The issue does not affect vBulletin 3.x.

To improve the security of your vBulletin 4 installation please download the patch from the members area of vBulletin: http://members.vbulletin.com/
We recommend you install this security patch as soon as possible.

The upgrade process is the same as previous patch level releases – simply download the patch from the Members’ Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

Technorati Tags: vBulletin security patch, vBulletin v4

“After much consideration, cPanel has decided to offer Enkompass free of charge beginning October 12, 2011. cPanel Vice President of Product Development Ben Thomas made an announcement today during cPanel Conference about the plans for the future of Enkompass.

Technorati Tags: Cpnel Enkompass Free, Free Enkompass

Recently we our operation team found that accounts that are running Joomla and WordPress applications are being hacked. Most start with an automated scanner tool that scans for specific versions of Joomla and specific extensions versions. (Same with wordpress and others) Once vulnerabilities are identified then one of the below is used to gain access.

Here’s the main cause of it:

The _MACOSX folder is automatically generated when files are zipped on an Apple computer. Because the use of Mac you will find them after unzipping your downloaded Zip-archive on a Windows PC. Simply forget about this folder. You don´t need it.

Whats with __MACOSX in Zip files?

Recently people are using Mac’s for development these days. Most core developers from some of the leading web frameworks use Mac as their primary development platform. Several plugin and theme authors for WordPress also develop on Mac. This is good thing but also has side effects of this development.

The easiest way to archive something on Mac is to right click on directory of choice in Finder and select “Archive as…”. This creates a Zip file, which then the developer can distribute to users. After this procedure another folder suspiciously named”%%__MACOSX%%” gets created at the root of Zip archive. Bellow is an example:

==================================================================

/funvilla/wp-content/oqey_gallery/skins/__MACOSX

/images/stories/Halloween/__MACOSX

/wp-content/plugins/uBillboard/__MACOSX

/public_html/tmp/install_4a5e043578f85/__MACOSX

==================================================================

This folder contains other things, thumbnail for images in the original archive. These kind of unwanted undesirable things are really not necessary. It’s okay, try to keep cool. Bellow we are presenting a systematic analysis of what Mac OSX does is wrong, stupid and unnecessary:

In WordPress themes directory, if each theme starts creating its own”%%__MACOSX%%” folder, then themes directory would soon get crowded with useless garbage. This, creating an entire tree structure in the archive just breaks things in more ways. Example: each WordPress theme starts creating”%%__MACOSX%%” folders in the root of the archive. As a result the new theme will also try to extract in the”%%__MACOSX%%” folder. Not only this, some programs like Gallery ( Joomla ) also have the ability to load plugins/images directly from Zip files. Hence, people end up with unwanted images, themes and plugins in setup. This might just break the installation. Again, one did not explicitly create that folder. If someone creates a virus, that just modifies the default zip program on Mac to sneak in malicious payload via the”%%__MACOSX%%” folders in any new Zip archives, it’s a security risk.

This way we encountered that all the data inside”%%__MACOSX%%” folder is created from directory itself. No external information is used / needed. Think why anyone would ever need such new folder. The zip file has been produced on a system running Mac OSX, they’re irrelevant files (mac filesystem metadata) one can just delete the directory.

Next, we also encountered the Vulnerability Found in timthumb.php

We found a vulnerability in a popular image resizing library called TimThumb, used in many WordPress and Joomla themes and plugins. This allows one ( HACKER ) to upload and execute despotic PHP code in the TimThumb cache directory. Once, PHP code is uploaded and executed, any site can be compromised as per the HACKER.
We strongly recommend deleting timthumb.php / thumb.php / createthumb.php / showthumb.php / class.img2thumb.php / action.changethumb.php like file from the account. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory.
Still, one wish to use the TimThumb, then make sure to update the file the latest version and remember to check the TimThumb site regularly for updates. One should also set ALLOW_EXTERNAL to false and find the $allowedSites array inside the file and remove the domain names to prevent remote file downloading.

