Although these Drupal vulnerabilities were posted to our script security forum, which we recommend you subscribe to, we wanted to give this situation as much visibility as possible. Over the past month there have been two critical Drupal updates released. Both of these address a remote code execution vulnerability, which is at the very top of the scale as far as severity is concerned. The most recent update was just released yesterday (April 25th) and further details on it can be found here. You need to make sure that your Drupal is updated to either version 7.59 or 8.5.3. Drupal 6 hasn’t been officially supported for more than 2 years and should be updated to at least 7.x.
The first vulnerability has been heavily targeted by bots for over a week now. We do have web application firewall (WAF) rules in place to defend against this but the WAF shouldn’t be considered a long term solution. The best option is always to update your scripts as soon as possible. Failure to do so may result in a complete compromise of the cPanel account in question. We’re still evaluating this latest vulnerability for inclusion in our WAF rules.
If you have any questions or run into any issues please drop us a ticket via our portal.
We’re happy to announce that PHP 7.2 is now available on all of our hosting servers. It is also now the default version of PHP for all newly created cPanel accounts. PHP 5.4, 5.5, 5.6, 7.0, and 7.1 remain available as alternative options using the “Select PHP Version” link from within cPanel. A short guide on the use of PHP Selector can be found here.
The PHP version for all existing cPanel accounts has not changed, though you can use PHP Selector to change this at any time.
PHP 7.2 comes with numerous improvements and new features such as
If your applications support PHP 7.2, we do recommend making the switch. PHP Selector makes this process very simple and you can easily revert to any prior version of PHP at any time, if needed.
As we reach the end of 2017, I wanted to give a quick update on what’s been happening here behind the scenes over the past few months.
In our previous post, we covered our switch from SpamTitan to SpamExperts as a paid inbound email filtering option. Over the past couple of months we’ve now also migrated all outbound email filtering from SpamTitan to a completely custom setup utilizing SpamAssassin, ClamAV, and other software. This now completes our migration away from SpamTitan and has resulted in far better email filtering accuracy.
We’ve also been working to expand our offsite backup capacity and were finally able to complete this a couple of weeks ago. This was done in preparation for our not so secret plan to once again increase all of our hosting plan limits for everyone in the near future. We hope to roll these changes out during the first quarter of 2018.
The cPanel 66 and 68 updates have come and gone as well. There really wasn’t too much included that you’d have noticed from an end user standpoint. cPanel 70 will be available soon and will be much of the same as it mainly focuses on bug fixes.
Most importantly, though, is that December 12th officially marked our 15th year in business! There aren’t many hosting companies out there that can claim that, let alone without a change in ownership. We’ve been a resource you can rely on for 15 years and fully intend to remain as such for many more years to come. Thank you all very much for your continued partnerships and we wish you all a very Happy New Year!
While the SpamTitan product has been great to us for the past four and a half years, it has become less effective at filtering out spam and the per email address pricing has always been a concern. Over the past several months, we have been hard at work preparing a better solution for you.
We are very proud to announce that we are now a SpamExperts partner. Not only has our testing shown them to be superior at spam filtering, we’re confident you’ll be pleased with the pricing as well. You no longer have to worry about how many email addresses are on your domain. In place of SpamTitan’s $1.00 per user we’re offering SpamExperts at $2.00 per domain. This has resulted in a significant cost reduction for many of our clients while also offering a better service.
We completed the migration of all SpamTitan users over to SpamExperts early last week and have since opened up the service offering for all clients. A free 30 day trial is available if you would like to give it a try, just submit a ticket to request it. Additional information can be found here.
We have quite a few other ongoing projects currently so stay tuned for more updates!
cPanel’s Web Disk feature allows you to easily manage your cPanel account files beyond what can be accomplished via FTP/SFTP or the file manager. In many cases, you can even have the account’s data show up as a local folder on your computer, making it very familiar to work with. With cPanel’s free Web Desk iOS app, you can also achieve this same connectivity from your iOS devices. Once you’ve downloaded the app, you can simply add the account that you wish to connect with.
Once you’ve saved your new server, you can simply select it to connect and you’ll immediately see the data that is on the account.
This interface allows you to perform all common tasks such as downloading, uploading, renaming, creating folders, etc. from the convenience of your phone. As iOS 11 is released with the new Files app, this should prove to be even more useful. Give it a try and let us know your thoughts!
