[General] Mail Server Upgrades

As noted in this post back on June 17th, we switched some of the mail server software on one our servers due to ongoing issues. The switch to that software has yielded great performance gains on that server and as a result we are going to be pushing this upgrade out to our other servers.

We did not experience any issues nor were any support issues raised when this server was upgraded on June 17th. This leads us to believe that the migration to this new software is straightforward and users are not expected to experience any issues with the upgrade.

Still, worth mentioning, this upgrade has the potential to cause the following issues:

• Users who have their IMAP account set up to automatically purge their trash may notice issues with this with the new mail server software.
• Users who use the POP protocol to check their mail, but leave a copy of the messages on the server, may see all of their mail downloaded into their e-mail program once again.

Because we want to make sure that there are not any wide-ranging adverse effects to this upgrade, we are going to be upgrading only one server at this time, and monitoring the server and tickets for any issues, before rolling the changes out to all of our servers.

Users of the server soft2.wznoc.com will be the next users to have this upgrade. We are scheduling this upgrade to take place around 8PM CDT on Thursday, August 12th. The POP and IMAP services will be offline while this upgrade takes place, which shouldn’t take but about 30 minutes, although we are going to allocate 2 hours for this upgrade.

To see if you are on soft2.wznoc.com and will be affected by this, visit our Server Identification Page at:

http://www.amshelp.com/identify.php

and enter your domain name. If the results shows soft2.wznoc.com then you will be affected by this.

Please refer back to this post for any updates concerning this upgrade.

Steven

August 9, 2010 | Filed Under General

[Security] e107 Vulnerabilities

We have spent the last few weeks working to write a set of comprehensive script version checkers. The purpose of this is so that we can check the accounts on our servers and use it to notify our clients when they have outdated software.

As it has been pointed out in our Security Guide series, Keeping Scripts Up-To-Date is one of the best things you can do to insure that your website stays safe from hackers and other malicious users.

While these script version checkers still are not complete and are still going through quality assurance, we have found that a lot of e107 scripts are being exploited on our servers. As such, we will be using our e107 script version checker to find and identify accounts that have outdated e107 scripts and we will be sending out notices to those accounts. While we would have liked to have waited until this system was completely finished, we believe identifying outdated e107 scripts now is in everyone’s best interest.

If you receive one of these notices, please take the necessary steps to update your e107 script so that it does not lead to your account being compromised.

Because we are seeing so many e107 based accounts being exploited and compromised, we will have to disable those accounts that continue to run and use an outdated e107 script on their website. These websites that get exploited cause undue strain and affect the overall quality of our servers.

Scott

August 4, 2010 | Filed Under General

[General] Online Ticket System

We often get questions and inquiries directed to us that are e-mailed directly to us and not through our online ticket system. The online ticket system is an important aspect of the service that we provide.

Our online ticket system has recently been redesigned to make it easier to complete and submit a ticket. You can always access our Account Management Area at:

http://www.amshelp.com
(You may want to bookmark this link for future reference)

Where there are two links to our ticket system, the Contact Form and Support Ticket link. Either of these links will take you to a page where you can submit a ticket.

Sending us a direct e-mail, bypassing the online ticket system, is not recommended. The four main reasons for this are:

• Account ownership verification

• Anti-spam and spam overload

• Cataloging and referencing

• Receipt confirmation

Account ownership verification
For some tasks, whether they be support, sales, or billing related, require some form of verification that you are who you say you are. For example, if I wrote in to my host requesting that the MX records for domain name to be changed, I would be flabbergasted and upset if they did not require some form of account verification before making the changes. The MX records tells the rest of the Internet where to deliver mail that is address to your domain name. If no verification is asked for to validate the request, then potentially anyone could make this request, which is a huge security issue.

Sending your account password in plain e-mail is never recommended. Our online ticket system uses SSL to secure the connection and uses encryption to encrypt the password fields. By using the online ticket system you can enter your account password, or the last four digits of the credit card used to pay for the account, and we can verify that you are in fact the owner of the account, which can be used to validate your request.

