Ravens PHP Scripts: Forums
 

 

kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Wed Aug 09, 2006 8:17 pm

A New Zealand host whose shared server was compromised by a script kiddie blames an out-of-date PHP-Nuke / phpBB version and threatens to disallow these scripts in the future.

Here's the [link visible to registered users only].

This brings up several questions:

Is it fair to not allow PHP-Nuke / phpBB?

Why single out PHP-Nuke and phpBB?

Which was it, PHP-Nuke or phpBB? (story says it was caused by one unprotected site)

Are there better ways for hosts to check / audit / remind clients that scripts need to be updated - or face having their accounts shut down?

Are there better ways to notify webmasters that updates are available and should be installed?

Having experienced multiple hosts, I've come to greatly respect and appreciate Raven's proactive approach to issues like this: notify, check, remind, take action.

What do YOU think?

_________________
I google, therefore I exist...
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Wed Aug 09, 2006 9:29 pm

I personally find this to be some major b/s.

Every server I have ever been on has used some sort of script protection to secure the SERVER against such attacks. Sites are one thing, Servers are a whole nother ballgame.

In my opinion, to blame a site is like blaming the battery in a car when it breaks down. And as any good mechanic knows, the battery starts the car and the alternator charges the system and runs the vehicle once the motor starts.

Basically saying the site could not have been the downfall; an insecure server would be. Although it is known that allowing phpnuke/phpbb forces the server to be open to exploits, these exploits are not without hope.

PHP safe mode limits the functions of a server but it does lock a LOT of exploits out and other things are designed to scan the ENTIRE server for exploits.

I'm always worried about server security and have one thing that I ask all to run. That's Sentinel.
I may not have the most secure server but I am continuing to work at it as any good webmaster would. Diligence and watching the server like a hawk is always a must whether you have a site or a reseller or a server.

Quote:
Just recently iSERVE had reviewed its security policies and introduced many changes to PHP configuration and various firewall and system rules to ensure client content is protected as well as it can be in a virtual environment.


I believe this says it all.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Sat Aug 12, 2006 2:39 pm

What really "chaps my hide" about that Host is this: take a look at the numerous Secunia alerts generated every day (just for example). Every system, every script, every browser, every operating system, etc. is found to have exploits. To shut off the one, PHP-Nuke / phpBB, is ridiculous!

I believe they could solve many of these issues by using PHP as a CGI module and using something like suexec so that the compromise of ONE client's account cannot affect that of another. However, you cannot run as many sites on the same hardware, especially if they are "busy", and so, I am sure many hosts do not run under this type of setup.

JMO.

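Added example, not part of the thread and not code from the host or from RavenNuke: the per-account isolation described in the post above (PHP as CGI under suexec) lets each account keep its files owner-only, whereas a shared web-server user typically needs them readable or writable by others. This shell audit flags such files; the `<root>/<account>/public_html` layout, the `config.php` file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag files under per-account web roots that other accounts
# on the same server could read or modify.
# Assumed (hypothetical) layout: <root>/<account>/public_html/...

# Print "W <path>" for world-writable files and directories, and
# "R <path>" for world-readable config.php files (database credentials).
audit_web_root() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/W /'
    find "$1" -type f -name 'config.php' -perm -0004 -print | sed 's/^/R /'
}

# Count findings of one kind ("W" or "R") under a root.
count_findings() {
    audit_web_root "$1" | grep -c "^$2 " || true
}

# Constructed sample tree: "alice" has the loose permissions a shared
# web-server user tends to require; "bob" is owner-only, which works when
# scripts run as the account owner. Runs in a subshell so the umask change
# does not leak into the caller.
make_sample_tree() (
    umask 077
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html/cache" "$t/bob/public_html"
    echo '<?php /* constructed sample */' > "$t/alice/public_html/config.php"
    echo '<?php /* constructed sample */' > "$t/bob/public_html/config.php"
    chmod 0777 "$t/alice/public_html/cache"       # upload/cache dir opened to all
    chmod 0644 "$t/alice/public_html/config.php"  # readable by every account
    chmod 0600 "$t/bob/public_html/config.php"    # owner-only
    echo "$t"
)

# Stand-alone use: sh audit.sh /path/to/hosting/root
if [ $# -gt 0 ]; then
    audit_web_root "$1"
fi
```
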
gregexp
Posted: Sat Aug 12, 2006 5:01 pm

If I may, I completely agree. But to this line:
Quote:

However, you cannot run as many sites on the same hardware, especially if they are "busy"


Too many hosts are nickel and diming the crap out of their servers as it is.
It just shows how important it is to background a host before you get with one.

But this is kinda self driven here: don't believe all you hear.
 
kguske
Posted: Sun Aug 13, 2006 5:57 pm

Now they've decided it's phpNuke, and [link visible to registered users only].

If they did, I'd suggest opening a class action against the host for all the sites that were attacked. The $20K is what it cost the host - what about the hosts' clients who suffered poor security on the server?
 
gregexp
Posted: Sun Aug 13, 2006 7:01 pm

Ohh man.

This makes my blood boil.
If I could, I'd approach the site and offer to host them.

This is some major b/s.

If php.ini is configured correctly along with being run correctly (I can't be sure but I believe cgi is recommended), it won't affect other sites on the server.

A good client for others to pick up.
Ignorance is astounding.
 
kguske
Posted: Sun Aug 13, 2006 7:06 pm

I think the host is really trying to save face. What will they do next - sue Linux, PHP or MySQL for being insecure? But they cannot do that... So they make some poor webmaster (poor because he chose them as a host) responsible for their weak security. I host sites on multiple servers - this is really ridiculous.
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

Posted: Tue Aug 15, 2006 9:25 am

It's easier to blame a company or an entity rather than yourself or customers.

kguske
Posted: Tue Aug 15, 2006 3:12 pm

True, but in this case the company is blaming one of its customers.
 
montego
Posted: Wed Aug 16, 2006 6:21 am

Unbelievable! This Host should be raked over the coals in WebHosting.com and other sites dedicated to exposing bad hosts!
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Wed Aug 16, 2006 9:04 am

I think it is pathetic that a hosting company blames a customer for its own shortcomings.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Wed Aug 16, 2006 1:08 pm

On the one hand, the customer needs to be vigilant in upgrading and maintaining his site. On the other, banning certain scripts (not used for illegal purposes) seems to be a bit harsh. I don't see them getting any real business in the future with such a policy. Whatever customers they have will use Mambo, Joomla... some other alternatives; eventually those will get hacked. So what they'll end up with is only users using straight HTML or custom coding... and we know how dangerous newbie coders are with security and custom code. :)

RickJ
Hangin' Around


Joined: Jul 14, 2006
Posts: 27

Posted: Wed Aug 16, 2006 1:41 pm

I think the main problem is that by default most hosting companies use the phpnuke fantastico script which installs version 7.8.

Has anyone given any thought to creating a fantastico script for RavenNuke to offer as alternative?
 
kguske
Posted: Wed Aug 16, 2006 2:51 pm

Some, including Raven, have spoken with the developers of fantastico about giving hosts the ability to install scripts to fantastico, rather than waiting for fantastico to do it. It was listed at the time as a future enhancement...not sure where they are with that.
 
All times are GMT - 6 Hours
 