Horde is a popular webmail software and comes installed with cPanel. We had a situation where accounts were moved across servers using WHM on a cPanel server. After the upgrade customers reported that in their horde address book entries, they see NULL with the names of their contacts.
We have removed the names for privacy from the screen shot above. We investigated the issue and found that the table turba_objects in horde database is holding literal NULL text instead of NULL datatype. We had to run multiple SQL queries like the following to get all the records updated:
UPDATE `turba_objects` set object_lastname=NULL WHERE object_lastname='NULL'
Once all the columns were updated, there were no more NULL text displaying in customer’s contacts. It looks like when cPanel/WHM did the data transfer across servers, it somehow enclosed the NULL in quotes making them literal text.
This article applies to general security of websites with emphasis on Linux cPanel based shared web hosting. These are some of the best practices that can help prevent hacking. And if the website gets hacked, some steps that should be taken to properly secure it.
First thing you should do is to check vendor/developer websites for all of the web scripts/applications (e.g. WordPress, Joomla, Drupal etc.) used in your account for any updates. This includes any addon modules you may be using in any web applications. If you are using any open source web application, that may be the prime suspect. However, you must check all and keep them up to date. Search on google or security related websites for any known exploits in public knowledge for any web application in your use. For example if you are using WordPress or Joomla, you must get yourself registered in their mailing lists and update to latest stable release or whenever they release a security patch. The window of opportunity for hackers should be kept minimum. We do this for a number of websites that we maintain and they have never been hacked in 17 years.
Once you have verified that 100% of scripts/web applications are on latest stable version, you will need to go through all files of your account and make sure none is uploaded by hackers before you audited. Remove any unattended install of any applications. For example if you installed a web app to test it out and forgot to remove it.
Go through all files in your folders and check for timestamp of file changes. There may be files in folders you would never imagine. You can use ftp or cPanel File Manager to go through all files under public_html and compare them with your local copy. [You should always maintain a local copy for this comparison as well as backup] – especially check any modified files for any code injected into it.
Typical locations for hackers to install malicious scripts is images folder or web app upload folder.
Make sure all passwords are mix of alpha-numeric and not any dictionary word. Just because you thought of a difficult word from dictionary does not make you safe. Reset all passwords if you are hacked, including email, database, web app logins, and any control panel. Hacker may have already scanned all your files to pick e.g. database password for future attacks.
The MySQL database access for a web application should be through separate database users. Do not use your main account user/pass for it. Your main login should never be stored in any file in your account. If you need to access MySQL remotely, make sure you allow only your static IP for access.
In your cPanel, activate archive option of your web logs in Raw Log Manager. This will give you the opportunity to check how the hacker exploited one of the scripts. Otherwise all raw logs are cleared after generating stat reports. If you have already been hacked, it is too late now but you can archive the logs for future attacks.
If you have customized a web application with modifications or modules, make sure it is also latest stable. Many popular web application may be stable but one of the addon mods are exploitable, which may not be maintained any more. Avoid using them. Only use well maintained code in your account.
If you have developed some code yourself, make sure all input variables are sanitised (checked for valid data before using it). Otherwise a single line of bad code can give access to your entire account. The usual mistakes are (a) to include a file based on user input (b) passing the data as it is to database or other scripts without sanitising it. Again, make sure all input to a script is checked for valid data. All exploits are based on input data. If your site does not take any input, you are 100% safe from web exploits, i.e. if you run 100% static html site with no script whatsoever anywhere in your account.
For php scripts, any application that uses register_globals to be active has more chances of being exploitable. Avoid such applications. In latest php, register_globals are no longer active so this type of exploits are going down.
If you have an email script for a contact form, make sure it is safe from header injection. In essence make sure that email address, subject and other part of data that is being submitted by user does not contain line breaks. If any line break comes in, the script should block such attempts. With such header injection spammers can use your account and server to send huge spam.
Using open source free web applications is great but you have to maintain it by regular updates or you can loose all your data and site if a new exploit is released. And as a hosting account owner, it is your responsibility that you maintain such applications and keep your account protected.
If your site has been running fine for years, it does not mean there were no security holes in it. It actually means that exploit was unknown or you were lucky that no one exploited it before.
Also avoid using open source software (including any plugin/theme) that is not well maintained or has been abandoned by the developer. Another indicator would be high number of critical exploits discovered for it in the past, meaning the code base is not very secure and more exploits could be discovered in future.
If you are on a shared hosting account, for added security, change the permissions of your configuration files (having database credentials in them) to “660”. You can do that via ftp, ssh or file manager. For example via ssh: chmod 660 config.php
Again for additional security if you can block access to certain administrative sections of your site do that by giving access to only authorized IP addresses and blocking access for everyone else. Or password protect it. This can be done using .htaccess file or Password Protected Folders.
If there is any file upload facility in your account, make sure that only authorized users can use it. It should also have some sanity check on what type of files are allowed. This is one of the easiest entry points for hackers.
Also the uploaded file should not be accessible via web URL directly. They should be stored outside of public_html unless (a) it is only uploaded by a site admin (b) checked and validated that it does not contain malicious data.
If there is any URL forwarding or Webmail facility for your site membership, make sure access is restricted. It should be allowed only with proper authorization, otherwise it could be used for spamming.
If you’re exploring something by installing a test instance of a web app, or you are in the process of developing a new app, lock it behind password or IP access right away.
Since our linux web hosting servers come with suphp, you do not need any file or folder with world write permissions. The normal folder permissions should not exceed 755. And php/html files can be 644. CGI/perl scripts can be 755.
If you download a commercial software or a plugin of a web app from suspicious website e.g. a commercial theme or plugin for WordPress, chances of that code already infected with malicious code are very high. Never download such files, and never install them on your website. Same is the case with any client software installed on your computer.
Anyone who writes web application code, should be familiar with security. Here is a book that covers the web application security particularly on php: http://www.oreilly.com/catalog/phpsec/ we recommend it to all. It covers different aspects of vulnerabilities found today in web applications. Remember, one single line of bad code can give access to your entire account. Writing code is easy but writing secure code needs awareness. This is not a problem of PHP or server. It is lack of security awareness and education. It should be high priority in a web development project.
Let us know if you would like to add more to these tips by posting them in comments section below.
We thought it would be a good idea to share photos from our operations as it is said ‘a picture is worth a thousand words’. This is the first photo we would like to share from our data center.
These are latest Supermicro servers we racked for a customer. You can see two Cisco switches on the top. One is the access switch for this particular rack and the other one is private switch for backups. The switches front is on the other side of the rack for easy access to network cabling. The four servers are 1U in size, each with four hot-swap slots for hard disks that you can see in the picture (clicking those little red buttons will open the slot to pull out the disks). Typically these servers are Intel Xeon Quad / Hex Core with 32 to 96GB RAM (memory).