ASIA: It seems that the energy crisis has a world-wide effect. Of course no-one doubted that recent increases in oil, gas and electricity prices wouldn’t have a global impact, but it seems Asia (I guess because of the sheer population numbers all using oil, gas and electricity) has felt the effects first. So it was no big surprise to us that we received an email from one of our suppliers letting us know that they were bailing out of Asia and moving to the USA. We saw it coming. We re-negotiated our services out there and are currently planning and implementing the migrations of a number of customers’ servers and VPSs  (and our own) from one data-center to another. So, from 1st October to around 14th October, we’re bracing ourselves for some overtime and a lot of “live migrations”. Kudos to our customers who have all embraced this necessary uprooting and relocation - You won’t be paying the resulting increased charges which result from this move, simply because I believe a deal is a deal regardless of whether you’re paying $2.95 or $295 for Asian services with us.

HONG KONG: Talk about a double wammy! A few months back we added some initial service in Hong Kong. Quite bluntly, the network stability we’ve experience there has been nothing short of atrocious. In fact, the word “stability” does not belong in the sentence I just typed. Service availability since the beginning of July has been 98.3296% - Not good, and not what we both guarantee and work to. So, at the end of this week, we’re uprooting our box there and moving it into another data-center. We’ve received a whole heap of promises about improved network availability, so we’re going to run with it and see how it pans out.

Enough of the doom and gloom - Since Netnibble’s inception we’ve always worked on the basis that cutting corners on the hardware and networks we deploy our services on was a bad idea. If we went that way, one day it would turn around and bite us in the bum(s). Almost 3 years later I (with some great personal pleasure) can report that this policy has worked well up to now and has led us to focus on using the services of two suppliers for our main USA hosting services. In the last 3 years we’ve shopped around, switched around, and generally caused ourselves more than a few migranes along the way as we strive to provide a quality service to our ever-growing customer base. Effective today our shared hosting, VPS, and dedicated server offerings are being realigned to be available from 3 primary USA data-centers in Los Angeles California, Clifton New Jersey and Herndon Virginia. Of course, anciliary services (support, mail, DNS fail-over, etc) will still run from other data-centers by necessity, but I’m now happy with our infrastructure and it will take a lot to drag me away from the set-up we now have. It works for us and it works for our clients, and that’s what counts.

NEW PRODUCTS: As Netnibble approaches its third real birthday in the hosting industry, the stability we’re now built upon means that we can begin to roll out new products, focusing for now on what our existing customers need, or might need in the near future. Our shared hosting customers know that we don’t over-sell our resources (rather unique in this industry!) and a number have asked how they can add extra resources to the hosting packages they already have. Well now they can - Our new EXTREME hosting package bridges the gap between shared hosting and dedicated servers, by offering a high-resource package on a shared server with a maximum of 12 customers per box. So, if you have a busy forum or on-line shop, we can now provide you with a souped-up hosting environment without the need for you to upgrade to a powerful VPS or dedicated server. Starting at just US$24.95 per month you’ll be hosted on a 12th-share of a server that has all the guts and power you need to serve your busy site, whilst allowing you to concentrate on running your business and not learning how to admin a VPS or server. Full details of this new package will be announced shortly.

Also coming up shortly are a new DNS clustering service (you might not host with us but you sure as heck need a better DNS service than the one provided by your current host!), and a rather unique style of dedicated server/VPS all rolled into one unit, where we mount a single VPS onto a server - we manage the box, you manage the sole VPS within it (you get a lot of help from us on that too), and available in the UK and USA.

Finally, I want to say a word of thanks to our customer base. It seems that we have one of the lowest churn rates (the number of people hopping from one host to another to find the best deals and service) in the industry. We are grateful to you for your loyalty! Just today I got a comment (compliment) from one of our customers describing us as a paragon within this industry (OK, I had to look that up on Wikipedia!). Your positive feedback (or otherwise) is always appreciated and acted upon where necessary. We’re now looking forward to “Year 4″ of Netnibble, and planning the roll-out of more products to suit the people who entrust their hosting to us. It’s going to be a good year!

