MDDHosting Forums

It is EXTREMELY IMPORTANT that you keep all of your scripts UP TO DATE!


Michael D.


--------
Updated Abridged Version:

  • Keep all of your scripts up-to-date at all times without exception. Examples of scripts: WordPress, Joomla, Magento, Drupal, etc...
  • If you are not using a script, uninstall it. A script you are not actively using is likely to become severely outdated and, as such, become a severe security risk to your entire account.
  • If you are running any plugins / themes / extensions / hacks / modifications - keep them up to date. It's a common misconception that due to a plugin being "inactive" or "disabled" it cannot be used against you - and this is incorrect. If you are not going to use it, remove it or make sure you keep it up to date at least.
  • Services such as Sucuri are a great supplement but are not a replacement for keeping your software updated and secure. Any malware scanning service will only be able to act after the damage has been done.

Here are a few examples of why you should stay up to date whenever possible:

Drupal warns unless you patched within seven hours, you're hacked

Millions of websites hit by Drupal hack attack

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

 

Such exploits/issues can occur with any software platform [not just Drupal] but this one particular incident highlights why it's important to keep things up to date.

--------

Hello,

Many hosting customers do not realize the issues caused by running outdated scripts and insecure plugins, as most do not deal with compromised accounts on a regular basis. It's a misconception that the server has to be insecure for an account to be compromised. Any account running an outdated script, plugin, or theme can easily be exploited and then used for purposes not intended by the webmaster such as sending SPAM or outbound DoS attacks.

When a script is updated, it is not only done to release new features. There are often SQL injections and other issues that give attackers the opportunity to gain access to your script, your account, and your file system that are patched with new releases and updates. When an attacker uses one of these exploits - more often than not - they are not doing it just to destroy your site. An attacker will usually leave your site alone so as not to attract attention, and then will upload malicious files such as a spam script or DoS script.

Recently we have had a large number of accounts that have been compromised due to outdated or unused scripts, and the attackers are uploading attack scripts to the servers. As our servers have ultra-high-speed connections (1,000 megabit) this makes them a perfect tool for taking others offline - and means that our entire network and all of our customers suffer when an attacker uses one of our servers to perform outbound attacks.

You may think that it's not going to happen to you or that it's a rare occurrence, and I assure you that it's not. We have suspended no less than 10 accounts over the last 24 hours due to outbound attacks and compromised scripts. We do perform a full server security audit every time we investigate one of these cases to ensure the issue isn't something on our end, and those investigations have all come back clean.

Please check your account(s) and make sure that all of your scripts, plugins, and themes that you are using are UP TO DATE and that you've removed any that you are not actively making use of. Just because a plugin is "disabled" or a theme is not in use does not mean that it cannot be used against you by an attacker. Any accounts found to be sending outbound SPAM or DoS attacks can potentially be permanently suspended. If you've ever installed a script "just to test" or to mess around with it, it is VERY important that you remove that script or make sure that it's fully up to date.

We are taking this issue very seriously as it's been causing network outages to individual servers periodically as an attack crops up and we have to identify the source and disable the account. This is bad for the customer whose script is exploited, bad for others on the same server as we may have to temporarily disable the network while we find the culprit, and bad for our entire network as the traffic and packet flows can cause slowness and packet loss.

In the event that your account is compromised due to outdated software, you may want to look at the services offered by Sucuri Security to clean up the malware. Once the malware has been cleaned from the account - you will still need to ensure that the account is secure [i.e. software updated, strong passwords, etc].

If you have any questions at all about this, please let us know.

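An added example, not part of the original post or MDDHosting's own tooling: since a "disabled" plugin or unused theme is still reachable code on disk, this Python sketch inventories what is actually installed under an account, whether or not it is active. It assumes the standard WordPress layout (`wp-includes/version.php`, `wp-content/plugins`, `wp-content/themes`); the function names are hypothetical.

```python
import re
from pathlib import Path

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
HEADER_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)

def _header_version(path):
    """Return the 'Version:' header found in the first 8 KiB of a file, or None."""
    try:
        head = path.read_bytes()[:8192].decode("utf-8", errors="replace")
    except OSError:
        return None
    m = HEADER_VERSION_RE.search(head)
    return m.group(1) if m else None

def _extensions(install, kind):
    """List every plugin or theme directory on disk, active or not."""
    found = {}
    base = install / "wp-content" / kind
    if not base.is_dir():
        return found
    for item in sorted(base.iterdir()):
        if not item.is_dir():
            continue
        # Plugins carry the header in a top-level .php file, themes in style.css.
        candidates = sorted(item.glob("*.php")) if kind == "plugins" else [item / "style.css"]
        version = next((v for v in map(_header_version, candidates) if v), None)
        found[item.name] = version or "unknown"
    return found

def inventory(account_root):
    """Find WordPress installs under account_root and report what is on disk."""
    report = []
    for version_file in sorted(Path(account_root).rglob("wp-includes/version.php")):
        install = version_file.parent.parent
        m = WP_VERSION_RE.search(version_file.read_text(errors="replace"))
        report.append({
            "path": str(install),
            "core": m.group(1) if m else "unknown",
            "plugins": _extensions(install, "plugins"),
            "themes": _extensions(install, "themes"),
        })
    return report

if __name__ == "__main__":
    import json, sys
    print(json.dumps(inventory(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Every entry in the output is something to either update or delete; forgotten "just to test" installs in subdirectories show up as additional `path` entries.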

Thank you for this warning and for making me aware of the problem. I am one of those affected today as the server where my website is hosted seems to have been temporarily compromised this morning with negative effects on the performance of the site and in the user experience of our visitors. Fortunately this was promptly solved and everything was back to normal within minutes.

I must also confess I was not aware of the problem with outdated scripts as this issue was never brought to my attention on my previous host. I do have only one script installed on my domain to handle email campaigns our company occasionally does. I do not want to delete the script as it will be of use in the future but I also don't mind disabling it for the time being until the next time it is required (have no idea when this will be, last time I've used it was probably over a year and a half ago). How can I disable the script so that it is inaccessible to someone trying to set up an attack but while keeping it installed and easily enable it in the future when it is required? Can I just change the folder name where it is installed?


  • 9 months later...

Drupal 7's Update Manager will check for out-of-date modules, but it normally doesn't check whether disabled modules are out of date. However, you can turn this on. Go to http://yoursite.com/admin/reports/updates/settings, check the box "Check for updates of disabled modules" and click "Save Configuration". After that, when it checks during cron or when you check manually, both disabled and enabled modules will be checked for new versions.



Great tip! :)


For anyone following along... Five more accounts would likely have not been hacked recently and suspended today if their scripts were all up to date. It's easy to prevent the problem, but hard (and potentially expensive) to fix. Once the damage is done, the damage is done. (/rant)

  • 6 months later...

Another illustration of why it's important to keep all scripts, plugins, and themes up-to-date: Update WP Super Cache and W3TC Immediately - Remote Code Execution Vulnerability Disclosed | Sucuri Blog

 

We have rolled out updates to all WordPress installations that contain WP Super Cache or W3 Total Cache to protect our customers' accounts as well as our servers and network.


  • 3 months later...

We are seeing a sharp rise in the number of outdated Joomla! installations that are getting compromised. Joomla 1.5 and 1.7 have been EOL'd [end-of-lifed] for well over a year now and, as such, have not been patched for security vulnerabilities that have been found. The result is that if you're running version 1.5 or 1.7 [or older] your entire account is at risk of compromise / hacking / defacement / etc. Please, take a moment to check your software such as Joomla!, WordPress, Invision Power Board, vBulletin, etc. to ensure it's up to date as well as all plugins/themes/hacks/extensions.

 

If you have software installed that's out of date that you're not using - please remove it. This includes plugins that are not 'active' and themes that are not 'in use'.


WordPress 3.6 is now available!

 

Read the announcement directly from WordPress:

http://wordpress.org/news/2013/08/oscar/

 

Then don't forget to log into your WordPress sites and update them. If you run into an error about /tmp, see our KB article: http://www.mddhosting.com/support/knowledgebase/1020/Cannot-upgrade-WordPress-or-a-WordPress-Plugin.html


  • 2 weeks later...

Unfortunately we have a client recently that hired Sucuri but failed to update any of their software installations. While Sucuri did clean up the malware that was in the account - the account holder didn't update the installed software [outdated WordPress] and the account has been compromised again.

 

In this situation the client feels as though having Sucuri is enough and that we should have been clear that Sucuri is just a part of the bigger security picture including but not limited to: using strong passwords, connecting using secured methods [SSL/TLS/FTPS/etc] and keeping all software up-to-date including all plugins, themes, mods, hacks, etc.

 

While we do recommend Sucuri for monitoring and cleaning up malware - at the end of the day the account holder must still maintain their software installations at all times regardless.

 

Hopefully this post will save somebody else from the same misunderstanding. I did update the 'Updated Abridged Version' in the first post adding the point that Sucuri is not a replacement for maintaining your software.


  • 5 weeks later...

In the last week or two, we have seen a large increase in compromises of outdated vBulletin 4 scripts. Please ensure that you are running the latest version and patches to close any known security issues. I've personally seen vB 4.2 patch 2, vB 4.2 patch 1, and vB 4.1.12 patch 1, but any outdated version is vulnerable and should be updated.

