<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Rackspace / Mosso just sent the following out to all their subscribers.
I assume they've been aware of the recent increase in security reports
about them:<br>
<br>
<i>Dear Brian,
<br>
<br>
Since we host hundreds of thousands of applications at The
Rackspace Cloud, we have a unique vantage point from which we can
identify security trends and patterns. Lately, the industry has seen an
elevated level of attempts to take advantage of code vulnerabilities in
the software powering websites. Hackers are a common and persistent
threat to any website, but there are steps you can take to protect
yourself and to make your websites and applications harder to exploit.
<br>
<br>
Please read over the important tips below. We have dedicated
security experts who work to protect our infrastructure, but since we
can't fix or upgrade code on behalf of our customers, it's important
for you to know and regularly implement security best practices in the
code you run. We need your help and involvement to ensure your own
sites are as protected as possible. If you have any questions about
security, please reply to this email and we'll be happy to help.
<br>
<br>
HERE'S WHAT OUR SECURITY TEAM HAS RECENTLY IDENTIFIED:
<br>
<br>
1. The current data that we've collected points to
application-based vulnerabilities being exploited. Hackers commonly
scan sites for insecure applications, plugins, or other pieces of code
and then work to take advantage of the software exploits they find.
<br>
<br>
2. Applications using the popular blogging software WordPress
appear to be mostly targeted, but WordPress isn't the sole target of
the malicious groups / persons.
<br>
<br>
3. Your site does not have to be high-profile to be targeted.
Hackers often scan random sites for signs of software known to be
vulnerable (older versions of popular software with publicly known
security holes, for example).
<br>
<br>
HERE'S WHAT YOU SHOULD DO NOW TO PROTECT YOUR SITES:
<br>
<br>
1. This is probably the most important tip: For any application you
use, be sure to maintain the most current stable version. Often, an
application might be updated to a new minor version solely to address a
security hole that's been discovered. Be sure to subscribe to any news
lists and feeds available for your applications to make sure you are
aware of updated versions as soon as they are released.
<br>
<br>
2. Many applications, like WordPress, have optional plugins
developed by the community. Since these add-ons are often not as well
vetted, it's extremely important to carefully evaluate and manage third
party application plugins, themes, or other functionality that is
introduced to a running web application. Most hackers are exploiting
these plug-ins
<br>
<br>
3. It's imperative to choose strong passwords. Randomly generated
strings of letters, numbers, and symbols are best. Avoid words and
phrases in your passwords. The unfortunate reality: passwords that are
easy to remember are also easy to guess. (Ex: Replacing o by the number
0 is not a recommended tactic.)
<br>
<br>
4. Change your passwords on a regular basis and change them
immediately when you have any hunch that your site may have been
attacked.
<br>
<br>
5. Be as restrictive as possible with users and file permissions.
Remove write permissions from files that aren't likely to change
frequently. Some programs have install files that should be deleted
after installation. If you've installed something or written code for
testing purposes or experimentation, it's best to remove it afterwards.
Only keep the files and code on your account that are active and
necessary.
<br>
<br>
As a site owner, you need to take an active role in guaranteeing
security of your code and applications. The good news is that our
support staff is happy to help you with any questions or concerns you
may have. Recovering from a hack or exploit is extremely time-consuming
and frustrating. The preventive steps outlined above can make a world
of difference in keeping your sites secure.
<br>
<br>
Finally, if you suspect your site has already been compromised, you
should take immediate action. This knowledge base article can help you
through the right steps:
<br>
<br>
<a class="moz-txt-link-freetext"
href="http://cloudsites.rackspacecloud.com/index.php/Recovering_from_and_Dealing_with_a_Site_Compromise">http://cloudsites.rackspacecloud.com/index.php/Recovering_from_and_Dealing_with_a_Site_Compromise</a>
<br>
<br>
<br>
Sincerely,
<br>
<br>
The Rackspace Cloud Security Team
</i>
<br>
<br>
<br>
<br>
Brian Vuyk wrote:
<blockquote cite="mid:4B620DF3.2090201@brianvuyk.com" type="cite">
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Already done.<br>
<br>
Laura wrote:
<blockquote cite="mid:241C2086-FA4E-4F5D-A07C-50626DC9405B@gmail.com"
type="cite">
<pre wrap="">Report to Mosso support. They may have a vulnerability somewhere.
Laura
On Jan 28, 2010, at Thu 1/28/10 3:08pm, Brian Vuyk wrote:
</pre>
<blockquote type="cite">
<pre wrap="">After seeing that, I definately checked the bootstrap.inc, but it's clean.
The host is (surprise, surprise) Rackspace / Mosso.
Brian
Laura wrote:
</pre>
<blockquote type="cite">
<pre wrap="">See this Development list thread from yesterday. <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.drupal.org/pipermail/development/2010-January/034894.html">http://lists.drupal.org/pipermail/development/2010-January/034894.html</a>
Look for malicious code in your filesystem -- bootstrap.inc for example was modified in some reported attacks.
What host is this site on? There might be some correlation there.
On Jan 28, 2010, at Thu 1/28/10 2:57pm, Brian Vuyk wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi all.
I am having a strange issue with a client's site. I am hoping someone
here has had similar, so we can compare notes / find a solution.
Monday, this long-time client called me up to tell me that when he goes
to certain paths on his site, instead of showing his pages, they would
show pages from 'Canadian Pharmacy'. The pages are exactly as those
shown in this spamwiki article:
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy">http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy</a>
At the time, I wasn't able to reproduce the issue. However, it was
affecting more and more of his visitors - soon he started forwarding
emails from his users indicating similar issues.
Eventually, it happened to me too - at certain paths, the Canadian
Pharmacy pages would come up. The attack seems to be cookie-based,
because once I cleared my browser cookies, the problem went away. The
same fix worked to clear it up on the client's machine. Unfortunately, I
haven't been able to make it happen again so I can see exactly *what*
cookies are set.
Now, I've since updated core and every module on the site to the latest
versions. I've checked all the non-Drupal files on the server, and
examined the database very closely, and can say with relative certainty
that there is no rogue code running on the site. However, the problem is
still occurring for my client's visitors on and off.
Does anyone have any idea how this is being accomplished / what we can
do to try to find a solution for this? Has anyone seen anything like
this before?
Any help or suggestions is very much appreciated.
Brian
_______________________________________________
consulting mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:consulting@drupal.org">consulting@drupal.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.drupal.org/mailman/listinfo/consulting">http://lists.drupal.org/mailman/listinfo/consulting</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
consulting mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:consulting@drupal.org">consulting@drupal.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.drupal.org/mailman/listinfo/consulting">http://lists.drupal.org/mailman/listinfo/consulting</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
consulting mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:consulting@drupal.org">consulting@drupal.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.drupal.org/mailman/listinfo/consulting">http://lists.drupal.org/mailman/listinfo/consulting</a>
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
consulting mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:consulting@drupal.org">consulting@drupal.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.drupal.org/mailman/listinfo/consulting">http://lists.drupal.org/mailman/listinfo/consulting</a>
</pre>
</blockquote>
<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
consulting mailing list
<a class="moz-txt-link-abbreviated" href="mailto:consulting@drupal.org">consulting@drupal.org</a>
<a class="moz-txt-link-freetext" href="http://lists.drupal.org/mailman/listinfo/consulting">http://lists.drupal.org/mailman/listinfo/consulting</a>
</pre>
</blockquote>
<br>
</body>
</html>