MDDHosting Forums: [Important] Keeping your Script Installations up to date is critical!


[Important] Keeping your Script Installations up to date is critical! WordPress, PHPBB, vBulletin, WHMCS, IPB, Drupal, Joomla, etc...

#1 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 10:29 AM

It is extremely important that you keep any and all script installations in your account up to date such as WordPress, Drupal, vBulletin, etc... When these pieces of software are updated by their developers, more often than not, security patches are included and exploits are closed. This particular notice is concerning outdated WordPress installations.

Across our network over the last week we have seen a large number of outdated WordPress installations that have been compromised for the purpose of uploading a phishing site and/or a spam script. Phishing is a serious issue and is something that we take very seriously. We've audited our servers and server security both internally and externally and have determined that the security issue lies with the outdated WordPress installations themselves and not a server-wide issue. The latest WordPress version as of this post is 3.2.

We ask that you, at this time, do please check all scripts that you have installed in your account to ensure that they are up to date. With WordPress it is as simple as logging into your WordPress dashboard as you will see a notice at the top letting you know if there is a new version available. For updating WordPress you can reference this short guide: Updating WordPress (Text Tutorial) or this video tutorial: Updating WordPress (Video Tutorial).

Do keep in mind that by not updating your software installations you risk your account being used without your permission by hackers and other malicious users and that you could end up with your account suspended due to malicious misuse of your account. We do realize that this misuse would not be intentional or even conducted by yourself, however, we cannot allow our services to be used knowingly or not for illegal purposes.

As of this post here are the statistics for our standard Shared and Reseller servers. Keep in mind that these are just WordPress installations alone.

Echo Server:
Total Installations: 1351
Out-of-date Installations: 1257 (93%)

Fresco Server:
Total Installations: 1068
Out-of-date Installations: 932 (87%)

Gemini Server:
Total Installations: 702
Out-of-date Installations: 513 (73%)
Michael Denney - MDDHosting, LLC - Professional Hosting Solutions
LiteSpeed Powered - Shared, Reseller, Semi-Dedicated, and VPS
Incremental R1Soft CDP Backups on all shared, semi-dedicated, and VPS services!
http://www.mddhosting.com/ - Follow us on Twitter!

#2 fshagan

  • Member
  • Group: Members
  • Posts: 139
  • Joined: 10-January 11

Posted 11 July 2011 - 10:55 AM

Wow, I'm surprised at the number of outdated Wordpress installations. Some might be the last version (3.2 came out on July 4), but still ...

I updated all my customer's installations on the 4th. Wordpress is one of the easiest to update, as your video tutorial shows. Just click a link. I think some programs still require you to download files and FTP them into your account, and that encourages procrastination. I moved my customers to Wordpress for that reason, and recommend SMF as a forum software (it is as easy to update).

#3 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 10:58 AM

fshagan, on 11 July 2011 - 10:55 AM, said:

Wow, I'm surprised at the number of outdated Wordpress installations. Some might be the last version (3.2 came out on July 4), but still ...

The installations considered up-to-date are all 3.2.

#4 kuemerle5

  • Member
  • Group: Clients
  • Posts: 70
  • Joined: 18-October 09
  • Gender:Male

Posted 11 July 2011 - 06:14 PM

I am probably as shocked as fshagan is at the number. There's really no reason why your WordPress install should be out of date as it is pretty much the easiest platform to update on. You seriously click one button and it does everything else for you. Unbelievable...

#5 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 07:02 PM

kuemerle5, on 11 July 2011 - 06:14 PM, said:

I am probably as shocked as fshagan is at the number. There's really no reason why your WordPress install should be out of date as it is pretty much the easiest platform to update on. You seriously click one button and it does everything else for you. Unbelievable...

A lot of our customers have responded to the email with things like these:

Quote

I didn't realize it didn't keep itself up to date.

Quote

I thought I was supposed to leave that alone.

Quote

I didn't want it to quit working.

Needless to say, they all know to do it now.

#6 kuemerle5

  • Member
  • Group: Clients
  • Posts: 70
  • Joined: 18-October 09
  • Gender:Male

Posted 11 July 2011 - 07:06 PM

Well, hopefully they continue to keep their platforms updated. Don't want any of that hacking nastiness affecting other people. Wouldn't it be fairly isolated though because isn't everyone's cPanel 'home' directory readable/writable/executable by only the account owner (and root)?

#7 SnakEyez

  • Newbie
  • Group: Members
  • Posts: 17
  • Joined: 11-December 10

Posted 11 July 2011 - 07:11 PM

That's a scary statistic but not surprising. And it's not just about keeping the script up to date, but also the mods and extensions of those scripts up to date. Sometimes those can be forgotten.

#8 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 07:24 PM

kuemerle5, on 11 July 2011 - 07:06 PM, said:

Well, hopefully they continue to keep their platforms updated. Don't want any of that hacking nastiness affecting other people. Wouldn't it be fairly isolated though because isn't everyone's cPanel 'home' directory readable/writable/executable by only the account owner (and root)?

Yes, barring some major server issue an exploited account would have little to no effect on other accounts. Accounts using 777 permissions could very well end up with their data modified via a perl script or something similar but php wouldn't be able to access them even with 777 due to php_open_basedir.

#9 kuemerle5

  • Member
  • Group: Clients
  • Posts: 70
  • Joined: 18-October 09
  • Gender:Male

Posted 11 July 2011 - 07:32 PM

MikeDVB, on 11 July 2011 - 07:24 PM, said:

Yes, barring some major server issue an exploited account would have little to no effect on other accounts. Accounts using 777 permissions could very well end up with their data modified via a perl script or something similar but php wouldn't be able to access them even with 777 due to php_open_basedir.


*shudder*

*quickly executes some derivation of 'chmod -R 755 happy_place' into SSH* lol

#10 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 07:38 PM

kuemerle5, on 11 July 2011 - 07:32 PM, said:

*shudder*

*quickly executes some derivation of 'chmod -R 755 happy_place' into SSH* lol

Replace ${user} with your username:
        # Restore cPanel-style ownership on the account first (user:group form;
        # the older user.group spelling behaves the same on GNU chown)
        chown -R ${user}:${user} /home/${user}
        chown ${user}:nobody /home/${user}/public_html
        chown -R ${user}:mail /home/${user}/etc
        chown ${user}:nobody /home/${user}/.htpasswds/
        # Then normalise permissions: directories 755, files 644 (no world-writable 777)
        echo "Fixing folder permissions for account: ${user}"
        find /home/${user}/public_html/ -type d -exec chmod 755 {} \;
        echo "Fixing file permissions for account: ${user}"
        find /home/${user}/public_html/ -type f -exec chmod 644 {} \;


#11 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 08:54 PM

Updated Statistics
Echo Server:
Total Installations: 1351
Out-of-date Installations as of original post: 1257 (93%)
Out-of-date Installations as of this post: 1216 (90%)

Fresco Server:
Total Installations: 1068
Out-of-date Installations as of original post: 932 (87%)
Out-of-date Installations as of this post: 881 (82%)

Gemini Server:
Total Installations: 702
Out-of-date Installations as of original post: 513 (73%)
Out-of-date Installations as of this post: 462 (66%)

#12 fshagan

  • Member
  • Group: Members
  • Posts: 139
  • Joined: 10-January 11

Posted 11 July 2011 - 09:11 PM

Pretty good response in a short period of time, Mike. I think it's a good, proactive approach you've taken.

As SnakEyez said, it includes more than just the core script ... and in Wordpress, I would add in the theme you use as well. There is at least one exploit that uses older themes and replaces the "index.php" pages with a foreign language page and the notice "YoU HaVe bEeN HaCkeD!" (along with irritating music). That experience has led me to be more careful about the themes I install as well.

BTW - how do you determine which versions are on disk (I'm thinking of my VPS). Are you just searching for files older than a certain date, or is there a function that reports the version number of the installs?

#13 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 11 July 2011 - 09:12 PM

fshagan, on 11 July 2011 - 09:11 PM, said:

BTW - how do you determine which versions are on disk (I'm thinking of my VPS). Are you just searching for files older than a certain date, or is there a function that reports the version number of the installs?

updatedb
locate wp-includes/version.php | grep -v virtfs | xargs grep "wp_version = " 2>/dev/null | wc -l
locate wp-includes/version.php | grep -v virtfs | xargs grep "wp_version = " 2>/dev/null | grep -v " = '3.2'" | wc -l

This will output all WordPress installations and then all outdated WordPress installations (just the counts).

#14 fshagan

  • Member
  • Group: Members
  • Posts: 139
  • Joined: 10-January 11

Posted 12 July 2011 - 11:02 PM

Thanks for that linux juju!

WP is releasing 3.2.1 already, although I haven't seen it in my control panels yet:

Quote

After more than a million downloads of WordPress 3.2, we’re now releasing WordPress 3.2.1 into the wild. This maintenance release fixes a server incompatibility related to JSON that’s unfortunately affected some of you, as well as a few other fixes in the new dashboard design and the Twenty Eleven theme. If you’ve already updated to 3.2, then this update will be even faster than usual, thanks to the new feature in 3.2 that only updates files that have been changed, rather than replacing all the files in your installation.

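An added example, not code from the thread or from MDDHosting, that builds on the version check in post #13 and the 3.2.1 maintenance release mentioned in post #14: it walks a directory tree for wp-includes/version.php, reads $wp_version, and compares each value component by component against a reference release, so a 3.2.1 install is not miscounted once 3.2 is no longer current. The scan root and reference version are the only inputs; the sample tree it scans is constructed inline.

```shell
# Added example (not from the thread): inventory WordPress installs by reading
# wp-includes/version.php and count those older than a reference release. The
# thread's one-liner excludes exactly " = '3.2'", so it cannot tell 3.2.1 apart.

# Print the $wp_version value from a wp-includes/version.php file.
wp_version_of() {
    awk -F"'" '/^[$]wp_version *=/ { print $2; exit }' "$1"
}

# Exit 0 when version $1 is strictly older than $2 (3.2 < 3.2.1 < 3.10).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0; if (p > q) exit 1
        }
        exit 1
    }'
}

# List installs under $1 as "<install root> <version>"; find replaces the
# thread's locate so the result does not depend on a fresh updatedb.
wp_inventory() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while read -r f; do
        printf '%s %s\n' "${f%/wp-includes/version.php}" "$(wp_version_of "$f")"
    done
}

# Count installs under $1 older than $2; an unparsable version counts as outdated.
count_outdated() {
    wp_inventory "$1" | while read -r root ver; do
        if version_lt "${ver:-0}" "$2"; then echo "$root"; fi
    done | awk 'END { print NR }'
}

# Constructed sample tree (not customer data): 3.1.4, 3.2, 3.2.1 plus a decoy version.php.
make_sample_tree() {
    d=$(mktemp -d)
    for v in 3.1.4 3.2 3.2.1; do
        mkdir -p "$d/site_$v/wp-includes"
        printf '<?php\n$wp_version = '"'%s'"';\n' "$v" > "$d/site_$v/wp-includes/version.php"
    done
    mkdir -p "$d/other/lib" && echo '$version = "9.9";' > "$d/other/lib/version.php"
    echo "$d"
}

SAMPLE=$(make_sample_tree); wp_inventory "$SAMPLE"
echo "outdated vs 3.2.1: $(count_outdated "$SAMPLE" 3.2.1)"; rm -rf "$SAMPLE"
```

On a real server, pass the home root (for example /home) and the current release in place of the constructed tree.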

#15 kuemerle5

  • Member
  • Group: Clients
  • Posts: 70
  • Joined: 18-October 09
  • Gender:Male

Posted 13 July 2011 - 01:18 PM

Just saw this article on Softpedia. Could mean much less headaches for web hosting companies and it's just plain awesome: http://news.softpedi...es-211386.shtml

#16 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 14 July 2011 - 04:47 PM

kuemerle5, on 13 July 2011 - 01:18 PM, said:

Just saw this article on Softpedia. Could mean much less headaches for web hosting companies and it's just plain awesome: http://news.softpedi...es-211386.shtml
Very nice, but I wonder how many will disable the automatic updates due to wanting to continue running outdated plugins and themes that don't work on the newer versions.

#17 kuemerle5

  • Member
  • Group: Clients
  • Posts: 70
  • Joined: 18-October 09
  • Gender:Male

Posted 14 July 2011 - 05:11 PM

*sigh* You gotta love those plugins and themes that practice poor coding techniques and are never updated by their authors. I feel the WordPress plugin database is too fragmented and many of the plugins tailor to unneeded niche functionality. You can basically replicate a WordPress install and probably 10-15 plugins in Drupal with the core modules and a few, very well supported third party modules. I guess I would compare this situation to the iOS App Store and Android's Market. iOS apps (Drupal plugins) all act similar, look familiar, interact with iOS the way Apple intended, and generally are given more care from their authors. Android's apps (comparable to WordPress plugins), however, are sometimes fragmented in appearance, the manner in which they interact with the Android OS can vary greatly, and could just be sandbox type or proof-of-concept projects that won't be updated regularly by the author.

It's a problem that WordPress has yet to address but I feel it's an important one. They can code the WordPress core perfectly but as long as people are using outdated, insecure plugins, that will be the weak link in the chain.

#18 MikeDVB

  • Forum Administrator
  • Group: Staff Administrator
  • Posts: 1,545
  • Joined: 27-September 08
  • Gender:Male
  • Location:Central Indiana, USA

Posted 14 July 2011 - 06:13 PM

I couldn't agree more.
