How InterShield Works

Posted at April 18, 2018 at 3:46 pm by Ylber Popaj

You may have become familiar with our InterShield blog posts. It has become a special security series of ours which serves of high importance to us and our customers. Due to its ongoing success and popularity, we have decided to describe the step by step process of which InterShield follows.

A request to access a website comes in, someone has entered http://domain.com into a browser.

Step 1: Check IP address against known blacklists

Using litespeed web-server and the RBL rule, interserver queries our own internal RBL blacklist. This blacklist contains known bad ips; ips that have been blocked for bad activity, hacking, uploading malware and a number of other activities. The RBL updates frequently, removing IP’s that have not been seen in a while and ensuring good bots like googlebot are not blocked. The request is made without a slowdown, and the request is cached so the lookup doesn’t need to happen again for some time.

Note: If the IP is in the RBL, we log the request for review later, and deny it. Otherwise the request passed.

Step 2: Check for known hacking strings

Using request filter in litespeed, we quickly process rules without causing a delay from Atomic Got Root, a commercial mod_security ruleset, as well as interserver’s own internal rule. These update frequently and by using litespeed the rules process extremely quickly and do not cause a request delay. If the request is blocked, we log the request for review later, note the IP address that was blocked and deny it. Otherwise the request is passed.

Step 3: Check for post content, such as uploads

Any request with a post content is scanned quickly by Clamav using a cluster of servers to quickly scan the request. This will either return a pass or fail result. If malware, is detected we log request and ip for review later, otherwise we pass it. To speed up the request further a checksum of the file is used first, and if the file has been scanned before the file does not need to be scanned again. Finally, the request is sent for processing. Scripts, like PHP scripts, have secondary rules that also scan the file as running if it is not a known file checksum to search for potential malware that may exist in an account already. Notices are sent the account owner through the contact email set in the contact section of the control panel.

Further protection:

Under cpanel, all accounts are isolated from each other. No account can see the files, process or memory – including temporary files of another account.

InterServer Exlusives: Addon domains are further isolated from each other with in the cpanel account.

Additionally the option for dropping PHP privileges is available so that the php scripts being called can not modify files with in your own account.

 

7 Features That Show Your Shared Hosting Plan is Secure

Posted at April 3, 2018 at 1:05 pm by Ylber Popaj

With massive data breaches hitting the world’s largest brands, website owners may often wonder how well they’d fare against online threats: “If global corporations are having trouble keeping up with web security, how could I stand a chance?”

Fortunately, online security isn’t restricted to the wealthiest, most high-traffic sites. Web hosting companies protect themselves and customers by locking down every possible aspect of their infrastructure and clients’ environments. Here are some of the most common tools reputable hosts will offer customers:

  1. Web application firewalls
  2. File upload and script scanners
  3. Malware and antivirus detection
  4. Email monitoring and protection
  5. Regular automated backups
  6. SSL certificates
  7. Reduced PHP permissions

Fortunately, InterServer includes all the above with its standard shared hosting plan. All but the SSL certificates and backups are part of the company’s five-prong InterShield security platform, which was introduced less than a year ago. Here’s more information on the features used to protect site owners, their sensitive data, and their online properties.

1. Web Application Firewall

Slightly different from firewalls that filter traffic to and from networks, web application firewalls (WAFs) introduce specific requirements for visitors to communicate with a host’s servers. WAFs are tailored to protect particular vulnerabilities common in the programs used to operate and manage web hosting environments.

Experts behind many InterServer reviews praise the company for the all-hands-on-deck approach the company takes with security. Co-Founders Mike Lavrik and John Quaglieri still oversee the InterServer datacenters, including network security. The company enables the open-source ModSecurity web application firewall to add another layer of protection for its customers.

InterServer’s web application firewall is particularly focused on preventing cross-site scripting and SQL injections, two common vectors where attackers will inject code, execute scripts, or compromise databases within a hosting customer’s website environment.

2. Scans and Monitoring

In addition to inspecting and filtering the traffic coming to and from the company’s servers, Interserver’s standard shared hosting plan includes the file uploading and script scanners that prevent malicious code or programs from entering a customer’s web environment.

Website owners can unknowingly upload files that contain malware, a broad term that covers the range of unwanted or dangerous code. To avoid that, InterShield will scan every uploaded file for certain detectable characteristics of malware. InterServer regularly updates the scanners to account for the rapidly changing threat landscape.

