[General] New Year Happenings
I hope everyone had a fun and safe holiday season. The year end holiday season is always interesting because you spend a lot of time with family and friends over the course of two or three weeks and then as the new year turns over we have to get back into our normal routine. We at AMS have been working on some changes to be made in the year 2009.
First, let me point out that the MySQL 5 upgrades have all been completed on our shared hosting servers. This upgrade went very smoothly, with just a couple of incidents and problems surrounding the upgrade.
Next on our list of things to do is a full phase-out of PHP4. All of our servers are running PHP5 by default and your account is using PHP5 unless you have specifically written in requesting your account to use PHP4. PHP4 officially went end-of-life on August 7, 2008 with the release of PHP 4.4.9. This is the last PHP4 release. Any account that is still using PHP4 really needs to be updated to PHP5. We will be compiling a list of accounts that are still using PHP4 and sending out notices to those accounts sometime in January 2009.
We are also bouncing around an idea to start a new blog which focuses just on script updates. Internal discussions regarding this seem to indicate that this would be very useful for our customer base. This will be a way for us to inform our client base about new script updates, so that they can be made aware of them and apply the updates to their account. The discussion now is just on how best to set this up and what scripts to monitor. We won’t be able to monitor every script for updates, but hopefully some of the more popular scripts. Please feel free to send us comments or feedback concerning this.
We have spent the past several weeks doing a lot of upgrades to our internal computer systems. This is completely separate from our webhosting servers and did not affect any of your hosting accounts. These upgrades include a slight overhaul to our internal billing system and other workstations. These upgrades are still ongoing but we hope to have them completed within the next couple of weeks.
The big project that we will be working on this year consists of an upgrade to a few of our servers. Over time newer technologies become available. Faster, bigger servers become available. In order to ensure that our servers stay up-to-date with these new technologies we like to keep our servers updated as much as possible. Our server updates consist really more of a server migration. We bring a new, bigger, faster server online and move your account over to this new server. Doing these types of upgrades on the same server that your account is currently on really isn’t possible, due to changes in the hardware and the resulting operating system changes, not to mention the downtime that would be necessary to perform these levels of upgrades. By moving your account to a newer and better server, we keep a full abort system in place: the old server stays around for a few days just in case problems are encountered. We have done these types of upgrades and migrations before and they all have gone very smoothly. Not all of our servers will be upgraded; some of our servers were upgraded just last year using this same procedure. Look for an e-mail soon as we begin these upgrades.
This is an overview of what has been happening at AMS and what some of our early plans for 2009 are. We hope that 2009 brings you a lot of prosperity and also a lot of fun too.
Scott
[General] MySQL Upgrade
We have had a few clients ask about MySQL 5 on our servers. All of our servers currently run MySQL 4.1. Plans were made to begin upgrading our servers to MySQL 5.0 a couple of months ago, but then a bug was discovered in MySQL 5.0. Our MySQL system is dependent on cPanel and the upgrade actually comes through them. They are currently testing the new release of MySQL 5.0 but it has not yet made it to release status.
There are rumblings that this release will happen sometime in early December. It is at that point that we will begin updating our servers to MySQL 5. The version of MySQL will then be MySQL 5.0.67 unless another update is provided before then.
We can upgrade to MySQL 5.0 right now, but it would be a version that is known to have bugs. This is why we have put off the MySQL upgrade at this time. We don’t have a specific timetable for this upgrade, but we would like to have all of our servers upgraded by the end of December. This is of course dependent on the Quality Assurance testing from the cPanel team.
The MySQL upgrade is not expected to cause any problems or require any changes on the part of our client base. You should check back on the blog for updates concerning the upgrade.
Scott
[Security] Wordpress 2.6.3 released
A minor bug has been discovered in Wordpress that affects versions less than 2.6.2. All users should upgrade to Wordpress 2.6.3 to ensure that you are safe from this bug.
More information on this is available at:
http://wordpress.org/development/2008/10/wordpress-263
Steven
[General] Kernel Updates
We will be doing kernel updates on the servers this weekend. This will require a server reboot in order to load the new kernel.
This is nothing major and there are no major security issues with the current kernel on the server. We just like to periodically update the server kernel just in case new security advisories are posted.
If you notice your website being down for 10 minutes or so this weekend, then the server is likely being rebooted for a kernel update.
We just wanted everyone to be informed of this.
Scott
[Security] Password Compromises
We are seeing a sharp increase in the number of accounts that are being compromised and hacked into via FTP where a hacker has gained access to the username and password of an account.
I do not know how this is being done, but it does underscore the importance of using a strong and secure password for your webhosting account.
I am encouraging all users to log into their control panel and change the password of their account now before their account is compromised. Using a strong and secure password will be beneficial in keeping your account safe. I also recommend changing your password often and storing your password in a safe and secure location. For instructions on changing your account password see:
http://manual.amstechdns.com/changepassword
It is also a good idea to ensure that your anti-virus program on your computer is up-to-date and kept up-to-date. I would also recommend routinely running anti-spyware and anti-trojan detection software on your computer. It is possible that these compromises are a result of your personal or work computer being infected with something that is harvesting your account credentials.
This is just a heads up regarding this issue. We are looking for ways to minimize the effects of this from our end, but ultimately if your password is insecure or the security of your local computer is in question then there is nothing we can do to stop this type of activity.
Scott
[Security] Outdated Wordpress installs to be disabled
We still have about 82 percent of the Wordpress installs that were written a couple of weeks ago that have not been updated to 2.6.1 or later. I am going to have to begin disabling these installs because these older versions do not need to stay active indefinitely.
I will only be disabling Wordpress installs that are older than 2.5.1. If you are using Wordpress 2.5.1 or later, then you won’t have your install disabled. You really still need to upgrade to Wordpress 2.6.2, but at this time I am not going to make any changes as long as you are running Wordpress 2.5.1 or later.
If you insist on continuing to run a Wordpress install that is older than 2.5.1, then I implore you to please contact the Wordpress developers or visit their support community at:
Running anything less than 2.5.1 (really anything less than 2.6.2) is unsafe. You can discuss your options with the community at this address.
I will likely begin disabling these scripts early next week. So if you have not yet updated, now is the time to be doing so.
Scott
[General] Hurricane Ike
As some of you are aware, there is currently a major hurricane swirling around in the Gulf of Mexico. The hurricane is expected to make landfall later tonight or early tomorrow morning around the Houston, TX area. We do not have any servers located in Houston, but we do have servers located in Dallas, TX which is about 250 miles Northwest of Houston. We are not expecting any major issues with this storm. The storm is expected to weaken quickly once it makes landfall. Dallas will probably see some rain and maybe some thunderstorms, but we are not expecting any major problems. The datacenter is equipped with backup generators, so in the event of power loss the backup generators will kick in and run the datacenter.
Obviously our foremost concern is with the people in the path of this storm and those that may be affected by the storm. Hopefully the storm will weaken further before it makes landfall and not cause much damage.
We will continue to monitor the situation. We just wanted to let everyone know that we are aware of the situation and to let everyone know that the datacenter does have measures in place to guard against problems like this.
Steven
[Security] Wordpress 2.6.2 Released
Hot off the heels of a new exploit found in Wordpress 2.6.1, the Wordpress developers have released an update to Wordpress, version 2.6.2. This release fixes an annoying security issue where a new user can register and have the password of an existing Wordpress user changed to a random password.
From the Wordpress release:
Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
I would recommend that all users, even those that are using Wordpress 2.6.1, update to Wordpress 2.6.2 as soon as possible.
Scott
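The username check behind the issue quoted in the post above, as an added Python illustration that is not part of the original post and is not WordPress code: it models a username column on a database that silently truncates over-length values and ignores trailing spaces when comparing. The 60-character width, the function names and the sample names are assumptions constructed for the example.

```python
# Added illustration; not WordPress code. Models a VARCHAR username column
# on a database server that is not running in strict mode.
USER_LOGIN_WIDTH = 60  # assumption: width of the username column


def stored_form(value, width=USER_LOGIN_WIDTH):
    """What a non-strict server keeps: the value silently cut to the width."""
    return value[:width]


def db_equal(a, b):
    """Padded comparison: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


def naive_is_taken(candidate, existing):
    """Weak check: compares the full, untruncated candidate only."""
    return any(db_equal(candidate, name) for name in existing)


def check_registration(candidate, existing, width=USER_LOGIN_WIDTH):
    """Hardened check, run before any INSERT. Returns (ok, reason)."""
    if candidate != candidate.strip():
        return False, "leading or trailing whitespace"
    if len(candidate) > width:
        return False, "longer than the column; would be truncated"
    if any(db_equal(stored_form(candidate, width), n) for n in existing):
        return False, "collides with an existing user"
    return True, "ok"


# Constructed sample data: one existing account and one over-length name
# whose stored form would compare equal to it.
EXISTING = ["admin"]
CRAFTED = "admin" + " " * 60 + "x"

if __name__ == "__main__":
    print("weak check says taken:", naive_is_taken(CRAFTED, EXISTING))
    print("stored form equals 'admin':",
          db_equal(stored_form(CRAFTED), "admin"))
    print("hardened check:", check_registration(CRAFTED, EXISTING))
```

Enforcing the length limit in the application, as here, works regardless of server configuration; a strict SQL mode that rejects over-length values and a unique index on the username column close the same gap on the database side.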
[Security] Wordpress Update Compliance
I have checked on the servers and I am seeing about 15 percent compliance with the Wordpress update. This means that 15 percent of the Wordpress installs that were outdated last week have either been updated or removed.
Our Wordpress updater program is still available to those that want to try it to upgrade their Wordpress installs. We have updated a couple of Wordpress 2.5.1 installs to Wordpress 2.6.1 and did not encounter any problems. I am not sure if the updater will work on anything less than Wordpress 2.5.1.
We have also received a few complaints and concerns from users who do not believe that they have to update their blogs. Please understand that we do not make the rules on the Internet. It is just a fact that if you run outdated software on an account then you are more likely to be hacked into. If your account is hacked into, then this can have adverse effects throughout the entire server. This is why we are pushing to get these installs updated. We are trying to raise awareness that you have to keep these installs up-to-date.
If you have concerns about the new Wordpress interface or something about the new version of Wordpress then you need to contact Wordpress about this. You can reach the Wordpress forums at:
I know some users have written in saying that they are using Wordpress 2.5.1 and that Wordpress 2.6.1 does not contain any new security fixes. It is true that 2.6.1 does not fix any major security flaws in Wordpress. While I still believe that you should upgrade Wordpress 2.5.1 installs to the latest version, I am less concerned with those installs that are version 2.5.1. The main issue is with the installs that are from the 2.3 release tree. Wordpress 2.3 had a lot of security issues and these issues also affected versions prior to 2.3. These installs need to be updated. If you won’t take my word for it, then ask around on the Wordpress forum and see if anyone still believes you should be running Wordpress 2.3.
We are just trying to be proactive in regards to this. In order to make sure the servers stay secure we have to ensure that the servers are secure. Any server administrator that knows that there are accounts on their servers that are running an old and outdated version of a script or application and does nothing about it is not doing a very good job administrating the server. We are just trying to keep you informed and trying to keep your data safe.
Scott
[Security] Outdated Wordpress Notice
We have sent out notices to all of the accounts that we show as having outdated Wordpress installs. You should have received one of these notices if you have an outdated Wordpress script on your hosting account and if your contact information is up-to-date in our billing database. If you did not receive a notice and you think you might have an outdated install you can always submit a support request and have our technicians take a look at your account.
We have posted instructions for upgrading Wordpress installs. You can follow these instructions if you want to upgrade your Wordpress install to the latest version. The latest version at the time of this posting is 2.6.1. If you installed Wordpress through Fantastico then you need to log into your control panel and use the Fantastico link and interface to update your Wordpress to the latest version. If you installed Wordpress through Fantastico and you try to update it through some other means then this could have potentially adverse effects on your hosting account and Wordpress install.
I have also developed an experimental Wordpress updater that I can run on your account to upgrade a given Wordpress install. At this time the software is just experimental, but I am willing to try the software on your account if you want me to and if you are aware of the risks. The updater may cause your Wordpress install to stop working, but I need to run the updater on some installs to figure out if there are any bugs or any ways to improve the system. If you want me to run the updater on your Wordpress install just submit a support request ticket with your valid username and password information and a note containing what Wordpress install to update and a note that you understand the risks involved. I will have to have the correct username and password of your account in order to validate that you are the true owner of the account before I can run the update. I also may have to turn away update requests through the Wordpress updater if problems are encountered.
If you are not using the Wordpress installs that are listed and you want them removed, you can submit a support ticket instructing us to remove the script. Again we need to know specifically what Wordpress install to remove and the valid username and password for the account. Please note, if you tell us to remove a Wordpress script from your account then that script will be deleted and cannot be brought back. So if you tell us to remove a Wordpress script from your account, you need to be sure that this is really the action you want to take.
Some of you may be running reasonably up-to-date Wordpress scripts on your account and you may be safe from any major security exploit. However I still recommend that you upgrade to the latest version of Wordpress, version 2.6.1. You just never know when a minor flaw may escalate to a major threat. One thing is for certain, if you are always running the most up-to-date version of any actively developed script then you know that you have done the most that you can do to keep your script and website secure.
Scott