Needless to say it’s been an interesting 20 days for us on the Shared Web Hosting front as we’ve been playing detective trying to track down a hacked website that’s been spewing out UDP data over the internet attacking other sites and servers.

Due to the nature of Shared Web Hosting there’s always a chance a site will be hacked because a WebMaster or owner haven’t:

1. updated the latest security patches
2. kept on top of the latest updates for posted vulnerabilities for their CMS or
3. simply left open file permissions set to 777

allowing anyone to gain access to their hosting environment. And because it’s all shared it means that everyone on the server is affected with downtime, slow internet or potentially [*bites hand*] data loss.

It’s like leaving the front door to your home wide open with an invitation to criminals to help themselves.

You wouldn’t do it at home so why do it to potentially your next most valuable asset… your business.

20 Days – What took so long?

In a shared hosting environment with many sites on a server it makes finding the culprit (in this case a client’s hacked website) very hard to find especially when the infected site is shooting out DDOS attacks at random times of the night.

It’s like trying to find a needle in a haystack and someone keeps moving the haystack and turning out the lights. On top of that the tricky hackers cover their tracks by removing any log and temporary files they may have created in the process further complicating things.

So we were left with the best chance we had of solving the case [*puffs on pipe*] is to actually catch them in the act. Elementary my dear Watson, elementary.Or is it?

Here’s an example of data snippet we managed to catch of a temporary file being deleted while the entire DDOS process was still running

# lsof +p 31256
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF       NODE NAME
perl    31256 ********  300u   REG   0,27        0    1954057  (deleted)/tmp/ZCUDfn9JbR

WordPress Hacked - Who, What, and Why me?

The Who – One of our Reseller’s customer’s WordPress website was hacked.

The What – Not because WP wasn’t secure in this case but because there was an exploit found in a WP plugin called Timthumb.

It’s used to re size thumbnail images. The exploit allowed any site visitor who knew of  the plugin’s existence to upload files to a directory in your hosting space i.e. /uploads and then run malicious code – in this case the code was a script called phpRemoteView (there are many others that go by different names and Mark Maunders blog covers the Timthumb hack and a variant of phpRemoteView.

Here is the link to his blog discussing the vulnerability in more detail Technical details and scripts of the WordPress Timthumb.php hack. You can find one of the potential solutions (for non technicals) on the WordPress website.

There’s a plugin that can help scan for the Timthumb exploit and help update to a patched version – it’s called Timthumb Vulnerability Scanner.

An excellent  hack resource blog for PHP, Java & many other hacks is at Red Leg.

By no means are the 3 links above a complete solution as some hackers are craftier than Better Homes & Gardens and will modify their code so it’s harder to find (which is what we faced in our case).

Why me - because they can.

It’s fun for them and if they hack the right site there may be credit card or confidential customer data they can use in identity theft and these are just two reasons why hackers do what they do.

2,000 GB of data & $4,000 later

So what am I really getting at here?

As mentioned it’s been an interesting 20 days. We’ve had one of our shared plesk servers being used to perform  a Distributed Denial Of Service (short for DDOS) attacks on other servers around the globe.

Not to worry. The culprit site has since been identified and shut down and will be receiving a hefty data over usage invoice for roughly 2,000 GB of excess data that the infected site has been spewing out over the internet for close to 20 days now.

That’s not including the amount of time spent tracking down the hacked site. How much is that in $$? It’s roughly $4,000 of data wasted in the last 20 days. 100 GB per day on average.

Are You At Risk? Who’s Responsible For Your Site?

The simple nature of shared servers is that they make it relatively inexpensive to host a website as you share some of the server resources; Storage, CPU & day-to-day running costs with others on the same server – spreading the costs over many users.

While there is a great cost saving this is always at the expense of security which can and will effect your up time & potentially loss of data because as in today’s example a site was hacked due to lack of proper maintenance by the owner or Webmaster.

Like regularly servicing your car if it’s a crucial part of your day-to-day operations you would be a fool not to look after it and make sure its running smoothly.

So yes – in short you’re at a higher risk if by sharing the same server with many others (sounds great from the outset right?).

There will always be higher risks that could lead to much larger costs and a headache to match it so you need to carefully assess if you’re really in front when you get slapped with a $4,000 invoice.

In Summary if you’re on a Shared Server:

• There are higher risks in a shared hosting environment; and
• Ultimately it’s your responsibility

A little about VH Shared Hosting

We like to cap our shared hosting servers at roughly 100 domains. That’s 100+ X less than other providers who try to cram in as many clients (usually upwards of 1,000) onto the same server to maximise their profits.

Not us.

We limit the number of domains to keep the servers punchy and provide a premium service.

