Michael D. Posted July 11, 2011

It is extremely important that you keep any and all script installations in your account up to date, such as WordPress, Drupal, vBulletin, etc. When these pieces of software are updated by their developers, more often than not, security patches are included and exploits are closed.

This particular notice is concerning outdated WordPress installations. Across our network over the last week we have seen a large number of outdated WordPress installations that have been compromised for the purpose of uploading a phishing site and/or a spam script. Phishing is a serious issue and is something that we take very seriously. We've audited our servers and server security both internally and externally and have determined that the security issue lies with the outdated WordPress installations themselves and not a server-wide issue.

The latest WordPress version as of this post is 3.2. We ask that you, at this time, do please check all scripts that you have installed in your account to ensure that they are up to date. With WordPress it is as simple as logging into your WordPress dashboard, as you will see a notice at the top letting you know if there is a new version available. For updating WordPress you can reference this short guide: Updating WordPress (Text Tutorial) or this video tutorial: Updating WordPress (Video Tutorial).

Do keep in mind that by not updating your software installations you risk your account being used without your permission by hackers and other malicious users, and that you could end up with your account suspended due to malicious misuse of your account. We do realize that this misuse would not be intentional or even conducted by yourself; however, we cannot allow our services to be used, knowingly or not, for illegal purposes.

As of this post here are the statistics for our standard Shared and Reseller servers. Keep in mind that these are just WordPress installations alone.

Echo Server:
Total Installations: 1351
Out-of-date Installations: 1257 (93%)

Fresco Server:
Total Installations: 1068
Out-of-date Installations: 932 (87%)

Gemini Server:
Total Installations: 702
Out-of-date Installations: 513 (73%)
fshagan Posted July 11, 2011

Wow, I'm surprised at the number of outdated WordPress installations. Some might be the last version (3.2 came out on July 4), but still ... I updated all my customers' installations on the 4th. WordPress is one of the easiest to update, as your video tutorial shows. Just click a link. I think some programs still require you to download files and FTP them into your account, and that encourages procrastination. I moved my customers to WordPress for that reason, and recommend SMF as forum software (it is as easy to update).
Michael D. (Author) Posted July 11, 2011

> Wow, I'm surprised at the number of outdated WordPress installations. Some might be the last version (3.2 came out on July 4), but still ...

The installations considered up-to-date are all 3.2.
kuemerle5 Posted July 11, 2011

I am probably as shocked as fshagan is at the number. There's really no reason why your WordPress install should be out of date, as it is pretty much the easiest platform to update on. You seriously click one button and it does everything else for you. Unbelievable...
Michael D. (Author) Posted July 12, 2011

> I am probably as shocked as fshagan is at the number. There's really no reason why your WordPress install should be out of date, as it is pretty much the easiest platform to update on. You seriously click one button and it does everything else for you. Unbelievable...

A lot of our customers have responded to the email with things like these:

"I didn't realize it didn't keep itself up to date."
"I thought I was supposed to leave that alone."
"I didn't want it to quit working."

Needless to say, they all know to do it now.
kuemerle5 Posted July 12, 2011

Well, hopefully they continue to keep their platforms updated. Don't want any of that hacking nastiness affecting other people. Wouldn't it be fairly isolated though, because isn't everyone's cPanel 'home' directory readable/writable/executable by only the account owner (and root)?
SnakEyez Posted July 12, 2011

That's a scary statistic but not surprising. And it's not just about keeping the script up to date, but also the mods and extensions of those scripts up to date. Sometimes those can be forgotten.
Michael D. (Author) Posted July 12, 2011

> Well, hopefully they continue to keep their platforms updated. Don't want any of that hacking nastiness affecting other people. Wouldn't it be fairly isolated though, because isn't everyone's cPanel 'home' directory readable/writable/executable by only the account owner (and root)?

Yes, barring some major server issue, an exploited account would have little to no effect on other accounts. Accounts using 777 permissions could very well end up with their data modified via a Perl script or something similar, but PHP wouldn't be able to access them even with 777 due to php_open_basedir.
kuemerle5 Posted July 12, 2011

> Yes, barring some major server issue, an exploited account would have little to no effect on other accounts. Accounts using 777 permissions could very well end up with their data modified via a Perl script or something similar, but PHP wouldn't be able to access them even with 777 due to php_open_basedir.

*shudder* *quickly executes some derivation of 'chmod -R 755 happy_place' into SSH* lol
Michael D. (Author) Posted July 12, 2011

> *shudder* *quickly executes some derivation of 'chmod -R 755 happy_place' into SSH* lol

Replace ${user} with your username:

    user=yourusername   # the cPanel account name; set this before running the rest
    # reset ownership of the whole home directory, then the special-cased paths
    chown -R ${user}.${user} /home/${user}
    chown ${user}.nobody /home/${user}/public_html
    chown -R ${user}.mail /home/${user}/etc
    chown ${user}.nobody /home/${user}/.htpasswds/
    # directories 755, files 644 under the web root (never 777)
    echo "Fixing folder permissions for account: ${user}"
    find /home/${user}/public_html/ -type d -exec chmod 755 {} \;
    echo "Fixing file permissions for account: ${user}"
    find /home/${user}/public_html/ -type f -exec chmod 644 {} \;
Michael D. (Author) Posted July 12, 2011

Updated Statistics

Echo Server:
Total Installations: 1351
Out-of-date Installations as of original post: 1257 (93%)
Out-of-date Installations as of this post: 1216 (90%)

Fresco Server:
Total Installations: 1068
Out-of-date Installations as of original post: 932 (87%)
Out-of-date Installations as of this post: 881 (82%)

Gemini Server:
Total Installations: 702
Out-of-date Installations as of original post: 513 (73%)
Out-of-date Installations as of this post: 462 (66%)
fshagan Posted July 12, 2011

Pretty good response in a short period of time, Mike. I think it's a good, proactive approach you've taken. As SnakEyez said, it includes more than just the core script ... and in WordPress, I would add in the theme you use as well. There is at least one exploit that uses older themes and replaces the "index.php" pages with a foreign language page and the notice "YoU HaVe bEeN HaCkeD!" (along with irritating music). That experience has led me to be more careful about the themes I install as well.

BTW, how do you determine which versions are on disk (I'm thinking of my VPS)? Are you just searching for files older than a certain date, or is there a function that reports the version number of the installs?
Michael D. (Author) Posted July 12, 2011

> BTW, how do you determine which versions are on disk (I'm thinking of my VPS)? Are you just searching for files older than a certain date, or is there a function that reports the version number of the installs?

    # refresh the locate database, then count every version.php (skipping cPanel virtfs jails)
    updatedb
    locate wp-includes/version.php | grep -v virtfs | xargs grep "wp_version = " 2>/dev/null | wc -l
    # same, but drop installs already on the current release to count the outdated ones
    locate wp-includes/version.php | grep -v virtfs | xargs grep "wp_version = " 2>/dev/null | grep -v " = '3.2'" | wc -l

This will output all WordPress installations and then all outdated WordPress installations (just the counts).
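The same audit written as a small POSIX shell script, added here as an example and not part of the thread: it reads `$wp_version` out of each `wp-includes/version.php` the way the one-liners above do, but uses `find` instead of `locate` (so no `updatedb` is needed), copes with paths containing spaces and with an unparsable version.php, and builds its own constructed sample tree so it can be run anywhere. The "latest" version string is a parameter, not something the script looks up.

```shell
#!/bin/sh
# Added example, not from the thread: audit WordPress installs under a directory
# by reading wp-includes/version.php, the file the thread's locate/grep commands
# inspect. find replaces locate so no updatedb run is needed, and paths under a
# cPanel virtfs jail are skipped as in the original command.

# wp_version_of FILE: print the value of $wp_version from a version.php
wp_version_of() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# wp_audit ROOT LATEST: one line per install, "ok|OUTDATED <version> <dir>"
wp_audit() {
    root=$1; latest=$2
    find "$root" -path '*/wp-includes/version.php' -not -path '*/virtfs/*' 2>/dev/null |
    while IFS= read -r f; do
        v=$(wp_version_of "$f")
        [ -n "$v" ] || v=unknown          # unparsable file: still an install, flag it
        if [ "$v" = "$latest" ]; then flag=ok; else flag=OUTDATED; fi
        printf '%s %s %s\n' "$flag" "$v" "${f%/wp-includes/version.php}"
    done
}

# wp_count ROOT LATEST: print "<total> <outdated>", the two numbers the thread's wc -l runs give
wp_count() {
    out=$(wp_audit "$1" "$2")
    total=$(printf '%s\n' "$out" | grep -c . || true)
    bad=$(printf '%s\n' "$out" | grep -c '^OUTDATED ' || true)
    printf '%s %s\n' "$total" "$bad"
}

# wp_fixture: build a constructed sample tree (three fake installs plus one under a
# virtfs path that must be ignored) and print its location
wp_fixture() {
    d=$(mktemp -d)
    for spec in "site_a:3.2.1" "site_b:3.1.4" "site c:3.0.5" "virtfs/u/site_a:3.2.1"; do
        dir="$d/${spec%%:*}/wp-includes"
        mkdir -p "$dir"
        printf "<?php\n\$wp_version = '%s';\n" "${spec##*:}" > "$dir/version.php"
    done
    printf '%s\n' "$d"
}

root=$(wp_fixture)
wp_audit "$root" 3.2.1
wp_count "$root" 3.2.1      # prints "3 2" for the constructed fixture
```

Point `wp_audit` at `/home` (or a single account's `public_html`) and pass the current release string to get the same two counts as the thread's commands, plus the path and version of every outdated install.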
fshagan Posted July 13, 2011

Thanks for that Linux juju! WP is releasing 3.2.1 already, although I haven't seen it in my control panels yet:

> After more than a million downloads of WordPress 3.2, we're now releasing WordPress 3.2.1 into the wild. This maintenance release fixes a server incompatibility related to JSON that's unfortunately affected some of you, as well as a few other fixes in the new dashboard design and the Twenty Eleven theme. If you've already updated to 3.2, then this update will be even faster than usual, thanks to the new feature in 3.2 that only updates files that have been changed, rather than replacing all the files in your installation.
kuemerle5 Posted July 13, 2011

Just saw this article on Softpedia. Could mean much fewer headaches for web hosting companies, and it's just plain awesome: http://news.softpedia.com/news/WordPress-3-3-May-Get-an-Improved-Uploader-Automatic-Silent-Updates-211386.shtml
Michael D. (Author) Posted July 14, 2011

> Just saw this article on Softpedia. Could mean much fewer headaches for web hosting companies, and it's just plain awesome: http://news.softpedia.com/news/WordPress-3-3-May-Get-an-Improved-Uploader-Automatic-Silent-Updates-211386.shtml

Very nice, but I wonder how many will disable the automatic updates due to wanting to continue running outdated plugins and themes that don't work on the newer versions.
kuemerle5 Posted July 14, 2011

*sigh* You gotta love those plugins and themes that practice poor coding techniques and are never updated by their authors. I feel the WordPress plugin database is too fragmented, and many of the plugins cater to unneeded niche functionality. You can basically replicate a WordPress install and probably 10-15 plugins in Drupal with the core modules and a few very well supported third-party modules.

I guess I would compare this situation to the iOS App Store and Android's Market. iOS apps (Drupal plugins) all act similar, look familiar, interact with iOS the way Apple intended, and generally are given more care by their authors. Android's apps (comparable to WordPress plugins), however, are sometimes fragmented in appearance, the manner in which they interact with the Android OS can vary greatly, and they could just be sandbox-type or proof-of-concept projects that won't be updated regularly by the author.

It's a problem that WordPress has yet to address, but I feel it's an important one. They can code the WordPress core perfectly, but as long as people are using outdated, insecure plugins, that will be the weak link in the chain.
Michael D. (Author) Posted July 14, 2011

I couldn't agree more.