Finding Exploits and Trojan php hacks on a website

It's always unfortunate when a site is exploited. The best fix is to wipe it and restore from a known-good backup, as well as track down the entry point the attacker used and close it.

Sometimes, however, you need to 'clean' a site of these files before migrating it, or to keep the site running for a short time until you are able to do this. That is what this HOWTO is for: keeping things going for a short time until you can track down the entry point, or migrate/upgrade the site and get it back online.

I use multiple methods to identify scripts, and even then some will probably be missed. Here are the ones I usually use.

Servers for Hurricane Sandy refugees

Has your hosting been affected by Hurricane Sandy? We would like to offer you free hosting.

Order a server from http://launchtimevps.com

In the order comments say "My server xyz.com is affected by Hurricane Sandy. May I please have the $50 credit."

We will verify that the server has been 'Sandy-ized', apply the credit and set up your server.

You will not be required to make any payment until after the credit runs out (typically in 1-2 months depending on what server you order). You can cancel and shut down the server at any time.

If you have any questions, just let us know here (in the comments) or in live chat at http://rimuhosting.com/chat.jsp


Blocking malicious crawlers or scrapers in Apache

Occasionally we see a customer with a popular website that people try to crawl and copy wholesale. This has the unfortunate side effect of hammering the site.

Made worse by dynamic pages and loops, this can literally take down a server on some occasions. Often you can slow crawlers down by putting something like this in a robots.txt in the DocumentRoot:

User-agent: *
Crawl-delay: 5

You can also use various geoip blocking techniques and firewalls, though these are harder and more complex.

If you are unlucky you need to take another form of action. You can manually block these clients when you see them in the logs, but if you are getting hit by them a lot it may pay to automate blocking them.
In one such case a user had taken every option he could to block them, including firewalling entire countries from his server. This is what we ended up resorting to:
I put the following code into a script called crawlerblock.sh and ran it from a crontab every 5 minutes.

#!/bin/bash
# crawlerblock.sh - block any client IP that exceeds a request threshold
# in the Apache access logs. Run from cron every few minutes.

# This is the threshold they get blocked at
threshold=2500
# logfiles to parse (space separated)
apachelogfiles="/var/www/vhosts/site1.com/statistics/logs/access_log /var/www/vhosts/site2.com/statistics/logs/access_log"

# cache of IPs already blocked, so we do not add duplicate iptables rules
if [ ! -f /tmp/cb.txt ]; then
    touch /tmp/cb.txt
fi

timestamp=$(date)
for logfile in $apachelogfiles ; do
    # count requests per client IP (first log field) and keep the ten busiest
    /usr/bin/awk '{print $1}' "${logfile}" | /usr/bin/sort | /usr/bin/uniq -c | /usr/bin/sort -n | /usr/bin/tail | while read -r num ip
    do
        # echo Num ${num} and IP ${ip}
        if [ "${num}" -gt "${threshold}" ]; then
            if ! /bin/grep -Fxq "${ip}" /tmp/cb.txt; then
                echo "${timestamp} detected bot from ${ip} - blocking" >>/var/log/messages
                /sbin/iptables -I INPUT -s "${ip}" -j REJECT
                echo "${ip}" >>/tmp/cb.txt
            fi
        fi
    done
done

This script basically searches for anyone who has hit the server more than 2500 times in the current log. That number is changeable if you want more or less leeway, and it would be easy to adapt it to ignore local IPs or similar (just add a grep -v 127.0.0.1 to the pipeline under the timestamp line).

If you used this regularly it would help to clear the IP cache in /tmp/cb.txt and save the iptables rules every now and again.

Let us know if you need this setup at all on your VPS by dropping in an email to support.

Note: this script was written for Debian based systems; paths may need tweaking for other distros.
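As an added example (not from the original post), here is the counting step of that script as a dry-run function with an allowlist, run over a few constructed log lines; the function name, the sample IPs and the default allowlist regex are assumptions of mine, not the page's.

```shell
#!/bin/bash
# Added example, not part of the original crawlerblock.sh: count requests per
# client IP in an Apache combined-format log, skip allowlisted clients, and
# print the IPs over a threshold. Pure awk/sort, so it can be dry-run without
# touching iptables.

# Constructed sample log lines (combined log format), written to a temp file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:37 +0000] "GET /page?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:38 +0000] "GET /page?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2012:13:56:02 +0000] "GET /status HTTP/1.1" 200 128 "-" "monitor"
127.0.0.1 - - [10/Oct/2012:13:56:03 +0000] "GET /status HTTP/1.1" 200 128 "-" "monitor"
127.0.0.1 - - [10/Oct/2012:13:56:04 +0000] "GET /status HTTP/1.1" 200 128 "-" "monitor"
EOF

# Usage: heavy_hitters THRESHOLD LOGFILE [ALLOWLIST_REGEX]
# Prints "count ip" for every client whose request count exceeds THRESHOLD,
# busiest first. Clients matching ALLOWLIST_REGEX (default: loopback) are
# never reported, which is the "ignore local IPs" tweak mentioned above.
heavy_hitters() {
    local threshold="$1" logfile="$2" allow="${3:-^127[.]}"
    awk -v t="$threshold" -v allow="$allow" '
        $1 ~ allow { next }        # skip allowlisted clients
        { hits[$1]++ }             # first field is the client IP
        END { for (ip in hits) if (hits[ip] > t) print hits[ip], ip }
    ' "$logfile" | sort -rn
}

# Dry run: list who would be blocked at a threshold of 2 hits.
heavy_hitters 2 "$SAMPLE_LOG"
```

In the real script the printed IPs would be fed to the iptables and /tmp/cb.txt steps; running the function alone first lets you confirm the threshold does not catch your own monitoring or office addresses.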


Finding spam sending PHP scripts on your server

Everyone has the occasional user who leaves something on their server that sends spam, or who does not update things as fast as they should. Tracking down the spammer can be a real problem though.
Sometimes you can track down the domain but not the script; other times they may have so many files that it is nearly impossible.


Installing Oracle RDBMS Server

Oracle is a very popular database, particularly for enterprise customers running on dedicated servers with lots of CPU and fast RAID setups.

This tutorial will guide you through installing Oracle database server on the CentOS Linux distribution. Hopefully the steps are simple enough that even a technically minded non-DBA can get the database installed.

Oracle RDBMS can use quite a bit of server resources, so for reliability and best performance we recommend that Oracle is installed only on one of our dedicated servers (or a VPS-on-dedicated-server setup) rather than on our shared VPS hosts.

If you get stuck or just need Oracle RDBMS installed, simply pop in a support ticket for our sysadmin team to do the install for you.

1) Install openmotif, so you will have a window manager and can switch to or interact with any pop-up or dialog window that appears during installation. Firefox is needed to download the Oracle 11gR2 installer when you don't have the CD media installer, and the rest of the packages are required as part of the software requirements. Note that some of the packages to be installed are a mix of i686 and x86_64 packages, as noted in the manual under Package Requirements. You can also check the screenshot below of Prerequisite Checks - Step 8.


Zonomi DNS TTL improvements

There have been a few updates to the Zonomi service (and to RimuHosting's DNS as well, after the next code push there). These changes have been added to improve the service for a few 'niche/advanced' users.

Time To Live (TTL) edits

TTL values tell name servers how long they can cache DNS results before they need to re-query for updates.

WordPress mass update script 3.4.2

This script will search /var/www (changeable via a variable) for any WordPress installs and make sure each is upgraded to the latest version.
It will back up all files and the database to /root/wp_upgrade/ before doing anything with the site, in case of major catastrophe (make sure you have spare disk space if your sites have a lot of uploaded files).

It pays to check each site after the upgrade to make sure all plugins still work (and upgrading plugins before the upgrade works too!)

Let me know if you have any bugs at all, or any problems.

Here's your script to upgrade them all.

wget http://b.ri.mu/files/wordpress-upgrade.sh
bash wordpress-upgrade.sh

MD5
d2e204576652457fd543c6ae3587941a wordpress-upgrade-3.4.2.sh

SHA1
8276bec77e19ee752d2cbfe51f32310d63115bfa wordpress-upgrade-3.4.2.sh

If you find any bugs or problems, just let me know at liz at rimuhosting dot com. I have now renamed the script to wordpress-upgrade.sh for easy future memorability (using symlinks to point to the latest version).


Burning Man – Chris Twemlow from All Things Web

Some of you may recall us giving out or swapping shirts in previous posts; some of the shirts have been photographed in some amazing places.

Chris Twemlow from http://allthingsweb.co.nz/ has just emailed us this beauty of him at a recent Burning Man.

Got an interesting location with one of our shirts? Grab one from http://www.cafepress.com/rimuhosting , and email us the picture.


WordPress install script

We like WordPress, and a lot of our customers love it too. WordPress is web software you can use to create a beautiful website or blog; it is often called a CMS.
We have created a script to automate installing the latest version of WordPress. Even though installing WordPress is quite a trivial job, here at Rimu we love to automate tasks. The script is available for download at:

http://proj.ri.mu/installwordpress.sh

It has been tested on Ubuntu 12.04, Debian Squeeze and CentOS 6, but should work on older systems too. It has options to be compatible with Virtualmin control panel installs (and it may work with Plesk too).

It is easy to use to install multiple instances of WordPress. It assumes that common packages such as Apache and PHP are already installed; our VPSs already come with these packages installed. The script will normally stop and prompt if it encounters problems or is about to overwrite something. It will check whether MySQL is running and install it if needed, create the WordPress database and user (it will generate random ones for you), write the WordPress config file and configure an Apache virtual host for the WordPress install. It does its best to detect existing files or configurations.


SSH keys on new servers

You can now set your public SSH key(s) at http://rimuhosting.com/cp/sshkeys.jsp . These keys will automatically be added to new server setups, and can be used when you enable a server's console-over-VPS feature.

SSH keys are great when you want to avoid re-entering passwords every time you log into a server. The Ubuntu team wrote a page about setting up and using SSH keys, and SSH keys can also be used with Windows SSH clients (PuTTY/Pageant).