Anti-spam and spam overload
Nobody likes spam. Everybody receives spam. We receive a ton of spam messages everyday. Weeding through these spam messages can be a daunting task. Our online ticket system bypasses all of our anti-spam filters and anti-spam measures and those messages go directly to our customer service representatives. This means that if you send us an e-mail, and choose not to use our online ticket system, you run a great chance that the message will get lost in our daily spam clutter. While we try to read through all of the e-mail messages we receive and pick out what is spam/what is not spam, what was incorrectly marked as spam/what was not incorrectly marked as spam, etc, this task can be simplified if clients would just use our online ticket system, and then those messages would go directly to our customer service representatives where the issue can be looked at and resolved quickly. By choosing not to use our online ticket system you may experience delays in having your inquiry looked into, because we cannot continuously monitor the messages that bypass our ticket system. Simply put, inquiries that are raised through our online ticket system get a greater priority.

It is worth mentioning that once a ticket has been opened, you can continue to reply back on that ticket, just be sure to preserve the subject line (Having “Re:” in the subject is acceptable). Our ticket system works by recognizing and letting open ticket messages pass through our e-mail system and go directly to our customer service team. Once a ticket is opened, replies to that ticket are designed to pass through our system.

We do ask that you keep a ticket to one issue. If you open a ticket and then two weeks later experience a completely separate issue that you want looked into, please open another ticket. This helps with the third point.

Cataloging and referencing
This is more of an internal aspect. When you submit a ticket through our online ticket system it is assigned a unique ID number. This allows us to catalog and reference that ticket ID to a particular issue. If a support ticket is raised and our techs and system administrators need to collaborate on that issue, they can easily tell each other that this is in reference to ticket number xxxxxx.

This also allows us to catalog issues. If you experience an issue that perhaps we have not dealt with before, we can make a note of this and the ticket ID and catalog it. This way if someone else experiences this issue in the future, we can refer back to this ticket ID to see what steps were taken to resolve the issue.

Likewise, having the ticket ID helps you – the client – because you have something to reference later. Which brings us to our fourth reason.

Receipt Confirmation
Our online ticket system is designed to provide the submitter with a receipt, a confirmation that the ticket was received. This receipt confirmation works similar to an auto-responder, but it is not the same as an auto-responder.

We have one server that sits in our service cabinet in our office. All online ticket submissions are sent directly to that server. That server then distributes out the ticket to the appropriate customer service area. Once it has done this, it sends a confirmation message back to the ticket submitter, letting them know that the ticket has been received and dispatched to the appropriate party. This is why there may be a slight delay between submitting a ticket and receiving the ticket receipt confirmation.

This receipt confirmation serves two main purposes. One, it lets you know that we did receive your message and that we will be responding shortly. If you do not receive the receipt confirmation, then this likely means that you did not successfully complete the online ticket form or that you used an e-mail address that is unable to receive messages, in which case you won’t receive our replies from our customer service representative. You may want to check your spam box for delivery of the receipt confirmation message. If you do not receive a receipt confirmation within 10 to 15 minutes of submitting the ticket, then go ahead and submit a new ticket as we may not have received your first try.

Secondly, the receipt confirmation message provides you with details about the ticket. The receipt confirmation message will be sent to the e-mail address that we will be replying to and it also gives you the ticket ID of that request. If, for some reason, you never receive a reply back from our customer service team or if you wish to further reference the incident, you can always refer to that ticket ID.

These are all reasons why we stress using our online ticket system. Because we want to insure that you get quality and prompt service for any issue or question you might have, using the online ticket system insures that this will happen. Not using the provided online ticket system causes you to run risks in how your inquiry will be received and handled.

Scott

August 2, 2010 | Filed Under General

[General] PHP 5.2.14 Update

We are beginning the roll-out of PHP 5.2.14 on our servers. This is the latest version of the PHP 5.2 tree, and consequently the final release of the PHP 5.2 release tree.

For those interested the release notes for PHP 5.2.14 can be found at the link below

PHP 5.2.14 Released!

For the vast majority of users, you will not see any changes. These minor PHP upgrades (i.e. 5.2.13 to 5.2.14) are generally just security updates and have little or no bearing on the operation of any scripts.

