Category: Outdated Server Software

On Tuesday we looked at example of the poor state of security journalism. In that case a hack was tied to a specific version of TYPO3, despite fact that websites not running that version of TYPO3 or running TYPO3 had been hacked. There was also the larger issue that no evidence was provided as to how the websites were hacked, which would have been what would be needed to actually tie the hack to a specific version of TYPO3 and would allow people to make sure the protected their websites against it. Just a few days later we have spotted another very similar example worth highlighting. Ars Technica today put out an article “Ancient Linux servers: The blighted slum houses of the Internet” that states:

Now comes word of a new mass compromise that preys on even more neglected Web severs, some running versions of the Linux operating system kernel first released in 2007. According to a blog post published late Thursday by researchers from Cisco, the people behind the attack appear to have identified a vulnerability that has since been patched in later Linux releases that allows them to dish malicious content to unsuspecting people who visit the site.

If you read Cisco’s blog though they only state “it is possible” that a “vulnerability that has since been patched in later Linux release” was the source of the hack, while Ars Technica says that it “appears” to be the case. Here is the relevant section of Cisco’s post:

Attackers compromised legitimate websites, inserting JavaScript that redirects visitors to other compromised websites. All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.

That turns out to be less of an issue then the fact that the websites are not even all running Linux, much less the Linux 2.6 Kernel. Some websites provide information on the software running the in HTTP headers served with the page. Our Server Details web browser extension, available for Chrome and Opera, can parse those HTTP headers to provide the details in them and warn for outdated software. Using those headers we started going through the Cisco’s list of compromised websites and second compromised websites. For each we have listed below the first five websites we found not running Linux and what operating system they are running:

Compromised Websites

archive.mrpools.co.uk Windows Server 2003
blueprintbowling.com Windows Server 2008 R2
hwy65mx.com Windows Server 2003
jandjpoolspa.com Windows Server 2003
mussotra.com Windows Server 2003
Second Compromised Websites

3d2print.eu FreeBSD
7va.cc Windows Server 2008 R2
babycaust.info Windows Server 2008
banderil.com.ar Windows Server 2008 R2
c2consultores.com.ar Windows Server 2008 R2

Cisco provides no evidence of how the websites were hacked, which is the really important thing to prevent more websites from being hacked. If they had actually determined how it was hacked before jumping to speculation then they wouldn’t have tried to connect this to Linux, which it seems pretty likely it doesn’t have anything to do with. Cisco also has provided no evidence this has anything to do with outdated software, if we were to make an educated guess based on the evidence provide so far we would say it is more likely due to compromised FTP credentials, which could easily be checked for by reviewing the FTP logs for the websites.

We should also note that the use of the Linux 2.6 kernel is does not indicate that website using obsolete software, as distributions including Debian, Ubuntu, and Red Hat still have supported releases that use that version of the Linux kernel.

One of the biggest obstacles we see to improving website security is that many of the organizations that should be leading on security are not even taking basic website security measures themselves. One type of organization we see that with is news organizations that cover web security. Previously we discussed several that were running very out of date and insecure versions of Drupal. This time we will use InfoRiskToday, which describes itself as providing “credible, timely information that security leaders can put to use as they craft comprehensive information security strategies”, to highlight a security risk and several tools that we provide that can make detecting it relatively easy.

Plesk is control panel software that runs under a website and permits management of the software on the server and configuring the server. It also has had serious security vulnerabilities that have lead to many websites being hacked (one example being a major hack at Media Temple). The way to remain relatively secure against that sort of thing is to keep Plesk up to date, as should be done with all software. Unfortunately what we have seen is that there are still servers using Plesk 9, for which extended support ended back in June of last year. Since it isn’t supported anymore, if a new security vulnerability was found it wouldn’t be fixed, so Plesk should be updated to a supported version as soon possible to keep it secure.

We have created a pair of web browser extensions available for Chrome that can make checking for such an outdated Plesk installation relatively easy. The first one, Control Panel Login, looks for HTTP headers that indicate that Plesk is in use and when found displays the Plesk logo in the URL bar. Here is how looks when you visit InfoRiskToday’s website:

Clicking on the icon takes you to the standard URL for logging on to Plesk from the website. Our second extension then comes in to play. Control Panel Version Check will display an icon in the URL bar if it detects that a page with Plesk version information is being visited. Clicking on the icon will then display the version information and indicate if it is outdated. In InfoRiskToday’s case you can see that they are still using Plesk 9:

When it comes to the security of your website, your web host plays an important part but too often they are failing do what they need to do to keep your website secure. One of things they should be doing is keeping software on the server up to date as that prevents your website from being exploited due to a known vulnerability in the software.