Please make sure it is as follows:

define( ‘ALLOW_EXTERNAL’, false );

Then make changes as following:

$allowedSites = array (

        'flickr.com',

        'picasa.com',

        'img.youtube.com',

        'upload.wikimedia.org',

);

Change it to look like bellow:

$allowedSites = array();

Always be sure to use the built-in WordPress functions for Themes and Plugins such as: add_image_size to resize images.

Kind Regards,
Daniel Smith
Level II Support Department
http://www.WebHost.Uk.Net
http://www.WebHosting.Uk.Net
Support Portal: https://secure.webhost.uk.net

Technorati Tags: Gallery, Joomla, Joomla Hack, Joomla Sites Hack, Joomla Vulnerability, MACOSX Vulnerability, Plugins, Themes, TimThumb Vulnerability, TimThumb.php file issue, WordPress, WordPress Hack, WordPress Plugins, WordPress Sites Hack, WordPress Themes, WordPress Vulneracility

2. A box will appear. Click Add and select Mail.

3. Enter your name as you want it to appear on your emails and click Next.

4. Put in your email address, which consists of a user you set up in webmail and @yourdomain.xyz, and then click Next.

5. Set the server type as POP3.

6. For incoming and outgoing mail servers, enter mail.yourdomain.xyz (where yourdomain.xyz is your domain name and extension such as .com).

7. Click on Next.

8. Enter your email address for the Account Name. Enter the password you set for this account. Note: Do NOT check the box “Log on using Secure Password Authentication”.

9. Click Next and then click Finish. After you click Finish, you should see the following window. If not, go to the Tools menu, and click on Accounts. After clicking Accounts the window will appear. In this window, click on your domain until it is highlighted, then click on Properties.

10. When the next screen appears, click on the Servers tab. Under Outgoing Mail Server, check the box next to My server requires authentication. Click Okay. Note: You MUST do this step so you can send mail from your domain.

11. Now, you’re ready to send and receive mail. To set up multiple accounts, follow these steps again.

Technorati Tags: Configure Outlook Express on Windows, Configure POP3 and SMTP settings in Outlook Express, Email Hosting, Email web host, My server requires authentication, POP3 and SMTP ports in Outlook Express

1.  Browse to the folder in which the message was deleted from (i.e. inbox, sent, deleted items)

2.  Expand the Tools menu and select Recover Deleted Items

3.  Select the email(s) that you would like to recover

4.  Click the envelope icon to recover the email(s)

Technorati Tags: 2011 email hosting, Email Hosting, Emails deleted in Outlook 2007, Outlook 2007 email recovery, Recover Outlook Email, UK Email Hosting

2. On the E-mail tab, click New.

3. Select Microsoft Exchange, POP3, IMAP, or HTTP and click Next.

4. Check Manually configure server settings or additional server types and click Next.

5. Select Internet E-mail and click Next.

6. Enter the requested information:

* Your Name: your name
* Email Address: the email address the messages will be sent from
* Account Type: POP3
* Incoming Mail server: mail.domainname.com
* Outgoing Mail server: mail.domainname.com
* User Name: the full email address
* Password: the password for the email address

7. Click More Settings

8. On the Outgoing Server tab, check My outgoing server (SMTP) requires authentication

9. Select Use same settings as my incoming mail server and click OK.
10. Click Test Account Settings to verify everything is configured correctly.
11. Click Next and then click Finish.

Technorati Tags: Configure Microsoft Outlook, Configure Outlook 2003, Configure Outlook 2007, email hosting 2011, email UK hosting, Email web hosting, My outgoing server (SMTP) requires authentication, Outlook Email client, POP3 settings, SMTP settings

CentOS-3 updates until Oct 31, 2010

CentOS-4 updates until Feb 29, 2012

CentOS-5 updates until Mar 31, 2014

2 . What architectures are supported ?

The following architectures are supported by each version of CentOS:

CentOS 3 currently supports x86, x86_64 (AMD64 and Intel EM64T), s390, s390x, ia64 (Intel Itanium2).

CentOS 4 currently supports x86, x86_64, s390, s390x and ia64. ppc (PowerPC), alpha (DEC Alpha) and sparc are released in beta for CentOS 4.

