Author |
Message |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Wed Aug 09, 2006 8:17 pm |
|
A New Zealand host whose shared server was compromised by a script kiddie blames an out-of-date PHP-Nuke / phpBB version and threatens to disallow these scripts in the future.
Here's the Only registered users can see links on this board! Get registered or login!.
This brings up several questions:
Is it fair to not allow PHP-Nuke / phpBB?
Why single out PHP-Nuke and phpBB?
Which was it, PHP-Nuke or phpBB? (story says it was caused by one unprotected site)
Are there better ways for hosts to check / audit / remind clients that scripts need to be updated - or face having their accounts shut down?
Are there better ways to notify webmasters that updates are available and should be installed?
Having experienced multiple hosts, I've come to greatly respect and appreciate Raven's proactive approach to issues like this: notify, check, remind, take action.
What do YOU think? |
_________________ I search, therefore I exist...
|
|
 |
gregexp
The Mouse Is Extension Of Arm

Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
|
Posted:
Wed Aug 09, 2006 9:29 pm |
|
I personally find this to be some major b/s.
Every server I have ever been on has used some sort of script protection to secure the SERVER against such attacks. Sites are one thing, Servers are a whole nother ballgame.
In my opinion, to blame a site is like blaming the battery in a car when it breaks down. And as any good mechanic knows, the battery starts the car and the alternator charges the system and runs the vehicle once the motor starts.
Basically saying the site could not have been the downfall; an insecure server would be, although it is known that allowing phpnuke/phpbb forces the server to be open to exploits. These exploits are not without hope.
PHP safe mode limits the functions of a server but it does lock a LOT of exploits out and other things are designed to scan the ENTIRE server for exploits.
I'm always worried about server security and have one thing that I ask all to run. That's Sentinel.
I may not have the most secure server but I am continuing to work at it as any good webmaster would. Diligence and watching the server like a hawk is always a must whether you have a site or a reseller or a server.
Quote: | Just recently iSERVE had reviewed its security policies and introduced many changes to PHP configuration and various firewall and system rules to ensure client content is protected as well as it can be in a virtual environment. |
I believe this says it all. |
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!! |
|
 |
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Sat Aug 12, 2006 2:39 pm |
|
What really "chaps my hide" about that Host is this: take a look at the numerous Secunia alerts generated every day (just for example). Every system, every script, every browser, every operating system, etc. are found to have exploits. To shut off the one, PHP-Nuke / phpBB, is ridiculous!
I believe they could solve many of these issues by using PHP as a CGI module and using something like suexec so that the compromise of ONE client's account cannot affect that of another. However, you cannot run as many sites on the same hardware, especially if they are "busy", and so, I am sure many hosts do not run under this type of setup.
JMO. |
|
|
 |
gregexp

|
Posted:
Sat Aug 12, 2006 5:01 pm |
|
If I may, I completely agree. But to this line:
Quote: |
However, you cannot run as many sites on the same hardware, especially if they are "busy" |
Too many hosts are nickel and diming the crap out of their servers as it is.
It just shows how important it is to background a host before you get with one.
But this is kinda self driven here: don't believe all you hear. |
|
|
|
 |
kguske

|
Posted:
Sun Aug 13, 2006 5:57 pm |
|
Now they've decided it's phpNuke, and Only registered users can see links on this board! Get registered or login!.
If they did, I'd suggest opening a class action against the host for all the sites that were attacked. The $20K is what it cost the host - what about the hosts' clients who suffered poor security on the server? |
|
|
|
 |
gregexp

|
Posted:
Sun Aug 13, 2006 7:01 pm |
|
ohh man.
This makes my blood boil.
If I could, I'd approach the site and offer to host them.
This is some major b/s.
If php.ini is configured correctly along with being run correctly (I can't be sure but I believe cgi is recommended), it won't affect other sites on the server.
A good client for others to pick up.
Ignorance is astounding. |
|
|
|
 |
kguske

|
Posted:
Sun Aug 13, 2006 7:06 pm |
|
I think the host is really trying to save face. What will they do next - sue Linux, PHP or MySQL for being insecure? But they cannot do that... So they make some poor webmaster (poor because he chose them as a host) responsible for their weak security. I host sites on multiple servers - this is really ridiculous. |
|
|
|
 |
technocrat
Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005
Posts: 511
|
Posted:
Tue Aug 15, 2006 9:25 am |
|
It's easier to blame a company or an entity rather than yourself or customers. |
|
|
 |
kguske

|
Posted:
Tue Aug 15, 2006 3:12 pm |
|
True, but in this case the company is blaming one of its customers. |
|
|
|
 |
montego

|
Posted:
Wed Aug 16, 2006 6:21 am |
|
Unbelievable! This Host should be raked over the coals in WebHosting.com and other sites dedicated for exposing bad hosts! |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Wed Aug 16, 2006 9:04 am |
|
I think it is pathetic that a hosting company blames a customer for its own shortcomings. |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Wed Aug 16, 2006 1:08 pm |
|
On the one hand, the customer needs to be vigilant in upgrading and maintaining his site. On the other, banning certain scripts (not used for illegal purposes) seems to be a bit harsh. I don't see them getting any real business in the future with such policy in the future. Whatever customers they have will use Mambo, Joomla.. some other alternatives, eventually those will get hacked. So what they'll end up with is only users using straight HTML or custom coding.... and we know how dangerous newbie coders are with security and custom code.  |
|
|
 |
RickJ
Hangin' Around

Joined: Jul 14, 2006
Posts: 27
|
Posted:
Wed Aug 16, 2006 1:41 pm |
|
I think the main problem is that by default most hosting companies use the phpnuke fantastico script which installs version 7.8.
Has anyone given any thought to creating a fantastico script for RavenNuke to offer as an alternative? |
|
|
|
 |
kguske

|
Posted:
Wed Aug 16, 2006 2:51 pm |
|
Some, including Raven, have spoken with the developers of fantastico about giving hosts the ability to install scripts to fantastico, rather than waiting for fantastico to do it. It was listed at the time as a future enhancement...not sure where they are with that. |
|
|
|
 |
|