retep
01-02-2006, 09:16 PM
January Hosting Receipt and Newsletter: RimuHosting 2005 Recap
Happy New Year! I hope 2005 was a success for you. Through the year we have been fortunate enough to set up many new customers. Thank you to everyone who referred their friends and colleagues to us; this has been a major and much appreciated source of new business.
We completed a number of key projects in 2005. They have helped us improve the service and support we offer to our customers. Some highlights:
* Our Backup MX (mail server) started relaying mail for customers who needed to use it.
* The website went through a couple of design tweaks (though someone recently compared it to 'something out of 1996', oh well)
* We added dozens of new howto articles (many on the new bliki.rimuhosting.com site).
* Our ordering pages now offer FC3, RHEL4 and Ubuntu distros.
* Huw and Essien joined our support staff ranks. Their knowledge and expertise have helped improve the depth of our support and helped extend our support coverage. The 'worst case' wait time for support tickets has reduced to just a few hours for the vast majority of support requests, with most requests being answered within the hour.
* We launched our Xen-based VPS hosting options. The dedicated server-like performance we get from Xen still amazes me and its reliability has been terrific.
* We launched a sister web site pingability.com (the website monitoring and alert service).
* We have been busy making many backend changes. Most of these are not visible to end users. But they help us to better manage our servers and they help to improve support response times and hosting reliability.
Server Exploits
December was a rough month for VPSs being hit by worms that exploit vulnerable webapps. Exploited servers randomly probe URLs and domains to find these vulnerable webapps. Then they execute whatever code they wish on those servers. Typically they turn the exploited servers into spam drones or use the targeted server to attack and exploit other servers.
Currently at the top of the list are two exploits: xmlrpc (used in many web applications) and Mambo. Please read the following in case you have installed these applications and need to fix them.
Mambo Exploits
The Mambo vulnerability was uncovered on 21 November per http://forum.mamboserver.com/forumdisplay.php?f=216/
The following bash script can find and move the problematic files out of the way (to /root). It passes file names NUL-separated so that paths containing spaces are handled correctly:
find /var/www /home -name index.php -print0 | xargs -0 -r grep -ilZ "mambo is free software" | while IFS= read -r -d '' f; do echo "$f"; mv -- "$f" "/root/$(echo "$f" | sed 's/\//_/g')"; done
You would then need to apply the Mambo-supplied patch to those files to fix them.
Web Apps With xmlrpc Being Exploited
We have noticed, particularly over the last month or two, that a number of customers' servers are being exploited via xmlrpc.php-enabled applications. An attacker will probe URLs on your server to try to find that file, which then allows them to execute whatever code they wish (under the apache user id).
Basically, one can POST the exploit code directly into the vulnerable application and own the underlying server with a few clicks while only one POST request shows up in the server's access log.
Typically the attackers are then using the server to launch ssh attacks on other servers, or send out spam emails.
Quick fix: remove xmlrpc.php files.
Vulnerable applications include (per http://forum.hardened-php.net), but are not limited to:
* Serendipity Weblog (serendipity_xmlrpc.php)
* Drupal (xmlrpc.php)
* TikiWiki (xmlrpc.php)
* phpMyFAQ (xmlrpcs.php)
* Wordpress < 1.5
* phpAdsNew
* eGroupware (not yet verified)
* phpGroupware (not yet verified)
* et al.
We recommend you run this command to check if you have that xmlrpc file on your server: for dir in /var/www /home ; do find $dir | grep rpc; done
If you need any assistance with hardening your server, feel free to pop in a support ticket with us and we will see how best we can help.
Hosting Referrals Appreciated
If you have friends or colleagues that may require Linux or Java hosting and you think our service would suit them, please mention us to them. If they put your name as their referral source when they order we will pop a $15 hosting credit on your next hosting bill by way of thank you.
Do you feel the need to tell the world about your web host? Then we invite you to place one of our 'hosted by' buttons on your web site. You can see our current selection of buttons at http://rimuhosting.com/linktous.jsp
--
Happy Hosting! Peter Bryant
http://rimuhosting.com
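An added example, not part of the original newsletter: because the xmlrpc section notes that a compromise may leave only a single POST request in the access log, this script lists POST requests to the endpoint file names from the list above, grouped by client, path and status. It assumes Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```bash
# Added example (not from the newsletter). Assumes Apache common/combined format.
# xmlrpc_posts [LOGFILE]: print "count client path status" for each POST to an
# XML-RPC endpoint file named in the list above; reads stdin if no file is given.
# A 200 means the file exists and answered; a 404 is a probe that missed.
xmlrpc_posts() {
  awk '
    # $1 client, $6 "\"METHOD", $7 request path, $9 status code
    $6 == "\"POST" {
      path = $7
      sub(/\?.*/, "", path)            # ignore any query string
      n = split(path, parts, "/")
      file = tolower(parts[n])         # last path component
      if (file == "xmlrpc.php" || file == "xmlrpcs.php" ||
          file == "serendipity_xmlrpc.php")
        hits[$1 " " path " " $9]++
    }
    END { for (k in hits) print hits[k], k }
  ' "${1:--}" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log lines (documentation-range addresses, not real traffic).
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [28/Dec/2005:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Dec/2005:03:14:09 +0000] "GET /xmlrpc.php HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [28/Dec/2005:03:14:10 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 312 "-" "-"
198.51.100.7 - - [28/Dec/2005:03:14:11 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [28/Dec/2005:04:00:00 +0000] "POST /faq/xmlrpcs.php?x=1 HTTP/1.1" 200 98 "-" "-"
192.0.2.10 - - [28/Dec/2005:04:01:00 +0000] "POST /contact.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
EOF
}

# Demo on the sample; on a server, pass the real access log path as the argument.
sample_log | xmlrpc_posts
```

Any client shown with a 200 against one of these files is worth following up, for example by checking what that web application did around the logged time.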