Category Archives: Security

Imunify360 Now Available

We are pleased to announce that the Imunify360 security suite is now installed across all of our servers. We evaluated this product for some time and after an extended period of testing we are very confident in its ability to better protect our servers and our clients.

Security has always been at the forefront of our minds and Imunify360 has helped us to take this to the next level. Here are just a few things that Imunify360 provides:

  • Faster, real-time malware scanning – Each file is scanned almost as quickly as it is written. Malware uploaded via the cPanel file manager can even be blocked in real time.
  • Advanced Web Application Firewall – This helps to stop web application attacks before they even reach your website. From known vulnerabilities to more general protection, the WAF examines all traffic to your website for malicious requests.
  • Proactive Defense – Imunify360 is able to detect and block malicious code in real time as it is being executed. Malicious code is often hidden or fetched remotely and Proactive Defense is able to stop this activity in its tracks before it causes harm.
  • Automatic Cleanup – In many cases, Imunify360 is able to remove injected malware from infected files automatically. This is particularly useful for those moving their sites from another host where they may have been previously compromised.

While many of these functionalities were already present on our servers to a degree, Imunify360 has further improved upon these and added even greater security with a focus on prevention. Preventing issues before they occur allows you to better focus your time and resources where they are needed.

Critical WP Plugin Vulnerabilities – All in One SEO

With more than three million active installs, All in One SEO is a very popular WordPress plugin. Two critical vulnerabilities, one privilege escalation and one SQL injection, were recently discovered in all versions of this plugin from 4.0.0 through 4.1.5.2. We have already seen exploitation of these vulnerabilities on client websites. If you are using this plugin, please urgently make sure that you have updated it to the latest version (4.1.5.3) which addresses these vulnerabilities.

Warning: cPanel Phishing Emails

Please be advised that we’ve been seeing an increase in the number of cPanel phishing emails being reported to us. Phishing emails are those that look like legitimate emails but they often contain malicious links disguised as legitimate ones in an attempt to obtain login information from the recipient.

As an example, below is a redacted copy of an email that one of our clients received just a few days ago.

These emails will include your actual domain name and at first glance, will look like a legitimate cPanel disk quota notification. The anchor text of the links even correctly points to cPanel URLs on your domain. However, if you hover over those links, you can see in the bottom left corner that their target is a third party phishing website on an unrelated domain. If you were to enter your cPanel login information at that URL, attackers would then have your login information and use it for malicious purposes.

The best way to avoid getting phished is to not click on links in emails. Instead, visit cPanel or whatever service you need by entering the address directly into your browser. Once you log in, you may find that the details in the email (disk usage in this case) don’t align with reality, which can be a good indicator that this was a phishing attempt. In this particular case, though, the client’s domain was actually quite full, so that alone wasn’t enough to tell the message apart from a legitimate notification.

If you ever have concerns about the legitimacy of any such email notifications just submit a ticket with the full headers and source of the message and we would be happy to take a look for you. It’s always best, though, to just assume the worst and not click on any of these links. Instead, just enter your desired destination directly in your browser.
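The tell described above, anchor text that reads like a cPanel URL on your own domain while the link target sits on an unrelated host, can be checked mechanically before anyone hovers over anything. The following is an added example written for this post, not code from Dathorn or cPanel: it parses the HTML part of a message and reports every link whose visible text names your domain but whose href resolves elsewhere. The sample message, the domain example.com and the host phish.invalid are constructed placeholders.

```python
"""Flag HTML links whose visible text claims one site but whose href points elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on a fake cPanel quota notice: the visible link text is on
# the customer's domain (example.com) while two hrefs go to an unrelated host (phish.invalid).
SAMPLE_EMAIL_HTML = """
<p>Your disk quota for example.com is 98% full.</p>
<p>Log in at <a href="https://phish.invalid/cpanel/login">https://example.com:2083/</a>
to free space, or see <a href="https://example.com:2083/">https://example.com:2083/</a>.</p>
<p><a href="http://phish.invalid/x">example.com/cpanel</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Lower-cased host of a URL or of a bare 'host/path' string; '' if it is not URL-like."""
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""


def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def find_mismatched_links(html, expected_domain):
    """Return links whose visible text names expected_domain but whose href host does not.

    Links whose text is ordinary words ("click here") are ignored: the check targets the
    specific trick of showing a trustworthy-looking URL while pointing somewhere else.
    """
    parser = _LinkCollector()
    parser.feed(html)
    expected = expected_domain.lower()
    suspicious = []
    for href, text in parser.links:
        if not text or not _belongs_to(_host_of(text), expected):
            continue  # visible text does not claim to be our domain
        href_host = _host_of(href)
        if _belongs_to(href_host, expected):
            continue  # text and target agree
        suspicious.append({"text": text, "href": href, "href_host": href_host})
    return suspicious


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML, "example.com"):
        print(f"text says {hit['text']!r} but link goes to {hit['href_host']}")
```

On the sample message the first and third links are reported and the second, whose text and target agree, is not. A mail gateway or a support technician reviewing a forwarded message with full source can run the same check; it does not replace the advice above to type the address yourself, it just makes the mismatch visible without hovering.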

Critical WP File Manager Plugin Vulnerability

The WordPress plugin File Manager contains a critical vulnerability that is actively being exploited by attackers to compromise WordPress sites. We saw a handful of these incidents on September 1st as the attacks were just starting to ramp up and a few more since then. Fortunately, in these cases the solution has been relatively simple: restore from a prior backup and delete the plugin.

This particular vulnerability has been present in the plugin since version 6.4, which was released in May. It was patched with the release of 6.9 on September 1st.

Due to the rate at which these attacks were occurring, we have proactively identified every instance of a vulnerable version of this plugin in use on our servers and have removed it. Since this plugin merely offers a file management interface within the WordPress admin section, removing it doesn’t impact the functionality of the website. Users are welcome to re-install the latest version of this plugin if so desired.

This particular incident does bring to light an important topic, though. It is best practice to use as few plugins as possible, and those that aren’t needed should be deleted (not just deactivated). There is certainly an argument to be made that a file manager plugin like this should never be installed, but even if you disagree with that, there really isn’t strong justification for keeping a plugin like this installed beyond its intended use. It just allows another possible point of entry for attackers to exploit should a vulnerability be found.

Please keep this in mind as you continue to develop and secure your WordPress instances. If we can help in any way, please drop us a ticket and we’ll be happy to do so.

Beta: Dathorn WordPress Scanner

WordPress is not only the most popular script that we host, it is also most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these items are always kept updated to help prevent a compromise.

This can be a confusing process because the WP admin interface may not accurately portray certain situations. For example, if you’ve installed a plugin or theme outside of the WordPress repository, it may always show no updates being available even though that is not the case. The WP admin interface also doesn’t warn when something hasn’t received an update in a while, indicating it may no longer be actively maintained. These are both scenarios that require special attention but are easily overlooked.

Further, if a WordPress site is compromised due to a vulnerability it can be very difficult to get the site back online in a secure state. Typically, we recommend a complete fresh re-install because there is no easy way to tell what attackers may have modified or left behind. Last modified dates on files can’t even be trusted once an account has been compromised.

Hardware Upgrades Complete!

Our goal is to provide the best performing, most reliable service that we can and a lot of this comes down to the hardware that we use. Newer hardware can easily provide performance benefits but proper deployment of it is crucial as far as reliability and security is concerned. We always try to avoid any service interruption whenever possible and building redundancies into our infrastructure has allowed us to do this more easily.

Over the past five months, we’ve been working diligently to overhaul our entire hosting infrastructure. The individual server upgrades were a big part of this process and these were all completed by the end of July. Behind the scenes, though, our work has gone far beyond just the server upgrades. We’ve also upgraded every other piece of hardware that has a role in providing our services. All switches, power distribution, and even cabling has received upgrades in some form or another.

  • Switches – All of our public and private network switches have been replaced, which provides greater performance and continued security updates. This was done without impacting any services and with zero downtime on our public network. Our private network has received an even bigger overhaul and is now entirely 10G, allowing for even better backup performance.
  • Power Distribution – All of our in-rack PDUs have been replaced with new zero U PDUs. This has saved at least 4U per cabinet and cleaned them up considerably. The new PDUs also have additional control and monitoring features. Because all of our gear has redundant power, we were able to swap these out without any power loss or downtime.
  • Cabling – As a result of the PDU changes, we wanted to re-cable everything to clean it up and allow for even better airflow. New slim Cat6A cables handle 1G connectivity and most 10G connectivity is over DAC.

Many other items were upgraded over these past few months as well. I just wanted to provide a brief look behind the scenes here that you wouldn’t otherwise know about. We’re very focused on providing the best service possible and our continual hardware upgrades play a large role in this.

Forcing HTTPS Connectivity

Once you have an SSL certificate installed, it is good standard practice to make sure that all requests on your website use HTTPS. Our last post concerning mixed content covered one aspect of this. One other important element, which we’ll discuss here, is to force HTTP requests to use HTTPS instead. This way, if someone tries to visit your site via http://domain.com the request will be redirected to https://domain.com.

There are many different ways to accomplish this but if you’re using something like WordPress, for example, you might want to see if the functionality is built-in or if a plugin is available that could make this process easier. In this case, the Really Simple SSL plugin for WordPress is a great option and can even correct mixed content issues automatically.

Another common but easy way to handle this is by adding a simple mod_rewrite rule to your site’s .htaccess file. There are a lot of perfectly valid variations of these rules to get the desired result. A good generic option is:

# Enable mod_rewrite for this directory
RewriteEngine On
# Match only requests that did not arrive over TLS
RewriteCond %{HTTPS} !on
# Send a permanent (301) redirect to the same host and request URI over HTTPS,
# then stop processing further rules (L)
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
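Once a rule like this is in place, the thing to verify is that a plain-HTTP request for a deep link comes back as a redirect whose Location is the same host and path (query string included) over https://. The script below is an added example, not part of the original post or of any Dathorn tooling: it stands up a tiny local HTTP listener that behaves like the rewrite rule, then checks it the way a browser or monitoring probe would, without following the redirect. The host name example.com and the request path are constructed for the demonstration; check_http_redirect itself works against any HTTP host and port you point it at.

```python
"""Emulate the HTTP->HTTPS rewrite rule locally and verify the redirect like a client would."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def https_redirect_target(host, request_uri):
    """Build the Location the rule produces: https://%{HTTP_HOST}%{REQUEST_URI}.

    REQUEST_URI carries the path and the query string, so deep links survive the redirect.
    """
    return f"https://{host}{request_uri}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Stand-in for the plain-HTTP vhost: every request gets a 301 to the HTTPS origin."""

    def do_GET(self):
        host = self.headers.get("Host", "localhost")
        self.send_response(301)
        self.send_header("Location", https_redirect_target(host, self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_local_redirector():
    """Start the stand-in server on an ephemeral 127.0.0.1 port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_http_redirect(host, port, path, host_header=None):
    """GET path over plain HTTP without following redirects and report what came back.

    Returns (status, location, ok); ok is True when the response is a redirect
    (301/302/307/308) whose Location is an https:// URL.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header or host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    ok = resp.status in (301, 302, 307, 308) and bool(location) and location.startswith("https://")
    return resp.status, location, ok


if __name__ == "__main__":
    server, port = start_local_redirector()
    try:
        # Constructed request: a deep link with a query string, Host set as a browser would.
        print(check_http_redirect("127.0.0.1", port, "/blog/post?id=7&x=y", host_header="example.com"))
    finally:
        server.shutdown()
        server.server_close()
```

Because the rule builds the target from %{HTTP_HOST}, whatever the client sends in its Host header is echoed into Location; Apache's virtual host matching normally confines that to names the site actually answers for, but if you would rather not depend on it, write the canonical host name into the RewriteRule target instead of %{HTTP_HOST}.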


HTTPS & Mixed Content

With Chrome now labeling sites accessed via regular HTTP as “Not Secure”, SSL/TLS support is becoming even more common. However, simply installing an SSL certificate doesn’t necessarily result in your site showing up as “Secure” (Chrome) or with a green padlock (Firefox). Instead, you might see the following in the Firefox URL bar:

And in Chrome you might see this in the security overview (Menu -> More Tools -> Developer Tools -> Security):

Although not immediately clear from the Firefox URL bar, you can see from Chrome that the issue is with mixed content being loaded. This means that although the page was accessed via HTTPS, regular HTTP content is being loaded within it. For this example, the page in question has the following code in it:

<img src="http://demo.dathorn.com/logo.png">
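Browser developer tools will show you the offending request, but on a site with many templates it is quicker to scan the HTML for sub-resources that an HTTPS page would fetch over plain HTTP. The scanner below is an added example written for this post, not code from Dathorn: it walks the tags that trigger a fetch (img, script, stylesheet links, iframes, media and srcset candidates), resolves each URL against the page URL, and reports the ones whose scheme is http. The sample page is constructed for the demonstration; it includes the logo tag quoted above and some made-up cdn.example.com and img.example.com references.

```python
"""Find mixed-content sub-resources in the HTML of a page served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch something. Protocol-relative (//host/...)
# and https:// URLs inherit or use TLS; explicit http:// URLs are mixed content.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}
# <link> only fetches for these rel values; canonical/alternate and the like do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}

# Constructed sample page: the logo tag from the post plus invented example.com resources.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://demo.dathorn.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/analytics.js"></script>
</head><body>
<img src="http://demo.dathorn.com/logo.png">
<img src="/images/ok.png">
<img srcset="http://img.example.com/a.png 1x, https://img.example.com/a@2x.png 2x">
<a href="http://example.com/page">navigation links are not mixed content</a>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if rel and not rel & FETCHING_LINK_RELS:
                return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # srcset is "url descriptor, url descriptor, ..."; keep the URL of each candidate
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for url in candidates:
                absolute = urljoin(self.page_url, url)
                if urlparse(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))


def find_mixed_content(html, page_url):
    """Return [(tag, attr, url)] for every sub-resource the page would load over plain HTTP."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE, "https://demo.dathorn.com/"):
        print(f"<{tag} {attr}> loads {url} over HTTP")
```

The fix for each finding is to reference the resource as https:// or protocol-relative, as the post goes on to explain; where you cannot edit every template, the Content-Security-Policy directive upgrade-insecure-requests tells supporting browsers to rewrite such fetches to HTTPS themselves, though the scanner remains useful for confirming the source is clean.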


Critical Drupal Updates

Although these Drupal vulnerabilities were posted to our script security forum, which we recommend you subscribe to, we wanted to give this situation as much visibility as possible. Over the past month there have been two critical Drupal updates released. Both of these address a remote code execution vulnerability, which is at the very top of the scale as far as severity is concerned. The most recent update was just released yesterday (April 25th) and further details on it can be found here. You need to make sure that your Drupal is updated to either version 7.59 or 8.5.3. Drupal 6 hasn’t been officially supported for more than 2 years and should be updated to at least 7.x.

The first vulnerability has been heavily targeted by bots for over a week now. We do have web application firewall (WAF) rules in place to defend against this but the WAF shouldn’t be considered a long term solution. The best option is always to update your scripts as soon as possible. Failure to do so may result in a complete compromise of the cPanel account in question. We’re still evaluating this latest vulnerability for inclusion in our WAF rules.

If you have any questions or run into any issues please drop us a ticket via our portal.