We secure the server back end by closing unneeded ports using self adapting firewall rules and restricting root access to the server by removing the ability to run unsafe scripts.

Our Geeks proactively update OS & Plesk CP to the latest versions to safeguard your environment.

We could of course completely restrict most websites to only basic functions and features to secure the server but this won’t work for all shared hosting customers. As a client you expect a little flexibility to be able to run the latest WordPress, Joomla or eCommerce package and provide a greater visitor experience to your clients with special features or functions of your site.

So at the end of the day the responsibility rests with the site owner to ensure their site is secure and up to date; not just for your own business but for all the other users you share your server with.

Decisions, Decisions

Where do I go from here?

Here’s a few questions to work out if your business is better off on a Dedicated Virtual Server (DVS) instead of a shared server:

Step 1. Ask yourself the following questions.

1. Does my business rely heavily on maximum up time of our website?
   
   NoYes
2. Would my business lose money if the site is down due to hacking?
   
   NoYes
3. Do we store confidential client data like First & Last names, Physical addresses, Phone Numbers or other personal information?
   
   NoYes
4. Is our site secured with an SSL certificate to encrypt data between the site and visitors’ computers?
   
   NoYes

Answering YES to the majority of questions above means you should be seriously considering a managed DVS solution. Hacks happen. They happen ALL the time. It’s a matter of WHEN your business may be affected.

Reach out and speak with one of our Geeks about keeping your business online & secure with a tailored DVS solution.

Simply click on the MAX UP TIME button below to touch base with our super Geeks.

]]> http://www.velocityhost.com.au/cloud-hosting/wordpress-security-hack-thumb-php-phpremoteview/feed/ 0 http://www.velocityhost.com.au/cloud-solutions/click-frenzy-keeping-your-website-online/?utm_source=rss&utm_medium=rss&utm_campaign=click-frenzy-keeping-your-website-online http://www.velocityhost.com.au/cloud-solutions/click-frenzy-keeping-your-website-online/#comments Tue, 27 Nov 2012 10:33:31 +0000 Gerardo Altman http://velocityhost.com.au/?p=4408 The “Click Frenzy” Problem

It’s been a few days now and the dust has finally settled on the hype surrounding the Click Frenzy success (and failure). Reading many articles from SmartCompany through to Sydney Morning Herald they all tend to agree on one extremely important aspect of the Click Frenzy – it’s that retailers & brands were far from prepared for the massive surge in traffic that bought the Click Frenzy site to its knees. Partnered sites were also underprepared and shoppers’ experience was slowed to a crawl.

Why does this matter?

Excerpt from SMH

MelbourneIT had bots monitoring availability and response times for 153 websites that participated in Click Frenzy. Between 6pm and midnight on the 20th “about two thirds of the participating sites had issues, which is not good”, Melbourne IT CTO Glenn Gore said.

Gore said some sites took “minutes to load a page” and Myer was the worst performing, followed by other big brands like Dick Smith, Jeans West, Katies, Quicksilver, Kogan and Universal Music. He said big international retailers had response times in the milliseconds indicating the local brands just weren’t investing enough in technical…”

In response to claims by event organisers that they were prepared for 1 million users, Gore said “the evidence says they weren’t”.

“What the data shows is that significant numbers of Australian consumers wanted to take advantage of these sales and they couldn’t because the sites couldn’t respond; they were either generating errors or just so slow that they were unresponsive.”

“Several technical experts told Fairfax the Click Frenzy organisers and some participating retailers used software and technology platforms that were widely known to be incapable of handling the demand. Read more from SMH…

The article continues to provide quotes from Click Frenzy and others that only solidifies that very few of the retailers where prepared for the influx of site visitors.

WHAT’S THE LESSON?

How To Keep Your Website Online

Surviving such traffic bursts doesn’t need to cost you the world, nor do you need to be extremely versed in “technical”. Here’s How To Keep Your Website Online. 

Have you ever heard of reverse proxy caching?

For those who haven’t heard of the term it’s a simple solution that caches a copy of your website’s text, images, videos & other static content on multiple servers across different networks located in different geographical locations spreading the front-end load created by visitors downloading your content every time they visit a page on your website.

Where can I find it? 

It’s called CloudFlare and available from VH for any of our new Shared Web Hosting packages, VPS & DVS.

 How it Works

This helps by taking the load away from your web hosting server (VPS) or shared web hosting environment and moving it away from your host’s network, spreading the load across multiple networks and only hitting your site again for fresh or dynamic content.

• Websites can perform up to 100% (2 x) faster
• Be safeguarded from hackers, spammers & DDoS attacks
• Have high traffic loads rerouted to other servers & networks to help spread the load and keep your site up without lifting a finger

This is all delivered on much larger internet connections than most Web hosts offer and for a very low cost per website.