As stated, this is expected to be the final release of the PHP 5.2 tree. Some security issues may be addressed if they come up with this version. But basically the PHP developers are encouraging users to upgrade to PHP 5.3. We don’t yet have a roadmap for putting PHP 5.3 on our servers, we will be investigating that in the weeks ahead.

For users that want to get a head start on this, you should e-mail or contact the vendors or developers of the scripts that you are using on your website and see if they are compatible with PHP 5.3. If they are not, point the vendor or developer to the PHP 5.2.14 release notes which states that the PHP developers are encouraging the adoption of PHP 5.3 and that every effort should be made to get the script ready for PHP 5.3.

Thank You
Scott

July 26, 2010 | Filed Under General

[Security] Joomla! 1.5.20 Released

The Joomla! developers have released a new version of their CMS software, version 1.5.20. The release notes for this new version is available at:

Joomla! 1.5.20 Released

I know we have a lot of users that use Joomla! on their website. All users are encouraged to upgrade.

Fantastico Users – If you installed Joomla! through Fantastico you should be able to upgrade it through Fantastico as well. Fantastico just released an update this week that includes Joomla! version 1.5.20.

Steven

July 23, 2010 | Filed Under Security

[Security] osCommerce admin fix

As stated in a previous post regarding the insecurities in osCommerce, we have applied a fix to all osCommerce scripts installed on our server and password protected the admin directories for these scripts.

If you had previously and already password protected your admin directory, then no changes were made to your script.

This fix only applied to users who did not have their admin directory password protected.

If you need access to your now password protected admin directory, then you will need to submit a support ticket and be sure to include either your account username and password or the last four digits of the credit card number that is used to pay for your account. We will have to be able to verify account ownership before we can give information out concerning your osCommerce admin directory.

Scott

July 19, 2010 | Filed Under Security

[Security] osCommerce Security Fix

Update July 19, 2010 1:15PM CDT – We have applied the fix to the osCommerce admin directories. For more information see our updated post.

As we stated in a previous post, lately we have had some security concerns regarding osCommerce scripts and they apparently do not want to fix their security holes. Instead they have published a work around for this. This work around involves password protecting the admin directory, which contains the administrative area that is used to make changes to your shopping catalog with your osCommerce script. This is a far cry from actually fixing the security issue, but it is better than nothing.

This essentially means that osCommerce administrative users will have to login twice in order to access the administrative side of their osCommerce script. Once for the Apache based directory protection and once for the osCommerce access. This is a less than ideal solution, but again this is the only solution that osCommerce is presenting.

It should be noted – We will be password protecting these admin directories ourselves in the next few days if you have not already password protected the area yourself. We will be using random passwords, that will essentially lock you out of accessing the administrative portion of your osCommerce install. This is meant to protect you and your website from hacking. If you want to remain in control of your osCommerce administrative area, then you should password protect your osCommerce admin directory yourself with a username and password that you are aware of. Instructions for doing so are given below. If your admin directory is already password protected when go through and perform our check, then we will not re-protect or change the password for your admin directory. If you find yourself locked out because of our password protecting of this directory, then you will need to open a support ticket with your account login credentials so that we can verify your account ownership.

To password protect your osCommerce admin directory, you will first need to log into your cPanel:

http://www.yourdomain.com/cpanel

Once you have logged in, find the section labeled Security and find the link labled Password Protect Directories

This will bring up a dialog box asking you from what directory do you want to start. Select the option for Web Root.

Now navigate your way into the directory containing your osCommerce admin directory. Click the folder icon beside the directory name to navigate into that directory. For example, if your osCommerce catalog is located in the directory:

/home/user/public_html/catalog

Then you would click on the folder beside the directory name catalog to navigate inside the catalog directory. It is important that you don’t navigate into the admin directory, you just want to navigate into the directory containing the admin directory.

Once you have done this, click on the admin directory name (not the folder icon).

This will take you to a page where you can turn on Directory Protection for that directory. This is a two part system. First you have to enable directory protection on this directory and then secondly you have to assign a username and password to access the directory under directory protection.

