life. Microsoft and other companies cannot support software forever. As far as they are concerned, they have released an updated and better version of their software, and end-users should upgrade or switch to that product. Support for these old pieces of software eventually dies off. That software goes “end-of-life”.

Why is End of Life Important?

End of life means that the software no longer has any support. It’s no longer being developed. It’s no longer being cared for or cared about. Deficiencies found in the code of end-of-life software are met with shrugs and “who cares” responses from the developers. As far as developers are concerned, they have moved on to another project and updated code and only worry about maintaining that.

Take PHP 5.2 for example. It’s possible that a new root level security hole could be uncovered in PHP 5.2. This security hole could be extremely nasty, making it very easy for any would-be malicious user to instantly gain root level or escalated privileges on the server through this security hole. If this were to happen, do you know what the developers for PHP (http://www.php.net) would do? Nothing. They would shrug their shoulders and say “well, you shouldn’t be using PHP 5.2 anyway.” This is why using end-of-life software, especially in a web environment where the applications and content are easily accessible to any user, is a dangerous idea. Monitoring for security holes in end-of-life software is very low, because it is end of life and not supposed to be used. So an exploit may be found and may not reach the mainstream community until months have passed.

Users that use Windows XP, you should be aware that your end-of-life is quickly approaching. Support for Windows XP ends on April 8, 2014. After that date there will be no more patches and no more support for Windows XP. If a security hole is found in Windows XP after April 8, 2014, it will be met with a shrug and a whimper from the developers at Microsoft.

Now, if you have a computer that is not connected to the Internet and you continue to run Windows XP, this is less of an issue. The computer is not easily accessible to just any user. Only certain people would have physical access to the computer and by doing that you can have a basic audit of who is using the system. You can’t have that audit in a web application environment. If it’s on the Internet, then anyone with an Internet connection conceivably has access to it. End-of-life means more when you cannot audit and restrict who has access to the system.

What if I don’t want to upgrade?

There’s really no tactful way to answer this question. You have to upgrade or stop using that product or run the risk of being compromised. Those are your only 3 options once a product reaches its end of life. If you continue to run Windows XP after April 8, 2014 and your computer gets infected via a security hole, you cannot go to Microsoft and complain to them about not fixing that security hole. Or at least you cannot be surprised when they don’t offer a solution (other than upgrading to a supported version of Windows).

I understand that some software may not offer free upgrade paths. Microsoft Windows is like this. Just because you bought Windows XP doesn’t mean that you get a free copy of Windows 7. Whether that is right or wrong or the ethics involved, that’s not for me to say. But that is an understanding (or should be an understanding) that you have when you purchase Windows XP. You should be aware that you will eventually have to pay for a Windows upgrade at some point when Windows XP goes officially end-of-life.

vBulletin may be a web application that many users use that may also be affected by this (I’m not really sure what their upgrade procedure is; I know it is a commercially licensed piece of software, but I do not know if you have to purchase each subsequent major vBulletin release). But this is something you need to find out before you purchase any software. What is the life cycle of that software? How long will that software be good for? Will I have to pay to upgrade to the next version when the life cycle of this particular product ends?

The good thing about free software is that it’s free to begin with and free for the upgrades. For example, Ubuntu – a popular end-user Linux distribution, is a free operating system. Ubuntu 10.04 was released in April 2010 and went end-of-life in May 2013. Ubuntu 10.04 is no longer supported by the Ubuntu developers. But when Ubuntu 10.04 was released in April 2010 it was free. When Ubuntu 12.04 was released in April 2012, it was also free. Users of Ubuntu 10.04 had to upgrade to Ubuntu 12.04 prior to Ubuntu 10.04 going end of life.

I can understand people’s frustration at having to rebuy software for upgrades. I’m not sure how a lot of commercially available web applications approach this (like vBulletin). I encourage you to discuss this with the developers of those applications if you believe it is unfair for them to charge you for an upgrade. The fairness of that issue is really beyond the scope that I am after in this post.

