View Full Version : Plesk support
lhatkins
16th May 2004, 00:19
Hi
I just need to ask a few questions about what has happened and what the future holds for us Plesk account holders.
I know the recent events designR had little control over and I don't want to tread over this ground, but now designR are under new management I would like to ask a few questions.
The last "hack" caused us to lose scripts over a certain length, was the cause for this ever found, and more importantly, do you now have a backup procedure so that if we lose our files from our account, or they become corrupted, that they can be restored from backup, other than us having to reload them again? (I don't keep backup at home).
My other question is about Plesk, is there going to be an upgrade in the plesk software? There are aspects of the plesk service that are out of date for example the GD functions. Moving to another control panel is a lot of hassle when you have to move 10 domains, I'd rather not do that.
Thanks
Lee
othelloRob
17th May 2004, 00:57
The last "hack" caused us to lose scripts over a certain length was the cause for this ever found
sort of, we know that initially a well documented php exploit was used, which was executed by a user using the webmail package.
the server is now considered suspect, and despite being cleaned and checked we cannot completely rely on there not being any leftover items.
do you now have a backup procedure so that if we lose our files from our account, or they become corrupted, that they can be restored from backup, other than us having to reload them again?
no, the only way to backup the Plesk information is to use their tool(s) which does not give the granularity to restore as we would like (essentially you can bring the whole server back or nothing) and despite moving the backups off to another server and restoring it all for examination - we found the backup files also contained the corruptions.
I can only stress IT IS ALWAYS THE CLIENT'S RESPONSIBILITY TO BACKUP FILES especially in a shared hosting environment. This will be the same at other hosts not just designRweb, we will / do have a backup solution where you can arrange for them to be located on multiple servers etc, however nothing quite compares to your own offsite copy, for some clients we even offer a monthly "archived to cd" option, however that's all extra to the hosting contracts.
For example, this week we have been asked if we can restore a file accidentally deleted, on investigation it turns out it was deleted in *MARCH* !
(I don't keep backup at home).
Time to fix that ?
is there going to be an upgrade in the plesk software?
the final version of Plesk5 has already been loaded we are trialling Plesk 7 in-house at present so we can offer a migration path to those wanting to stay on Plesk
Anyone wanting to "jump-ship" and move over to CPanel are welcome to do so right now, simply let me know and I'll get the support team to organise it.
Moving to another control panel is a lot of hassle when you have to move 10 domains, I'd rather not do that.
Plesk 7 is *nothing* like the CP you have anyway, so it will be a complete relearn no matter what.
If you want to volunteer to be our Plesk 7 guinea-pig sometime in the next couple of weeks, let me know :D
Thanks
brian
17th May 2004, 08:54
the server is now considered suspect, and despite being cleaned and checked we cannot completely rely on there not being any leftover items
That's not what we wanted to hear!
OK now we have 3 options as I see it
Stay where we are and take our chances till the hopefully improved Plesk is ready
Move across to C Panel
Go elsewhere
The first option
Looking more dubious every day
The second option!
Seems to be the house recommendation but just what input is required from us, is it akin to moving to another provider or is the process simplified.
1. Could you explain what input is required from us to make our present websites work within C Panel.
2. How secure is C Panel
3. Will our sites then be sited in the UK
4. I have a client (who is even less computer literate than myself) who uses Frontpage - just how common is the frontpage password error quoted elsewhere on the board
The Third option
Not something I wish to consider at this stage as the present setup seems to be as friendly as the former designRweb service which does mean a lot
--
Brian
(Still confused :( )
Addition....
What version of php is running on the C Panel set up?
What version of php will be running under the new Plesk set up?
Thanks
lhatkins
17th May 2004, 10:04
Hi Rob
Doh! I meant, I "do" do backups at home!, that was a mistype! But my problem is if I'm at work, my files are at home, there can be an 8 hour delay before a problem can be fixed. Ok well at least I know the position now, I'll sort something out.
I have tried the backup accounts with Jay's help, unfortunately they had a strange side effect which meant depending on what isp you had, depended on what account you saw, we never managed to resolve it.
Ok my problem with moving to new control panel is having to set everything up again, domains, users, email, files and most of all databases.
Can we move to a new control panel without any loss of service to my clients? If I'm going to move to a new CP then it must be done behind the scenes, but now would be a good time to do it.
What happened to Plesk6? Was it just unstable?
I'd rather stick with plesk, just for ease really, if cpanel was around when I signed up I probably would have gone with that option, but it's a lot of work to change over now.
I'm with Brian here, very confused on what to do next, over the last year I've been very happy with designR and would like to stay.
Regards
Lee
designRweb Lizzie
17th May 2004, 12:09
the server is now considered suspect, and despite being cleaned and checked we cannot completely rely on there not being any leftover items
That's not what we wanted to hear!
The ONLY long-term solution to a compromised server is a wipe and start again. If anyone tells you different they don't deal with server security much.
Stay where we are and take our chances till the hopefully improved Plesk is ready
the current setup on the Plesk5 server is much more secure, but due to the age of both the o/s and the control panel, it is difficult to ensure that it's not exploited again. We absolutely must shift towards php_safe_mode being on as both recent issues with the server and *several* attempts by malicious individuals have tried to break in using things turned off in safe_mode
sadly this does mean that poorly written and insecure scripts used by customers will cease to function.
setting up a replacement Plesk5 server is one possibility, that we rejected as the software etc on it would again be "old" in relative terms and difficult to maintain securely.
Plesk 6 was similarly rejected as it is no longer supported by the authors
Move across to C Panel
this is currently the favoured choice - improved user control, more secure, greater functionality, new hardware etc. it is however not to everyone's liking and we will continue to offer alternate control panels (Plesk, Ensim, Hsphere)
Go elsewhere
We would of course rather you didn't do that !
The server is right now more stable, and more secure than it was 3 months ago.
In that respect you are actually *better* protected than you were (it is running Plesk 5.0.5 final not 5.0.4) the firewall rules have been tightened up, various individual software packages have been updated etc.
First Option - Looking more dubious every day ...
We have Plesk 7 running in-house, a few issues with it, and there is no "automatic" upgrade path to moving the site over, so it will involve us and you in some work, we would hope to (a) automate a lot of it and (b) provide *detailed* instructions to minimise errors, plus we will keep the old box there in case files/db's/etc get forgotten.
Second option ...
Seems to be the house recommendation but just what input is required from us, is it akin to moving to another provider or is the process simplified.
1. Could you explain what input is required from us to make our present websites work within C Panel.
2. How secure is C Panel
3. Will our sites then be sited in the UK
4. I have a client (who is even less computer literate than myself) who uses Frontpage - just how common is the frontpage password error quoted elsewhere on the board
both 1 and 2 are *much* simpler than changing provider, as we will assist in the migrations. cutting it down to essentials, it requires
setup of secondary mx service so no mail lost
ftp to new locations of files
stop of updates to old server
change of nameservers
export and import of db files
start using new server
in answer to the specifics ...
1. changes required - to html pages - nothing, to scripts, the path to perl, sendmail and tmp
2. CPanel as a control panel is only as secure as the o/s and setup of the box. the CPanel servers are running fedora1core and security is quite tight on them. the control panel is updated regularly and contains a *lot* more features for your users and sites.
3. Yes UK based customers unless otherwise specifically requesting it will be hosted in the UK
4. frequent enough that it needed to be put on the forum, has happened 5 times out of 360 sites (1.4%)
Any specific questions regarding the future - email them to Rob directly on rob.golding [at] designRweb.co.uk
designRweb Lizzie
17th May 2004, 12:24
I "do" do backups at home!, that was a mistype!
:D makes much more sense now :D
I have tried the backup accounts with Jay's help, unfortunately they had a strange side effect which meant depending on what isp you had, depended on what account you saw, we never managed to resolve it.
it will always find the "nearest" one based on your ISP's peering/connectivity/current routing policies
It is one of the things we are redesigning at the moment, as well as adding "online-archive" facilities to keep backups at certain points of the sites on our SAN.
Ok my problem with moving to new control panel is having to set everything up again, domains, users, email, files and most of all databases.
Simon and Matthew are looking at ways of automating the processes so you literally have to fill in a form and click a button to migrate ...
Can we move to a new control panel without any loss of service to my clients? If I'm going to move to a new CP then it must be done behind the scenes, but now would be a good time to do it.
to do it with minimal/no issues first you create the DB at the new location, move the data and change the scripts to access the new db
then you move the site and leave a copy at the old location
then you change the nameservers so it resolves via the new server
then you change the dns so that it's only using the new server
takes a while but has no loss of service
What happened to Plesk6? Was it just unstable?
it is no longer supplied or supported by the authors who sold out to another software company. swsoft only deal with Plesk 7.
At present you can all stay on the existing setup but have to be aware that now it's been compromised the exploiters will have been telling all their friends about it and it is now a target for 12yr olds with too much time on their hands. A sad but true state of the internet.
We would be very remiss if we didn't suggest you move to a new server, which in order to save a too steep learning curve etc, should probably be Plesk7. However I am led to believe that won't be available for designRweb customer use for 3 weeks.
If you *want* to move now, then CPanel is available. If you want to stay on Plesk, we simply ask you to keep backups to hand and wait a short while.
If you're one of our resellers (forgive me if I don't know who you all are yet) then we actually recommend you move to either HSphere or WHM/Cpanel both of which are far superior in reseller control system than Plesk.
brian
17th May 2004, 12:26
Thanks for that but could you also let us know:
Re C Panel
1) I have a client (who is even less computer literate than myself) who uses Frontpage - just how common is the frontpage password error quoted elsewhere on the board
2) What version of php is being used on the C Panel server
Think you must have missed it last time - there was a lot to go at after all.
Thanks
--
Brian
designRweb Lizzie
17th May 2004, 12:36
1 - see my answer :P point 4 of your original ... you might've missed it there was a lot to go over ;)
2 http://www.designrweb.co.uk/phpinfo.php
4.3.5 (currently)
brian
17th May 2004, 12:45
Oops! - apologies
:ph34r:
lhatkins
17th May 2004, 23:32
Hi Rob
it will always find the "nearest" one based on your ISP's peering/connectivity/current routing policies.
It is one of the things we are redesigning at the moment, as well as adding "online-archive" facilities to keep backups at certain points of the sites on our SAN.
I would be interested to know if you manage to solve this problem because I have a few clients who would be interested in this setup.
Simon and Matthew are looking at ways of automating the processes so you literally have to fill in a form and click a button to migrate ...
Surely can't be "that" easy :)
to do it with minimal/no issues first you create the DB at the new location, move the data and change the scripts to access the new db
then you move the site and leave a copy at the old location
then you change the nameservers so it resolves via the new server
then you change the dns so that it's only using the new server
takes a while but has no loss of service
My only concern with that is "testing" how could we test the new setup before the domain switches, because to my knowledge there would be no way to access it? (unless I've completely missed something). Also cgi scripts or support for them, took me weeks to get Cron working on the plesk setup (used for database backups) again Jay helped me set them up, what a headache.
it is no longer supplied or supported by the authors who sold out to another software company. swsoft only deal with Plesk 7.
At present you can all stay on the existing setup but have to be aware that now it's been compromised the exploiters will have been telling all their friends about it and it is now a target for 12yr olds with too much time on their hands. A sad but true state of the internet.
Ya don't we just know it, been there done that, though it was the schools network (oh the z-net days! now I'm showing my age!)
We would be very remiss if we didn't suggest you move to a new server, which in order to save a too steep learning curve etc, should probably be Plesk7. However I am led to believe that won't be available for designRweb customer use for 3 weeks.
If you *want* to move now, then CPanel is available. If you want to stay on Plesk, we simply ask you to keep backups to hand and wait a short while.
If you're one of our resellers (forgive me if I don't know who you all are yet) then we actually recommend you move to either HSphere or WHM/Cpanel both of which are far superior in reseller control system than Plesk.
Hum, ok firstly yep we're a reseller, only a handful of clients but still. (and probably just as well!)
Ok I'll confess I've not heard of either of the systems you've mentioned and I would need to look at them, have some kind of demo or know what the heck I would be doing with them, before I moved over.
Ok so we have resigned ourselves to moving to a new cpanel, but at the end of the day we don't want to be doing this every time there is a security breach, are the other systems upgradable, patched and supported. We don't want to be doing this again in another 12 months time.
Sorry to sound whinging and whining, but I have to answer to my clients, of whom 1 is an NHS client, who wasn't best impressed at the latest problems.
Kind regards
Lee
othelloRob
18th May 2004, 02:12
testing :: we create you an account on one of our spare domains and you try the features
security :: is a whole ongoing issue, but normally wouldn't need you to switch control panels. it's only that the Plesk CP is now owned by a whole new company and support is dropped for all the older versions.
This is less of a problem with HSphere as it's more widely used and would cause more of an uproar. CPanel is the most used CP and is under constant development - we try to remain about 3 months behind on updates as they're constantly breaking things ...
tutorials should be online for cpanel in much the same way as plesk, if they're not, I'll get Simon to upload them in the morning, test accounts can be created for your edification :D
We've identified a few bugs so far in Plesk7 and waiting on patches from the authors, it *is* looking likely that we can have a system ready for migration and new account around the month end
Roger
18th May 2004, 12:15
Given these comments, I'll be moving my stuff off Plesk rather faster than I had originally intended. This is a pain as at the last count I had 70 active domains hosted on Plesk - though some are simply forwarding, ie the .com forwards to the .co.uk
I think we should start a "Plesk to CPanel" thread on this forum so we can share our experiences and hints making the move, not sure where to put it, probably in
designRweb Forums >> designRweb Support >> CPanel Support >> Plesk to CPanel
and I'll start it when I have something to contribute, unless somebody else wants to kick it off.
What happened to the stuff in the old forum? I had a number of items there, some of which were even pinned by Jay, which I'd quite like to refer to now ...
Roger
PS Although it says "Hello, Roger" at the top of this screen, when I try to add this it says I'm not logged in? ;)
designRweb Lizzie
18th May 2004, 15:55
Originally posted by Roger@May 18 2004, 11:15 AM
I think we should start a "Plesk to CPanel" thread on this forum so we can share our experiences and hints making the move, not sure where to put it, probably in
designRweb Forums >> designRweb Support >> CPanel Support >> Plesk to CPanel
and I'll start it when I have something to contribute, unless somebody else wants to kick it off.
What happened to the stuff in the old forum? I had a number of items there, some of which were even pinned by Jay, which I'd quite like to refer to now ...
Roger
PS Although it says "Hello, Roger" at the top of this screen, when I try to add this it says I'm not logged in? ;)
I'll get someone to make an appropriate forum, in the interim simply post in the standard support ones and we'll move as necessary ...
the old forums suffered from the same problem as other sites on the Plesk5 platform, the data is still there - we keep meaning to extract it and see what can be reused, but other issues jump up - will make it a priority for next week for someone to do.
Roger
18th May 2004, 16:04
Contingency plans
Given that we suspect that vulnerabilities exist in the Plesk setup, and it's by no means certain who will find them first, us or them, should Othello/DesignR have contingency plans at the ready? It would be a good idea to share and discuss them, so we all know what to expect should it happen again.
Here's my twopennyworth:
1. Set up a "honeypot" domain - ie one that looks like all the others on the Plesk server except that it won't ever be updated and its contents are known. Then run a cron job frequently - perhaps every five minutes? - to check whether any of the timestamps have changed or files have been added. If they have, we know we've been hacked and the plan as set out at 3 onwards below would swing into action.
2. Just in case someone finds a way to hack the files while leaving the timestamp untouched, less frequently (between once an hour and once a day) run a more thorough check on the honeypot domain to check that nothing has changed. I'm thinking of checksums here.
3. If hacking is suspected, halt the Apache server so the damage can be assessed. From what has happened in the past, I infer that Plesk considers server, email and FTP as entities that are either up or down together but there are Apache commands to shut down the server while leaving the other services up. I do not want my websites to be the source of viruses or routes to porn sites and would rather no access at all in this phase.
4. After an initial assessment, email customers to let them know what has happened. It is likely there will be a series of emails following, eg "this is the nature of the hack" "we have closed the loophole" "you may now upload your websites from the backup".
5. This is the tricky bit: how can restored sites be reactivated while those whose owners have not responded or who are still working on the problem be kept off the air?
That's what I would do if it were down to me, but we all have different priorities so I'd like to hear what others, customers and staff, have to say.
Roger
brian
18th May 2004, 17:05
That sounds like good sound sense to me Roger but like you I think I'm jumping the plesk ship before it sinks completely!
Will email support as soon as I sign off
Wish me luck!
(Don't need as much as you though, 50 domains! - sounds horrendous)
:blink:
lhatkins
18th May 2004, 21:55
Hi All, good to see you back on the forum again Roger, with all those domains I bet you had a lot of work to do to clean them up.
I'll stop whinging about my measly 10 domains then sounds like you guys have a lot more to deal with than me.
Roger and Brian, with all your domains are you not considering the "HSphere" option, I just wonder what advantage HSphere has over cpanel?
If I'm going to jump "cpanel" ship then I want to know I'm not leaping from the frying pan into a fire!
So we have 4 choices
1, stay on plesk5, which I don't think anyone will be doing!
2, Go to Plesk 7
3, go to Cpanel
4, go to HSphere
I think before I can make a choice I will need to know more about the products and what advantages one has over the other.
Thanks Rob for allowing us Test accounts, when I decide on a cpanel to switch to I will certainly need to take you up on that offer.
Thanks
lee
othelloRob
19th May 2004, 05:23
1. Set up a "honeypot" domain - ie one that looks like all the others on the Plesk server except that it won't ever be updated and its contents are known. Then run a cron job frequently - perhaps every five minutes? - to check whether any of the timestamps have changed or files have been added. If they have, we know we've been hacked and the plan as set out at 3 onwards below would swing into action.
the exploit didn't care if it was a site or not, it simply rewrote files starting with "index" server wide - we actually retrieve a file from the old designrweb site with wget and compare the contents at the byte level every 60 seconds to a known copy - have done since the day of the problem to see if further executions of the file/script happen
closing it is altogether a different matter, whilst suexec etc can be disabled, and the directory tree accessible to php can be restricted, a lot of the "holes" can only be closed by a new o/s and php in safe-mode which we know causes customers (bought-in and open source) insecure scripts issues. the replacement server will *NOT* be running php in exploitable fashion, and probably run linux in se mode too as we have no wish to be hacked or put you all through this again.
fedora se with plesk 7 is our setup of test at the moment.
Sadly the "email all users" feature which we did actually invoke to let people know to upload doesn't appear to work :(
good suggestions, and we will try to implement as much as possible over the coming days
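The two-tier check Roger proposes (a frequent timestamp pass plus a less frequent checksum pass) and the known-copy comparison Rob describes, as an added example that is not part of the original thread and is not designRweb's own tooling. All function names are hypothetical, and the honeypot docroot and the tampering are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _files(root):
    """Map relative path -> Path for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file()}


def snapshot(root):
    """Baseline manifest: size, mtime and SHA-256 of each file."""
    manifest = {}
    for name, path in _files(root).items():
        st = path.stat()
        manifest[name] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return manifest


def _diff(baseline, root, changed, label):
    """Report added/removed files plus those for which changed() is true."""
    current = _files(root)
    findings = [("added", n) for n in sorted(current.keys() - baseline.keys())]
    findings += [("removed", n) for n in sorted(baseline.keys() - current.keys())]
    findings += [(label, n) for n in sorted(current.keys() & baseline.keys())
                 if changed(current[n], baseline[n])]
    return findings


def quick_check(baseline, root):
    """Frequent pass: stat() only, cheap enough to run every few minutes."""
    def changed(path, old):
        st = path.stat()
        return (st.st_size, st.st_mtime_ns) != (old["size"], old["mtime_ns"])
    return _diff(baseline, root, changed, "stat-changed")


def deep_check(baseline, root):
    """Slower pass: re-hash content, catching edits that kept the timestamp."""
    def changed(path, old):
        return hashlib.sha256(path.read_bytes()).hexdigest() != old["sha256"]
    return _diff(baseline, root, changed, "content-changed")


def demo():
    """Constructed honeypot docroot and constructed tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_bytes(b"<h1>honeypot</h1>")
        (root / "about.html").write_bytes(b"<p>never updated</p>")
        baseline = snapshot(root)
        clean = quick_check(baseline, root) + deep_check(baseline, root)

        # Rewrite index.html with same-size content, then restore its
        # timestamps: stat() alone can no longer see the change.
        target = root / "index.html"
        old = target.stat()
        target.write_bytes(b"X" * old.st_size)
        os.utime(target, ns=(old.st_atime_ns, old.st_mtime_ns))
        # Drop a new file whose name starts with "index".
        (root / "index2.php").write_bytes(b"constructed sample")

        return clean, quick_check(baseline, root), deep_check(baseline, root)


if __name__ == "__main__":
    clean, quick, deep = demo()
    print("clean run:", clean)
    print("quick check:", quick)
    print("deep check:", deep)
```

Keep the baseline manifest off the monitored server, since a host that is already considered suspect can rewrite a manifest stored alongside the files it describes.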
lhatkins
19th May 2004, 20:38
Hi
For those interested in H-sphere I found an interesting thread on the Webhosting Talk Forums (http://www.webhostingtalk.com/showthread.php?threadid=268308)
I'm unsure what options would be best for me, would like to take a look at plesk 7 too, so if there is a test account ready I'd like to take a look at it
Regards
Lee
These demos of H-Sphere may also help:
Admin
http://cp.demo.psoft.net/psoft/servlet/psoft.hsphere.CP
User: admin
Pass: admin
Once logged in as admin, you should be able to create a standard account and login with the username/ password you set up. This is just the standard demo and Rob can give you the tech specs as to which version is running, features...etc
If you are happy with Plesk, I would look into sticking with it and having a look at Plesk 7 here: https://plesk7.demo.sw-soft.com:8443/login.php3?previous_page=index
Demo Plesk 7 as an Administrator
Login: admin
Password: plesk
Demo Plesk 7 from a Client perspective
Login: client
Password: plesk
Demo Plesk 7 from a Domain Owners perspective
Login: demo.sw-soft.com
Password: plesk
Demo Plesk 7 from a Mail Users perspective
Login: mailuser@demo.sw-soft.com
Password: plesk
Again, as for the standard add-on's for plesk 7, Rob can give some more details on this.
Jay
lhatkins
19th May 2004, 22:58
Hi
Thanks Jay you're too quick for me again :) was just editing my last post to ask that very question!
Great this will give me something to look at and compare and see which way I'd like to go.
Plesk might be the easiest and of course I'm familiar with it, but I'm worried about future support.
Thanks again jay for the info.
Lee
Thanks again jay for the info.
You're welcome Lee. Personally, I think Plesk is quite stable whereas Cpanel has more standard features as default. However, as of Plesk version 7, they have also added on some great features also.
If you are familiar with Plesk and used to its interface, I would take a closer look at the new Plesk 7.
Jay
mattyd
2nd June 2004, 08:45
Is there any chance that we could see a version of phpinfo() on Plesk 7?
Would be nice to know what we would be dealing with in terms of a move such as register globals and safe mode etc.
Cheers
Matt