Recently in Security Category

Shared Hosting Server Ragnell Compromised

Our shared hosting server Ragnell has been compromised, and the majority of the index.php files on it have been replaced with a defaced version. We have already disabled all copies of the compromised index files.

We are currently making sure the hole that was used is fixed before re-enabling Apache. As part of this, PHP is being upgraded to PHP 5.

We are also going to restore the disabled index files, however this is going to take longer. The backup system we use is geared towards full system backups, so restoring individual files is likely to take a while. If you have an up-to-date copy of your index file, it will probably be faster if you upload it yourself. This can be done even while Apache is down.

Update 14:30: The upgrade of PHP / Apache is almost complete. Once it's finished we will be able to start restoring index files from backups.

Update 15:15: Apache is back up and running. We are currently restoring the index files from backup. This is going to take a long time.

UPDATE 16:15: If your site's index file has been restored, or if you've restored it yourself, let us know if there are any issues.

UPDATE 16:52: As restoring individual index files is proving far too unwieldy, we are now restoring the whole partition to another box. This will allow us to script the restore of any index files that still show as compromised.

UPDATE 19:10: The restoration of the index files is progressing, but it's slow, as we are checking each index file to see whether it has been compromised or has simply been replaced from a customer's own backup. If you have a backup / replacement index file and are having issues uploading it, you may need to chmod 644 the current index.php first, as the disabled copies are not writable.

UPDATE 09:30 Friday Aug 20th

After three failed attempts at a full restore to a machine in our offices, we have successfully completed a full restore to a machine in the data centre. This morning at around 9am we restored any files whose checksum matched that of the defaced files placed there during the compromise on Saturday last.

Anyone who requires other files to be restored for any reason should contact us ASAP so we can restore them for you.
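The checksum-driven restore described in the updates above, as an added example (this is not Blacknight's own script). It hashes every index file under a webroot, treats any file whose hash matches the known defacement as compromised, and copies the backup copy back over it; it also covers the two cases a scripted restore has to get right: a file the customer has already replaced (hash no longer matches, so it is left alone) and a backup that was taken after the compromise (the backup copy matches the defacement too, so copying it back would achieve nothing). The webroot layout, the defacement text and the backup tree are all constructed for the example.

```python
"""Checksum-driven restore of defaced index files (added example)."""
import hashlib
import os
import shutil
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}  # assumption: what "index files" covers

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_index_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in INDEX_NAMES:
                yield os.path.join(dirpath, name)

def restore_defaced(webroot, backup_root, bad_hashes):
    """Return (restored, skipped) lists of paths relative to webroot.

    A file is restored only if its current content matches a known defacement
    hash AND the backup copy does not: a backup taken after the compromise
    would just put the defacement back, and a missing backup needs a human.
    """
    restored, skipped = [], []
    for path in find_index_files(webroot):
        if sha256_file(path) not in bad_hashes:
            continue  # untouched, or already replaced by the customer
        rel = os.path.relpath(path, webroot)
        backup = os.path.join(backup_root, rel)
        if not os.path.isfile(backup) or sha256_file(backup) in bad_hashes:
            skipped.append(rel)
            continue
        shutil.copy2(backup, path)
        restored.append(rel)
    return sorted(restored), sorted(skipped)

def still_compromised(webroot, bad_hashes):
    """Re-scan after the restore: anything still matching needs manual attention."""
    return sorted(os.path.relpath(p, webroot) for p in find_index_files(webroot)
                  if sha256_file(p) in bad_hashes)

DEFACEMENT = b"<?php /* hacked */ echo 'owned'; ?>\n"  # constructed stand-in for the defaced file

def build_demo():
    """Constructed webroot/backup pair in a temp dir; returns (webroot, backup_root)."""
    base = tempfile.mkdtemp()
    web, bak = os.path.join(base, "webroot"), os.path.join(base, "backup")
    clean = b"<?php require 'app.php'; ?>\n"
    cases = {  # relative path: (current content, backup content or None)
        "siteA/index.php": (DEFACEMENT, clean),       # defaced, clean backup  -> restore
        "siteB/index.php": (clean, clean),            # customer already fixed -> leave alone
        "siteC/index.php": (DEFACEMENT, DEFACEMENT),  # backup post-compromise -> skip
        "siteD/index.php": (DEFACEMENT, None),        # no backup at all       -> skip
        "siteD/about.php": (DEFACEMENT, None),        # not an index file      -> ignored
    }
    for rel, (current, backup) in cases.items():
        for root, content in ((web, current), (bak, backup)):
            if content is None:
                continue
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(content)
    return web, bak

def run_demo():
    web, bak = build_demo()
    bad = {hashlib.sha256(DEFACEMENT).hexdigest()}  # hash of a known defaced sample
    restored, skipped = restore_defaced(web, bak, bad)
    return {"restored": restored, "skipped": skipped,
            "still_compromised": still_compromised(web, bad)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash set is built from a captured copy of the defacement rather than hard-coded, so the same script works for a different defacement by pointing it at a different sample; the final re-scan is the check that tells you which customers still have to be contacted.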

Core Network Switch Upgrade And Firewall Move

On the 11th of June we will be completing the upgrade of the core access switches in Interxion. As part of this, we need to physically move the current shared firewalls in Interxion to a different position within the rack. As they are an HA pair, it should be possible to do this without affecting connectivity.

The time line will be as follows:

02:00 Fail over all traffic to the second firewall in the pair. Once we're sure traffic is flowing through the second firewall, power down the first one, move it to its new position in the rack and recable it. Power it back up and ensure that it's working as expected.

02:30 Repeat the procedure with the second firewall in the pair.

03:00 Install the new switches, and start swapping over from the current switches. There should be minimal downtime involved with this as each customer and rack switch has redundant connectivity back to the core.

The maintenance window will end at 06:00 once we're sure that everything is back up and running as expected.

UPDATE Jun 12th 06:00 This maintenance window has now completed. Unfortunately not everything was completed, but the main work of moving the firewalls and getting the new switches in has been done. The few bits remaining will be completed during a future maintenance window.

3rd Party DNS Servers Open To Attack

We have been contacted by the IE Domain Registry in relation to DNS servers that are vulnerable to attack and exploit.

While the Blacknight DNS servers are NOT open to the "Kaminsky exploit" (the DNS cache-poisoning attack disclosed in 2008), unfortunately a lot of other DNS servers are.

We will be attempting to contact as many of the affected registrants as possible to warn them of the issue.

If you want to test your DNS there is a free tool available here
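What the published test tools measure, as an added example (this is not the tool linked above, and not Blacknight's code). The Kaminsky attack floods a resolver with forged answers, so its cost depends on how many bits the attacker has to guess per query: the 16-bit DNS transaction ID on its own is cheap to brute-force, and the fix rolled out in 2008 was to also randomise the UDP source port of every outgoing query. The function below rates a sequence of observed source ports and transaction IDs, as a passive observer on the resolver's uplink would record them; the (port, txid) samples are constructed, and the two standard-deviation thresholds are this example's assumptions.

```python
"""Source-port / transaction-ID randomness rating for a resolver (added example)."""
import statistics

POOR_STDEV = 1000.0   # assumption: below this, values are effectively predictable
GOOD_STDEV = 5000.0   # assumption: at or above this, values look randomised

def rate_sequence(values):
    """Rate a list of 16-bit values as 'poor', 'fair' or 'good'.

    A fixed value or a strictly sequential one is 'poor' regardless of spread;
    otherwise the sample standard deviation decides.
    """
    if len(values) < 2 or len(set(values)) == 1:
        return "poor"                                   # single fixed value
    steps = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    if steps == {1}:
        return "poor"                                   # counter, trivially predicted
    sd = statistics.stdev(values)
    if sd < POOR_STDEV:
        return "poor"
    return "good" if sd >= GOOD_STDEV else "fair"

def assess_resolver(samples):
    """samples: list of (source_port, txid) pairs seen for one resolver."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return {"port": rate_sequence(ports), "txid": rate_sequence(txids)}

# Constructed observations (not captured data).
RANDOM_PORTS = [41231, 5021, 60899, 33127, 17744, 52310, 9876, 45001, 28390, 61504]
RANDOM_TXIDS = [1823, 61022, 44019, 9310, 58877, 27301, 50164, 3987, 39422, 14750]

# Pre-patch behaviour: one fixed source port, random txid -> only 16 bits to guess.
FIXED_PORT_RESOLVER = [(32768, t) for t in RANDOM_TXIDS]
# Worst case: fixed port and a sequential txid.
SEQUENTIAL_RESOLVER = [(32768, 1000 + i) for i in range(10)]
# Patched resolver: both randomised -> roughly 32 bits to guess.
RANDOMISED_RESOLVER = list(zip(RANDOM_PORTS, RANDOM_TXIDS))

if __name__ == "__main__":
    for name, samples in [("sequential", SEQUENTIAL_RESOLVER),
                          ("fixed port", FIXED_PORT_RESOLVER),
                          ("randomised", RANDOMISED_RESOLVER)]:
        print(f"{name:10s} {assess_resolver(samples)}")
```

A resolver that rates "poor" on the port column is the case the post is warning about: even with random transaction IDs, a single fixed source port leaves only 65536 possibilities per forged answer. Note that a NAT device in front of the resolver can de-randomise the ports again, which is why the tests are run from behind the resolver's real egress path.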

Emergency Reboot - PEMVZWIN06

VZWIN06 hardware node needs to be rebooted at 8:45 tonight.

This will affect the following VPSs:

78.153.208.255
78.153.208.163
78.153.210.20
78.153.210.160
78.153.210.172
78.153.209.204
78.153.210.184
78.153.209.166
78.153.210.203
78.153.210.81

We apologise for any inconvenience caused

Wordpress 2.8.4-3 now available from the Application Vault

Summary: WordPress 2.8.4-3 is now available in the Application Vault, both for new installs and for upgrading existing applications. This is a security release, so please ensure you update your WordPress installs ASAP.

If you have any problems let us know.

Gumblar Like Attacks Continue

We have noticed a very large number of user webspaces that have been attacked by the Gumblar virus (or a derivative of it).

If you are using a Windows based PC we urge you to:

  • keep your antivirus software up to date
  • scan your PC thoroughly

The virus works by infecting a user's PC and then using their FTP login details to upload files to their website.

NB: If your PC, or that of one of your colleagues, is infected, you will need to clean it properly BEFORE you attempt to fix your website; otherwise it will simply re-infect the site. Change the FTP password once the PC is clean, since the old one has already been stolen.

UPDATE: Some people have reported success in using this web service to scan their sites for malicious code

UPDATE 2: Some more details on what Gumblar does on an infected PC and how it stops antivirus etc., from detecting it.

More information here

Cisco ASA Software Upgrades Feb 11th 23:00

When: Wednesday February 11th from 23:00 until 02:00

What: Starting at approx 23:00 we'll be installing new ASA software versions on the two HA pairs in DEG and InterXion. We'll do DEG first, which affects anyone in the following IP ranges:

81.17.244.0/22
81.17.248.0/23 (Windows Hosting, Helm)
81.17.252.0/23 (Linux Hosting, Directadmin)
78.153.222.128/27
81.17.242.104/29 (Blacknight Website Infrastructure)

InterXion will follow and the following ranges there will be affected:

78.153.212.0/24 PEM CP/Backend infrastructure (cp.blacknight.com)
81.17.254.0/23 New shared linux hosting services, mysql servers, web servers, mail servers
81.17.250.0/23 New shared windows hosting servers, SQL servers etc
78.153.200.0/23
78.153.208.0/22 VPS public network block

Outage possibilities:

While outage possibilities are slim, there could be hits of up to 5 seconds as the ASAs fail over during the upgrade. Each HA pair is completely resilient in design and normally updates are hitless, but we've learned from experience that this isn't always the case.

We're classifying this notification as non-service-affecting and for information purposes only, but we would say that services in the above network ranges are at risk during this window.

If you have any questions please contact us ASAP.

Update: 22:00 Wednesday 11th

This is just to notify people that we'll be starting this maintenance window in approx 1 hour from now.

Update: 23:10 Wednesday 11th

This maintenance window is complete. We reloaded the standby firewalls between 22:30 and 23:00, so the reload of the live firewalls lasted around 15 seconds each. We recorded approx 19 dropped packets during each reload. However, all TCP sessions stayed up and all web requests were simply queued for several seconds during the reload. So all in all a hitless maintenance window, as we predicted.

Three shared mailservers in email blacklists

Three websites on three different shared servers were compromised by an attacker through weak FTP passwords. The attacker uploaded a trojan to these hosting packages and, as a result, the IP addresses of these three servers were placed on anti-spam blacklists.

All three website owners have now been contacted and their FTP passwords reset. The offending files have been removed and the servers should be fully off the blacklists soon. In the meantime, users of the following servers may see some of the email they send bounce back as undeliverable:

Galahad - 81.17.248.4
Gorlois - 81.17.252.85
Rivalin - 81.17.252.145

As a note to all users, please ensure all of your passwords are reasonably strong. Some secure password tips would be:

# Don't use a dictionary word
# Don't use part of the username
# Keep the password at least 7 characters long
# Have a combination of at least three of:
- lowercase characters (a, b, c)
- uppercase characters (A, B, C)
- numbers (1, 2, 3)
- non-alphanumeric characters (!, %, *, {, £)
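The four tips above written as a check that can be run before a password is accepted, as an added example (not Blacknight's code, and not what their control panel enforces). The 7-character and three-of-four thresholds are the post's own numbers; the word list is a constructed stand-in for a real dictionary, and the rule that any run of three or more consecutive characters from the username counts as "part of the username" is this example's assumption.

```python
"""Password-policy check for the tips listed above (added example)."""
import re

MIN_LENGTH = 7          # from the post
MIN_CLASSES = 3         # from the post: at least three of lower/upper/digit/symbol
MIN_WORD_LEN = 4        # assumption: dictionary words shorter than this are ignored
USERNAME_FRAGMENT = 3   # assumption: 3+ consecutive username chars count as "part of" it

# Constructed stand-in for a dictionary; a real check would load a proper word list.
DICTIONARY = {"password", "letmein", "welcome", "monkey", "dragon", "summer", "blacknight"}

def _classes(pw):
    """Set of character classes present in the password."""
    present = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),   # '£' and friends land here too
    }
    return {name for name, found in present.items() if found}

def _username_fragments(username):
    """Every run of USERNAME_FRAGMENT+ chars from each alphanumeric segment of the username."""
    frags = set()
    for segment in re.split(r"[^0-9A-Za-z]+", username.lower()):
        for i in range(len(segment)):
            for j in range(i + USERNAME_FRAGMENT, len(segment) + 1):
                frags.add(segment[i:j])
    return frags

def check_password(password, username):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if any(word in low for word in DICTIONARY if len(word) >= MIN_WORD_LEN):
        failures.append("dictionary")
    if any(frag in low for frag in _username_fragments(username)):
        failures.append("username")
    if len(_classes(password)) < MIN_CLASSES:
        failures.append("classes")
    return failures

if __name__ == "__main__":
    for pw in ["Password1", "jsmith2009", "Ab1!", "Tr!x9#bq"]:
        print(f"{pw!r}: {check_password(pw, 'jsmith') or 'ok'}")
```

Both the dictionary and username checks are done case-insensitively and as substring matches, which is what catches "Password1" and "jsmith2009", the two shapes of password that a simple "contains a digit and a capital" rule would wave through.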


Update (12.00pm):  The three servers were removed from the blacklist about 90-120 minutes ago and most, if not all, mailservers around the world should have updated their blacklists to no longer include these three IP addresses.  The IP addresses are fully removed from the blacklist itself.

Joomla Users - Check Your Version!

If you are using the popular CMS Joomla please make sure that you are running the latest version.

Older versions of Joomla are affected by a serious security issue which can lead to your site(s) being compromised and possibly defaced.

If you installed Joomla using the auto-installer (installatron) available to users on our DirectAdmin powered servers you should be able to upgrade via the control panel.

Even the Joomla developers themselves were affected by this security issue.

Debian libssl/openssl vulnerability

The following security bulletin was issued today by Debian Linux.

http://lists.debian.org/debian-security-announce/2008/msg00152.html

This affects Debian systems and derivatives such as Ubuntu from Edgy onwards. Please install/update the openssl packages on your servers where appropriate and re-generate all SSL key/cert pairs along with any OpenSSH keys that you use for authentication. Note that a key generated on an affected system is weak wherever it is used now, so this includes keys you have copied into authorized_keys on other machines.

Blacknight will be applying fixes to managed customers' servers and re-generating SSH keys and SSL cert/key pairs during the next 24 hours.

Note: This is Debian specific, CentOS, RHEL etc are not affected.