Share This

“It’s a new MPACK trick” he told me - Now it seems that instead of inserting iframes and javascript into every page they can find on sites they manage to invade, they’re going for HTACCESS files. Basically they target referrers (typically the big 3 search engines Google, Yahoo! and MSN) and if your site gets a hit via a link on the search engine the HTACCESS file then redirects your visitor away to a malware site. And for n00bs who don’t really know (or care?) what an HTACCESS file should look like or contain, they’re inserting 30 to 40 blank lines at the top of the file in order to convince you that it’s actually empty.

Fortunately this hack is easier to fix than its predecessor as it usually only involves one file. We now have a stock of standard HTACCESS files for popular scripts like Wordpress and Joomla! that we can just drop straight in and over-write the malicious file if anyone else reports this issue.

<sigh> I wonder what they’ll think of next? </sigh>

EDIT: After writing this I noticed an article on TheRegister about what is possibly the result of one of these hacks. It’s worth a read, and thanks to the author, Jesper M. Johansson, for the time he obviously spent researching this.

Share This

Description

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note, that changing the first users username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

Affected Installs

All 1.5.x installs prior to and including 1.5.5 are affected.

Solution

Upgrade to latest Joomla! version (1.5.6 or newer) HERE, or patch /components/com_user/models/reset.php with the code below:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
$this->setError(JText::_('INVALID_TOKEN'));
return false;
}

Many thanks to QT for the heads up on this one!

Share This

More details of the earthquake can been found HERE

Share This

Without going into huge detail here, we all need to take a look at our own ISP’s DNS setup, and also the DNS most of us run on our VPSs and servers. The vulnerability is, as yet, undisclosed, but will be announced at the Black Hat Conference on August 7th. (Read this article). After that, the vulnerability will be out in the wild and we all know that hackers will be looking to exploit it as much as possible before everyone has an opportunity to secure their set-ups.

DNS-OARC have provided a web-based tool which you can use to check your home or office ISP’s DNS resolvers for vulnerability. If either of the test results report “POOR” you need to get onto your ISP’s case, right now, and ask them what they’re doing to fix things before the 7th August deadline. Click here to run the test.

You should also check your own VPSs and servers to see if they allow recursive look-ups and, if they do and you have no need for this, turn off recursion. Our Support Team will be happy to test and advise on all customer set-ups. If you are unsure what to do simply open a support ticket. Our own DNS clusters are already secure, and our recursive name-servers are currently being modified to prevent any intrusions.

Any customers who suspect that their own ISP’s DNS is exploitable and that this will not be fixed promptly are welcome to open a ticket to support asking for details of our recursive name-servers which they may then use. Public services like OpenDNS are also available.

Share This

Date: 19 July 2008
Local Time: 1am - 2am (GMT+8)
Maintenance: This window is a follow-up check of a previous maintenance. The node may be down for up to 30 minutes and will allow us to provide a better and more stable service in the future.

Share This

Fantastico De Luxe 2.10.4 r17 (LATEST and STABLE releases) Updates:

- b2evolution: 1.10.2 -> 2.4.2
- Coppermine Photo Gallery: 1.4.16 -> 1.4.18
- Drupal: 6.2 -> 6.3
- Gallery: 2.2.4 -> 2.2.5
- Joomla 1.5: 1.5.2 -> 1.5.4
- Mambo Open Source: 4.6.3 -> 4.6.5
- Moodle: 1.9 -> 1.9.2
- SMF: 1.1.4 -> 1.1.5
- TikiWiki: 1.9.10.1 -> 1.9.11
- WordPress: 2.5.1 -> 2.6

Customers on our DirectAdmin + Installatron hosting plans also have the new Wordpress 2.6 version available to upgrade to or install.

Share This

Share This

We will update this once we have further information from our colleagues in Holland.

Share This

Update [21:15GMT]

The bulk of the DDoS traffic has now stopped or been re-routed. However, we are still experiencing some instability in network routing and will continue to monitor and intervene as necessary.

Share This