
It is EXTREMELY IMPORTANT that you keep all of your scripts UP TO DATE!


13 replies to this topic

#1 MikeDVB

MikeDVB

    Forum Administrator

  • Staff Administrator
  • PipPipPipPipPip
  • 2,672 posts
  • Gender:Male
  • Location:Central Indiana, USA

Posted 19 December 2011 - 02:54 PM

--------
Updated Abridged Version:

  • Keep all of your scripts up-to-date at all times without exception. Examples of scripts: WordPress, Joomla, Magento, Drupal, etc...
  • If you are not using a script, uninstall it. A script you are not actively using is likely to become severely outdated and, as such, become a severe security risk to your entire account.
  • If you are running any plugins / themes / extensions / hacks / modifications - keep them up to date. It's a common misconception that due to a plugin being "inactive" or "disabled" it cannot be used against you - and this is incorrect. If you are not going to use it, remove it or make sure you keep it up to date at least.
  • Services such as Sucuri are a great supplement but are not a replacement for keeping your software updated and secure. Any malware scanning service will only be able to act after the damage has been done.

Here are a few examples of why you should stay up to date whenever possible:

Drupal warns unless you patched within seven hours, you're hacked <- ZDNet.com

Millions of websites hit by Drupal hack attack <- BBC News

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003 <- Drupal.com

 

Such exploits/issues can occur with any software platform [not just Drupal] but this one particular incident highlights why it's important to keep things up to date.

--------

Hello,

Many hosting customers do not realize the issues caused by running outdated scripts and insecure plugins, as most do not deal with compromised accounts on a regular basis. It's a misconception that the server has to be insecure for an account to be compromised. Any account running an outdated script, plugin, or theme can easily be exploited and then used for purposes not intended by the webmaster such as sending SPAM or outbound DoS attacks.

When a script is updated, it is not only done to release new features. There are often SQL injections and other issues that give attackers the opportunity to gain access to your script, your account, and your file system that are patched with new releases and updates. When an attacker uses one of these exploits - more often than not - they are not doing it just to destroy your site. An attacker will usually leave your site alone so as not to attract attention, and then will upload malicious files such as a spam script or DoS script.

Recently we have had a large number of accounts that have been compromised due to outdated or unused scripts, and the attackers are uploading attack scripts to the servers. As our servers have ultra-high-speed connections (1,000 megabit) this makes them a perfect tool for taking others offline - and means that our entire network and all of our customers suffer when an attacker uses one of our servers to perform outbound attacks.

You may think that it's not going to happen to you or that it's a rare occurrence, and I assure you that it's not. We have suspended no less than 10 accounts over the last 24 hours due to outbound attacks and compromised scripts. We do perform a full server security audit every time we investigate one of these cases to ensure the issue isn't something on our end, and those investigations have all come back clean.

Please check your account(s) and make sure that all of your scripts, plugins, and themes that you are using are UP TO DATE and that you've removed any that you are not actively making use of. Just because a plugin is "disabled" or a theme is not in use does not mean that it cannot be used against you by an attacker. Any accounts found to be sending outbound SPAM or DoS attacks can potentially be permanently suspended. If you've ever installed a script "just to test" or to mess around with it, it is VERY important that you remove that script or make sure that it's fully up to date.

We are taking this issue very seriously as it's been causing network outages to individual servers periodically as an attack crops up and we have to identify the source and disable the account. This is bad for the customer whose script is exploited, bad for others on the same server as we may have to temporarily disable the network while we find the culprit, and bad for our entire network as the traffic and packet flows can cause slowness and packet loss.

In the event that your account is compromised due to outdated software, you may want to look at the services offered by Sucuri Security to clean up the malware.  Once the malware has been cleaned from the account - you will still need to ensure that the account is secure [i.e. software updated, strong passwords, etc].

If you have any questions at all about this, please let us know.


Michael Denney - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/
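
The check the first post asks for (find every install, plugin and theme on disk, active or not), as an added example that is not part of the original thread or MDDHosting's tooling: the script walks an account's document root, finds each WordPress install, including forgotten test copies in subfolders, and lists the version of everything present so it can be compared against current releases. The function names are hypothetical and only WordPress is covered.

```python
import os
import re
import sys

# Activation state lives in the database, not on disk, so inactive items are listed too.
WP_CORE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
NAME = re.compile(r"^[ \t/*#@]*(?:Plugin|Theme) Name:", re.I | re.M)
VERSION = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.I | re.M)

def _read(path, limit=8192):
    """Read the start of a file; header comments sit in the first few KB."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read(limit)

def _component(kind, base, entry):
    """Return (kind, slug, version) for one plugin or theme, else None."""
    full = os.path.join(base, entry)
    if kind == "theme":
        paths = [os.path.join(full, "style.css")]
    elif os.path.isdir(full):
        paths = sorted(os.path.join(full, f) for f in os.listdir(full) if f.endswith(".php"))
    else:
        paths = [full] if entry.endswith(".php") else []
    for path in paths:
        if os.path.isfile(path) and NAME.search(text := _read(path)):
            found = VERSION.search(text)
            return (kind, entry, found.group(1) if found else "unknown")
    return None

def inventory(docroot):
    """Map each WordPress install under docroot to its core, plugins, themes."""
    report = {}
    for root, _dirs, _files in os.walk(docroot):
        marker = os.path.join(root, "wp-includes", "version.php")
        if not os.path.isfile(marker):
            continue
        core = WP_CORE.search(_read(marker))
        items = [("core", "wordpress", core.group(1) if core else "unknown")]
        for kind, sub in (("plugin", "plugins"), ("theme", "themes")):
            base = os.path.join(root, "wp-content", sub)
            entries = sorted(os.listdir(base)) if os.path.isdir(base) else []
            items += filter(None, (_component(kind, base, e) for e in entries))
        report[os.path.relpath(root, docroot)] = items
    return report

if __name__ == "__main__":
    for site, items in inventory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for kind, slug, version in items:
            print(f"{site}\t{kind}\t{slug}\t{version}")
```

Run it with the document root as the only argument; any install or component in the output that is not in active use is a candidate for removal.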

#2 Myati

Myati

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 19 December 2011 - 06:12 PM

Thank you for this warning and for making me aware of the problem. I am one of those affected today as the server where my website is hosted seems to have been temporarily compromised this morning with negative effects on the performance of the site and in the user experience of our visitors. Fortunately this was promptly solved and everything was back to normal within minutes.

I must also confess I was not aware of the problem with outdated scripts as this issue was never brought to my attention on my previous host. I do have only one script installed on my domain to handle email campaigns our company occasionally does. I do not want to delete the script as it will be of use in the future but I also don't mind disabling it for the time being until the next time it is required (have no idea when this will be, last time I've used it was probably over a year and a half ago). How can I disable the script so that it is inaccessible to someone trying to set up an attack but while keeping it installed and easily enable it in the future when it is required? Can I just change the folder name where it is installed?

#3 MikeDVB


Posted 19 December 2011 - 06:14 PM

Password protecting the directory would work if it's in its own folder.

#4 SarisIsop

SarisIsop

    Member

  • Members
  • PipPip
  • 118 posts
  • Gender:Not Telling

Posted 20 December 2011 - 08:57 AM

Please check your account(s) and make sure that all of your scripts, plugins, and themes that you are using are UP TO DATE and that you've removed any that you are not actively making use of.


All done. :)

#5 Myati


Posted 20 December 2011 - 09:00 AM

Password protecting the directory would work if it's in its own folder.


Thank you for the prompt assistance, the folder where the script is stored is now password protected.

#6 DanH

DanH

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 28 September 2012 - 07:49 AM

Drupal 7's Update Manager will check for out-of-date modules, but it normally doesn't check whether disabled modules are out of date. However, you can turn this on. Go to http://yoursite.com/admin/reports/updates/settings, check the box "Check for updates of disabled modules" and click "Save Configuration". After that, when it checks during cron or when you check manually, both disabled and enabled modules will be checked for new versions.

#7 Scott

Scott

    MDDHosting Staff

  • Staff Administrator
  • PipPipPipPip
  • 415 posts
  • Gender:Male

Posted 02 October 2012 - 10:36 AM

Drupal 7's Update Manager will check for out-of-date modules, but it normally doesn't check whether disabled modules are out of date. However, you can turn this on. Go to http://yoursite.com/admin/reports/updates/settings, check the box "Check for updates of disabled modules" and click "Save Configuration". After that, when it checks during cron or when you check manually, both disabled and enabled modules will be checked for new versions.


Great tip! :)
Scott S - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/

#8 Scott


Posted 02 October 2012 - 03:03 PM

For anyone following along... Five more accounts would likely have not been hacked recently and suspended today if their scripts were all up to date. It's easy to prevent the problem, but hard (and potentially expensive) to fix. Once the damage is done, the damage is done. (/rant)

#9 MikeDVB


Posted 24 April 2013 - 08:25 PM

Another illustration of why it's important to keep all scripts, plugins, and themes up-to-date: Update WP Super Cache and W3TC Immediately - Remote Code Execution Vulnerability Disclosed | Sucuri Blog

 

We have rolled out updates to all WordPress installations that contain WP Super Cache or W3 Total Cache to protect our customers' accounts as well as our servers and network.



#10 MikeDVB


Posted 28 July 2013 - 10:54 AM

We are seeing a sharp rise in the number of outdated Joomla! installations that are getting compromised. Joomla 1.5 and 1.7 have been EOL'd [end-of-lifed] for well over a year now and, as such, have not been patched for security vulnerabilities that have been found. The result is that if you're running version 1.5 or 1.7 [or older], your entire account is at risk of compromise / hacking / defacement / etc. Please, take a moment to check your software such as Joomla!, WordPress, Invision Power Board, vBulletin, etc. to ensure it's up to date as well as all plugins/themes/hacks/extensions.

 

If you have software installed that's out of date that you're not using - please remove it.  This includes plugins that are not 'active' and themes that are not 'in use'.



#11 Scott


Posted 02 August 2013 - 12:54 PM

WordPress 3.6 is now available!

 

Read the announcement directly from WordPress:

http://wordpress.org.../2013/08/oscar/

 

Then don't forget to log into your WordPress sites and update them. If you run into an error about /tmp, see our KB article: http://www.mddhostin...ess-Plugin.html



#12 MikeDVB


Posted 16 August 2013 - 03:05 PM

Unfortunately we have a client recently that hired Sucuri but failed to update any of their software installations.  While Sucuri did clean up the malware that was in the account - the account holder didn't update the installed software [outdated WordPress] and the account has been compromised again.

 

In this situation the client feels as though having Sucuri is enough and that we should have been clear that Sucuri is just a part of the bigger security picture including but not limited to: using strong passwords, connecting using secured methods [SSL/TLS/FTPS/etc] and keeping all software up-to-date including all plugins, themes, mods, hacks, etc.

 

While we do recommend Sucuri for monitoring and cleaning up malware - at the end of the day the account holder must still maintain their software installations at all times regardless.

 

Hopefully this post will save somebody else from the same misunderstanding.  I did update the 'Updated Abridged Version' in the first post adding the point that Sucuri is not a replacement for maintaining your software.



#13 Scott


Posted 16 September 2013 - 08:37 AM

In the last week or two, we have seen a large increase in compromises of outdated vBulletin 4 scripts. Please ensure that you are running the latest version and patches to close any known security issues. I've personally seen vB 4.2 patch 2, vB 4.2 patch 1, and vB 4.1.12 patch 1, but any outdated version is vulnerable and should be updated.



#14 MikeDVB


Posted 24 February 2014 - 05:34 AM

Outdated scripts, themes, and plugins continue to be the number one leading cause of compromised accounts. Just because a theme or plugin is 'disabled' or not in use does NOT mean that it cannot be used against you.

