Global Attack on WordPress Sites

There is an ongoing, highly distributed global attack on WordPress installations at every known web host, aimed at cracking open admin accounts and injecting various malicious scripts.

A detailed analysis of the attack pattern found that most of the attack traffic was originating from other CMS installations (mostly WordPress). Further analysis revealed that the “admin” accounts had been compromised (in one form or another) and malicious scripts had been uploaded into the directories.

Today this attack is happening at a global level, and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is difficult for us to block all of the malicious traffic.

This is the reason why some servers have gone down in recent days.
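The attack described above shows up in a server's access log as a flood of POST requests to wp-login.php spread across many source addresses. As an added illustration that is not part of the original post, the script below counts those POSTs per source and per minute over a constructed sample log (addresses are from the RFC 5737 documentation ranges); the per-minute view is what catches a distributed attack whose individual sources each stay under a per-IP threshold. The thresholds used in the demo are illustrative, not tuned values.

```shell
#!/bin/sh
# Added example, not from the original post: find a distributed wp-login.php
# brute-force in an Apache combined-format access log. The log lines below are
# constructed; the addresses come from the RFC 5737 documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [12/Apr/2013:10:01:01 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:01:02 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:01:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2013:10:01:04 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.21 - - [12/Apr/2013:10:01:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.22 - - [12/Apr/2013:10:01:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:01:06 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.44 - - [12/Apr/2013:10:01:07 -0600] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Apr/2013:10:07:30 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# POSTs to wp-login.php per source address, busiest first (log on stdin).
# In the combined format $6 is the quoted method and $7 the request path.
wp_login_posts_by_ip() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# POSTs to wp-login.php per minute (HH:MM), regardless of source.
# $4 looks like [12/Apr/2013:10:01:01, so fields 2 and 3 of a ":" split are HH and MM.
wp_login_posts_per_minute() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" {
         split($4, t, ":"); n[t[2] ":" t[3]]++ }
       END { for (m in n) print m, n[m] }' | sort
}

wp_login_total()      { wp_login_posts_by_ip | awk '{ s += $2 } END { print s + 0 }'; }
wp_login_max_per_ip() { wp_login_posts_by_ip | awk 'NR == 1 { print $2 }'; }

# Minutes whose total exceeds $1: the aggregate view catches a distributed
# attack whose individual sources each stay under a per-IP threshold.
wp_login_bursts() { wp_login_posts_per_minute | awk -v max="$1" '$2 > max'; }

# Demo: a per-IP limit of 5 flags nothing here, while a per-minute limit of 6
# flags 10:01 with 8 POSTs. Both thresholds are illustrative.
printf '%s\n' "$SAMPLE_LOG" | wp_login_posts_by_ip | awk '$2 > 5 { print "noisy source:", $1, $2 }'
printf '%s\n' "$SAMPLE_LOG" | wp_login_bursts 6 | awk '{ print "login burst at", $1 ":", $2, "POSTs" }'
```

On a real server the same functions read the site's access log on stdin (for example `wp_login_bursts 50 < /path/to/access_log`); what counts as a burst depends on the site's normal login volume, so baseline it first.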

To ensure that your websites are secure and safeguarded from this attack, we recommend the following steps:

  1. Update and upgrade your WordPress installation and all installed plugins
  2. Install the security plugin listed here
  3. Ensure that your admin password is secure and preferably randomly generated
  4. Other ways of hardening a WordPress installation are shared at http://codex.wordpress.org/Hardening_WordPress

These additional steps can be taken to further secure wordpress websites:

  • Disable the DROP command for the DB_USER. It is not normally needed for any purpose in a WordPress setup
  • Remove the README and license files (important), since these expose version information
  • Move wp-config.php one directory level up, and change its permissions to 400
  • Prevent world reading of the .htaccess file
  • Restrict access to wp-admin to specific IPs only
  • A few more plugins – wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, wordfence, http://wordpress.org/extend/plugins/better-wp-security/. These may help on several occasions
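The file-level items in the list above (README and license files, wp-config.php location and mode, .htaccess readability, wp-admin restricted by IP) can be checked from a shell on the hosting account. The script below is an added example, not code from the original post: it audits a document root for those items, emits an Apache 2.2-style .htaccess body for wp-admin, and demonstrates both on a constructed sample layout. It assumes Apache, as cPanel hosts of that era ran it, and it does not check the DROP privilege, which needs a MySQL session.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress document root
# for the file-level items in the list above. The sample layout it builds is
# constructed; DB privileges (the DROP item) need a MySQL session and are not
# checked here.

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Print one line per finding for the document root in $1; silent when clean.
wp_file_findings() {
  root="$1"
  for f in readme.html license.txt; do
    [ -e "$root/$f" ] && echo "version-disclosing file present: $f"
  done
  [ -e "$root/wp-config.php" ] && echo "wp-config.php is still inside the document root"
  # WordPress also looks one level above the document root for wp-config.php.
  for c in "$root/wp-config.php" "$root/../wp-config.php"; do
    [ -e "$c" ] || continue
    m=$(file_mode "$c")
    [ "$m" = "400" ] || echo "$c has mode $m, expected 400"
  done
  if [ -e "$root/.htaccess" ]; then
    m=$(file_mode "$root/.htaccess")
    case "$m" in
      *[4567]) echo ".htaccess is world-readable (mode $m)" ;;
    esac
  fi
  return 0
}

# Number of findings, for scripting (0 means every checked item is in place).
wp_finding_count() { wp_file_findings "$1" | wc -l | tr -d ' '; }

# Apache 2.2-style .htaccess body that limits a directory (wp-admin) to the
# listed addresses; assumes Apache, as cPanel hosts of the time ran it.
wp_admin_allow_rules() {
  echo "order deny,allow"
  echo "deny from all"
  for ip in "$@"; do echo "allow from $ip"; done
}

# Demo on a constructed layout: a fresh install with the default files, then
# the same tree after applying the list.
demo() {
  tmp=$(mktemp -d); root="$tmp/public_html"; mkdir -p "$root"
  : > "$root/readme.html"; : > "$root/license.txt"
  : > "$root/wp-config.php"; chmod 644 "$root/wp-config.php"
  : > "$root/.htaccess";     chmod 644 "$root/.htaccess"
  echo "before: $(wp_finding_count "$root") findings"; wp_file_findings "$root"

  rm "$root/readme.html" "$root/license.txt"
  mv "$root/wp-config.php" "$tmp/wp-config.php"; chmod 400 "$tmp/wp-config.php"
  chmod 640 "$root/.htaccess"
  mkdir -p "$root/wp-admin"
  wp_admin_allow_rules 203.0.113.5 > "$root/wp-admin/.htaccess"   # 203.0.113.5 is a placeholder admin IP
  echo "after: $(wp_finding_count "$root") findings"
  rm -rf "$tmp"
}
demo
```

Run `wp_file_findings /home/user/public_html` (path assumed) against a real site to list what is still open; the demo's "before" run reports five findings and the "after" run none. Whether .htaccess may be made non-world-readable depends on which user the web server runs as on a given host, so test the site after changing it.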

Also, we recommend using Cloudflare, which is available free with all our hosting accounts, to prevent the attack from affecting the functionality of your site.

Prevent blacklisting: Do these 3 things right now!

The wave of hacked email accounts is hitting some sort of terminal velocity lately. The result of this, as some of you may have seen, is servers ending up on blacklists, which ultimately prevents some of your messages from reaching the intended recipients.

We take every precaution on this end to prevent spam from being sent through our server and staying off of blacklists, but unfortunately, the most vulnerable points of exploitation are on your end. Once your email account or computer is exploited, spam is usually sent aggressively using your credentials. It’s only a matter of time until the entire server ends up on blacklists.

For that reason, we strongly ask that you take all of the steps below. This will be our (and your) best defense against keeping the server off of blacklists:

1. Make sure every email address has a unique password.
If you use the same password from place to place, it’s quite easy for a hacker who gets hold of it to work their way into your email account. For this reason, we strongly recommend that each email address on your account uses a password that’s completely unique and is not used anywhere else (email or otherwise.)

Instructions for changing your email password can be found here.

2. Make sure every computer and device is sending via SSL.
This is extremely important because if you happen to be on public wi-fi and check your email, you’ll want your username and password to be encrypted to the server. If it’s not encrypted, those credentials could fall into the wrong hands and suddenly your account is being used as a source of thousands of spam messages. Please make sure that any computer or device for every email account you host with us is set to both send and receive via SSL.

Instructions for setting up SSL on Apple Mail can be found here.

General instructions for setting up SSL on your mail client can be found here.
(The above instructions can also be used for iPads, iPhones, tablets, etc.)

3. Run a virus scan on your computer.
This is just good policy – especially if you’re on a PC. This is also the source of many mass spam exploits. Many of the recent exploits have been traced to viruses, malware and trojan horses.

PC Antivirus applications:
PC Tools AntiVirus Free AntiVirus Protection
AVG Internet Security

Mac Antivirus applications:
Sophos Anti-Virus for Mac Home Edition
ClamXav 

Selma, Nelson, blacklists and shared server SSLs.

It’s been quite a week and it’s only Tuesday.

I apologize up front for the issues, no matter how big or small, that you may have been experiencing this week. We do our absolute best to keep things running ship shape and problem free but there are times when all of the proper maintenance & attention to detail in the world won’t stop issues from arising. Now is one of those times. When it rains, it pours – or given that it’s winter; when it snows, it blizzards.

Selma

UPDATE: (2/26/13 – 2:15 MST) Our techs were able to get incoming and outgoing mail up during this migration. 

2 days ago Selma began sending us notices that the S.M.A.R.T. status of her hard drive indicated that it may fail soon. This is the purpose of the S.M.A.R.T. status: to give us a heads-up when the drive is legitimately experiencing issues. 9 times out of 10 when this happens we have at least a few days to make a smooth transition to new hardware, with the ability to offer some forewarning to customers on the server that a migration to new hardware will take place. We are also usually able to keep the server running as the files are copied to the new hardware.

Unfortunately, this is not currently the case. The S.M.A.R.T. warning that occurred signaled that the issue was severe and required immediate attention.

Good news: Out of sheer coincidence, we were in the process of provisioning a new server specifically to replace Selma within the next week when this happened. Bad news: The current server required a reboot into rescue mode, which disables all access and file modifications. From the moment the server came back up in rescue mode, a copy of its contents to the new hardware began. It is a long process and until it completes, there will not be access to email. This is inconvenient and very close to a worst-case scenario for us, and we know it is for you too. We will continue to pursue other paths to migration that bring the server up in the meantime, but to be frank, it’s not looking good.

Don’t you have a backup?

We do, but it’s an archival backup and not an exact copy of the main drive. Unfortunately, there’s no way to actually run the server software off of the backup. That’s the bad news.

The good news is that the new hardware will have more redundancy so this should be the last time we experience an issue such as this.

Can’t you just move me to a new server, then?

Yes. That’s what we are doing at this very moment with every account on Selma. At the moment, this can’t be done without downtime due to the severity of the hard drive errors.

Can you re-route my mail to a different server?

Unfortunately, no, we’re not able to do this given the current status of the server. While we know it’s not ideal, we’d recommend setting up a Gmail account and notifying your contacts to reach you there for the time being.

Nelson

Nelson has twice experienced an issue where it has run out of memory, causing the server to stop responding. When this happens, we have rebooted the server and examined the logs looking for the errant source. Both times, so far, the findings were inconclusive.

As a result, we have added additional logging to the server to help us identify the culprit and resolve the issue. I wouldn’t say that we are out of the woods yet, (and luckily these woods are inconvenient rather than disabling), but we see some daylight and the issues on Nelson are close to being resolved.

Blacklists

Where to start on blacklists? Let me start by telling you what MacHighway does to prevent spam:

We don’t offer an open relay. This means that all mail sent through our server must be sent with a valid username and password with an email account. A spammer can’t just send through our server without either hacking an email account (to prevent this make sure all email accounts are sending and receiving via SSL – click here for instructions) or hacking a site (to prevent this keep your WordPress, Joomla, phpBB, Drupal, et al. regularly up to date).

We are on feedback loops with major providers. This means that when someone, for example, on AOL reports a message as spam that originated from our server, we’re aware of it. We can see which account sent it and determine whether it is indeed spam or just an email that was incorrectly marked as spam by the recipient.

Once we can verify that spam is legitimately being sent from our servers….

We stop the spam that is being sent from our servers. We investigate all spam complaints to determine from which account it came, if it was indeed a hack or a misguided attempt from a customer to market their site. We then take the appropriate action to immediately stop the spam messages from leaving the server.

Ending up on blacklists is a fact of shared hosting in 2013. While slow to respond to removal requests, most blacklist proprietors are at least responsive to such requests and understand that even legitimate shared hosts who take all of the necessary precautions still land on lists from time to time. Other list providers act in an almost vindictive manner, assuming that if a server ended up on the list, it must be because they are spammy or irresponsible. These particular blacklist operators refuse to be open to communication in an effort to resolve the problem and, ultimately, any blacklisted server is at their mercy.

We take the responsibility of caring for your site and email very seriously. We are committed to making your hosting experience with MacHighway fuss free. When problems do arise (which they will – because… COMPUTERS) we do our absolute best to resolve them quickly and effectively. Being unable to remove ourselves from blacklists is as much a source of frustration for us as it is for you.

SSL Certificate issues.

It took a little bit of searching, but we’ve concluded that a cPanel update had disabled the shared SSLs for many servers, resulting in certificate errors (mostly on mail) for several customers. Once we identified the source of the issue, the fix was relatively painless. Everything should be working on this front. We don’t expect this to happen again…. unless, of course, cPanel pushes out another update that does this again. Fingers crossed.

Thanks so much for your patience on all of these matters. We recognize that it is never a good time for your email or hosting to be down and we are doing (and will continue to do) everything in our power to minimize downtime and keep your servers running without problems.

If you need us, please contact our 24/7 support department.

Problems with WordPress dashboard and widgets? Here’s a fix.

As of the 3.5 update to WordPress, we started receiving reports from a minority of customers that some functions simply stopped working in the WordPress dashboard. Specifically, the quick edit dashboard panel was unresponsive, under Add New Post the toolbar above the text area wouldn’t populate, and the drag and drop functionality in the Widgets dashboard simply stopped working.

Not being the developer of WordPress, we were short on answers, which is never the preferred position to be in. We like having answers and being able to solve problems.

Thankfully, one of our great customers was able to find a fix and was kind enough to share it with us (so we could pass it along to you.)

By installing the Google Libraries plugin, these functions were immediately restored.

If you find that you’re having similar issues, we recommend trying this fix.

Patty.machighway.com blacklist issues 1/7/2013, 1/8/2013

A customer on the patty.machighway.com server had their email address compromised by a spammer. The spammer then sent several thousand messages out from patty.machighway.com which has caused the server to end up on multiple blacklists. As a result, many of our customers on that server have received bounce-back replies from servers rejecting their messages.

Once the exploit was detected, the offending email account was shut down and spam ceased to be sent from our server.

This is a very unfortunate situation and we’re doing everything we can to resolve the issue. We have been in direct contact with all of the blacklists that patty is listed on and requested removal. Some of these removals are immediate, while others can take up to 2 weeks to delist a server from their blacklist. Unfortunately, the delisting is something we have very little control over. Essentially, all we can do is request removal from the blacklist, which puts the ball in the blacklist’s court.

The best things that you can do to help prevent issues like this in the future are to:

1) Run a virus scan on all computers. We suggest Sophos Home Edition or ClamXav (both free) for Macs.

2) Make sure that all mail apps and mobile devices are set to send and receive email via SSL. Instructions for doing this on Apple’s mail app can be found here: https://customers.machighway.com/knowledgebase.php?action=displayarticle&id=380

Taking these steps will help to prevent your email address from being exploited.

We would like to apologize for any inconvenience you experience as we await removal from these blacklists. We appreciate your patience.

Of cPanel updates and email connection limitations.

Fortunately, only a few of our servers yesterday were negatively affected by a cPanel update that reset our email connection limits.

Unfortunately, a few of our servers yesterday were negatively affected by a cPanel update that reset our email connection limits.

Now, we don’t want to blame cPanel. They offer a robust product and these updates were essential to closing a security gap before it was exploited. This is what good and responsible developers do and we appreciate their attention to addressing potential issues. (We hope that, as a MacHighway customer, you also appreciate that your server isn’t compromised due to a vulnerability.)

Under most circumstances, a reset of the mail connections limit would go unnoticed by an end user. In a traditional scenario, your email client will open a connection, send or receive email, and then close the connection, thus freeing it up for the next party who needs to send or receive….

How to set up a shared photo hub using Gallery on your hosted space.

I recently went to a wedding in Athens, GA for my brother-in-law. The wedding was held at an amazing location, a massive tin factory converted into an artist’s studio with large-scale statues everywhere. Not only was the location awe-inspiring, but the bride and groom also hired a mobile petting zoo with goats and rabbits whose heads were bigger than mine. On top of all of this, a wedding was occurring. Needless to say, there were many pictures taken by friends and family, both near and far.

So, how can we all share our pictures with relative ease, and without having to worry about who owns the pictures once they are uploaded? What follows is my step-by-step walkthrough answering these questions.

Scheduled Maintenance: gil.machighway.com

Maintenance Window:

10/05/2012 between 9:00pm and 10/7/2012 9:00pm CST.

Impacted equipment:

gil.machighway.com

On Friday, October 5, beginning at 9 PM Central time, we will be performing necessary critical maintenance on the server “gil.machighway.com” to replace a failing hard drive. We are also using this opportunity to upgrade the server hardware as well as add an additional redundant drive to ensure disk integrity and minimize downtime in the future.

For extended times during this maintenance period the server will be offline while sites are copied to the new drives. This will mean that your site and email will be inaccessible while this copying is taking place. No email messages sent to you during this period will be lost and will just be delayed in arrival.

For most customers there is nothing you need to do. However, if the name servers for your domain are not set to “ns1.machighway.com” and “ns2.machighway.com”, you will need to log in to the outside provider where you host the DNS for your domain and change any records currently pointing to 74.52.144.114 to 184.173.226.69.

Typically we schedule a 48 hour window to perform this maintenance; this may result in several hours of downtime for each site during this period. Our systems engineers will do everything within their power to ensure the most minimal downtime possible.

We appreciate your patience as we make these necessary and pro-active changes. Please let us know if there are any questions regarding this maintenance =)

When is it spam? A quick guide to knowing when to mark email as spam.

You have 3 emails in your inbox:

Message 1 You’ve received an awful joke of the day message from your cousin. Of course you have; she sends one every day.

Message 2 You’ve received some chain letter that Snopes disproved years ago but a co-worker never checks his sources before blasting out emails to his entire address book.

Message 3 Some person with an unfortunate (and likely fake) name has sent you an email telling you how to be a better lover and asks you to click a link to find out how.

It’s safe to say that you have no use for any of these messages in your inbox. But, only one of them qualifies as spam and should be dealt with as such. Do you know which one that is? Do you know how to handle the other two messages? Read on and we’ll answer these questions.

How to retrieve your forgotten passwords

At the top of this series of posts about passwords, I encouraged you to “Go ahead and forget your passwords.” If you followed this sage advice and did in fact forget your passwords, you will find that this leads to an inevitable problem:

You’ll have forgotten a password.

As much as we’ve trusted our computers to keep our information intact and offloaded from our soft, grey brains, we find that of the hundreds, possibly thousands of passwords we’ve created, we actually need to know what it was that was entered into the “Create New Password” box so long ago.

In this article, I’ll give you tips for finding those passwords locked away in your Mac’s memory, and how to change passwords when neither you, nor your Mac, can recollect your needed password.