To make it easier to spot when web hosts are using outdated control panel software we released the Control Panel Version Check extension, available for Firefox and Chrome, back in December. Using it you can see that HostGator is using an outdated version of cPanel:

The version of cPanel they are running, 11.36, has only been unsupported for a week now so the situation isn’t nearly as bad as many of the hosts we highlight for running years out of date software. But what makes it worth highlighting is that on HostGator’s website they say that they provide the “Latest cPanel Control Panel”:

The latest version at this point is 11.42, which was released a couple of weeks ago. If you are going to tout that you are using the latest version of cPanel then it is really unacceptable to not even be using a supported version.

In addition to the outdated cPanel, HostGator is using a year out of date version of phpMyAdmin:

There have been a number of serious security vulnerabilities fixed in subsequent versions of phpMyAdmin.

In the past we have mentioned a number of web hosts who were not keeping the MySQL  administration software phpMyAdmin running on their servers up to date. In addition to the risk that directly poses to the websites hosted with them, due to the fact that the web host is running software with known vulnerabilities, it is indication that the web host might not be handling other parts of the security properly either.

Go Daddy is yet another web host who hasn’t kept phpMyAdmin up to date on their system. They are currently running phpMyAdmin 2.11.11.3. Support, including security updates, for the 2.11.x series ended on July 12, 2011. While running software that hasn’t been supported for two and half years is pretty bad, it pales in comparison to other web hosts who we have seen running up to seven years out of date versions. What makes Go Daddy worth mentioning is they promoted that they were using 2.11.11.3 after support had ended.

On the day after support for 2.11.x ended they put out notification about the need to update newer versions of phpMyAdmin to fix several vulnerabilities. The notification reads in part (the emphasis is theirs):

The developers of the popular browser-based MySQL tool, phpMyAdmin, recently released updates to patch multiple critical security vulnerabilities in phpMyAdmin 3.4.3 and earlier. The vulnerabilities could let attackers overwrite session information to bypass authentication, inject malicious code, or perform other actions.

Good news, though. The 2.11.x versions aren’t affected. We use phpMyAdmin version 2.11.11.3, so you don’t need to worry if you’re using our shared hosting. (But, it’s a good time to make sure all your other hosting apps are up to date. For more information, see Upgrading to a New Version of a Hosting Quick-Install Application.)

If you use phpMyAdmin 3.4.3 or earlier on a virtual or dedicated server, you must download and install the patch or latest version.

That shows that Go Daddy was aware that phpMyAdmin could contain security vulnerabilities and that it needs to be kept up to date. Yet they were touting that they were running a version that was no longer supported with security updates.

It does appear that Go Daddy made attempt to upgrade their phpMyAdmin installation around a year ago, as the phpMy Admin documentation on the server is for phpMyAdmin 3.5.5, which was released on December 20, 2012. Other web hosts are able to handle upgrading phpMyAdmin in timely manner, so it would appear Go Daddy has some serious problems if they are not even able to complete an upgrade.

We have found that web hosts often prominently advertise their focus on security while not actually caring about security enough to even taking basic security measures. Lets take a quick look at Rackspace to see that in action. Rackspace has a whole section of their website dedicated to security. If you look over that you would probably be impressed. Though if look closely you might see warning signs. For example, they have a PDF about their “holistic approach to security” that was written by their Director of Product Marketing. Why is a product marketing person writing a security guide?

You don’t have to look hard to see that Rackspace don’t actually have much concern for security. A really basic security measure is keeping software running up to date. That way the software isn’t vulnerable to known security vulnerabilities that have been fixed in the software. An important component of many hosting services is phpMyAdmin, which allows administration of MySQL databases. If someone can exploit phpMyAdmin they can gain access to the database underlying a website. With that they could collect customer information stored in the database, they could create a new administrator account for a website to gain further access, or do other harmful things. If you believed Rackspace’s claims about their focus on security you would certainly expect they would be keeping their installation of phpMyAdmin up to date. Unfortunately for their customers they don’t:

The version they are running is over a year and half out of date (as the next version of phpMyAdmin was released in February of 2012). It gets even worse, Rackspace only upgraded to that version after a customer alerted them that they were running an outdated and insecure version of phpMyAdmin and took them six months after being alerted to that to do that upgrade.

According to the information on phpMyAdmin’s security page the version Rackspace is running contains a number of security vulnerabilities. The version they are using is so out of date that phpMyAdmin no longer lists if vulnerabilities impact that version, so it isn’t clear exactly how many there are.

When it comes to website security even institutions that you would think would be among the best able to able to protect themselves get hacked. In January the Massachusetts Institute of Technology’s (MIT) website was hacked on multiple occasions. While that seems surprising itself, what is more surprising is that more than six months after that happened MIT is still not taking care of the security of their website.

With our Server Details web browser extension you can see that MIT is using an outdated version of the Apache HTTP Server to run their website:
The version they are using is not just a little out date. Support for Apache HTTP Server 1.3 ended back in February of 2010, so MIT should have upgraded to a newer version three and half years ago.

What does it say that even after getting hacked multiple times a major institution is not taking the security of their website seriously?