Similarly, InterServer will inspect the various scripts running on its servers for signs of malicious attacks. Scripts are essentially behind-the-scenes programs that automate various tasks that make websites more visually appealing or quicker to load. The company constantly scans servers, looking for any malicious scripts that could compromise website performance or security.

3. Regularly updated malware detection

Given how quickly attackers can adjust their methods of infiltrating a web hosting server or unsecured website, hosting providers need to remain constantly vigilant to the trends and behaviors of those criminals.

InterServer maintains a constantly evolving database of more than 155,000 examples of malware scripts, documenting each specific malicious signature and making them easier to detect and turn back. What’s more, the company transparently reports real-time information on the malware InterShield finds.

Shared hosting customers are particularly vulnerable to malware, given the audience’s general lack of technical expertise and not being aware of the best security practices. What’s more, with so many customers sharing a server, multiple users can fall prey once an attacker gains access to one compromised website. InterServer recommends that shared hosting customers remain vigilant and active when it comes to updating the software components they install — this includes WordPress, eCommerce shopping carts, plugins, and other services.

4. Email security

Although most people think of phishing and Nigerian princes when it comes to threats to email security, secure and protected communications can have a major impact on shared hosting web performance. Accounts discovered to be sending spam or bulk emails may get a server listed on a blacklist, which blocks the delivery of all emails sent from that server or IP address.

With many hosting customers sharing server space, email security is incredibly important — if one account gets blacklisted, hundreds of innocent users can no longer trust that their communications are reaching recipients. Those effects can be devastating for any site owner, but they are especially harmful to businesses relying on email marketing to build and reach their audience.

InterServer guarantees email delivery by checking the content of outgoing email messages against a database of known spam signatures. The characteristics of spam content listed in the database are updated in real time to stay ahead of malicious senders. Unusual or dangerous activity from an account will likely trigger rate limits or sending quotas, or perhaps that user will be blocked from sending outgoing messages.

5. Backups

Included free of charge with every InterServer shared hosting plan, automated weekly backups protect your data in case of an attack. The company keeps at least three copies of site owners’ archived files for at least 60 days, giving customers peace of mind that their data will remain protected in the event their server or environment is compromised.

Additionally, the company’s storage (driven by much faster solid-state drive caching) is assembled in a RAID-10 configuration for added redundancy. RAID-10 arrangements require at least four storage disks and combine disk mirroring and striping to protect data; as long as one disk in each mirrored pair is functional, site owners’ data can be recovered.

6. SSL Certificates

Separate from the InterShield protections, shared hosting customers can enjoy free access to SSL certificates. The perk actually relies on the more secure TLS protocol that uses HTTPS to privately and securely transfer data between a web server and a visitor’s browser. The difference between SSL vs. TLS protocols isn’t terribly important for most shared hosting customers, but the important feature signals to potential customers that your site is trustworthy and secure.

SSL certificates are becoming increasingly critical for all site owners and small businesses, as Google and other search engines give special SEO and user-interface treatment to websites using the secure connections.

7. Reduced PHP Permissions

Last on our list but among the newest InterServer security measures is limiting the actions website code and scripts can take when running on a server. Built with WordPress in mind, the company’s new PHPmmdrop feature prevents code from changing or uploading files and running processes.

Extra protections associated with WordPress websites can be especially beneficial to shared hosting customers who are less likely to understand website security and maintenance. Although the frequently updated WordPress Core is inherently secure, many attackers are able to gain access through poorly coded or outdated themes and plugins. Once the vulnerability is discovered, attackers can add code that compromises the website with malware. PHPmmdrop takes away that threat by restricting file uploads to only the approved administrative users when they’re logged in.

As you can tell, top-notch security is not limited to high-priced hosting or to those who know the ins and outs of technical configurations and web servers. At InterServer, customers can rest easy with the above features handling all the legwork of protecting your data.

InterShield Evolves

Posted at March 19, 2018 at 7:17 am by Ylber Popaj

InterShield Evolves

InterServer’s InterShield system is able to stop many attacks and updates daily based on new data including new possible malware, known exploits and other Common Vulnerabilities. However, sometimes even with all these a new type of malware comes up.

In a recent case a site was redirecting to a pharmacy website but only when coming from a google search engine result. The site initially passed all scans of known vulnerabilities, the url did not exist in the code or database and it was reproducible. In this cases advanced debugging is needed. So xcache with trace was enabled which determined some interesting results. Follow this brief analysis and walk-through of our debugging process!