How Much?

VH offers it FREE for websites that don’t require an SSL certificate.

Want to know more? 

Check out our post CloudFlare – Secure, Fast & Easy | New (VH) Partner and watch the 1 min video, or if you’re interested in knowing how to keep your website online during high surges in traffic, take a closer look at our CloudFlare overview page where you can see some of the features available.

Classic example of size

Australian population (23 million people) -versus- American population (313 million people!).

These guys are used to high loads! What do they use?

How Storify in the US used CloudFlare to handle their click frenzy…

Social Media Storify 

Storify helps its users tell stories by curating social media. Storify sees huge spikes of traffic during major events around the world, like Hurricane Sandy or the U.S. presidential election. 

“Thanks to services like CloudFlare, we can scale Storify to more than 24 million story views per month with only 3 engineers,” said Xavier Damman, co-founder and CEO of Storify.

During Hurricane Sandy, CloudFlare saved Storify more than 75 million requests and over 470 GB of bandwidth.

“Having CloudFlare save these requests has enabled us to stay online and keep up with the surges in traffic due to significant news sharing during Hurricane Sandy,” said Xavier. Read full blog post here.

Earlier this week under the cover of darkness in the early hours of the morning our nerds uploaded some very cool updates to VH Cloud Automation services, we think you’ll love some of these new features that will make your life just that litte bit easier.

Resellers

PayPal Adaptive:

Cloud Automation resellers can now use the NEW! PayPal reoccurring payments plugin called PayPal Adaptive. The Plugin in a nutshell allows for Resellers to debit their clients’ accounts or credit cards – whatever is linked to the clients PayPal account on a reoccurring basis monthly, quarterly, half yearly & yearly.

How It Works:

• On a customer’s first purchase they are redirected to the PayPal website where they pay for the order and sign an agreement that approves automatic charges.
• Cloud Automation stores the agreement ID as a regular payment method and charges the customer using it automatically.
• Customers may purchase future additional services using the same agreement from the online store without any further redirects to PayPal.

To activate the new PayPal Adaptive plugin simply navigate to the following area in RCC > Commerce Director > Online Payments > Payment Plug-ins > New Plugin > Select PayPal Adaptive Payments from the drop down list, provide a name for the Plugin > Next and configure according to the built in HELP located top right of the current Window.

Improved Integration with Parallels Plesk Panel:

The following new, additional options are now available in Cloud Automation for Plesk Domain hosting plans in RCC: 

• PHP settings per hosting plan including performance settings, such as memory limit and common settings, such as safe mode. 
• Selection of a mail server that should be used for Linux shared hosting (previously the option was available only for Windows shared hosting plans). 
• Default log rotation settings. Available options are “by date” and “by size“. 
• New web statistics engines: SmarterStats and Urchin. 

‘Show in CP‘ and ‘Show in Store‘ controls have been added to the Applications TAB in Plesk Domain and Plesk Client hosting plans. After our recent upgrade the default controls for Applications in existing plans will be set to “Yes“. Please modify your plans if you wish to apply different settings.

Assign Custom Script to Reseller’s Events

For security reasons, resellers were not allowed to assign a custom script to events. 

From now on, the provider (that’s us) can assign custom scripts to reseller events!

Improved Custom Attributes 

• It is now possible to set translation for attributes’ names. 
• The new “description” field has been added to the attributes’ details. It’s also a multi-language field. 
• The attribute description is displayed in the online store and customer Control Panel. 

Resellers & B2B’s

EPP Auth Code Retrieval  

Customers can now request from their CP - Control Panel the registered domain’s Auth Code required for domain transfer to another registrar, right from their Control Panel.

The Auth Code is sent to the Registrants (domain owner’s) e-mail. The Send Auth Code button is shown in CP on the domain General Information TAB. 

Resellers – In RCC the “Send Auth Code” button is always shown under Service Director > Domain Manager > Domains, in the domain General Information TAB. 

This new feature is enabled by default.

Ability to Recreate a Container from Customer Control Panel

Customers can recreate Containers (VPS/ DVS) from CP – Control Panel with the ability to change host Operating System during recreation process. This option has always been available from RCC for resellers but it’s now available for all customers via their CP. (above image) 

An example of this feature in action: 

• Customer had broken his/her installation by reinstalling a wrong set of RPM packages and wants to recreate the server from scratch; he/she can do this without the need to request from provider. Thus, this feature reduces support costs. 
• Customer purchased the server with wrong OS or architecture, for example ordered CentOS 5 x86 and then realized that CentOS 6 x86_64 is needed for the specific software he/she is planning to deploy. Again, customer can recreate the server with the required OS without the need to contact provider support team. 

Please note that customers data is deleted when container is recreated.