CentOS 5 currently supports x86 and x86_64. ia64, ppc (PowerPC) and sparc are being developed.

3. How can I easily compare what major package versions are in CentOS 3, CentOS 4 and CentOS 5?

On the CentOS Distro Page at DistroWatch.com you can compare Major packages and All tracked packages. DistroWatch is an good resource for comparing Linux and BSD distributions.

Technorati Tags: architectures are supported in centos, Centos 3, Centos 4, Centos 5, Compare Centos packages, EOL for Centos 3, EOL for Centos 4, EOL for Centos 5

CentOS 6.0 has been released. This is, some might say, the most anticipated release to date with CentOS pushing out the date numerous times. Finally CentOS 6.0, an Enterprise-class Linux Distribution, is available for download to the public.

CentOS-6.0 is based on the upstream release EL 6.0 and includes packages
from all variants. All upstream repositories have been combined into
one, to make it easier for end users to work with.

We highly recommend reading this announcement along with the Release Notes 

WebhostUK Limited now provides Reseller clients hosted on server with latest CentOS 6, following feature we offer with reseller hosting plan

* Free WHMCS billing Software: Allows you to automate web hosting and take care of billing for your end user clients.
* 100% private labelled end user support: Get 100% private labelled, free end user support, where your clients can now submit support requests, and our experienced staff will resolve them for you – working as YOUR own company staff.
* Free Vision Helpdesk Software: Most powerful ticket system serving as a helpdesk so that your clients can contact you for their support.
* Free Enom reseller account: Most trusted domain registrar where you can register domains under your ownership for your clients.
* Free private lablelled nameservers: Keeps you completely anonymous not letting your clients know that you are our reseller.
* Free SSL Certificates (on selected reseller plans): Securing your website for critical data that should be protected and encrypted.
* Free RvSiteBuilder: Allows you to design your website in less than 5 minutes with the selection of number of readymade templates.
* And many other things including RvSkin, Fantastico, account migration, etc..

** For More Information on Reseller Hosting plan, please click here

CentOS 6 Downloads

You can download CentOS Linux 6 via the web/ftp server or via BitTorrent (recommended) client.

CentOS 6 DVD ISO downloads

• Download CentOS 6 32 bit i386 DVD ISO image 1 (4.4 GB)
• Download CentOS 6 64 bit x86_64 DVD ISO image 1 (3.9 GB) and image 2 (1.1GB)

CentOS 6 DVD ISO Torrents

Torrent files for the DVD’s are available at the following location:

• Download 32 bit i386 torrent file
• Download 64 bit x86_64 torrent file

Technorati Tags: 100% private labelled, Centos 6.0 released, free end user support, free enom account, Free Vision HelpDesk, Free WHMCS, reseller web hosting 2011, Reseller web hosting on centos 6, UK reseller web hosting

* 4.1.4pl2
* 4.1.3pl2
* 4.1.2pl2
* 4.1.1pl2
* 4.1.0pl4
* 4.0.8pl4
* 4.0.7pl2
* 4.0.6pl3
* 4.0.5pl2
* 4.0.4pl3
* 4.0.3pl3
* 4.0.2pl6
* 4.0.1pl2
* 4.0.0pl3

Has been released.

An additional flaw within a side query that is used in the search UI has recently been discovered. This is further to a previous patch that was issued. This flaw may enable malicious individuals to inject sql that would allow you to run arbitrary queries on the db via this exploit. To resolve this issue, it has been necessary to release a patch level version on all versions of vBulletin 4.X. The issue does not affect vBulletin 3.X to the best of our knowledge. We are not aware of a website that has been compromised by this flaw.

The upgrade process is the same as previous patch level releases – simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.

Upgrading from 4.X

If you are already running 4.X, the process you will be required to follow to make your board immune to this flaw is very simple.

Visit the Patches section of the vBulletin Members’ Area and download the patch for the version you are using, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL release.

