AKIS » Important AKIS Announcements

CubeCart Stores – Sending Spam – Urgent Information & Action

akis — Mon, 19 Jul 2010 08:57:10 +0000

URGENT ANNOUNCEMENT
Unfortunately we have found a number of CubeCart stores being exploited due to a CubeCart (3rd party software) security flaw related to the tell-a-friend feature which has recently come to light and we are now taking action on all AKIS Design+Host client CubeCart stores in order to stop this happening again in the future. Important – If you have a CubeCart store built by us then please read this announcement in full…

PROBLEM:
Installations of CubeCart v3 has a flaw which has now come to light and so is now allowing spammers/ hackers to exploit the “Tell a Friend” code contained within the script to send Junk mail to people. We have received reports from the SpamCop service that some client accounts are being used to send mass spam emails.

ACTION ALREADY TAKEN:
For those accounts confirmed as sending spam – we have disabled the files that control the sending of email via CubeCart. This will be affecting all emails sent out from those affected website stores at present and therefore we are taking urgent action to fix the problem and so reactivate site emails.

ACTION TO BE TAKEN ASAP:
Due to the exploited tell-a-friend feature we will be removing this feature from all AKIS Design+Host CubeCart ecommerce sites. This will not be reinstated.

We will keep you updated and individually advise each client if directly affected by the spam issue.

WordPress New Release – 3.0 Out Now!

akis — Thu, 17 Jun 2010 18:28:55 +0000

WordPress 3.0 has finally been released and is now available to upgrade/install – see info and download page here. We’ve now started the process of checking site themes for 3.0 compatibility and then upgrading sites – we hope to have all client sites updated over the next 7 days. Get in touch if you have any questions about this new release – or see the WordPress 3.0 info/blog page.

25% Discount to existing clients with pre-2010 websites

akis — Mon, 17 May 2010 13:30:00 +0000

Further to the announcement below regarding phasing out our revisions service for old sites, we are happy to confirm that for the duration of 2010 we are now offering a 25% discount to clients with existing ‘static’ AKIS websites built prior to 2010 if they wish to upgrade to a new website from our current range. Contact us if you are an existing client and would like to take advantage of this offer.

Advance Notice: Phasing out revisions service to pre-2010 sites

akis — Mon, 17 May 2010 13:16:27 +0000

This news post applies to all AKIS clients with websites built prior to 2010 – i.e. those with ‘static’ websites rather than a CubeCart ecommerce site or our new WordPress database driven websites. Please note that we are phasing out the provision of our update/revision services to these old style static sites at the end of 2010. From 2011 we will only be offering to carry out minor edits such as text changes or photo swaps – not the addition of new pages, major layout changes, etc. But we are now offering a 25% discount to clients with existing AKIS websites built prior to 2010 if they wish to upgrade to a new website from our current range – see separate announcement on this.

Transition to suPHP (Advance Notice/Schedule)

akis — Wed, 14 Apr 2010 19:06:29 +0000

NB: Also see the initial advance notice announcement on this subject.

This announcement is related to our upcoming work on all servers to enable suPHP. suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter. In more general terms, enabling suphp will add an additional layer of security and remove issues related to file ownership permissions when using popular PHP based applications such as WordPress and Joomla.

The schedule for carrying out the change to servers is as follows:

US BAKER - April 26 2010 @ 12:00 AM EST [ now completed ]
UK BELLAMY – April 26 2010 – 10:00 PM GMT [ now completed ]
UK RICHARDS - April 30 2010 – 10:00 PM GMT [ now completed ]

Click “read more” below for the full details of this important announcment…

This is quite a large scale change but we’d first like to reassure all clients that in the vast majority of cases there will be no difference and the work will be un-noticable. In fact, we have been running suPHP on a test server servers for some months now with ZERO problems or issues and that test upgrade went very well. This announcement is aimed at highlighting some of the slight differences when PHP is running in a suphp environment.

1. Permissions (WILL BE HANDLED BY US)

With suphp it will not be possible to make insecure permission settings to scripts such as 777 world writable. Any PHP files should be set to 644 (or less) with directories set to 755 (or less). This is a much more secure hosting environment and any changes to permissions or ownership required on existing scripts will be handled by us as part of the work.

Any files currently set to 777, 757, etc. will be changed to 755 as a safe global change, you can change them to 644 from there, if you wish. This only changes files and directories that are currently set to group or world write permissions and ignores any other files. This changes more than php files, to be the most safe and consistent change, in case you have any CGI files or other that are too open (and insecure) with its permission. Finally, any files that need to be set to “read only” should be set to 444 or 400.

2. .htaccess php rules (WILL BE HANDLED BY US)

At the moment it is possible to change some php options by using a line in a .htaccess file such as “php_value option x” or “php_flag option x”. This will no longer be possible after the suphp install and any php options will need to be configured in a file called php.ini using the syntax ‘option_name = “value”‘. Once again, we will take care of converting lines of .htaccess files to php.ini files at the time of the work.

3. SetHandler rules

Any clients who have setup SetHander rules will need to change these as follows. Any instances of:
ForceType application/x-httpd-php
or
SetHandler application/x-httpd-php

Need to be sure they use -php5 instead of -php:

ForceType application/x-httpd-php5
and
SetHandler application/x-httpd-php5

4. Account quotas

To date, any files created using a PHP script have been under Apache ownership and not counted towards the user account quota. This will change and all quotas will be much more accurate after the work which is a major benefit for account accuracy and when clients with to modify files created using scripts via FTP which will be possible without issue with suphp.

5. Joomla

For any clients using Joomla, it is important to have the $live_site variable configured with the domain of the account. Most installs should already have this set but it’s worth taking a few seconds to check before this work is done.

If anyone has any questions please feel free to contact us via our helpdesk.

AKIS Servers – Coming Soon:”suPHP”

akis — Sat, 13 Mar 2010 17:44:15 +0000

We will soon be rolling out “suPHP” across all servers which will not only provide an added layer of security but equally importantly will enable PHP scripts to run under your account username instead of the ‘nobody’ user which is the default Apache/Web server user. This brings about many benefits which include, but is not limited to:

All files and folders generated via HTTP (such as blog and CMS content uploads and generation, including WordPress) will be owned by the correct user instead of ‘nobody’

More efficient process control (how many can run at once, how long the processes can run for, the amount of CPU and memory each process can take)

Enhanced security between user accounts

Display accurate disk usage on quota calculations

More efficient abuse tracking for processes running spam scripts or attack bots

suPHP additionally removes the requirement of using 777 permissions on files and directories that need the write permission assigned. In fact, a directory or file that is set to permission level of 777 will display an internal server 500 error when being accessed via a web browser. The top level of permissions that a user can assign in a suPHP environment is 755.

With suPHP the correct permissions should be:

Writable Folders: 755
Writable Files: 644
Files that need to be un-writable: 444

No longer will you need to submit support requests to change (chown) files to the correct user, which saves you the hassle of opening a ticket.

The most common situation, and so most common question, will be:
“What will happen to accounts/directories/files that already have 777 permissions in place?“

The answer is that we will be using scripts to automatically take care of any required permissions changes and htaccess rules conversion (to user php.ini). Files/folders with chmod 777 will be change to reflect the correct permissions.

We are currently in the final stages of testing this in a live environment and will be looking to roll this out across all servers in a few weeks time if all goes as planned and our live trials are deemed a success. As the time nears we will post additional information on what changes can be expected – stay tuned!