[Security] Joomla! Security Concerns


Saturday, February 6th, 2010 - Security

I have seen an increase in the number of exploited Joomla! scripts on our servers. This exploit may be through an extension, component, or addon for Joomla! but I am seeing a lot of outdated Joomla! scripts on our servers.

I am going to go through our servers in the next few days and look for outdated Joomla! scripts. You may receive an e-mail notice with this information.

It is important that you have your contact information up-to-date so that you can receive this notice and any other notice. To ensure that your contact information is up-to-date with us, use the Update your Contact Information link at:

http://www.amshelp.com

If you know for certain that you have Joomla! installed on your account, now might be a good time to make sure that it is being kept up-to-date. If you have any extensions, components, or addons for your Joomla! script make sure they are being kept up-to-date as well.

For information on how to update your Joomla! script see:

Upgrading a Joomla! installation

Attention Fantastico Users: If you installed Joomla! through Fantastico, you can upgrade your Joomla! script through the Fantastico interface in your cPanel.

The latest version of Joomla! is version 1.5.15. I am seeing a lot of Joomla! installations based on the Joomla! 1.0.x tree. Please understand that the Joomla! community is no longer supporting Joomla! 1.0.x. You can read more about this from their blog post.

Fantastico is still distributing the Joomla! 1.0.x tree. We are going to look into disabling this because Joomla! 1.0.x does not need to be used. If you are installing Joomla! please install from the 1.5.x tree. Currently there is not an upgrade mechanism in Fantastico for updating a Joomla! 1.0.x install to the Joomla! 1.5.x tree. If you are using Joomla! 1.0.x then you need to upgrade to Joomla! 1.5.15; the Joomla! community has some instructions here.

If you have questions regarding Joomla! and how to upgrade your install, I would highly recommend that you visit their forums:

http://forum.joomla.org

because they will have a much, much better understanding of their software than we will.

It may become necessary to disable Joomla! scripts if they are not updated. If you do not have your contact information up-to-date or if you ignore our notices to update your Joomla! script, then we may have no choice but to disable the scripts. A vulnerable Joomla! script affects the entire server and we must consider the security of the overall server.

For updated posts concerning this, click here.

Steven


[Security] FTP Notification Messages


Monday, December 14th, 2009 - Security

Lately we have received a few messages from concerned users about the FTP Notification messages (mentioned in this post) and about the messages coming into the mail Inbox. First, let me state that the messages are for your information. In the past week or so we have had about 10 issues raised where users experienced hacking or malicious code being placed on their website, and these were all traced back to unauthorized FTP access. I cannot stress enough that had the users received these FTP notification messages, then some of these issues may have been avoided.

The purpose of the FTP notification messages is to let you know when someone accesses your account through FTP. Since the system cannot know what is legitimate and what is not legitimate, notices are always sent (once per hour, per IP, per FTP username). Reviewing these messages can greatly help you identify when your FTP information has been compromised. When you receive one of these notices and you know for a fact that you have not accessed your account via FTP, then this should set off alarms that something may be going on with your account.

With all of that being said, if you feel that the messages are cluttering up your Inbox, I recommend that you set up an e-mail filter or rule to deliver those messages into a separate folder in your e-mail program. Then review that folder and those messages on a regular basis. For information on how to set up an e-mail rule using Windows' new Windows Mail program see:

Organize e-mail using rules and folders

For example, you could set up a filter such that if the Subject line contains FTP Connection Alert – then move that message into a new folder named FTP Connections.

Setting up the filter is not really recommended because we feel it is best to be informed as soon as possible when there is a potential unauthorized FTP login. Setting up a filter may cause you to not recognize the login as soon as you would if it were delivered to your main Inbox. Still receiving the messages and filtering them out at least gives you a log of the incidents.

You can also find information for setting up filters for Outlook, Outlook Express, and Thunderbird.

Steven


[Security] FTP Notification System


Wednesday, October 28th, 2009 - Security

AMS is proud to introduce a new feature for all of our cPanel accounts. Now you will be notified whenever someone logs into FTP on your account. You will be notified via e-mail at the contact address you have specified on your account. For information on updating your contact information, see our previous post on this topic.

Below we have addressed some frequently asked questions regarding this system.

Why did you start this system?

Lately we have been seeing a lot of accounts becoming compromised due to FTP hijacking. Somehow, some way, hackers learn your FTP login credentials. They then FTP into your account and upload malicious material or deface your website. Common ways that hackers obtain this information are malware on an end-user’s computer and outdated scripts installed on a website. While this system will not prevent these hackings, it will notify you whenever someone accesses your FTP account, and can therefore alert you to unauthorized access.

How am I notified?

Notifications are sent to the e-mail address or addresses you have set up as contact addresses on your account. You should ensure that this information stays up-to-date so that you can be aware of any unauthorized access. If you do not have a contact address set up or if your contact address is set to an e-mail address that you no longer check, then you will not be notified of FTP connections on your account.

The message that you will receive will look something like:

FTP Notification Message

The Time, IP, and FTP User may differ.

I just received an FTP notification message, should I be worried?

That depends. Did you or someone you have authorized recently connect to your FTP account? If you recently logged into your FTP account, then this is a legitimate FTP login; you should not be alarmed by the message and can safely ignore it. Because the system cannot determine what is a legitimate FTP connection and what is not, a message is sent for all FTP logins (hackers and malicious users do not log in any differently than you do).

If you have given your FTP information out to someone else or if you have other FTP users on your account, then you will be notified when they log into FTP. Again, you have to be the judge of whether or not that login is legitimate.

One key piece of information to look at is the IP address in the FTP notification:

IP: xx.xx.xx.xx (US/United States/-Hostname-)

This gives the IP address, the hostname that the IP address resolves to, and the country that is associated with that IP address. If the country is a foreign country and nobody from a foreign country should be accessing your account, then this might be cause for concern. The hostname can usually be used to identify the ISP associated with the connecting user; again, this can help you identify whether or not a connecting user is legitimate. This should not be used as the sole arbiter for determining legitimacy of a connection, but it can play a role.

How do I know if a login is legitimate or not?

Again, this depends. Have you given your FTP login credentials out to anyone? Is anyone else supposed to be making changes to your website? You, as the owner of the account, are the only person that can make that determination. If you have other individuals that are supposed to be accessing your account, you may want to contact them and see if they have recently accessed your account via FTP.

I am seeing a lot of FTP connections from my IP address, but I am not FTPing into my account.

Do you have any automated systems that automatically connect to your account? For example, do you have an automated system that automatically uploads webcam images to your account? Any type of automated system that logs into your FTP account will register as an FTP login. If this is the case for you, then you can safely ignore these messages.

Are Virtual FTP users also notified?

Yes, virtual FTP users are also included in this notification. Virtual FTP users are FTP usernames that are identified as someuser@yourdomain.com. If someone logs in with one of these FTP usernames, you will receive an FTP notification message.

I connect to my FTP account several times a day, won’t this fill up my Inbox?

The system is designed to only send a notice once an hour per FTP user per IP address. This means that if you first connect to your FTP account at 8:11, then you will receive an FTP login notification. If you login from the same computer (same IP address) as the same FTP user at 8:26, 8:37, and 8:43 you will not receive a notification for those logins. You won’t receive another FTP login notification until 9:11.

Keep in mind, the purpose of this system is to keep you informed so that you will know if any unauthorized FTP activity is taking place on your account. In order to perform this service, the system has to notify you of every unique FTP login. The system cannot know who is authorized and supposed to be accessing your FTP and who is not (no matter how smart they try to make computers).
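The once-an-hour throttle described above, worked through as an added example (this is not AMS's notification code). The event tuples, addresses and function name are constructed for illustration, and the window is assumed to run from the last notice sent, which matches the 8:11 to 9:11 timeline.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "once an hour per FTP user per IP address"

# Constructed sample login events (time, FTP user, source IP); not real log data.
SAMPLE_LOGINS = [
    ("2009-10-27 08:11", "someuser@yourdomain.com", "192.0.2.10"),
    ("2009-10-27 08:26", "someuser@yourdomain.com", "192.0.2.10"),
    ("2009-10-27 08:37", "someuser@yourdomain.com", "192.0.2.10"),
    ("2009-10-27 08:43", "someuser@yourdomain.com", "192.0.2.10"),
    ("2009-10-27 08:50", "someuser@yourdomain.com", "198.51.100.7"),
    ("2009-10-27 09:11", "someuser@yourdomain.com", "192.0.2.10"),
]


def throttle_notifications(logins, window=WINDOW):
    """Split logins into those that trigger a notice and those suppressed.

    Returns (sent, suppressed): `sent` is the list of events that produce an
    e-mail; `suppressed` maps (user, ip) to the number of logins that fell
    inside an open window and therefore produced no e-mail.
    """
    last_sent = {}   # (user, ip) -> time of the last notice for that pair
    sent = []
    suppressed = {}
    for stamp, user, ip in sorted(logins):  # this timestamp format sorts chronologically
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        key = (user, ip)
        previous = last_sent.get(key)
        if previous is None or when - previous >= window:
            # First login for this pair, or the hour has elapsed: notify.
            last_sent[key] = when
            sent.append((stamp, user, ip))
        else:
            # Same user from the same IP inside the window: no e-mail.
            suppressed[key] = suppressed.get(key, 0) + 1
    return sent, suppressed


if __name__ == "__main__":
    sent, suppressed = throttle_notifications(SAMPLE_LOGINS)
    for event in sent:
        print("notify:", *event)
    for (user, ip), count in suppressed.items():
        print(f"suppressed: {count} login(s) by {user} from {ip}")
```

The login from a second address at 8:50 produces its own notice because the throttle key includes the IP; the three repeat logins from the first address do not, so the notices are a summary of activity and not a complete login record.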

The Time of the FTP connection appears to be off.

While it is possible that the e-mail notification could be delayed somewhere along its way to you, you may want to look at the time stamp on the FTP connection:

Time: Oct 27 13:02:12 CDT

The Time is stamped with the timezone of the server; in this example CDT (Central Daylight Time) is used. If you are living in London, GB, then you are likely running on GMT. CDT is 5 hours behind GMT, so while it is 13:02 CDT it would be 18:02 GMT. Once converted, the time may line up with your own clock.

Can I filter these messages out so as to not clutter my Inbox?

While this isn’t recommended, this can be done. See our post concerning this matter.

As always, any questions or concerns can be raised by submitting a support ticket at:

http://www.amshelp.com

Steven


[Security] WordPress Update


Saturday, September 5th, 2009 - Security

I am seeing some reports of some issues with older versions of WordPress. Apparently there is a large hack going around that is affecting WordPress scripts that are not up-to-date. The latest version of WordPress is version 2.8.4. If you are not using WordPress 2.8.4, it is highly recommended that you upgrade.

For more information on this hack, see this WordPress blog post.

We always try to stress the importance of keeping scripts up-to-date and this hack underlines the importance of this. If you don’t believe that keeping your scripts up-to-date is a good idea, then I encourage you to read the following post directly from the WordPress Developers:

http://wordpress.org/development/2009/09/keep-wordpress-secure

Steven


[Security] FTPeS Trial Suspended


Thursday, July 9th, 2009 - Security

The FTPeS trial has been suspended.