The first part is enabling directory protection. Complete the top part, under Security Settings.

and click Save. This will enable directory protection for this directory, but it does not assign a username and password to the area. Click on the link Go Back to go back to the previous page.

Now you will want to add a username and password to access this area.

You can use whatever you want for a Username and Password. I do recommend making the username and password something unique and not the same as your osCommerce administrative area username and password.

When you have this filled out click on Add/modify authorized user.

Now navigate to your osCommerce admin area, as you normally would. You should get a browser dialog box asking your for the username and password to access the Authorized Area. This is the username and password you just created with Directory Protection. You will then be presented to your osCommerce administrative login page, where you would enter your osCommerce administrative username and password.

Scott

July 12, 2010 | Filed Under Security

[Security] OSCommerce Exploits

Lately we have been seeing a lot of account compromises that have tied back to outdated and poorly coded OSCommerce scripts.

Before going any further, it should be noted that OSCommerce is not among our most favorite web applications. The project started out good and with good intentions, but it now goes through long periods of abandonment, where the developers do not actively develop the software and keep the code up-to-date. This results in security holes being discovered in the application and the OSCommerce developers take their pleasant time to resolve the issue.

An example of this is the current exploit we are seeing a lot of. This security hole was first discovered in January 2009, and now in July 2010 the OSCommerce developers still have not issued an update to the OSCommerce package to fix this security hole. They have released information on a workaround, but this is a far cry from actually fixing the security hole, and only the individuals that actively browse the OSCommerce community forums know about this.

So with all of that being said, I would highly recommend that if your shopping cart is important to you and your website and you are using OSCommerce, then I would recommend finding or moving to another shopping cart application. Unfortunately, I can’t recommend anything that makes migrating from OSCommerce to another product very easy. But since the OSCommerce developers appear to have no regard for security holes in their products, continuing to use OSCommerce may result in your account being compromised and your catalog information being hacked into.

We have heard good thing’s about Mal’s Ecommerce remote hosting solution:

http://www.mals-e.com

This takes your shopping cart application out from under your webhosting account with us and your catalog is hosted on the Mal’s Ecommerce servers. This way you do not have to worry or concern yourself with keeping the shopping cart application up-to-date since this is all handled on the Mal’s Ecommerce servers. This may not be a viable solution for some users.

I have gone through our servers and looked for OSCommerce installs. We have found that only 52% of the OSCommerce scripts that are installed on our servers by our clients are in use. This means 48% of those OSCommerce installs are abandoned for one reason or another. This represents a significant portion of the OSCommerce installs on our server that are just sitting there with no apparent purpose and perfect targets for hackers and malicious users to compromise. We will be disabling these abandoned OSCommerce installs in the near future.

For the other 52% of the OSCommerce installs that are being used, we will need to make arrangements to secure those installs. We will write those users that are affected by this with suggestions on how to secure this.

The purpose of this action is to take a proactive approach and prevent future account compromises due to these insecurities.

If you have questions regarding this or wish to inquire further regarding this, please open a support ticket.

Scott

July 7, 2010 | Filed Under Security

[Security] AMS Webhosting Security Features

This is a continuation of our Security Guide see the previous post.

AMS Computer Services tries to help in providing security tools and system checks to insure that your website remains safe. We perform many services in the background regarding the security of your webhosting account.

Routine Security Checks
We perform routine security checks to insure that the files on your account are safe and free from any known malicious code. While it is really impossible to scan for every tiny bit of malicious code, we do make the effort to try and identify malicious code to the best of our ability. Because it is impossible to know about every malicious software code, you should always practice good security behavior for your webhosting account.

Routine Script Checks
We try to perform version checks for certain popular scripts that are out there. If you are using an outdated version of the script, you should be notified and you should consider upgrading. AMS Computer Services cannot upgrade the script for you, this is an action that needs to be performed by the end-user client because that individual would be more knowledgeable of the customization that have been made to their webhosting account. We can only recommend and urge you to upgrade. We can, however, disable outdated scripts if we believe that they will be a security problem.

