Please note that this is not the emergency network status page. That page is located offsite at networkstatus.drak.net, though some news may be available in the mini-news Twitter feed.

Malware Infection on Soholaunch Sites Issues

Posted by DrakNet@2:37 pm July 21, 2010

A Soholaunch exploit has been found and there have been some problematic issues in dealing with the exploit. We don’t have much information, and some of what we do have is a bit confusing, so we’re going to try and break it down for you.

In a Nutshell: The exploit has been actively exploited for about a week. We cannot craft a signature to filter out this attempt without also breaking all Soholaunch installs (if someone has come up with a mod-security rule for it, email me. I’ll pay you. Seriously.) We can detect the exploits once found and clean them once found, though see the caveat below. We were given two patch scripts by Soholaunch and ran them on all servers. The first one didn’t work; the second one appears to potentially have worked, as we did not pick up active infections last night.

We’re hopeful, at this point, things are secure from an injection standpoint. We are not comfortable assuring you of that, however.

207 of you are currently using Soholaunch licenses. We had about 125 infections, across all servers. This was a widespread exploit that was actively used, and it was more than just here.

Ok, so what’s the caveat?

The caveat is that the passwords to your Soholaunch install could be gleaned, so even if we patch the hole and clean the infections, your site is still at a high risk of exploitation if your login information is not changed.

We are suggesting the following for all Soholaunch installations:

  1. All installations should be updated. v4.9.3 r42 (which includes additional security patches) has been re-released as a “latest” build. It is highly recommended that you install it. If for some reason it breaks, simply log in to sohoadmin and “update” to the previous build (r41), which is still listed as the “stable” build.
  2. All sohoadmin logins and passwords should be reset. Logins and passwords. If you saved FTP passwords in the program, change those as well.
  3. If you saved any kind of secured information in the program, like logins shared between colleagues, go change those.
  4. If you do not run a firewall/virus scanner, you got a notice from us that you were actively infected, and you visited your own site, go get your computer scanned.

If you leave logins and passwords the same, your site is potentially at risk. I cannot stress that highly enough.

Malware Detection by Google

We are beginning to see notices from Google that sites have been picked up by them as Malware infected. Google will send notifications to:

abuse@yoursite.com, admin@yoursite.com, administrator@yoursite.com, contact@yoursite.com, info@yoursite.com, postmaster@yoursite.com, support@yoursite.com, webmaster@yoursite.com

and, as all abuse notifications come to us, we will get the notification as well if you miss it. Once Google pegs you as dangerous, people coming from Google to your site will see the following notice in the search results:

And the following when they click through (if they click through):

[Image: search_45449b_en]

If we get the email, we will send you the notification after individually scanning your site. If you do not have a WebMaster account and you have a Soholaunch site, we would suggest that you go ahead and get one now, before you potentially get the notice, so that you can have your site un-pegged as soon as we’re all sure the issue has passed.

We have set up a special email for this issue so if you have any questions, email security@drak.net.

DrakNet’s off to HostingCon

Posted by DrakNet@8:30 am July 19, 2010

This week, DrakNet’s going to be off schmoozing at HostingCon, the once-a-year industry party… er, place with talks interspersed with parties.

Well, we’re not actually going to be off anywhere because lucky for us, it’s coming here to Austin.

Don’t worry, there are designated tech support folks left in charge who are strictly prohibited from becoming inebriated, and though we’re going to be meeting folks from both our data centers, there are ample grumpy people that didn’t get to go watching their respective DCs.

While we have a pretty standard “If you want to talk to the owner, we will get you to the owner a.s.a.p.” policy here, I’m going to be fairly out of pocket the next three days, so please try not to attack the staff thinking that I suddenly became completely and totally inaccessible and they’re refusing to pass you up.

Any tickets that need to go straight to me may require a tad bit longer of a wait than usual, and we’ll have a report for you when I get back in.

If you’re really good while Mom’s gone, we may even come home with new goodies for the servers. :)

Load Impact: Stress Test Your Site for Free

Posted by DrakNet@8:30 am July 16, 2010

Most web hosting companies won’t tell you about this little tool, and we are – which likely makes us either totally confident, or totally crazy.

http://loadimpact.com/ is a site that offers stress testing for sites with a graphical output so that you can see how your site handles simultaneous connections from a number of visitors.

While a large part of a site under stress has to do with the server, site stress isn’t only based on server resources available – it also has to do with scripting, coding, whether a CDN is used, caching, and a whole host of factors. Poor coding can double or triple the stress on the server of a massive rush of visitors vs. the same number of visitors on a well coded and streamlined site.

http://loadimpact.com/ has serious testing of up to 50,000 users for $9.00 a day (yes, we said per day), but they have a taster stress testing offering called “Load Test Light” that will graph the load of 50 simultaneous users at no charge to you. (50,000 simultaneous users, by the way, will likely crash the server – if you’re getting that many simultaneous users on a shared hosting account, you shouldn’t be on a shared hosting account. Seriously.)

Since drak.net has its own server all to itself, we’ll stress test my personal site, jenlepp.com, which is actually housed on one of our shared servers Espeon (the box that we are currently doing new installs on). It’s a WordPress site with caching, though it’s fairly static without a blog.

And this is what we come up with:

[Image: stresstest_jenlepp]

Which is a nice, even line with barely any fluctuation between 10 clients (1.5 second load time) and 50 clients (1.6 second load time), and for us, this is what we want to see. From “How to interpret graphs?”

What if my graph is completely flat?
This usually means you are nowhere near being able to stress the target system. If you try to run a load test on google.com you will get a flat curve. Their site is powerful enough that any change in response times as a result of the load we generate is all but impossible to measure. If your site runs on powerful servers, with lots of Internet bandwidth, or if your system is very efficient you can also get a fairly flat curve.

So, we want to see a nice fairly flat curve when testing a shared hosting site – it means with 50 people slamming our site at the same time, everyone loads relatively quickly, the system isn’t stressed and our code isn’t causing any kind of bottlenecks, though we could likely shave a few fractional seconds off that response time with a CDN.

We’ll try one more time on an older box that’s been around – Espeon’s a pretty behemoth server, and it’s our newest, while Blastoid is a bit older. We’ll test my husband’s site, mrlepp.com, which lives over on Blastoid.

This is also a great way to demonstrate the difference caching can make on a WordPress blog, because while my nearly identical single-page WordPress site is running W3 Total Cache, my husband’s site is being generated from the PHP and database calls with no caching in use whatsoever so each visitor launches a number of requests and processes.

and as I suspected:

[Image: stresstest-mrlepp]

at 20 visitors it starts to go up a smidge, and at 40 to 50 you start to see a bit of a slow down of a full half a second and it’s creeping up at a fairly steady rate. Initially, the response is relatively the same as on the larger server and with caching, but as more people pile on, the site starts to work a little harder and slow down by almost a full second, though this is still somewhat of a good result as an extra second is not going to tend to be that noticeable. I’ve seen shared test results where sites slowed down to 20 seconds at 20 visitors, so there’s a yikes for you.

Generally, most shared sites don’t see 50 people at once, but it’s always good to get an idea of what your site could tolerate, and to make changes that are in your control (like caching) to help prepare for unexpected sudden popularity. This is also a great way to get a gauge of the server you’re on, and how much it can handle – if that line rockets up, there’s a problem somewhere (whether with the server, or the code) and it’s a good idea to address it before it takes you by surprise.

How Stuff Gets on Your WordPress Site

Posted by DrakNet@4:05 pm July 15, 2010

I have a personal blog that I don’t blog on much, but I randomly thought today I might decide to change that. I don’t have much time to devote to it so I wasn’t very interested in creating my own theme, but I knew I wanted something techy, dark, and simple, and I really liked this one:

[Image: wordpresstheme]

So even though I didn’t get it from the WordPress site, I downloaded it out of curiosity. Things almost immediately started to look suspicious – all the PHP files were password protected, so I couldn’t extract the files from the zip file.

[Image: passwordprotect]

Well, that’s ok – I can just upload the zip file to WordPress. Maybe they just don’t want people messing with their design. It uploads fine, and it loads…wait, what’s that in the footer?

[Image: cheapdrugs]

Oh my gosh – I don’t want to advertise an overseas pharmacy! People get arrested for that stuff in the U.S.! Crimeny! I’ll just take that link off…

[Image: encryptedfooter]

Hmm. I guess not.

And of course, if you delete the entire encrypted footer code, the entire design breaks – and on top of that you really have no idea what code these folks have put on your site, or what else it may be capable of doing besides selling Viagra because it’s encrypted.

Just another reminder of precisely how you, sometimes, can thwart your own site’s security.

I really liked that theme, too. :)
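A pre-install check for the situation in this post, as an added example that is not part of the original post: it scans a theme's PHP files for signs of hidden code before the theme goes anywhere near a live site. The post only says the footer was "encrypted"; the example assumes the common case of encoded code passed to `eval()`, and the indicator names, the sample theme and the `pharmacy.example` link are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Heuristic indicators of hidden code in PHP theme files. The list and its
# names are assumptions of this example and are not exhaustive.
INDICATORS = {
    # Themes almost never need eval(); any call deserves a manual look.
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    # eval() fed directly by a decoder is the classic hidden-footer pattern.
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*@?\s*"
        r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    # A very long base64-alphabet string literal is likely an encoded payload.
    "long_encoded_literal": re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]"""),
}


def scan_php(source):
    """Return the names of the indicators found in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_theme(theme_dir):
    """Map each flagged .php file (path relative to the theme) to its findings."""
    theme_dir = Path(theme_dir)
    report = {}
    for path in sorted(theme_dir.rglob("*.php")):
        findings = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path.relative_to(theme_dir))] = findings
    return report


def build_sample_theme():
    """Constructed sample: a clean index.php and a footer hiding a link."""
    theme = Path(tempfile.mkdtemp()) / "dark-techy-theme"
    theme.mkdir()
    hidden = (b'echo "<a href=\'http://pharmacy.example/\'>cheap</a>";'
              + b" " * 200)
    encoded = base64.b64encode(hidden).decode("ascii")
    (theme / "index.php").write_text("<?php get_header(); get_footer(); ?>\n")
    (theme / "footer.php").write_text(
        f"<?php eval(base64_decode('{encoded}')); ?>\n")
    return theme


if __name__ == "__main__":
    for name, findings in scan_theme(build_sample_theme()).items():
        print(f"{name}: {', '.join(findings)}")
```

A clean result does not prove a theme is safe, since decoders can be called through variables; a hit is a reason to not install it.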

DrakNet Implements Daily Malware Scanning

Posted by DrakNet@11:46 am July 13, 2010

Lecturing, begging, and pleading have done no good, so now we’re taking the next step.

Ok, it’s not really all your fault – sites are such a target these days that malware attempts are becoming ridiculously common, and while you sometimes (ok, a lot of the times) make it easy for them, sometimes it’s the software developers that miss a great big hole that you could drive a truck through. Once the truck’s parked, it’s sometimes hard to find – though Google’s getting good at it.

By the time Google finds it, you’re out of the search engine, we’ve suspended you, and frankly we’d like to help you all avoid those little “all stops” to your business, or those little infections you pass on to your visitors before we’re aware.

Last night, DrakNet installed a Malware Scanner on all servers. The malware hit management is a very simple anti-virus-like quarantine system that moves offending files to a quarantine container and logs the exact source path and destination file name in the quarantine locker in case we need to restore any data due to false positives (though this should never happen since we are using hashed detection). In addition, the quarantine function can search the process table for running tasks that contain the file name of the offending malware and stop any processes it may be running.

The scanner will scan daily all files changed on the server within the last two days, ensuring that we get a look at any file that’s been changed whatsoever. It will let us know what it found, and what it did. It is programmed to automatically quarantine the file and infection, returning the file to its original location only if the infection was able to be removed and isolating the infected version of the file in a container so we can take a look at it. Not all infections will be able to be cleaned, and if that’s the case, the file will simply be removed and quarantined.
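The daily pass described above, as an added example (this is not DrakNet's scanner or code from the post): it hashes files changed within the last two days, quarantines hash matches, and logs source path and locker name so a false positive can be restored. SHA-256, the JSON log layout, the function names and the sample files are assumptions of the example; cleaning and the process-table step are left out.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
import uuid
from pathlib import Path

WINDOW_SECONDS = 2 * 24 * 3600  # "changed within the last two days"


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def recently_changed(root, locker, now, window=WINDOW_SECONDS):
    """Yield regular files under root that were modified inside the window."""
    locker = Path(locker).resolve()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            # Skip symlinks and anything already sitting in the locker.
            if path.is_symlink() or locker in path.resolve().parents:
                continue
            if now - path.stat().st_mtime <= window:
                yield path


def quarantine(path, locker, log_path, digest):
    """Move a hit into the locker; log its source path and locker name."""
    Path(locker).mkdir(parents=True, exist_ok=True)
    mode = path.stat().st_mode & 0o777
    dest = Path(locker, f"{path.name}.{uuid.uuid4().hex}")
    shutil.move(str(path), str(dest))
    os.chmod(dest, 0o000)  # inert while it sits in quarantine
    record = {"source": str(path), "quarantined_as": dest.name,
              "sha256": digest, "mode": mode, "time": int(time.time())}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def scan(root, signatures, locker, log_path, now=None):
    """Quarantine each recently changed file whose hash is a known signature."""
    now = time.time() if now is None else now
    hits = []
    for path in list(recently_changed(root, locker, now)):
        try:
            digest = sha256_of(path)
        except OSError:
            continue  # unreadable file: leave it for manual review
        if digest in signatures:
            hits.append(quarantine(path, locker, log_path, digest))
    return hits


def restore(locker, log_path, quarantined_as):
    """Undo a quarantine (false positive) using the logged source path."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    for record in records:
        if record["quarantined_as"] == quarantined_as:
            held = Path(locker, quarantined_as)
            os.chmod(held, record["mode"])
            shutil.move(str(held), record["source"])
            return record["source"]
    raise KeyError(quarantined_as)


def demo():
    """Constructed tree: a fresh hit, a fresh clean file, and a stale hit."""
    base = Path(tempfile.mkdtemp())
    site, locker, log = base / "public_html", base / "locker", base / "q.log"
    site.mkdir()
    payload = b"<?php /* constructed stand-in for a known-bad file */ ?>"
    (site / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    (site / "injected.php").write_bytes(payload)
    (site / "old_injected.php").write_bytes(payload)
    stale = time.time() - 5 * 24 * 3600
    os.utime(site / "old_injected.php", (stale, stale))
    signatures = {hashlib.sha256(payload).hexdigest()}
    return site, locker, log, scan(site, signatures, locker, log)


if __name__ == "__main__":
    for hit in demo()[3]:
        print(hit["source"], "->", hit["quarantined_as"])
```

The five-day-old copy is untouched by the windowed pass, which is why a full scan has to run alongside the daily one.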

Currently, we’re running scans on every server, which we started last night. This could take a few days because of the sheer number of files on each server and depending on the number of infections, it could take us a bit to contact everyone who was found to be compromised.

Simultaneous to the full scan we began, last night’s daily scan ran as well. Each morning as we go over what was found, we will prepare emails to site owners whose sites were found with Malware outlining what was done and general steps we recommend to check to avoid infections in the future. Those who had malware installed within the past two days are already in receipt of emails outlining the issues found.

We’re hopeful that by implementing this, we can avoid automatic suspensions and catch malware before it breeds like a cell dividing on your site, as once an entry point is established, infections tend to expand exponentially as the hacker realizes the infection has gone undetected.

You can, at any time, email support for a scan on your site if you are concerned or worried that something is going on with your site. In addition, as opposed to passing the cleaning of the infections back to you, we will run the automated quarantine and cleaning scan at no charge to you hopefully securing the site and passing it back to you without malware (though some files that may be unable to be cleaned will need to be reinstalled or rebuilt by you).

Please let us know if you have any questions about this new policy.

A New Approach to Comment Chaos: Make Them Identify Themselves and Pay a Toll

Posted by DrakNet@8:45 am July 12, 2010

The Sun Chronicle would love for you to read their web site. You can also pick up its paper in and around Attleboro, Massachusetts – but if you aren’t a local and you want to read their content, you’ll have to go to their web site.

While reading a newspaper is somewhat of an isolated experience, reading an online newspaper can be incredibly interactive allowing you to comment on local politics, national issues, and all sorts of fun stuff.

The Sun Chronicle would love for you to comment on its offerings, too. And if you’d like to, that will cost you 99 cents, please – oh, and those cute little pseudonyms that you hide behind?

Yeah, forget about that.

On July 4th, the Sun Chronicle posted its new policy for the ability to comment on its site, participate in discussions and discourse, and spout one’s opinions in general. You can read the full policy located here, but you can see a bit of what they’re going for in the following snippet:

…all posters will be required to register their name, address, phone number and a legitimate credit card number.

The credit card will be charged a one-time fee of 99 cents to activate the account.

The poster’s name as it appears on the credit card will automatically be attached to the poster’s comments, as will the name of the community in which they live. Registrants will also be required to acknowledge they understand that under existing state and federal laws they are legally responsible for any comments they post. Registration under the new policy will begin at noon Wednesday.

It’s no secret that commenting and forums on the Internet still operate a bit like the wild west with Moderators racing around like Wyatt Earp to maintain some semblance of control, with a plethora of anonymous folks who seem to develop the inability to put a brake on their expounding when a keyboard and a cutesy name hide who they really are.

Lest you think that this approach of stripping anonymity from Commentators is the province of a small local paper, the company Blizzard Entertainment (who runs this little game you may have heard of, World of Warcraft) caused a firestorm of attacks and criticism the same week when it announced its intention to identify all forum posters with their real identities and not anonymous pseudonyms or character names.

“Removing the veil of anonymity typical to online dialogue will contribute to a more positive forum environment, promote constructive conversations, and connect the Blizzard community in ways they haven’t been connected before,” the post continued.

As Facebook gets everyone used to being “open” about everything they write (though, as Failbook proves, identification with your “real self” doesn’t necessarily translate into less stupidity), is this the next wave of internet communities?

Would you pay to post or comment on a blog, or would you pass it by? Would you comment on blogs or forums if they required you to take ownership of your words?

How about your own sites – would you charge your visitors or require them to identify themselves in the hopes that comments and discussions would be calmer, and spammers would be stopped at the gate?

And if you forget who’s lurking out there, visit this slideshow entitled “It Takes a Village Idiot: The Jerks of Online Forums” from PCWorld. It’s at least good for a chuckle.

Where to find free images for your blog: MorgueFile

Posted by DrakNet@8:59 am July 9, 2010

And no, we don’t mean Google Image Search. Janice told y’all about that.

http://morguefile.com is a site on the web that has hundreds of free images available for you to use at absolutely no cost whatsoever.

Why is it called MorgueFile?

A morgue file is a place to keep post production materials for use of reference, an inactive job file. This morgue file contains free high resolution digital stock photography for either corporate or public use.

The term “morgue file” is popular in the newspaper business to describe the file that holds past issues flats. Although the term has been used by illustrators, comic book artist, designers and teachers as well. The purpose of this site is to provide free image reference material for use in all creative pursuits. This is the world wide web’s morguefile.

MorgueFile’s license is extremely open with regards to what you can do with the photos without payment or even attribution:

You are free:

  • Remix — to adapt the work.
  • Commercial — to use this work for commercial purposes.
  • Without Attribution — to use without attributing the original author.

Under the following conditions:

  • Stand alone basis: You can not sell, license, sublicense, rent, transfer or distribute this image exactly as it is without alteration.

  • Ownership: You may not claim ownership of this image in its original state.

  • Any of the above conditions can be waived if you get permission from the contributor.
  • Nothing in this license impairs or restricts the author’s moral rights.

Which helps with bloggers’ often limited space issues on a post for credit, as well as aiding frequent bloggers with finding accent images to go with a blog post at no cost whatsoever – something that’s often fairly hard to do. While some of the photos can be a bit amateurish, some are surprisingly well done for a “free site”.

So if you’re running out of time to create your own accent graphics or are just looking for new accent images on your blog, try out http://morguefile.com – it’s free, and there’s no requirement to sign up to download.

Web Hosting and Software Forums

Posted by DrakNet@8:03 am July 5, 2010

Hope everyone had an awesome July 4th! Back to the grindstone…

Forums.

Most people don’t realize when they install software in Fantastico that even though the operation of the software isn’t generally directly supported by us (or most hosting companies, if you’re not with us), you’re not completely out in the cold without any place to learn.

Most software developing companies, groups and individuals have forums that allow you to jump in and talk to others that are using the software, ask questions, and search for common problems and solutions.

There are also web hosting forums not tied to any particular company where you can compare notes on your host, look for a new one, or get an overview on hosting specific issues as well as software issues.

General Web Hosting Forums

Web Hosting Talk

Probably the grand-daddy of all web hosting forums, Web Hosting Talk has thousands of members, is always busy, and is the web hosting industry in full display (both good and bad). Skip a day of reading web hosting talk, click “new posts”, and you’ll find dozens of subjects you missed.

Web Hosting Talk tends to be brash and a little sassy – in addition to being a place where both hosting owners and web hosting buyers come together in one place to chat, it acts quite a bit like the hosting industry’s BBB as unhappy hosters come in to vent about their issues and those in the industry on both sides take sides as the discussion goes on.

Likewise, when hosters are pleased with their hosting company they often write an in depth review letting everyone know precisely why they are happy with their hosting and it may be the best place to get a true understanding of a hosting company. Due to the nature of Web Hosting Talk, these reviews are generally much more in depth than “Hey, Company A is awesome cool!” and give you a very good overview of the hosting company’s service.

In addition to the reviews and occasional flames, you can purchase inexpensive web designs, get advice on almost anything with regard to a website, get security opinions, and much more. Anyone who is a host, or hosts, should definitely give it a look over.

Hosting Discussion

Similar to Web Hosting Talk in its scope, Hosting Discussion is a less trafficked and a bit calmer hosting discussion forum, and seems to be focused a little more towards hosts than host-ees, but it’s still a worthwhile forum for anyone with a web site, especially resellers.

Software Specific Forums

Software Specific Forums are designed to provide people using a particular software a place to compare notes, get opinions, get help, or post fixes that may be of use to other people. If you ever uttered:

“How do I do ____________ in ___________?”

you likely should have been searching that question in a software forum, but someone probably asked it before you and if they didn’t, you should post it because someone probably has the answer.

Some of the most popular software (and likewise the most popular forums) are listed below. (And they are in no particular order as I am just sticking them on here as they flit into my head).

http://wordpress.org/support/

http://www.simplemachines.org/community/index.php

http://www.vbulletin.com/forum/

http://forum.soholaunch.com/

http://forums.cpanel.net/

http://forum.joomla.org/

http://drupal.org/forum

http://forum.coppermine-gallery.net/

If we didn’t list yours, just put your software name and “forum” in a search engine, and you’ll most likely find one for the software you are using.

Preventing and Stopping Spam: Social Media Spam

Posted by DrakNet@8:47 am July 2, 2010

This one’s a little trickier, and there have practically been dissertations written on what a “good social media citizen” is, what you should do, and what you shouldn’t do. For small businesses, this can be even more confusing.

Facebook

Facebook really boils down far more to privacy concerns than spam because Facebook tends to do really well on the emailed spam to message inboxes. “Spammy” things that you come into contact with usually have to do with advertisements and enticements that are attached to quizzes, games, and the like.

Your friends are usually the spammers on Facebook – Farmville, MafiaWars and all these games post a torrent of things to Facebook streams. While the posts are usually beneficial to other players of the same game, those uninterested in adopting the 17th lost cow of the day are usually ready to tie their friends up and throw them in their Farmville Hay Wagon.

While un-friending your friends may be tempting, you can clean up your News Feed in a few days by hiding applications (or people, if they’re really getting on your nerves). This post from the SocialPMChick.com Blog tells you how.

While this is about spam and not privacy, keep in mind not every link or every application on Facebook is “clean” – there are Facebook viruses, so be careful.

YouTube

Ah, YouTube…

The comments section in YouTube is a little slice of the world on display, and sometimes, that little slice of the world is downright scary. Whether it’s spam in the form of what we traditionally think as spam or the famous YouTube trolls, a YouTube comments area can be an interesting place and has become notorious.

YouTube Comments sections are pretty much like blog sections – what you can control is what people can do. You have a multitude of choices when you upload a video regarding whether to make it private or public, allow or disable comments, and for YouTube your choices are really just how much access to give the public and whether or not you want to moderate comments.

While everyone wants their 15 minutes of fame these days, think very carefully about the possible reactions your video can get, any other people in the video that may be unhappy with it being posted, and especially consider how any children in the video would react to negative commentary before blowing an embarrassing video wide open to the world.

Twitter

Twitter is an interesting social media tool with its own inherent spam issues that are somewhat unique to the service. Twitter is home to a number of different types of spammers. Spammers on Twitter is also a bit of a misnomer because Twitter is a service that is designed to blow open engagement – some may see what I outline as spam, some may see it as good marketing.

They tend to drive me nuts, personally, so I outlined ‘em. Feel free to argue with me.

  1. 24-7 Spam Account – these are accounts that may have hardly any followers and follow hardly anyone, but they exist to repeatedly spew a marketing message into the Twitterverse so that when people search, it’ll be picked up. They don’t engage, they don’t talk, they just spew. If they start following you, they’re pretty easy to avoid – just don’t follow them back.
  2. Ambulance Chasing Spammers – these accounts pop out of nowhere when you are complaining about their competitors and offer to solve all your problems. It may be a follow and a reply, or just a reply, but they hang out on Twitter looking to jump into potential sales and drop you/stop following the moment they can’t sell you something.
  3. Broadcasters -  they talk to only a few people (if any at all), but they constantly follow new people using automated software not to meet new people, but to get more people to listen to them and pump those follower numbers so they look like a Big Deal(tm) and hopefully sell you stuff. These people almost always have a Page Rank of 2 on their site, but offer to tweet pearls of wisdom that will get you a PR 7 if you just follow them. These folks often tweet quotes from other people just to fill their stream.
  4. Follow Back DMs – Automated DMs drive me crazy – I have yet to get one that wasn’t selling me something and didn’t have a spammy feel.

For the most part on Twitter, you follow and unfollow and block as you go.

If you are trying to pump your follower count (hopefully not by being one of the above) and don’t want to drop even the spammy, ambulance chasing, broadcasting auto-DMers, we recommend you use a Twitter client that has the ability to hide Tweeters, like Yoono.

And if you have another social media spam example I overlooked (or haven’t been the victim of yet), chime in and let us know what makes you crazy on social media.

Preventing and Stopping Spam: Forums

Posted by DrakNet@8:46 am June 30, 2010

Three of the most popular forums are PHPBB, SMF, and VBulletin. VBulletin comes with a hefty fee so generally people running hobby forums will be using SMF and PHPBB since they’re open source and come at no cost to use.

So, what we learned about dofollow and nofollow links back in the blog spam post begins to actually come into play here – SMF allows dofollow by default, as does PHPBB, as does VBulletin (at least as far as I could check when digging a bit), though all appear to have plugins and hacks that can make links in forums and signatures “nofollow”.

Obviously, since the most popular blogging software defaults to “nofollow” and the most popular forums appear to default to “do follow”, you would probably guess the forums are going to be targeted heavily for spamming to get SEO juice and that they are going to see an enormous amount of spam.

Your guess would be correct.

What We Do

Again, going back to the blog spam post, we can filter some signatures that are prevalent.

But again pointing out the resource issue, we have to hit a balance because while we probably could filter out a lot more, it will cost both in resources, and in inconvenience for you all.

Wanna do a blog post on Viagra? Ha! Can’t, because you can’t post the word Viagra through your browser! Not only does it become a resource issue, it becomes a censorship issue, so we try and walk a very fine line.

What You Can Do

This again falls on you – how you configure your software, what plugins you use, how you manage your forum.

Out of the box for anything, even Fantastico software, is generally never the greatest idea, and you should always spend some time checking out your options. Since we’re dealing with forums in general and not specific software, we’ll give you a general idea of options usually available that you should look for and utilize.

  1. Don’t Rely on Captcha – Captcha, the generated image of random letters and numbers that has to be input, has long since been cracked. While you should still use it, don’t rely on it because it won’t stop everything by a long shot.
  2. Humans are still smarter than machines, most of the time – use human validation. Many forums and plugins for forums can set up a question that has to be answered using actual thought like “What doesn’t belong: a car, a boat, a bus, a leaf?” These types of human validation questions are still very difficult for automated spammers to crack, so you should use them whenever there is an option to do so.
  3. Email Validation – A lot of spammers do still use fake or throwaway addresses, so you should still make them validate before you let them post anything, even a profile.
  4. “No follow” links – personally, I’d do no follow links with a plugin or hack – if you get popular, and get a good page rank, someone will find you and list you on a list of “do follow” forums and you will be pummeled with spammers. Do a search for “do follow” forums on a search engine and you’ll see what I mean.
  5. Limit Post Edit Time – Those spammy spammers know all the tricks – you may let someone in, see a perfectly legitimate post, and come back a day or a week later to see that they edited it into the spam.
  6. Watch Your Member List – memberlist spamming is a technique where the spammers don’t even bother to spam a post, they simply sign up for a large number of profiles and put the spamvertised URL in their profile. Look especially at those user names with punctuation, numbers, or the letter a as the first character as they often sign up for these to rank higher on the member listing page. To help reduce memberlist spamming you can tell your forum to not display the memberlist at all to guests or only to guests with a certain number of posts.
  7. Block, block, block – block words, IP addresses, and members that behave badly. If someone puts a spammy post on your forum, don’t just delete it – delete it, then ban them, then ban the IP that signed up for the account.
  8. Get a good group of moderators – Nothing replaces a team of vigilant, eagle-eyed human beings. Spam is much like porn – you may not be able to define the difference between an ad and spam in the same way it may be hard to actually define the difference between Michelangelo’s David and some naked guy, but human beings know the difference when they see it.
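
A triage pass over an exported member list that applies the signals from item 6, as an added example that is not part of the original post. The field names (`username`, `posts`, `website`, `signature`) and the sample rows are assumptions, not any forum package's real schema.

```python
import re
import string

# Field names below are assumptions about an exported member list,
# not any forum package's real schema.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def name_sorts_early(username):
    """True if the first character is punctuation, a digit, or 'a',
    the pattern used to rank high on an alphabetical member list."""
    first = username.strip()[:1].lower()
    return bool(first) and (first in string.punctuation or first.isdigit() or first == "a")

def score_member(member):
    """Return the list of reasons this account looks like memberlist spam."""
    reasons = []
    profile_text = " ".join([member.get("website", ""), member.get("signature", "")])
    has_url = bool(URL_RE.search(profile_text))
    never_posted = int(member.get("posts", 0)) == 0
    if has_url and never_posted:
        reasons.append("profile URL with zero posts")
        # The name pattern alone would flag honest users ("alice"),
        # so it only counts on top of the profile-URL signal.
        if name_sorts_early(member.get("username", "")):
            reasons.append("username sorts to top of member list")
    return reasons

def triage(members):
    """Return (username, reasons) for flagged accounts, strongest first."""
    flagged = [(m["username"], score_member(m)) for m in members]
    flagged = [(u, r) for u, r in flagged if r]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))

# Constructed sample rows, for illustration only.
SAMPLE_MEMBERS = [
    {"username": "alice", "posts": 42, "website": "https://alice.example", "signature": ""},
    {"username": "!!cheap-pills", "posts": 0, "website": "http://pills.example", "signature": ""},
    {"username": "a1a1a1", "posts": 0, "website": "", "signature": "visit www.casino.example now"},
    {"username": "zed", "posts": 0, "website": "http://zed.example", "signature": ""},
    {"username": "9lurker", "posts": 0, "website": "", "signature": ""},
]

if __name__ == "__main__":
    for username, reasons in triage(SAMPLE_MEMBERS):
        print(f"{username}: {'; '.join(reasons)}")
```

The output is a review queue for a moderator, not an automatic ban list: an account with a profile URL and no posts may simply be a new member who has not posted yet.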

There are more suggestions, but this is a good group to get you started. Check your specific software’s site and their forums for plugins, tips and tricks, and hacks that can help you keep the spammers off your forum and your visitors happily chatting away.

    All brands, products, trademarks, and service names mentioned are property of their respective owners.
    Copyright ©1997-2010 DrakNet. All Rights Reserved. DrakNet® is a registered trademark of Jennifer Lepp