Technorati Tags: best forum hosting 2011, best VPS reseller hosting 2011, Community Forum hosting, Content publishing hosting, discussion forum hosting, premium vBulletin hosting, UK fourm hosting, vBulletin hosting, vBulletin security patch

cPanel PCI Compliance Step 1

First thing first, run a package update.

yum -y update

If it installed a new kernel, reboot the server so the new kernel takes affect. If its a live production server you may want to wait until an off-peak hour to do the reboot and continue with this article.

cPanel PCI Compliance Step 2

Now that you have the OS packages secure, its time to setup a firewall if you don’t have one already.

A good free IPtables based firewall is the APF (Advanced Policy Firewall) firewall from RF-X Networks, you can download that here:

wget http://www.rfxn.com/downloads/apf-current.tar.gz

While your at it, get and install the BFD (Brute Force Detector) and LSM (Linux Socket Monitor) which are also available on the RF-X Networks site.

The main things you want to configure are the allowed ports in the APF config file, both ingress AND egress, and then you want to setup an ACL by using the allow and deny hosts files that come with APF. For the ACL’s you want to block everything you don’t want public access to, but still need certain IPs to access. For example SSH, cPanel, WHM, and maybe webmail. For example your allow line for cpanel will look like this:

tcp:in:d=2083:s=123.123.123.123

Noticed, we used port 2083 and not the insecure cpanel port 2082, which we have blocked in the APF config file. And then so you have a deny from all that are not explicitly allows, add this to the deny hosts file:

tcp:in:d=2083:s=0/0

The reasoning behind this is to not even give anyone a chance to get in, if #1, they have your password, #2, they are trying to brute force their way in, #3, there is an exploit in which they are able to bypass the authentication means.

cPanel PCI Compliance Step 3

Back to Linux hardening, you want to do a few things here, first disable any unused packages/services, for example cups and portmap, delete any unneeded users, disable shell for any users that don’t need it in /etc/passwd.

You also want to change the SSH port, disable SSH version 1, and disallow direct root login:

pico /etc/ssh/sshd_config

Remember to allow the new SSH port in the APF config file, and add an underprivileged user to the wheel group, so you can su to root. and then restart the firewall and sshd.

cPanel PCI Compliance Step 4

Run a couple cpanel scripts, the first upcp, and the second easyapache. For upcp its recommend to use the “current” build, this is set in the update config in WHM.

/scripts/upcp

Remember to run upcp before running easyapache

/scripts/easyapache

When running easyapache, select the latest apache and PHP versions, and also ensure the following PHP options are checked:
CGI
Mod suPHP
suhosin fo PHP
Mod Security

This will ensure the most secure way to run PHP.

cPanel PCI Compliance Step 5

Install a ModSecurity rule set, ModSecurity, your layer 7, Web Application Firewall (WAF) is only as good as the rule set you are using. GotRoot.com is a good place for free ModSecurity rules.

wget http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz

Download, untar and install the different rules files, and then test and edit if needed.

cPanel PCI Compliance Step 6

The next step is to disable dangerous and PCI unfriendly PHP functions. For example a phpinfo page will cause you to fail a PCI scan. You disable line should contain at least the following functions:

phpinfo,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,
show_source,escapeshellarg,escapeshellcmd,inject_code

cPanel PCI Compliance Step 7

Now its time to go to WHM. There are a number of built-in WHM security features, and PCI friendly features.
Going down the list on the left hand side of WHM you want to look at:

Apache mod_userdir Tweak – Here Check “Enable mod_userdir Protection” and click save
Compiler Access – Click “Disable Compilers”
Configure Security Policies – Check the first 3 and next 2 if necessary, and click save
cPHulk Brute Force Protection – Enable cPhulk, and under White/Black list Management enter your IP(s)
Password Strength Configuration – Set this to 100
PHP open_basedir Tweak – Check “Enable php open_basedir Protection.” click save
Shell Fork Bomb Protection – Click “Enable Protection”
SMTP Tweak – Click “Disable”

