Michael D. Posted December 19, 2011

--------

Updated Abridged Version:

Keep all of your scripts up-to-date at all times without exception. Examples of scripts: WordPress, Joomla, Magento, Drupal, etc...

If you are not using a script, uninstall it. A script you are not actively using is likely to become severely outdated and, as such, become a severe security risk to your entire account.

If you are running any plugins / themes / extensions / hacks / modifications - keep them up to date. It's a common misconception that due to a plugin being "inactive" or "disabled" it cannot be used against you - and this is incorrect. If you are not going to use it, remove it or make sure you keep it up to date at least.

Services such as Sucuri are a great supplement but are not a replacement for keeping your software updated and secure. Any malware scanning service will only be able to act after the damage has been done.

Here are a few examples of why you should stay up to date whenever possible:

Drupal warns unless you patched within seven hours, you're hacked
Millions of websites hit by Drupal hack attack
Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

Such exploits/issues can occur with any software platform [not just Drupal] but this one particular incident highlights why it's important to keep things up to date.

--------

Hello,

Many hosting customers do not realize the issues caused by running outdated scripts and insecure plugins, as most do not deal with compromised accounts on a regular basis. It's a misconception that the server has to be insecure for an account to be compromised. Any account running an outdated script, plugin, or theme can easily be exploited and then used for purposes not intended by the webmaster such as sending SPAM or outbound DoS attacks.

When a script is updated, it is not only done to release new features. There are often SQL injections and other issues that give attackers the opportunity to gain access to your script, your account, and your file system that are patched with new releases and updates. When an attacker uses one of these exploits - more often than not - they are not doing it just to destroy your site. An attacker will usually leave your site alone so as not to attract attention, and then will upload malicious files such as a spam script or DoS script.

Recently we have had a large number of accounts that have been compromised due to outdated or unused scripts, and the attackers are uploading attack scripts to the servers. As our servers have ultra-high-speed connections (1,000 megabit) this makes them a perfect tool for taking others offline - and means that our entire network and all of our customers suffer when an attacker uses one of our servers to perform outbound attacks.

You may think that it's not going to happen to you or that it's a rare occurrence, and I assure you that it's not. We have suspended no less than 10 accounts over the last 24 hours due to outbound attacks and compromised scripts. We do perform a full server security audit every time we investigate one of these cases to ensure the issue isn't something on our end, and those investigations have all come back clean.

Please check your account(s) and make sure that all of your scripts, plugins, and themes that you are using are UP TO DATE and that you've removed any that you are not actively making use of. Just because a plugin is "disabled" or a theme is not in use does not mean that it cannot be used against you by an attacker. Any accounts found to be sending outbound SPAM or DoS attacks can potentially be permanently suspended.

If you've ever installed a script "just to test" or to mess around with it, it is VERY important that you remove that script or make sure that it's fully up to date.

We are taking this issue very seriously as it's been causing network outages to individual servers periodically as an attack crops up and we have to identify the source and disable the account. This is bad for the customer whose script is exploited, bad for others on the same server as we may have to temporarily disable the network while we find the culprit, and bad for our entire network as the traffic and packet flows can cause slowness and packet loss.

In the event that your account is compromised due to outdated software, you may want to look at the services offered by Sucuri Security to clean up the malware. Once the malware has been cleaned from the account - you will still need to ensure that the account is secure [i.e. software updated, strong passwords, etc].

If you have any questions at all about this, please let us know.
Myati Posted December 19, 2011

Thank you for this warning and for making me aware of the problem. I am one of those affected today as the server where my website is hosted seems to have been temporarily compromised this morning with negative effects on the performance of the site and on the user experience of our visitors. Fortunately this was promptly solved and everything was back to normal within minutes. I must also confess I was not aware of the problem with outdated scripts as this issue was never brought to my attention on my previous host. I do have only one script installed on my domain to handle email campaigns our company occasionally does. I do not want to delete the script as it will be of use in the future but I also don't mind disabling it for the time being until the next time it is required (have no idea when this will be, last time I used it was probably over a year and a half ago). How can I disable the script so that it is inaccessible to someone trying to set up an attack while keeping it installed and easily enabled in the future when it is required? Can I just change the folder name where it is installed?
Michael D. (Author) Posted December 19, 2011

Password protecting the directory would work if it's in its own folder.
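Added example (not from the thread, and not MDDHosting's or Sucuri's code): a POSIX shell script that does what the reply above suggests for a dormant script that lives in its own folder, putting Apache HTTP Basic authentication in front of the directory with an .htaccess/.htpasswd pair, and then checking that the stored credential actually verifies. It assumes Apache honours .htaccess in that directory (AllowOverride AuthConfig) and that the openssl command-line tool is installed; the directory, user name and password are constructed placeholders.

```shell
#!/bin/sh
# Added example: lock a dormant script directory behind HTTP Basic auth.
# Assumes Apache with AllowOverride AuthConfig for the directory and an
# openssl binary on PATH (used for the apr1 password hash Apache accepts).
set -eu

# protect_directory DIR USER PASSWORD
# Writes DIR/.htpasswd and DIR/.htaccess so every request into DIR must
# carry a valid user/password. DIR is resolved to an absolute path because
# AuthUserFile must be absolute.
protect_directory() {
    dir=$(cd "$1" && pwd)
    user=$2
    pass=$3
    htpasswd="$dir/.htpasswd"

    # apr1 is the Apache MD5-based scheme mod_auth_basic supports everywhere.
    hash=$(openssl passwd -apr1 "$pass")
    printf '%s:%s\n' "$user" "$hash" > "$htpasswd"
    chmod 600 "$htpasswd"     # readable by the account owner only

    cat > "$dir/.htaccess" <<EOF
# Dormant script: kept installed but unreachable until it is next needed.
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd
Require valid-user
EOF
}

# verify_credentials HTPASSWD USER PASSWORD -> returns 0 only on a match.
# Re-derives the apr1 hash with the salt stored in the file and compares,
# which is the same check Apache performs on each request.
verify_credentials() {
    file=$1
    user=$2
    pass=$3
    stored=$(grep "^$user:" "$file" | cut -d: -f2-) || return 1
    [ -n "$stored" ] || return 1
    # Stored form is $apr1$<salt>$<digest>; field 3 (split on '$') is the salt.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd -apr1 -salt "$salt" "$pass")
    [ "$candidate" = "$stored" ]
}

# Stand-alone demo with constructed values: ./lock.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    protect_directory "$d" campaigns 'correct horse battery'
    verify_credentials "$d/.htpasswd" campaigns 'correct horse battery' && echo "credential verifies"
    cat "$d/.htaccess"
    rm -rf "$d"
fi
```

Renaming the folder, as the question above proposes, only helps while the new name stays unguessed; an authentication requirement blocks every request into the directory regardless of its path. It does not change the thread's main point: a script that is never going to be updated is safer removed, and one that is kept should be updated when it is next put back into service.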
SarisIsop Posted December 20, 2011

> Please check your account(s) and make sure that all of your scripts, plugins, and themes that you are using are UP TO DATE and that you've removed any that you are not actively making use of.

All done.
Myati Posted December 20, 2011

> Password protecting the directory would work if it's in its own folder.

Thank you for the prompt assistance, the folder where the script is stored is now password protected.
DanH Posted September 28, 2012

Drupal 7's Update Manager will check for out-of-date modules, but it normally doesn't check whether disabled modules are out of date. However, you can turn this on. Go to http://yoursite.com/admin/reports/updates/settings, check the box "Check for updates of disabled modules" and click Save Configuration. After that, when it checks during cron or when you check manually, both disabled and enabled modules will be checked for new versions.
Scott Posted October 2, 2012

> Drupal 7's Update Manager will check for out-of-date modules, but it normally doesn't check whether disabled modules are out of date. However, you can turn this on. Go to http://yoursite.com/admin/reports/updates/settings, check the box "Check for updates of disabled modules" and click Save Configuration. After that, when it checks during cron or when you check manually, both disabled and enabled modules will be checked for new versions.

Great tip!
Scott Posted October 2, 2012

For anyone following along... Five more accounts would likely not have been hacked recently and suspended today if their scripts were all up to date. It's easy to prevent the problem, but hard (and potentially expensive) to fix. Once the damage is done, the damage is done. (/rant)
Michael D. (Author) Posted April 25, 2013

Another illustration of why it's important to keep all scripts, plugins, and themes up-to-date: Update WP Super Cache and W3TC Immediately - Remote Code Execution Vulnerability Disclosed | Sucuri Blog

We have rolled out updates to all WordPress installations that contain WP Super Cache or W3 Total Cache to protect our customers' accounts as well as our servers and network.
Michael D. (Author) Posted July 28, 2013

We are seeing a sharp rise in the number of outdated Joomla! installations that are getting compromised. Joomla 1.5 and 1.7 have been EOL'd [end-of-lifed] for well over a year now and, as such, have not been patched for security vulnerabilities that have been found. The result is that if you're running version 1.5 or 1.7 [or older], your entire account is at risk of compromise / hacking / defacement / etc.

Please, take a moment to check your software such as Joomla!, WordPress, Invision Power Board, vBulletin, etc to ensure it's up to date as well as all plugins/themes/hacks/extensions. If you have software installed that's out of date that you're not using - please remove it. This includes plugins that are not 'active' and themes that are not 'in use'.
Scott Posted August 2, 2013

WordPress 3.6 is now available! Read the announcement directly from WordPress: http://wordpress.org/news/2013/08/oscar/

Then don't forget to log into your WordPress sites and update them. If you run into an error about /tmp, see our KB article: http://www.mddhosting.com/support/knowledgebase/1020/Cannot-upgrade-WordPress-or-a-WordPress-Plugin.html
Michael D. (Author) Posted August 16, 2013

Unfortunately we recently had a client that hired Sucuri but failed to update any of their software installations. While Sucuri did clean up the malware that was in the account - the account holder didn't update the installed software [outdated WordPress] and the account has been compromised again.

In this situation the client feels as though having Sucuri is enough and that we should have been clear that Sucuri is just a part of the bigger security picture including but not limited to: using strong passwords, connecting using secured methods [SSL/TLS/FTPS/etc] and keeping all software up-to-date including all plugins, themes, mods, hacks, etc.

While we do recommend Sucuri for monitoring and cleaning up malware - at the end of the day the account holder must still maintain their software installations at all times regardless. Hopefully this post will save somebody else from the same misunderstanding. I did update the 'Updated Abridged Version' in the first post adding the point that Sucuri is not a replacement for maintaining your software.
Scott Posted September 16, 2013

In the last week or two, we have seen a large increase in compromises of outdated vBulletin 4 scripts. Please ensure that you are running the latest version and patches to close any known security issues. I've personally seen vB 4.2 patch 2, vB 4.2 patch 1, and vB 4.1.12 patch 1, but any outdated version is vulnerable and should be updated.
Michael D. (Author) Posted February 24, 2014

Outdated scripts, themes, and plugins continue to be the number one leading cause of compromised accounts. Just because a theme or plugin is 'disabled' or not in use does NOT mean that it cannot be used against you.