October 20, 2007

When the lights go out …

This morning in Virginia, USA, one of the data-centers we use was caught by a total power blackout, and was off-line for approximately 94 minutes.

Fortunately, our server there rebooted cleanly when power was restored and no customers experienced any loss of service.

Now, if you think that I’m going to complain about how this should never happen, you’re wrong. I would actually like to praise the data-center staff for their rapid reaction to this incident – Serverbeach, the proprietors of the data-center, immediately flagged this up as a serious incident with their holding company, PEER1, and additional technicians from two other data-centers were dispatched by air to Virginia to assist in any server recoveries that were necessary. I can ask no more of them than that, and the fact that they all reacted so swiftly is a credit to them. Big thumbs up from me! :D


October 11, 2007

BBC News knocked off-line

The BBC News web-site has been suffering outages today while its hosting location fluctuated between BBC Internet Services and the Akamai web application acceleration and performance management service.

For many users this afternoon, the front page of the BBC News site has been slow to respond, often displaying error messages such as “No suitable nodes are available to serve your request” and “an error occurred while processing this directive”. Other users found that requests to news.bbc.co.uk caused the server to continually redirect their request back to news.bbc.co.uk, causing an infinite redirection loop which would have added to the load on the servers.

Today’s performance problems coincide with apparent moves to and from the Akamai content distribution network. Prior to today, the news.bbc.co.uk site had been self-hosted by BBC Internet Services in Docklands, London.

For some periods today, the BBC News website had resolved to IP addresses belonging to Akamai, while other times it had either been pointed back to BBC Internet Services at Docklands, or did not resolve at all, thus leaving the site completely inaccessible.

Akamai transparently mirrors content stored on web servers and users then access the content from these instead of the origin server. By automatically picking a mirror server that is near to the user, performance is generally increased while decreasing the load on the origin server.

Steve Herrmann, editor of the BBC News website, has published a blog article about the site problems.


September 30, 2007

Google fixes Gmail vulnerability

Google has fixed a vulnerability in their Gmail web-based email service which would have allowed Internet attackers to steal mail messages from users without being noticed.

The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to an external mail address controlled by the attacker. Because the Gmail service did not adequately verify the origin of such requests, it was possible for attackers to create their own web pages that used JavaScript to automatically make such requests on behalf of their victims. In essence, a Gmail user would visit one of these pages and have their account compromised without necessarily realising anything is awry. Only close inspection of the Filters tab in the Gmail Settings menu would reveal what had happened.

Proof-of-concept exploits used JavaScript to make a silent POST request to the Gmail service and add the attacker’s filter. With the results of the request hidden in an iframe, it is highly unlikely that a victim would have noticed that their Gmail account had been compromised, particularly while browsing a completely different website. While this attack scenario would only be successful if the victim was logged in, many Gmail users remain constantly logged in throughout the day, thus increasing the likelihood of a successful attack.
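The missing server-side check described above, as an added example that is not Google's code or part of the original post: a state-changing request is accepted only if it carries a token bound to the user's session and, where the browser reports one, an origin that matches the site. The origin `https://mail.example.com`, the session identifier and the form field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)         # per-deployment secret (constructed)
TRUSTED_ORIGIN = "https://mail.example.com"  # placeholder origin, an assumption

def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in its own settings form for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def allow_state_change(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """Return True only if a filter-changing request provably came from our own form."""
    if method != "POST":
        return False
    # 1. If the browser states where the request came from, it must be our site.
    source = headers.get("Origin") or headers.get("Referer")
    if source and origin_of(source) != TRUSTED_ORIGIN:
        return False
    # 2. The body must carry the token bound to this session. The session cookie
    #    alone is not enough: the browser attaches it to cross-site requests too.
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(supplied.encode(), expected.encode())

# Constructed requests: the same logged-in session, reached from two different pages.
SESSION = "sess-7f3a"  # constructed session identifier
own_form = {"forward_to": "me@example.org", "csrf_token": issue_csrf_token(SESSION)}
foreign_form = {"forward_to": "someone@elsewhere.invalid"}  # no token available

if __name__ == "__main__":
    print(allow_state_change("POST", {"Origin": TRUSTED_ORIGIN}, SESSION, own_form))
    print(allow_state_change("POST", {"Origin": "https://other.invalid"}, SESSION, foreign_form))
```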


September 25, 2007

Professional hackers at large

A group of hackers using a commercial hacking program (MPack) are on the loose, and causing some considerable concerns amongst web-site owners and hosting companies.

They are accessing multiple web sites to add code directly to the main index pages, which closes down the browser window and brings up a pop-up window advising the user that they have virus / spyware / porno files on their computer, and they need to download and run a cleaner (typically DiskCleaner or WinCleaner).

If the unsuspecting user takes the offer of the download they actually get a keystroke logger installed, and away goes such info as bank details, passwords, etc, etc. It also installs a cookie which returns them back to the hacker’s site at random intervals to get infested again.

The MPack software is clever – it is being sold on Russian forums at $1000 a go with a year’s support, and is being updated almost monthly to exploit new vulnerabilities in various browsers and other software.

The hackers are also testing the passwords they gather to see if the same password is good for root, control panel or mail access.

Several high-profile web sites have been affected, including a USA Consulate Office web site, the Sydney Opera House, the Chinese Internet Security Response Team web site (www.cisrt.org), and the Bank of India who had to close their web site down for a week while they cleaned out the offending code.

Suggestions:

1) Check your web site(s) for a new piece of code, particularly directly under the <body> tag, or some Java code at the foot of the pages, and if it’s there remove it immediately.

2) Make sure that you use different intricate passwords unique to each part of your site(s) – Different ones for FTP, root, control panels, mail, etc, etc.
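One way to automate the check in suggestion 1, as an added example that is not part of the original post: it parses a page and reports `<iframe>` and `<script>` tags that load from a host you do not own, plus iframes sized or styled to be invisible. The sample page, the host names and the "hidden" heuristics are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class InjectionScanner(HTMLParser):
    """Collects (line, tag, host, reason) for suspicious iframe/script tags."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = set(own_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative URLs have no hostname and are treated as the site's own content.
        host = urlsplit(a.get("src", "")).hostname
        offsite = host is not None and host not in self.own_hosts
        style = a.get("style", "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)
        if offsite or hidden:
            line, _ = self.getpos()
            self.findings.append((line, tag, host, "hidden" if hidden else "off-site"))

def scan(html, own_hosts):
    scanner = InjectionScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed index page with two added tags that the site owner did not write.
SAMPLE = """<html><head><script src="/js/menu.js"></script></head>
<body>
<iframe src="http://injected.invalid/x" width="0" height="0"></iframe>
<h1>Welcome</h1>
<script src="http://stats.invalid/c.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, {"www.example.com"}):
        print(finding)
```

Run it against a known-good copy of each page first, so that legitimate third-party scripts can be added to `own_hosts` before you rely on the findings.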

We have also heard of at least two hosting companies or server suppliers who have had their customer support software hacked, compromising customer login and password details – An ideal route for the hackers to gain access to thousands of web sites to add their code.

This isn’t a new threat, but it is suddenly picking up speed – The added code is even being picked up by search engine bots.

When did YOU last change your passwords?


September 1, 2007

SPF Mail Protection

Nowadays more and more spam mail is being sent using fake email addresses and servers – Well, it’s fake as far as the spammers sending the mails are concerned but, when it’s your address they’re using, it can mean considerable inconvenience dealing with bounced messages that you never sent and trying to restore your integrity.

SPF (or Sender Policy Framework) sets out to combat this practice of Sender Address Forgery by inserting an additional text record in the DNS record for each domain, labeling the mail server or servers which are authentic senders of mail for that domain.

More and more mail servers now check that the server sending mail to their users is listed as a genuine and authorized sender of mail for that domain, and will either “bounce” (return to sender, undelivered) or “drop” (delete) the incoming mail if it does not pass the SPF test.

As spam can account for well over 50% of the mail received by our mail servers on a day to day basis, we have been using SPF checking for some time on the servers which handle incoming mail to our own domains.

Adding an SPF record to your domain’s DNS record is simple – It is just a one-line text record, and there are plenty of on-line resources available to help you formulate the correct format. Once you have the correct record in place, you will find that mail is accepted far more easily by the main bulk-mail handlers, particularly Hotmail, who were one of the first services to initiate SPF checking back in 2004.


August 25, 2007

Yahoo! starts grey-listing

Yahoo! introduced an interesting system of mail filtering this week by introducing a grey-listing system to check that mail incoming to their servers is from ‘genuine’ mail servers, and not fake ones set up by spammers using dynamic IPs etc.

It works in such a way that the first attempted mail delivery from an outside server gets bounced back to the sending mail server with a “try again later” message, and will then accept the mail on the next go around which (depending on your ISP’s mailserver retry settings) may be an hour or so later. It’s basically to test that your message has come from a REAL mail server, and not some hacker/spammer.

I guess that they’ve got to do something because of the ever increasing levels of spam hitting their servers.

You can read more about how Yahoo! “defer” mail, and other related information at the Yahoo! Postmaster page.
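The defer-then-accept behaviour described above, as an added example that is not Yahoo!'s implementation or part of the original post: a generic grey-list keyed on the (client IP, sender, recipient) triplet. The delay, the expiry window, the reply strings and the sample deliveries are assumptions chosen for illustration.

```python
DEFER = "451 4.7.1 Try again later"
OK = "250 OK"

class Greylist:
    def __init__(self, min_delay=300, window=86400):
        self.min_delay = min_delay  # seconds a sender must wait before a retry counts
        self.window = window        # seconds a pending first attempt stays valid
        self.first_seen = {}        # triplet -> time of first attempt
        self.passed = set()         # triplets that have already retried properly

    def check(self, client_ip, mail_from, rcpt_to, now):
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return OK
        first = self.first_seen.get(key)
        if first is None or now - first > self.window:
            # Unknown (or long-expired) triplet: record it and ask for a retry.
            self.first_seen[key] = now
            return DEFER
        if now - first < self.min_delay:
            return DEFER            # retried too quickly to count as a real queue run
        self.passed.add(key)        # a real mail server queued the message and came back
        return OK

def replay(attempts, min_delay=300):
    """Feed (ip, from, to, time) tuples through a fresh grey-list, return the replies."""
    greylist = Greylist(min_delay=min_delay)
    return [greylist.check(*attempt) for attempt in attempts]

# Constructed delivery attempts; times are seconds since the first connection.
ATTEMPTS = [
    ("192.0.2.10", "alice@example.org", "bob@example.net", 0),     # first try
    ("192.0.2.10", "alice@example.org", "bob@example.net", 60),    # immediate retry
    ("192.0.2.10", "alice@example.org", "bob@example.net", 3600),  # queue retry
    ("192.0.2.10", "alice@example.org", "bob@example.net", 3700),  # later mail
    ("203.0.113.7", "x@example.com", "bob@example.net", 3700),     # new sender
]

if __name__ == "__main__":
    for attempt, reply in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt[0], attempt[3], reply)
```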


July 16, 2007

PHP4 End of Life Announcement

PHP has officially announced the end of support for PHP4. This will, no doubt, cause some headaches for die-hard PHP4 supporters, but the end has been coming for some time now, since the release of PHP5 and the ongoing development of PHP6.

Here’s the official announcement from the PHP team:

PHP 4 end of life announcement

[12-Jul-2007]

Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued.

The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5.

For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well.
