We are in San Antonio Texas

Friday March 2nd 2007

Good morning,

I have no idea how some of these guys who do speaking tours travel so much. As you know, I was in Long Island for Mike and Tom’s event last week; now I am in San Antonio, Texas this week with my whole family and I’m tired of hotels already!

Today, I am meeting with JJ Williams, a commercial real estate agent referred to me by Armando and Veronica Montelongo (the people who do “Flip This House” on the A&E network).

We are going to go through approximately 20-30 locations for our satellite office here in San Antonio. If I find one that I like, I’ll be sure to email you some photos.

Saturday March 3rd 2007

I also wanted to let everyone know that cPanel and our own team are working on a fix for this new iframe PHP insecurity virus. At the moment there seems to be no known fix for the issue. Basically, this virus attacks when someone uploads a PHP script but sets its permissions to 777, which is read, write and execute.

It is very dangerous to do this, and unfortunately it is also hard to let people know NOT to do this. All permissions on PHP files should be no greater than 755.

When permissions are set to 777 it creates a huge security hole for people to upload and change the index of any website. However, we are working on it very diligently.

We were able to go see a few properties yesterday for our new datacenter, today we are going to go see some more. I will definitely be in touch again later on today.

Have a wonderful Saturday, I certainly miss chatting with all of you in our conference room.

–Joel Therien
President

Kiosk.ws
Hotconference.com
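
An added example, not part of the original post and not the tool Kiosk's team or cPanel describe: a shell audit for the condition the post warns about, PHP files and directories with the world-write bit set, with a fix that resets only those entries to 644 and 755. The function names and the sample docroot layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find and tighten world-writable PHP files and directories
# under a web root. Paths and function names here are hypothetical.

# Print every PHP file and every directory under $1 that has the
# world-write bit set (777, 666, 757 and so on).
audit_world_writable() {
    find "$1" \( -type f -name '*.php' -o -type d \) -perm -0002 -print | sort
}

# Number of findings under $1; 0 means nothing is world-writable.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only what the audit flags: PHP files to 644, directories to 755.
# Entries that are already stricter are left untouched.
tighten_perms() {
    find "$1" -type f -name '*.php' -perm -0002 -exec chmod 644 {} +
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Build a constructed sample docroot in a temp directory for a dry run.
make_sample_docroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/uploads" "$root/public_html/inc"
    : > "$root/public_html/index.php"
    : > "$root/public_html/inc/config.php"
    : > "$root/public_html/uploads/form.php"
    chmod 755 "$root/public_html" "$root/public_html/inc"
    chmod 644 "$root/public_html/index.php" "$root/public_html/inc/config.php"
    chmod 777 "$root/public_html/uploads" "$root/public_html/uploads/form.php"
    echo "$root"
}

# Dry run on the constructed tree: report, fix, report again.
sample=$(make_sample_docroot)
echo "before: $(count_world_writable "$sample") world-writable entries"
audit_world_writable "$sample"
tighten_perms "$sample"
echo "after:  $(count_world_writable "$sample") world-writable entries"
rm -rf "$sample"
```

On a real account, run `audit_world_writable` on its own first and review the list, since some applications rely on a writable upload or cache directory and will need a narrower fix than a blanket chmod.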

11 Responses to We are in San Antonio Texas

  • Hey Joel,

    This is Joel Christopher.

    As you know, I live in San Antonio, Texas.

    Not sure if you have time to meet with me briefly.

    If so, email me a reply or give me a ring at 210-695-5627

    Joel Christopher R.,
    “The MasterListBuilder”
    http://www.MasterListBuilder.com

  • Joel,
    You are making it sound like it is OUR responsibility to ensure that your servers are not exploited by hackers. Since this exploit first surfaced on Hostgator’s servers in Sept/06 then I think we can assume that the patches were available and known for this exploit. Out of 2 accounts I have with Kiosk, the oldest one with 4 sites was attacked and modified and my main business site is now blacklisted by Google.

    It may take several more days to correct this and remove the listing. Meanwhile my business suffers.

    I have sites and scripts (with permissions set in various levels) on 5 other hosting companies and my older account on Kiosk was the only one hit. That says something.

    Having your servers updated continuously with newest patches/security fixes will help keep us safer in the future.
    Please either hire more IT people or enlist a PROFESSIONAL to look after your customer’s website security.

    Kiosk Member since 1999
    Daryl Austman
    http://www.greymouse.com

  • Hi,
    I’m a Platinum Plus member. I would like to know if security level of 644 on a PHP file is more or less or equally secure as a setting of 755.

    Thank you,
    SilverIngot

  • Hi Daryl,

    The exploit you talk about at Hostgator is NOT the same exploit. This is a new exploit that does a similar function.

    In no way in my post do I blame any customers, in fact I am just giving the raw facts on how they get in.

    It does not matter on whose hosting account. If your scripts are secure but someone else hosted on the same server is not set securely then it affects the whole machine.

    Less than 1% of our total hosting boxes were affected, so I apologise if you feel that.

    1. I am blaming others. I don’t, the actual risk was as explained partly cpanel and partly php when a php script is set to 777

    2. That our security team is not professional enough.

    Joel

  • There has been another wave of attacks.

    All the files I cleaned of this script have been reinfected.

    Please issue some help on how to protect against this. All of my files AFAIK have the correct protection.

  • I meant all files have the correct 644 level.

  • Hi Troy

    This is what makes it so difficult. If even just one php file is 777 on the whole server then it creates a hole for everyone. Our team is making a software now to automatically change all permissions that are insecure to 644. I’m getting an update now from them while in Texas, I will post again here soon.

    Thanks so much for your patience on this

    Joel

  • Why doesn’t Kiosk use suexec? Wouldn’t it sort our problems? I don’t want to say too much on a public forum and feel free to delete this comment once noted 🙂 but isn’t the problem that everyone on the same server runs as the same user group (including cpanel?)

    (from http://www.hostmagik.info/phpsuexec.php)

    PHP as a CGI with Suexec

    When PHP runs as a CGI with Suexec, PHP files work under your user/group. PHP files no longer require loose permissions to function, now they will require strict permissions. Setting your directories or PHP files to 777 will cause them to produce a 500 Internal Server Error, this happens to protect your PHP files from being abused by outside sources.

    Under PHPSuexec your directories and PHP files can have permissions no greater than 755 (read/write/execute by your username, read/execute by group/world). Since you own your files, your scripts can function in any directory your user has created and can’t be manipulated by any outside users, including “nobody”.

    Now, when a PHP file creates or uploads a new file under your account, the new file will be owned by your username. You will no longer have to worry about the webserver taking over your files and even more important, you will no longer have to worry about a stranger reading or writing to your files either!

  • Hi Troy

    I agree, we tried that and it caused us a ton of headaches when people did not know how to change permissions to 755. However, you are 150% correct, currently 50% are using phpsuexec and we will now enable it on all servers and then teach people how to fix their scripts. We have always used suexec for cgi. Thanks so much for your input

    Joel

    I would love to type more but, the internet at this Hotel in Texas is REALLY bad 🙁

  • Joel, I will accept the fact that this attack is not exactly the same as the one on Hostgator, but they are very similar… you must admit.

    Unfortunately you misunderstood me as I put NO blame on your staff. They do the absolute best job that they are capable of doing with the knowledge they have and with the time they are given to work on such tasks.

    Can you explain to me why PHPsuexec has NOT been put on the servers when it has been available for 2 yrs?

    And is the problem seated more with an unpatched cPanel on an older machine with an older version of cPanel?

    I’ve been with Kiosk for over 8 yrs now, almost from the beginning of the company. I believed in the company, enjoyed the fact that you were Canadian based and loved the personal touch that you and your staff offered. I want to continue doing so.

    Daryl Austman
    http://www.greymouse.com

  • The first attack 10 days ago.

    Now a fresh attack, the third in those 10 days.

    I thought this was being addressed?

    Still, I’m getting quicker at fixing my infected files now. Perhaps I’ll write a cron job to do it for me if it’s going to be a weekly feature…

    If this is only affecting 1% of your servers, why haven’t you found any 777 files on those servers and changed their permissions? (If that’s how the infection happens)

    Oh, and some irony. A problem that started last Tuesday was finally fixed this morning (5 days of not being able to use phpMyAdmin) – today would have been the first time I’ve been able to work on my database.

    But of course phpMyAdmin is no longer usable again because this freakin vulnerability has trashed the cpanel files again.

    I despair!