 

Debugging Begins

Starting here we load a normal WordPress file:

 

  •                     0.2006   18215480               -> force_ssl_admin() /home/xxxxx/public_html/
  •          fanxxx/wp-includes/default-constants.php:295
  •  0.2010   18242992             -> require(/home/xxxxx/public_html/
  •          fanxxx/wp-includes/vars.php) /home/xxxxx/public_html/
  •          fanxxx/wp-                settings.php:290

 

WGET

However, here the include is for a file not found in WordPress, so we continue to debug. We soon find that the URL being called was /privacy-policy/. We then execute a ‘wget’ to a remote URL. The wget then gives this information which does the redirect:

 

 0.4207 18334192 >=> ‘HTTP/1.1 200 OK\r\nDate: Fri, 02 Mar 2018 16:17:56 GMT\r\nServer: Apache/2.2.15 (CentOS)\r\nX-Powered-By: PHP/5.3.3\r\nContent-Length:   82\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<location>http://med-shop24x7.com/site/search?q=finast&track=all-fancou</location>’

 

In the vars file we find:

  •           * @package WordPress
  •           */@require_once(‘class.wp-includes.php’);

 

The @require_once is hidden after a comment.

 

Debugging Ends


End Notes

Using this data the our staff was able to  to create virus signatures in order to detect these. Class.wp-include.php signature is available at:

http://sigs.interserver.net/info?hash=7fee30e79473e63c6393adc6fa183a2036689e4d9b3317b25bf5166d77d23b6e.

InterServer’s virus db detects most common malware and is available from https://interserver.net​.  InterServer will continue to provide security updates to our customers so stay tuned for more on the expansion of our powerful InterShield.

 

WordPress Vulnerability Secured

Posted at February 21, 2018 at 8:46 am by Ylber Popaj

 

WordPress Vulnerability

The month of February brought yet another scare to the hosting world. A WordPress vulnerability was exposed which allowed hackers to initiate what is known as a denial of service (DoS) attack on ones website. Ultimately, under a DoS attack, your website becomes unreachable by anyone including you. The technical understanding of performing the DoS attack is rather simple.The flaw begins under the well-known “/wp-admin” directory. Every WordPress site is assigned this path as an administrative source. It was discovered that while loading this path there exists a script which fetches a number of JS/CSS files. This can be a heavy load on the server when performed repeatedly. Of course, DoS attacks found their roots and hackers began exposing this exact flaw. Due to its simplicity, the population of attempts are greatly increased and essentially adds more to the scare. Fortunately, any downtime is not acceptable by InterServer.

InterServer Response

InterServer was able to mitigate these attacks through mod_sucurity. Therefore, it is NOT possible to exploit this on our shared hosting services. While there is an alternative for individuals who may not have their site hosted with InterServer, it is not guaranteed success. The alternative is to modify the “/wp-admin” as a sub-directory which will free you against common WordPress admin scans.

As an InterServer customer, you can rest assured that your WordPress site will be safe from the newly exploited DoS attack flaw.

InterServer Patches Meltdown And Spectre

Posted at January 12, 2018 at 12:07 pm by Ylber Popaj

 

InterServer takes customer security with pride. Hear our story on how we tackled the recent security scare which targeted end-users nation wide.

 

What is Meltdown and Spectre?

You may have heard of terms like Meltdown and Spectre in recent tech news. Both exhibit a hardware vulnerability exposed by a small team in Austria. Through software, both are able to access private data on a server, but how is this possible? The vulnerability begins at the most inner core of a computer, the Central Processing Unit (CPU). By observing micro processes and transactions, these programs were able to access other parts of the computer that may not be relevant to the actual programs running. For instance, e-mails, files, browsing history, etc. were all subject to vulnerability.  While the technical understanding of Meltdown and Spectre is extremely high level, it is important to understand that InterServer took immediate action.

 

InterServer Reacts

InterServer CTO, John Quaglieri kept up to date with all Linux distributions and their kernel updates that would directly target Meltdown and Spectre. Fortunately, John was able to update our Linux machines immediately and efficiently to ensure that all data is secure. From our Shared Hosting to VPS, all kernels have been updated up to par based on their respective Linux distributions. He allowed our customers to keep track with his progress in a frightening situation by logging any updates on our forum page.

 

Forum Posts

Here is the forum URL link which tracks any updates regarding Meltdown and Spectre in InterServers infrastructure – click here.