I’m also not going to argue that some of the upgrades, upgrading from one major version to another, can be difficult. That is very, very true. But again, that’s an issue that needs to be discussed between you and the developer of the software. People tend to not look at this issue or the upgrade cost issue in a web application; they seem to think that they can install it on their website and it will be good forever. That’s just not the case. That is a myth. Because web applications are freely accessible to any user with an Internet connection, keeping them up to date and secure is even more important than on any isolated system where an end-user accessibility audit can be done.

So all of that is the importance of why end-of-life matters. Because some of our servers continue to run PHP 5.2 and because PHP 5.2 is end-of-life, that can be a problem. If you are using a script that still requires PHP 5.2, then I’m sorry to say, but you’re really using software that is also end of life and that is leaving you vulnerable to being exploited and hacked. The security of our servers is important to us. Protecting your data and the data of every user on the server is important to us. That is why we are stressing the importance of this end-of-life notice.

Steven


[General] Yahoo! spamcop listing


Thursday, October 3rd, 2013 - General

We are receiving several support tickets from users complaining about Yahoo! users being unable to send them emails. Please be aware that Yahoo! currently has several of their IPs listed in Spam Cop, a spam blacklisting service.

Users are reporting bounce back messages that say something like:

Remote host said: 550 Blocked – see http://www.spamcop.net/bl.shtml?98.139.213.138

Please understand there is nothing we can do about this. This is an issue between Yahoo! and Spamcop. Apparently from what we have been able to find, a Yahoo! user exploited their services to send out spam messages and they hit a spam trap email address (a spam trap address is an email address that exists only for the purpose of collecting spam. Any mail that is received at a designated spam trap address is unsolicited).

I would encourage any Yahoo! user that is affected by this to voice their concerns with Yahoo! Finding a contact link for Yahoo! is difficult, so it would seem that Twitter might be the best way to contact them concerning this. You can find Yahoo’s Twitter account at @YahooCare.

Nobody likes to receive spam and it would appear that Yahoo!’s policies make it far too easy for spammers to use their network to send out unsolicited messages.

Steven

Update: October 3, 2013 1:17PM CDT The latest link of information on this can be found here. Apparently Yahoo! is blaming Spamcop and Spamcop is blaming Yahoo! so it may be a while before this is resolved.


[Updates] WordPress 3.6.1 released


Monday, September 16th, 2013 - Updates

Last week, WordPress released an update to their WordPress blogging platform, version 3.6.1. This is a security release. It fixes some very nasty bugs from previous versions of WordPress.

All WordPress users need to update to version 3.6.1. Failing to do so can cause your account to be hacked and compromised. You should also take this time to update any themes, plugins, or other components that are a part of your WordPress script.

For release notes and information regarding this release see:

http://codex.wordpress.org/Version_3.6.1

Steven – AMS Support


[Security] Joomla! JCE component hack


Thursday, May 30th, 2013 - General, Security, Updates

We have seen a flurry of accounts being hacked due to outdated Joomla! Content Editor components (JCE). Because of this we have made the decision to go through all of our servers and remove/disable all outdated JCE components.

The reason for this is that accounts with outdated JCE components are being hacked into, compromised, and used to send out spam. This affects the integrity of our servers, and it is not fair for other users on the server who are keeping their scripts and components up to date to have to deal with a server that is blacklisted for sending out spam.

It seems that a large portion of our users are unable or unaware of the need to keep their scripts, components, plugins, extensions, and themes up to date. Disabling these outdated JCE components will hopefully bring to light why it is so important to keep things up to date.

The latest version of the Joomla! Content Editor (as of May 30, 2013) is 2.3.2.4. If you are not using 2.3.2.4 then your version is outdated and potentially dangerous. That is why it has been disabled/removed. The website for the Joomla! Content Editor is:

http://www.joomlacontenteditor.net

We wanted our users to be aware of this.

Steven