Apache Configuration–>Global Configuration
- For SSLCipherSuite Change the + by Medium to a -, you line should look like this “ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP”
- Set TraceEnable and ServerSignature to Off
- Set ServerTokens to ProductOnly
- Set FileETag to None
- For Directory ‘/’ Options uncheck “indexes”

Now click save, then click Rebuild Configuration and Restart Apache
For Manage Service SSL Certificates, make sure all your services have a valid SSL cert
Under Service Manager, disable any services you don’t need, for example if you don’t have your database on this server, disable mySQL, if you don’t use it for email, disable the email related services

cPanel PCI Compliance Step 8

In order to pass a PCI scan your server must have at least one SSL certificate signed by a recognized certificate authority, and any services using SSL need to be using a certificate as well. Buy a decent 128 / 256 bit  SSL certificate and install it not just for Apache, but also for all of your active services. WebHost Manager has a section for installing service SSL certificates to make this process easier.

cPanel PCI Compliance Step 9

Finally document your versions. A part of your PCI docs file, you should have a screen shot of the version you are running of at least the following:
Apache, PHP, ModSecurity, Linux Kernel, CentOS, OpenSSH, and OpenSSL. Your output will look something like this:

root@server [/]# httpd -v
Server version: Apache/2.2.17 (Unix)
Server built: Dec 14 2010 17:23:57
Cpanel::Easy::Apache v3.2.0 rev5277

root@server [/]# php -v
PHP 5.3.4 (cli) (built: Dec 14 2010 17:30:39)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with the ionCube PHP Loader v3.3.20, Copyright (c) 2002-2010, by ionCube Ltd.
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

root@server [/]# uname -r
2.6.18-194.32.1.el5

root@server [/]# cat /etc/redhat-release
CentOS release 5.5 (Final)

root@server [/]# cat /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c
|grep MODULE_RELEASE |head -1
#define MODULE_RELEASE “1.9.5″

root@server [/]# rpm -qa |grep openssl
openssl-devel-0.9.8e-12.el5_5.7
openssl-0.9.8e-12.el5_5.7

root@server [/]# rpm -qa |grep openssh
openssh-4.3p2-41.el5_5.1
openssh-server-4.3p2-41.el5_5.1
openssh-clients-4.3p2-41.el5_5.1

Since RedHat type operating systems, including CentOS and Fedora, use backporting for OpenSSH and OpenSSL, you may get a false positive on your PCI scan for these. If that happens to you, send the screen shots showing your OpenSSH, OpenSSL, as well as your CentOS version and kernel version to your PCI scanner and let them know your a running a seucre, backported version, and request that they test that version manually.
If your PCI ASV requests more proof you are running a secure version of OpenSSH and OpenSSL, you can send them a screen shot of the following commands, which show specifically what patches have been applied to your version.

rpm -q --changelog openssh | head -50
rpm -q --changelog openssl | head -50

This will produce output similar to:

# rpm -q --changelog openssl | head -50
* Tue Dec 07 2010 Tomas Mraz 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)

* Fri Mar 12 2010 Tomas Mraz 0.9.8e-12.6
- fix CVE-2009-3245 – add missing bn_wexpand return checks (#570924)
(output truncated)

Another common false positive with cPanel servers, is your scan might detect Exim as an open relay, this is because the server will sending the mail headers before authentication, even though a successful authentication is needed before it will allow email to go through. If this shows up on your scan you will want to ask the scanning vendor to test this vulnerability manually.

We hope you have enjoyed this article and found it useful for helping make your cPanel Linux server PCI compliant. Please remember to try and test the steps listed here on a test server before applying them to your production cPanel servers. In addition this article does not cover everything your need to do to be PCI compliant, and it meant to be a starting point, and provide information for a cPanel, CentOS specific server. We plan on bringing your future articles and howto’s to cover the PCI compliant information missing from this article.

Technorati Tags: Best UK Web Hosting 2011, Britain Web Hosting, England Web Hosting, fasthosts Alternative, Godaddy Alternative, London Web Hosting, PCI Compliant, Top UK Web Hosting 2011, UK2 alternative, Web Hosting 2011, WebHosting UK alternative