December 2005 Newsletter


retep
12-01-2005, 11:51 PM
RimuHosting December News

Our Xen-based VPS plans have been very popular. For the last few months we have been quite busy with setting up new customers. Our hardware vendor has been kept busy supplying us with shiny new dual Xeon (and lately dual Opteron) servers. However, despite all this activity there has not been a lot of news to add to our 'newsletter'. We do have a few things for this month's newsletter...

Web Apps Being Exploited

We have noticed, particularly over the last month or two, a number of customers' servers are being exploited via xmlrpc.php-enabled applications. An attacker will probe URLs on your server to try and find that file, which then allows them to execute whatever code they wish (under the apache user id).

Basically, one can POST the exploit code directly into the vulnerable application and own the underlying server with a few clicks while only one POST request shows up in the server's access log.

Typically the attackers are then using the server to launch ssh attacks on other servers, or send out spam emails.

Quick fix: remove xmlrpc.php files.

Vulnerable applications include (per http://forum.hardened-php.net), but are not limited to:

* Serendipity Weblog (serendipity_xmlrpc.php)
* Drupal (xmlrpc.php)
* TikiWiki (xmlrpc.php)
* phpMyFAQ (xmlrpcs.php)
* Wordpress < 1.5
* phpAdsNew
* eGroupware (not yet verified)
* phpGroupware (not yet verified)
* et al.

We recommend you run this command to check if you have that xmlrpc file on your server: find / | grep xmlrpc.php

If you need any assistance with hardening your server, feel free to pop in a support ticket with us and we will see how best we can help.

/etc/resolv.conf Changes

The file /etc/resolv.conf on your server contains the IP addresses of the name servers your server uses for resolving domain names.

That file on your VPS may contain two IPs that will no longer work after 15 December. You will need to remove them. Otherwise domain lookups on your VPS may take a minute or two to run (while those non-working IPs time out). This can cause seemingly inexplicable slowdowns in applications like mail servers and web servers (which often do a DNS lookup of the name of IPs that connect to them).

Please remove the following IPs from your /etc/resolv.conf file: 66.17.131.9 and 66.17.131.10.

We recommend you set the following values in your /etc/resolv.conf:

nameserver 72.29.96.250
nameserver 207.210.212.202
nameserver 207.99.0.2

Server Monitoring: Introducing Pingability.com

We work hard to provide a reliable hosting service. We purchase good quality hardware, we use reliable data centers and networks, and we monitor our host servers.

We do not monitor individual VPSs however. (Partly because some VPSs are intentionally set up not to be pingable, or not to have a web server running.) This can be a problem for some users, e.g. if your VPS runs out of memory then the Linux kernel out-of-memory killer may kill off a big memory user like mysql or httpd.

If you'd like to have your VPS individually monitored for uptime, then please check out the new http://pingability.com monitoring service that we here have developed and launched. The service is separate from RimuHosting. It has free monitoring options (for infrequent checks, or if you put a 'Monitored by Pingability' button on your homepage) as well as paid monitoring options (that include URL, SMTP, DNS and FTP checks).

Ubuntu Distro Now An Option

Ubuntu is a Linux distro, based on Debian. It has become quite a popular desktop distro of late, and also holds its own as a server-based distro.

We now offer an Ubuntu-based distro. If you are interested in switching to it, just pop in a VPS reinstall ticket, or you can also order a new VPS with it installed by default.

Bliki Blooming

We launched our bliki.rimuhosting.com site a few months back. It is a web site where we post howtos, install docs for commonly requested applications, and notes about some common problems that customers run into. Since the launch we have managed to add a number of new pages, so if you have not visited it lately then it may be a good resource to browse over.

Holiday Operating Hours

From 21 December to 5 January some staff will be taking vacations. We will continue to operate 24x7 for emergencies. But be aware that we may take longer than normal to respond to non-emergency tickets. If you need us to do any work for you, please consider opening a ticket before the holiday period begins.

Hosting Referrals Appreciated

One of the reasons for how well things have been going for us the last few months has been the number of referrals we have received from existing customers. Thank you to everyone who has enjoyed our service enough to recommend us.

If you have friends or colleagues that may require Linux or Java hosting and you think our service would suit them, please mention us to them. If they put your name as their referral source when they order we will pop a $15 hosting credit on your next hosting bill by way of thank you.

Do you feel the need to tell the world about your web host? Then we invite you to place one of our 'hosted by' buttons on your web site. You can see our current selection of buttons at http://rimuhosting.com/linktous.jsp

--
Happy Hosting! Peter Bryant
http://rimuhosting.com
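As an added example (not code from the newsletter or from RimuHosting), the two checks the post recommends, packaged as shell functions: locating the XML-RPC entry-point files named in the post's list, and spotting the two retired nameserver IPs in a resolv.conf. The file names and the retired/recommended IPs are the ones stated above; the directory tree built by make_sample_tree is constructed purely for demonstration. On a real server you would point the functions at / and /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a tree for the XML-RPC
# entry-point files listed in the newsletter and flags retired nameserver IPs
# in a resolv.conf. The sample tree below is constructed for demonstration.

# Retired and recommended nameserver IPs, as stated in the newsletter.
STALE_NS='66.17.131.9 66.17.131.10'
RECOMMENDED_NS='72.29.96.250 207.210.212.202 207.99.0.2'

# List every regular file under $1 whose name is one of the entry points named
# in the post. Matching on -name is more exact than "find / | grep xmlrpc.php",
# which would also report unrelated names such as xmlrpc.php.bak.
find_xmlrpc_files() {
    find "$1" -type f \( -name 'xmlrpc.php' -o -name 'xmlrpcs.php' \
        -o -name 'serendipity_xmlrpc.php' \) 2>/dev/null | sort
}

# Print how many such files exist under $1 (always exits 0).
count_xmlrpc_files() {
    find_xmlrpc_files "$1" | wc -l | tr -d ' '
}

# Print each retired nameserver IP that still appears in resolv.conf file $1.
stale_nameservers() {
    awk -v stale="$STALE_NS" '
        BEGIN { n = split(stale, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        $1 == "nameserver" && ($2 in bad) { print $2 }' "$1"
}

# Emit a cleaned copy of resolv.conf $1 on stdout: retired entries are dropped,
# and the recommended servers are appended if no nameserver line would remain.
clean_resolv_conf() {
    awk -v stale="$STALE_NS" -v rec="$RECOMMENDED_NS" '
        BEGIN { n = split(stale, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        $1 == "nameserver" && ($2 in bad) { next }
        $1 == "nameserver" { kept++ }
        { print }
        END {
            if (!kept) {
                n = split(rec, r, " ")
                for (i = 1; i <= n; i++) print "nameserver " r[i]
            }
        }' "$1"
}

# Build a constructed sample tree: two XML-RPC entry points, one harmless file,
# and a resolv.conf carrying both retired IPs. Prints the temp directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/www/drupal" "$d/www/faq" "$d/www/static"
    : > "$d/www/drupal/xmlrpc.php"
    : > "$d/www/faq/xmlrpcs.php"
    : > "$d/www/static/index.html"
    printf 'search example.com\nnameserver 66.17.131.9\nnameserver 66.17.131.10\n' \
        > "$d/resolv.conf"
    echo "$d"
}

# Demo run against the constructed sample tree.
SAMPLE=$(make_sample_tree)
echo "XML-RPC entry points under $SAMPLE/www:"
find_xmlrpc_files "$SAMPLE/www"
echo "retired nameservers in $SAMPLE/resolv.conf:"
stale_nameservers "$SAMPLE/resolv.conf"
echo "cleaned resolv.conf:"
clean_resolv_conf "$SAMPLE/resolv.conf"
rm -rf "$SAMPLE"
```

clean_resolv_conf only writes to stdout, so review its output before redirecting it over the real /etc/resolv.conf; a VPS whose resolv.conf is regenerated by the provider or a DHCP client will need the change made in that tool's configuration instead.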

retep
12-23-2005, 06:31 AM
Note there is also a Mambo vulnerability (uncovered as of 21 November 2005); see http://forum.mamboserver.com/forumdisplay.php?f=216

We are seeing a number of VPSs exploited by this and the xmlrpc problem.

PLEASE CHECK YOUR VPSs FOR THESE FILES.

Thanks.