A couple years ago, we published a post on the proper configuration of SPF records when sending emails through our servers. Although not a default configuration, this is very important when you’re enforcing validation of SPF using “-all”. Due to some internal changes, the required entry has changed a little. Previously, you needed to add an A record for spf.gzo.com (+a:spf.gzo.com) and now you’ll need to simply include spf.gzo.com (+include:spf.gzo.com). A screenshot of this entered correctly in cPanel is shown below.
For those with DNS hosted by us, your SPF record has already been updated with this change. If you’re not hosting your DNS with us, the existing A record will continue to function normally in the short term, but please be sure to make the necessary change. If you have any questions or concerns, please submit a ticket and we’ll be happy to assist.
It has been a little while since we posted an update on what we’re working on behind the scenes here at Dathorn, so I wanted to take a quick moment to share. While it is easy to notice new features or see us working on your helpdesk tickets, much of our work goes completely unnoticed. That is, after all, our goal. We try to perform all updates, maintenance, etc. without any impact to your service.
While software patches and security updates are an ongoing battle, there have been a few noteworthy items as of late. You may have already heard about “Stack Clash”, a local privilege escalation vulnerability present in most Linux and BSD systems. Fortunately, we were able to quickly protect our servers against this without any service interruption, thanks to KernelCare. Traditionally, such kernel updates would require a reboot of each server but that has long been a thing of the past for us.
A few security issues have also been addressed in OpenVPN, including a remote code execution vulnerability. While serious, all of our instances were patched immediately and the severity of this particular issue for us was much lower since we only use OpenVPN internally for accessing certain private resources, such as IPMI on our servers. This had a much greater impact on VPN providers. Continue reading
Office 365 has quickly become a popular option for clients requiring Exchange hosted email. As a result, we frequently see tickets seeking help with setting up the required DNS records. Even if you’re familiar with editing DNS zones, the required SRV records may throw you off.
Microsoft does provide a general guide for all of the necessary DNS records here but it doesn’t specifically address adding them via WHM or cPanel. If you have WHM access, using the “Edit DNS Zone” link under “DNS Functions” on the left menu will be the easiest option. From there you can add the necessary records at the bottom of the page. You will have to do this in batches since there aren’t enough fields to add all of the records in at once. Once you’re done, the added records should look like this:
You’ll notice we’re using “dathornexample.com” as the domain there. Your own records will instead use your own domain. The “msXXXXXXXX” value is provided by Microsoft to verify your domain, yours will have numbers instead of the placeholder X’s. When editing DNS records via WHM, you should always put quotes around TXT values, as can be seen in the SPF record above. You’ll notice the other “MS=” TXT record doesn’t have quotes shown, that’s because they were automatically removed since they were not needed in that case. With WHM, you’re best off putting quotes around the TXT values and letting WHM decide what to do. Continue reading
Back in January, cPanel released their official iOS app and have subsequently released a few updates since then. In its current form it is still rather basic but it can be useful nonetheless. Upon running the app for the first time you’re prompted to enter server and login information for cPanel, WHM or Webmail.
You’ll notice the ability to enable TouchID. This is particularly handy so that you don’t have to re-enter login information again, you can simply use TouchID to authenticate just as many other apps already take advantage of. Unfortunately, that’s pretty much the extent of this app. When you connect to WHM you’ll see the standard web interface which is not mobile friendly. Continue reading
A rather serious Linux kernel vulnerability (CVE-2017-6074) was publicized on Wednesday (2/22). This vulnerability has been present since 2006 so it affects a large number of systems and distributions, many of which are no longer maintained. Thanks to KernelCare, our servers were all patched within a few hours of this having been published without any service impact.
If you use or manage any other Linux systems, hosting related or otherwise, you should make sure that they have been patched as well. This vulnerability could ultimately result in a local user compromising the entire system. Likewise, if you’re using devices or operating systems that aren’t being maintained and thus won’t be patched at all, now would be a good time to upgrade.
While on the topic of security updates, I do also want to mention the critical WordPress 4.7.2 update that was released about a month ago. If you are running WordPress 4.7 and have some how managed to not upgrade to 4.7.2 by now, you should do so immediately.
As always, we will continue to stay on top of these security updates, keeping you safe and informed.