Everything posted by SteveW

  1. As you said, it's best not to use your cPanel userID/password for database connections, for two reasons: 1) Your cPanel password is a very powerful one that allows a high level of access to your website. It should never be stored in a text file inside your website. But database connection passwords MUST be stored in a text file inside your website. Therefore, the one in the text file should not be your cPanel password. 2) When you use a separate MySQL userID/password for your database connections, you can change your cPanel password anytime you want, without breaking your database connections.

     For anyone who wants to migrate from using your cPanel password to a dedicated MySQL user and password, here's how: Go to cPanel > MySQL Databases. At "Add New User", create a new username. Give it a strong password. Notice that this new username actually has, before the name you just typed, a prefix consisting of several characters and an underscore. In your database configuration scripts, you should use the entire string as the database username. Near the bottom of the page, at "Add User To Database", select the user you just created. Also select the database you want that user to be associated with. Click "Add". On the resulting page, you'll see a list of privileges. Your cPanel user had ALL privileges, which was probably more than it really needed. Your new user can probably do everything it needs to do with fewer privileges, but, unfortunately, describing all the privileges here would take way too long. So just give the new user all privileges, and click "Make Changes". If you can determine later which privileges aren't needed, you can revoke them later on this same screen.

     Now go and edit your database configuration file (config.php, or whatever, as described in my earlier post). In it, find the location where your cPanel username is mentioned, and change it to the user you just created (using its full name, underscore and all). Also find the location where your old password is mentioned, and change it to the new MySQL user's password. Save the file. Test the application that uses this database. It should be working just the same as before, except it's now using the new user for the db connection. You can do a final test by changing your cPanel password. Your application should continue to work as before, because it's no longer dependent on your cPanel password.
  2. I think that could happen if you have been using your cPanel userID/password to connect to your database, and if you then changed your cPanel password in cPanel. Your database script would still be trying to connect to the database using the old password. Does that sound like it describes your situation? Most software applications store their database connection data in one file, called something like config.php, config.inc.php, or settings.php, in one of the folders used by that application. The solution would be to edit that file in a text editor (such as the one you can launch from cPanel > File Manager), and change the password to the new one. It's usually easy to find the right location to make the change: it's where you find the old password. (Before you make changes to the file, make a copy of the file for yourself as a backup. If something goes wrong, you can put the old one back.) This isn't the only reason you could get that error message, but it's the first one worth checking out, if you've been doing password changes.
  3. Up to now, gedit has been my favorite all-purpose text editor in Ubuntu. It came with a few plug-ins. I enabled some of them, but my memory is that most seemed fairly minor, so maybe there's a bunch more available that I'm not aware of? I like Geany, too, and Bluefish, but haven't used either of them often enough for their intended purposes to have a valid opinion. I think one of them allows selecting text and clicking a button to surround the text with HTML tags (which a Notepad++ plugin does), and the other allows clicking to create empty HTML tags which you can then fill with contents. Either way, I'm all in favor of anything that helps avoid typing <> and </> because they're awkward keystrokes that produce repetitive stress symptoms if you have to type them often enough. Come to think of it, I'm in favor of anything that reduces the keystrokes needed to get the text on the page. I'm not sure either of those can be a candidate for my go-to editor, a favorite for all types of text files. gVim looks like it has the potential. Yesterday, I opened a ".txt" file in it. It recognized from the contents that it was a "diff" listing, and applied the appropriate syntax highlighting. Very nice. For anybody who runs across this thread later, gVim is the GUI (menus and mouse) version of Vim, which in turn is a clone with enhancements of Vi that Bruce mentioned. Vi's been around since the 1970's, which is what inspired me to give it a second look. It still has lots of users and is in active development after 35 years? Had to check that out! That's like discovering there's a version of WordStar for Windows 8. In my earlier post, I made an edit that accidentally ended up saying the opposite of what I meant! You probably realized it, but I didn't. Should have been: ...without feeling deprived. except In the area of text editors, Notepad++ is a real pull back to Windows...
  4. GoodBYtes's post above (#157) expressed much the same as I was thinking, better than I can ^. Especially appreciate the prompt status announcement in the forum. The notification email was how I learned of the incident. I found it a non-jarring way to be notified. Truly amazing, skillful, and fast. Thank you.
  5. It makes me glad when someone seems to be having a good experience with one of the linuxes. I've been using Ubuntu Jaunty ever since first trying it about 2 1/2 years ago. It's well past its support period and feels creaky (with Firefox 3.0 when I've got FF12 in Windows XP), but, at the time, I downloaded every software package I thought might ever be of interest, 2000 of them, 2GB+, which took two weeks on dial-up. I'd like to try Debian, but am not anxious to do a two-week-installation repeat and don't want to risk having no working linux because I quickly discovered that once I had it, I needed it. For website stats I use a MySQL database that currently has over 5 million rows and still runs smoothly. There's a bunch of nifty utility programs in linux. I found Windows versions of many of them at the Sourceforge GNUWin32 project, so now I can use Windows (where I am most of the time) without feeling deprived except in the area of text editors. Notepad++ is a real pull back to Windows. It's not available for linux. Ubuntu has several very good editors, but they all have a combination of strengths and weaknesses, and no single one rivals Notepad++. My "last hope", which actually seems to have a very good chance, is gVim, which I've spent the past 2 weeks learning. It works very differently from most editors, but might be more powerful than any of the others, and has the advantage that it will work exactly the same in either Windows or linux, so I won't have to care where I am. I'd swear Ubuntu makes my sound card sound better than Windows does. Haven't thought of a reason why that could be. It's too bad there's no speech recognition in linux, but its automatic command completion (when you press TAB) is extremely useful, and in OpenOffice, once a document has a lot of words in it, the same thing (pressing TAB or another character of your choice, I think) works very well there, almost compensating for the lack of speech recognition. Sometimes I start a document with a copy of some other big document just to get the word completion feature, and then delete all the extra text when I don't need it anymore. Hope there might be some useful tips in there. I found learning Ubuntu a lot of fun, and two+ years later it still is.
  6. I don't like to let a question go unanswered, but all I know about those certificates was from some reading at their website and Wikipedia after you mentioned them. I thought I saw one comment that some of their free certificates aren't free anymore. I don't know that much about SSL, but it seems as though there are different levels of trust and corresponding differences in price. It would seem to me that all you need is something suitable for encryption, and that the question of whether you are "who you say you are" is not that important in this situation, and maybe an inexpensive certificate might be sufficient for that purpose. Thinking about it a bit, I did come up with some other ideas, although I do realize that they're probably not the kinds of solutions you're looking for. Word documents and zip files can be encrypted and sent as email attachments, secure even when the email itself is not encrypted. I think it would be possible to use JavaScript to encrypt the contents of a feedback form before it gets submitted. Because you would have to send the "secret" encryption token with the outgoing page, it's not secure at all from someone with a real interest in the contents, but it would prevent casual snoopers from seeing the contents without expending more effort than most casual snoopers would bother with. I would expect that anyone who is a regular and real correspondent in the journalistic sense and who was interested in security would be willing to use active methods like Word or Zip or PGP email encryption (which I believe is basically a private certificate that you issue to yourself, so it has no certifying authority). The real problem is providing passive security to ordinary passers-by who are not willing to use active methods. Without a standard SSL certificate, that might be impossible due to the issue you mentioned, lack of browser trust.
  7. The purpose of a privacy policy should be to state honestly what the actual situation is, not to try to instill confidence in visitors by making comforting mission statements that might not be achievable. Even an honest privacy policy like "I can't really promise that people's private information will stay private" is better than a more comforting one that is false. However, a privacy policy generally only pertains to factors under your control. Some risks of electronic communications are not under your control. It is not necessary to make a sweeping promise like "people's private information will stay private." You can, instead, describe what steps you take to try to ensure the security of their information. If you're thinking about something like doing credit card transactions by email, I don't know if it's legal, but I don't think it would be a good idea in any event. Emails can be encrypted with "PGP" ("Pretty Good Privacy") keys, but that's probably beyond the abilities or willingness of many. Other alternatives are offline communications like phone, USPS, FedEx.
  8. Either method could allow a brute-force password guessing attack to succeed unless all your passwords for all your MySQL database users (not just the new one you created) are very secure, an absolute minimum of 12 completely random characters, upper/lower/punct. More is better. If you don't use punct, make the password at least 2 chars longer to compensate. With the phpMyAdmin method, you'd need to make sure that your version of phpMyAdmin is always kept up to date, which could sometimes involve installing an update about once a month based on the history at http://secunia.com/a...task=advisories . You could add an additional layer of security by password protecting (in cPanel) the folder where you install phpMyAdmin. Your user will have to log in to the folder first (with the folder password), and then into phpMyAdmin (with their MySQL user password). The method of connecting directly to MySQL has the advantage that you don't have to keep software updated, but its security depends entirely on the strength of your MySQL passwords (unless you can also use the IP address restriction). With either method, "grant" to your new user only the specific permissions (SELECT, UPDATE, etc.) that they'll need for performing the actions you're allowing them to do, and only for the specific database they'll be using. If you set it up carefully, it looks to me that either method can be done quite securely. After setting it up, you could log in as the new user and browse around to make sure you're not allowing them to see or do things you'd prefer they couldn't.
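As an added example (not part of SteveW's posts or of any cPanel tool), the following Python script applies the advice of posts 1 and 8: it checks a candidate password against the rule of at least 12 random upper/lower/punctuation characters (14 when no punctuation is used), and builds the GRANT and REVOKE statements that scope a dedicated user to one database with only the privileges the application needs. The prefix, user and database names are constructed sample values.

```python
import re
import secrets
import string

# Constructed sample names (not from the posts). cPanel prepends
# "<prefix>_" to every user and database name it creates, so the full
# string, underscore and all, is what goes into config.php.
DB_NAME = "exmpl_stats"
NEW_USER = "exmpl_statsapp"

# Privileges a typical read/write web application needs on its own database.
# Anything beyond this is granted only when the application demonstrably
# requires it; everything else gets revoked.
APP_PRIVILEGES = ("SELECT", "INSERT", "UPDATE", "DELETE")

_IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def password_meets_policy(pw: str) -> bool:
    """Rule from post 8: >= 12 chars with upper, lower and punctuation;
    without any punctuation the minimum rises to 14 to compensate."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_punct = any(c in string.punctuation for c in pw)
    if not (has_upper and has_lower):
        return False
    return len(pw) >= (12 if has_punct else 14)


def generate_password(length: int = 16) -> str:
    """Random password from letters, digits and punctuation (CSPRNG),
    regenerated until it satisfies the policy above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_policy(pw):
            return pw


def _sql_quote(value: str) -> str:
    # Escape backslashes and single quotes for a MySQL string literal.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _check_identifiers(*idents):
    for ident in idents:
        if not _IDENT.match(ident):
            raise ValueError(f"unsafe identifier: {ident!r}")


def grant_statements(user, db, password, privileges=APP_PRIVILEGES, host="localhost"):
    """Create a dedicated user and grant it only `privileges` on `db`.*"""
    _check_identifiers(user, db)
    return [
        f"CREATE USER '{user}'@'{host}' IDENTIFIED BY {_sql_quote(password)};",
        f"GRANT {', '.join(privileges)} ON `{db}`.* TO '{user}'@'{host}';",
        "FLUSH PRIVILEGES;",
    ]


def revoke_statements(user, db, current_privileges, needed=APP_PRIVILEGES, host="localhost"):
    """For a user that was given ALL privileges at setup time, produce the
    REVOKE that trims it back to what the application actually needs."""
    _check_identifiers(user, db)
    excess = [p for p in current_privileges if p not in needed]
    if not excess:
        return []
    return [f"REVOKE {', '.join(excess)} ON `{db}`.* FROM '{user}'@'{host}';"]


if __name__ == "__main__":
    pw = generate_password()
    print("\n".join(grant_statements(NEW_USER, DB_NAME, pw)))
```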
  9. Glad to hear it, Bill. TCH deserves the success. You and the TCH staff do a great job. I'm very happy to be hosted here, and I'm sure many others are, as well.
  10. In addition to the other suggestions, Microsoft's successor to FrontPage is called Expression Web. There was a time when you could upgrade from FP to EW for only about $80.
  11. If you post a message to the other thread, the person who started it should get a notification that somebody replied to it. They might be willing to post how the situation turned out. What antivirus program do you use?
  12. Announcement at http://www.simplemachines.org/community/index.php?topic=452888.0
  13. Thank you for responding so quickly. I got this email today also. Would it help you to have a copy of it with all headers? If so, just let me know who to send it to.
  14. I used Trend Micro Internet Security for about 5 years and thought that it, and especially its firewall, were very good. However, at renewal time I learned that I'd be automatically upgraded to their new "Titanium" product which according to my online reading seemed to be a very much changed product with a simplified interface (it was already perhaps too simple), fewer configuration options, and, what caught my attention, no longer included a firewall. IF that's true, it could be because the standard Windows Vista/7 Firewalls are now so much improved over the old Windows XP version. But I still use WinXP. Since the Titanium conversion looked like it was going to be a drastic change in any event, I figured why not make a drastic change that I chose myself instead of one that I hadn't, so I switched to Kaspersky Internet Security 2011. Its out-of-the-box default settings for things seem to be quite secure, not requiring adjustments, but for those, like me, who appreciate having lots of configuration options, there are plenty (for both antivirus and firewall), enough to be overwhelming. The biggest firewall change I made was, using instructions from the Kaspersky forum, to block all unapproved outbound connections in addition to unwanted inbound connections. I ran an initial antivirus scan after setting all the detection settings to their highest possible levels, and KIS did not find any threats that Trend Micro had overlooked during the 5 years of use, so my confidence in TMIS seems to have been justified. The KIS reports (such as activity blocked by the firewall) can be difficult to understand, but they're more informative and better formatted than the TMIS ones were. It took me a few days to understand the firewall settings well enough to create custom settings that were what I wanted, so it's more complicated than the old TMIS was, but the fine-grained control could be useful, and it's interesting. Basically, it seems to have very good settings out of the box, fortunately. When you decide to do some tweaking, it can be very confusing. I'd recommend it as seeming to be a very good AV/firewall, though I've only been using it for a couple of weeks.
  15. Whenever you're referring to a path in your website, "user" means to substitute your_user_ID at that location. Each user on a server has their own "home" directory, which when written as a Linux filepath is /home/userID/ However, "usr" should be left as-is in the examples above. That's a different directory.
  16. It looks as though whatever local port Thunderbird opens for the transaction, the mail server, when the transaction is finished, tries to open a new connection back to the client on that port + 1. So if Thunderbird started the communication from local port 2608, the transaction takes place normally through that port, and then the mail server tries to open a connection from its port 995 back to my port 2609, and that's the one the firewall was dropping. Even though it didn't seem to make any difference, I added a firewall rule to allow the data to be received. I'll update here if I ever run across an explanation, but for now have done enough reading about POP mail to last a while.
  17. I have Thunderbird configured to retrieve POP mail by connecting to my server's port 995 using SSL/TLS for a secure connection. That's been working fine for a long time. While experimenting with my new antivirus program's firewall, I put it into "stealth" mode by creating rules to block all inbound TCP/UDP connection attempts initiated by a remote computer. In the firewall log, I'm now seeing that whenever Thunderbird fetches my mail, my firewall is blocking at least one inbound connection attempt from my website's port 995, addressed to various ports on my PC: 3582, 2609, 2607, 1101, 4963, and others... However, I'm still able to send and receive email just fine, so it seems like these refused connections are something not essential to the email retrieval process. Does anyone know what's the purpose of these reverse-direction connections back to my computer? ...and why blocking them doesn't seem to make any difference?
  18. The replacement for Matt's Script is called "NMS FormMail", and it is very good. If this link is allowed, it is here (the "compat" package at top of page): http://nms-cgi.sourceforge.net/scripts.shtml Set up the configuration section carefully. By using an email alias, you can set it up so your email address is not exposed in the HTML code. You specify the allowed recipients hard-coded in the script, so even if the form is used to send spam, it can only go to you, no one else. And it is possible (not described in the instructions) to add a fake CAPTCHA (not quite as good as a real one, but good enough) to prevent bogus submissions, of which I've never received a single one, ever.
  19. marlene, Website applications like WordPress, SMF, etc. usually come with an install.php or setup.php script that actually does the installation. When installation is finished, the install.php or setup.php is supposed to be deleted from the server. The exploit lines you posted are searching for websites where somebody forgot to delete the install scripts. All the requests you posted are getting 404 (Not Found) responses, so they can't do any harm. The 404's mean those scripts don't exist in your site. You can ban the IP in cPanel or .htaccess, but the only thing that will do is change the 404's to 403's. The entries will still keep appearing in your log until the would-be hacker stops trying.
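As an added example (not part of SteveW's post), here is a small Python log analyser for the situation described above: it reads Apache combined-format access log lines, counts per IP the requests for leftover install.php/setup.php scripts that were answered 404 (harmless noise), and separately flags any such script that was actually served with a 2xx, which would mean an installer was never deleted. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not from the post).
# The first four mimic a scanner probing for forgotten installers and
# getting 404s; the last one shows what a still-present installer looks like.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2011:08:01:10 -0500] "GET /forum/install.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2011:08:01:11 -0500] "GET /smf/install.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2011:08:01:12 -0500] "GET /wp-admin/install.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2011:08:01:13 -0500] "GET /blog/setup.php?step=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.22 - - [12/Jun/2011:09:15:02 -0500] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jun/2011:09:15:03 -0500] "GET /forum/install.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Installer script names the post describes; only the final path segment is
# compared, so /anything/install.php is in scope.
INSTALLER_NAMES = ("install.php", "setup.php")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_installer_request(path):
    # Drop any query string, then look at the last path component.
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return name in INSTALLER_NAMES


def analyse(log_text):
    """Return (probes, served).
    probes: Counter of installer requests per IP that got a 404, i.e. the
            script does not exist and the request did no harm.
    served: list of (ip, path) where an installer answered 2xx, i.e. the
            script is still on the server and should be removed."""
    probes, served = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_installer_request(rec["path"]):
            continue
        if rec["status"] == 404:
            probes[rec["ip"]] += 1
        elif 200 <= rec["status"] < 300:
            served.append((rec["ip"], rec["path"]))
    return probes, served


def scanning_ips(probes, threshold=3):
    """IPs that probed at least `threshold` installer paths; their entries
    will keep appearing in the log until the scanner moves on."""
    return sorted(ip for ip, n in probes.items() if n >= threshold)


if __name__ == "__main__":
    probes, served = analyse(SAMPLE_LOG)
    print("scanners:", scanning_ips(probes))
    print("installers still reachable:", served)
```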
  20. Thanks for posting the solution you found. That's information that could very likely help someone with a similar problem in the future.
  21. Try looking at Latest Visitors in addition to the Error Log. There are occasionally some situations (it has varied with server configuration) where the user gets one response, but that response triggers a different error, and only the last response is logged. As a made-up example (because I can't recall a specific real one), let's say a 500 error occurs, but there is no file (page) set up on the server for sending a response of 500. That would cause a 404-Not Found, and the log would only show the 404. The page the user sees probably says something like "...in addition, a 404 error occurred..." So: request the page and compare what (if anything) is in the Error Log for that request against what's shown in Latest Visitors for that exact same request and for any of its dependency files, also compared against what you actually saw in your browser. Comparing the 3 could shed some light on what's going on. Is there any chance that the way you call the file on your home page is different from how you do it everywhere else, such as if there's a typo in the home page link but it's fine on all other pages? Or the link is specified by an absolute path on the home page and a relative path everywhere else? Or the link in the script is specified by a relative path that is correct for most pages but isn't a valid path relative to the home page location? Or other things along those lines?
  22. SMF 1.1.14, a security and compatibility update, has been released. At the same time, SMF 2.0 has been released as the new officially current SMF version. Support for 1.1.x is expected to continue for about a year, security updates only. http://www.simplemachines.org/community/index.php?topic=437305.0
  23. If you run the script with permissions at 755 and it doesn't work, but it does work when they're 777, I'd consider that sufficient indication that you need the 777. Sorry I missed that even though you stated it clearly. Entirely possible. Dedicated can be configured differently from how they do the shared accounts. Yes, that's all it is. If you trust your other users, it's not that big a deal. The one thing it gives you less control over is that if one account gets hacked, the hackers can get access, using PHP, to folders in the other accounts. There are 2 ways to install PHP. Each has pros and cons. With mod_PHP (which is non-suPHP), this 777 is just the necessary configuration when you want PHP to be able to write to a folder. It's not a misconfiguration; it's just how you have to do it in that case.
  24. 755 will do what you want. With suPHP, PHP runs with the same permissions as your userID (the folder's "owner"), so the first 7 in 7xx is the one that applies to it. That is, that first 7 is what allows the owner to write to the folder, and if the owner (you) can write to the folder, so can PHP. With the first digit 7, the other two can be the more secure 5's, giving 755. Without suPHP, PHP has its own userID and it runs with those permissions. In that case, it's not the same as your userID; it's "other", whose permissions are determined by the last digit of the permissions number. For it to write to the folder, that last digit must be a 7. So in that case the 777 is needed. Unfortunately, in that case, granting the 777 to PHP has the side effect of granting the same permissions to all other accounts on the same server, which is why it's a security risk.
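As an added example (not part of SteveW's posts), this Python script models the permission reasoning in posts 23 and 24: it evaluates the Unix rule for writing into a directory from the owner/group/other triplets, shows why 755 suffices when PHP runs as the account's own uid (suPHP) but 777 is needed when PHP runs as a separate "other" uid (mod_php), and includes an audit helper that lists world-writable folders under a tree. The uids are constructed values, and the group check covers the primary group only.

```python
import os
import stat
import tempfile

# Constructed uids (not from the post): the cPanel account that owns its
# folders, and a hypothetical separate uid that PHP runs as under mod_php.
ACCOUNT_UID, ACCOUNT_GID = 1001, 1001
MODPHP_UID, MODPHP_GID = 99, 99


def can_write_dir(mode, owner_uid, owner_gid, proc_uid, proc_gid):
    """Standard Unix rule for creating files in a directory: the process
    needs both w and x on the directory, read from the owner triplet if it
    is the owner, else the group triplet (primary group only here), else
    'other'. Root bypasses the check entirely."""
    if proc_uid == 0:
        return True
    if proc_uid == owner_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif proc_gid == owner_gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need


def php_can_write(mode, suphp):
    """With suPHP, PHP carries the account's own uid, so the first digit of
    the mode applies; without it PHP is 'other' and the last digit applies."""
    if suphp:
        return can_write_dir(mode, ACCOUNT_UID, ACCOUNT_GID, ACCOUNT_UID, ACCOUNT_GID)
    return can_write_dir(mode, ACCOUNT_UID, ACCOUNT_GID, MODPHP_UID, MODPHP_GID)


def least_mode_for_php_write(suphp):
    """The smaller of the two modes the posts discuss that lets PHP write."""
    for mode in (0o755, 0o777):
        if php_can_write(mode, suphp):
            return mode
    raise AssertionError("neither 755 nor 777 allows writing")


def world_writable_dirs(root):
    """Audit helper: directories under root whose 'other' write bit is set,
    i.e. the 777-style folders every account on the server could write to.
    Symlinks are skipped so a link's own mode is not reported."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if os.path.islink(p):
                continue
            if os.stat(p).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(p, root))
    return sorted(found)


def demo():
    """Build a throwaway tree with one 755 and one 777 folder and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        os.chmod(os.path.join(root, "cache"), 0o755)
        os.mkdir(os.path.join(root, "uploads"))
        os.chmod(os.path.join(root, "uploads"), 0o777)  # chmod ignores umask
        return world_writable_dirs(root)


if __name__ == "__main__":
    print("suPHP, 755 writable by PHP:", php_can_write(0o755, True))
    print("mod_php, 755 writable by PHP:", php_can_write(0o755, False))
    print("mod_php, 777 writable by PHP:", php_can_write(0o777, False))
    print("world-writable folders in demo tree:", demo())
```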