FTP Login Notifications
This is one of our newer services. We noticed a lot of account hackings taking place via FTP. One way to help in this aspect is to notify you when someone logs in via FTP. You, the account owner, then have to decide the legitimacy of that FTP login. While this does not stop an outright hacking via FTP, it can serve to notify you if and when an unauthorized FTP login occurs and this can warn to you that your login information has been compromised in some way. More information about our FTP login notification system can be found in this post.

Password Strength
One issue we had previously seen was that a lot of users were using simple and easy to guess passwords. A password can be the only thing that distinguishes you from an unauthorized person. If your password is easy to guess, then someone else that is not authorized to make changes to your account, can then become authenticated and authorized to make changes to your hosting account. For this reason a strong account password is encouraged. The more difficult it is for a password to be guessed at, the more secure your account is.

Steven

June 19, 2010 | Filed Under Security

[Security] Password Security

This is a continuation of our Security Guide see the previous post.

What else can you do to protect yourself from hacking? In addition to securing your personal computer from malware and other malicious software, you should practice good overall security on your computer.

Are you storing your passwords on your computer? Are you saving your account’s password in your FTP client’s site manager? Are you saving login information in your browser? If you never have to manually type your password when connecting via FTP or to your cPanel or any other secure area, then you may be at risk. If you are never entering your password, then this means it is being stored somewhere on your computer. If it is stored somewhere on your computer, then it is free for the taking should any malware or malicious software exist on your computer.

Securing Passwords
You may have heard that writing down your password is a bad idea. This depends on your environment. If you work in an office cubicle, then having a piece of paper with your passwords written on it sitting next to your computer is probably not a good idea. But if you work from home, or only access your secure areas at home on your personal computer. Then having your passwords written down beside your computer is less of a security risk, as long as your house and the room that your computer is in stays secure and you do not have any unwanted visitors. Keeping your passwords written down, completely separate from your computer, is probably the best way to keep your passwords secure (I suppose memorizing your passwords completely would be the best way!) But if you work in a cubicle environment and need your passwords, perhaps keeping the password sheet in your wallet or some other item that you always have with you is best. In any case, making an effort to obscure your password, by placing the password sheet in a drawer or underneath something, is probably a good idea.

Why is this a better option than saving your passwords on your computer? By keeping your passwords separate from your computer you are preventing malware from learning of your passwords. Malware may get installed on your computer and it may be able to tell that you are the webmaster for your website, but it can only guess at what your password might be. Because if the password isn’t on your computer, it can’t know what your password is.

If you consider the ideal situation where you only access your website administrative side from your home computer, then generally you would be more trustworthy of any family members that might run across your password sheet. Compare this to the threat of malware stealing your login credentials from your computer and decide for yourself which is the higher risk.

Encrypt your passwords
If you must store your passwords on your computer, then it makes sense to secure these passwords as much as possible. Avoid using built-in site managers or browsers to store and save your passwords, as these can be easily compromised. Instead, I recommend the program KeePass. This is a program that can store password information with, and it encrypts the data, to make it more difficult for hackers and malware to read your password information.

With KeePass you create a single file that has all of your different password information. You can save this file, and encrypt it with a public/private key encryption system and also with a passphrase. The passphrase is not required, but I like having it just because it gives an extra layer of security. Here you can use an easy to remember password, which can then unlock the program to list all of your passwords.

I would recommend that you install this program and give it a try.

Secure your programs
Keeping scripts and applications that are on your website up-to-date is important. But it is also important that you keep the software installed and running on your computer up-to-date. One way to accomplish this is with Secunia’s Personal Software Inspector Program.

Secunia PSI works by scanning your computer to see what programs you have installed and what version. It then compares this information with a list of known software applications and their latest version. Any software that is found to be on your computer, but not up-to-date, it will warn you about. You can then take steps to remove or update the software to the latest version.

Secunia PSI keeps itself up-to-date so that it always has an updated list of application versions. If you keep it running in your System Tray, it will let you know when a new version of software is available.

Keeping the software applications on your computer up-to-date helps to insure that hackers, malware, and malicious software cannot take advantage of known security holes in that outdated software.

Steven

Next Post AMS Webhosting Security Features

June 18, 2010 | Filed Under Security

keep looking »