Everything posted by SteveW

  1. If there's a timestamp for that user's access in your PHP Nuke file, you could check your HTTP access logs (thru cPanel, not PHP Nuke) for who was accessing the site at exactly that time, and maybe find the true IP that way. If the IP in your access log is just "0", that would be weird, but I think it's possible. If someone sends a request to a site with a spoofed or 0 IP address, they'll never get a page back from the site, but in the case of malicious requests, the sender wouldn't care.
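Added example (not code from the original post) of the correlation described above: matching an application's recorded login time against Apache combined-format access log lines, which is the format cPanel's raw access logs use. The log lines, timestamps and IP addresses are constructed for the demonstration.

```python
"""Correlate a login time recorded by a web application (e.g. the timestamp
PHP-Nuke stores for a user) with the raw HTTP access log to recover the
client IP that made the request.

Added example for this thread, not code from the original post. The log
lines below are constructed (not from any real server) in Apache "combined"
format, which is what cPanel's raw access logs use.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Apache combined format:
#   host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. The application recorded the suspicious login at
# 2009-03-14 21:15:00 -0500; the POST to the account module is the request
# that produced it, surrounded by unrelated traffic, one line whose client
# field is the bare "0" discussed in the thread, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2009:21:14:58 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2009:21:15:02 -0500] "POST /modules.php?name=Your_Account HTTP/1.1" 302 0 "http://example.invalid/index.php" "Mozilla/5.0"
198.51.100.23 - - [14/Mar/2009:21:15:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://example.invalid/index.php" "Mozilla/5.0"
0 - - [14/Mar/2009:21:15:04 -0500] "GET /modules.php?name=Your_Account HTTP/1.1" 200 4096 "-" "-"
192.0.2.44 - - [14/Mar/2009:21:40:10 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.19"
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # %z accepts the "-0500" offset, so the parsed time is timezone-aware.
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_near(log_text, login_time, window_seconds=5, path_hint=None):
    """Return parsed records within +/- window_seconds of login_time.

    login_time is a string like "2009-03-14 21:15:00 -0500" taken from the
    application's own clock, which may differ from the server's; widen the
    window if the two drift. path_hint, if given, keeps only requests whose
    request line contains that text (e.g. the login module's name).
    """
    when = datetime.strptime(login_time, "%Y-%m-%d %H:%M:%S %z")
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the search
        if abs(rec["time"] - when) > window:
            continue
        if path_hint and path_hint not in rec["request"]:
            continue
        hits.append(rec)
    return hits


def client_ips(records):
    """Split the client fields of records into (valid_ips, odd_values).

    odd_values collects anything that is not a syntactically valid IP
    address, such as a bare "0", so it is flagged instead of being treated
    as an address you could look up.
    """
    valid, odd = set(), set()
    for rec in records:
        try:
            ipaddress.ip_address(rec["ip"])
            valid.add(rec["ip"])
        except ValueError:
            odd.add(rec["ip"])
    return sorted(valid), sorted(odd)


if __name__ == "__main__":
    near = requests_near(SAMPLE_LOG, "2009-03-14 21:15:00 -0500", 5, "Your_Account")
    for rec in near:
        print(rec["time"].isoformat(), rec["ip"], rec["request"])
    print(client_ips(near))
```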
  2. SMF 1.1.8 has been released. Announcement is at http://www.simplemachines.org/community/in...?topic=290608.0 Creating a notification subscription to the "News and Updates" board in which that announcement is posted should normally be a good way to be notified of SMF updates. However, I haven't received the usual email notifications from that board for the release of 1.1.7 and 1.1.8. As a backup notification method, I created a daily Google Alert for: SMF 1.1.8 released site:www.simplemachines.org and it did notify me within 1 day of this release.
  3. Is it a shared server? As Bruce said, TCH takes care of updating things like the operating system versions, PHP versions, versions of the cPanel software itself, anything that is shared by all the sites on the server. Within your site, you can do the following to be more secure:
     1) Use strong, long, random-character passwords, and use a different password in every location where a password is required.
     2) If you use scripts like WordPress, SMF, Joomla, Coppermine, etc., keep yourself informed about when new versions are released, and always try to upgrade to the new version within 1 day of its release if possible. TCH-Thomas often posts announcements when new versions become available. You can subscribe to the subforum here where those posts are. (Sorry I don't remember exactly the name of the subforum, but you can find it easily from the main forum board list. It's under the general topic of security.) You can also check in cPanel > Fantastico for outdated versions of scripts that you installed using Fantastico. It alerts you about them. And you can go to the website that created the script and subscribe to their announcements, if they provide them. Another good place to look for any possible problems with scripts you use is http://secunia.com/advisories/search/.
     3) If your pages are all plain HTML, you don't need to be concerned about coding security. They're safe. But if you write your own server-side code (PHP, ASP, ASP.NET, etc.), you do need to be careful about security. Each language has lots of resources on the web for learning how to code securely in that language. Two of the most important things to guard against are "remote file inclusion" attacks and "SQL injection" attacks. Wikipedia is a good place to search for unfamiliar terms. I think it has something about both of those.
     As for spam attacks, if you mean that you receive spam, there are some preventive measures for preventing that (but they basically all amount to things like "don't post your email address all over the web"). Once you're getting spam, there's not much you can do to turn back the clock, but you can use filters, SpamAssassin, etc., to manage the quantity. If you mean preventing anyone from using "contact forms" on your site to send spam to other people, the key there is to use a forms handler program that can't be exploited that way. If you mean preventing anyone from really hacking your site and hijacking your website's SMTP server to send out spam robotically, then the solution is covered in #s 1, 2, 3 above. That is, those hacks usually result from a real server hack that was made possible by poor passwords, outdated script code, or exploitable user-written scripts.
  4. True, and some of the missteps have been even more embarrassing than the McAfee one. Any antivirus at all is better than none, which is what a lot of people have. That was the prevailing opinion at my renewal time for Norton in 2006. A couple hundred negative customer reviews at Amazon, some saying things like, "This is worse than a virus" are why I have experience with two paid programs. But I give them credit for gradually redeeming themselves. Either that or the fear has worn off with time. That's way off topic. Just felt like mentioning it.
  5. To clarify, and make matters even worse (for me), I was actually lumping Avira in with the free one I had the more serious reservations about: AVG. It was during a few weeks last summer when I ran across the flurry of forum posts. After reading so many reports of infection from AVG users, I'd start reading a new post from someone whose PC got infected, and predict they were using AVG, and they usually were. Yes, there's more than one possibility as the reason for this. If AVG has 80% of the market, you'd assume the volume of complaints would be proportionately high. Problem was, no other AV had so many failures during that period (of the random selection of posts I viewed). However it may rate usually, AVG was falling down during that period, which definitely affected my perception of it. And there always seem to be posts from people using other free AV. But viruses getting past the big name programs seems, to me at least, based on the forum posts I've seen, to be less common. The only free antimalware program I had good trust in was LavaSoft AdAware, which however wasn't for viruses. The two "big ones" I mentioned were merely the ones I've used and considered good. It bugs me that Trend Micro has basically fallen off the radar of those who test AV and don't bother to test it anymore, though it doesn't seem to bother Trend that much. Something I saw once, maybe from a Trend spokesperson, about AV rankings has stuck with me, which is that AV testers tend to use a zoo of viruses, some of which are ancient, no longer in the wild, and aren't current threats. An AV program can be optimised to rank well against the zoo and yet fail to do well with heuristic methods against more real and emerging current threats. In addition, protecting against thousands of non-real threats can make a program unnecessarily bigger and slower.
That discussion no doubt influenced my decision to base my personal "ratings" on the experiences I see real people having with their AV, and I tend to take ratings and rankings with some grains of salt. Someone's AV decision would also be based on the value (real and perceived) of what's on their PC. If someone basically just browses the web, doesn't save anything important, and doesn't mind the risk that occasionally they might lose everything and have to start fresh, AV might be less important to them. As the cost, or time required, for a system restoration goes up, so does the value of good AV protection. It's true I don't trust free ones as much as the paid, but I'm perfectly happy to agree to disagree on that. One thing I like about the paid ones is that those companies tend to have active and respected research departments that work on new methods of detection. In addition to having had good experiences with paid products, I get some satisfaction from supporting that research. One thing that I do consider important, when protection is important at all, is real-time protection. Finding an infection with a manual scan after it's already gotten in doesn't make much sense to me. Good links to resources in this thread, like the MalwareBytes, and the scanforfree link that specifically addresses the TR/Crypt.xpack.gen.
  6. Different AV companies call the same malware by different names, so it's not surprising that when I searched for xpack a lot of the results contained references to Avira, since they're the ones that use that name for it. However, a lot of those results also were complaints that Avira wasn't able to remove the threat. The Wikipedia article about Avira that I looked at mentioned that it rated poorly on threat removal. It looks like Trend Micro calls this malware WORM_BAGLE, i.e. the Bagle Worm. The next to worst thing that can happen with a malware infection is that you may have to wipe the system clean, reinstall Windows, and start from scratch. The worst thing that can happen is if the malware renders the computer unusable before you even get the chance to save your files before you wipe the system clean, reinstall Windows, etc. I think what I'd do in this situation is:
     1) If you already have backups (such as on CD or DVD) of all your personal (non-system) files on your computer, leave those alone; don't touch them. Even if they're old versions of your files, at least they're uninfected.
     2) Make a complete new backup set. There's some risk this set will be infected. Can't be avoided. You can scan these files later with your new AV program.
     3) Buy and run a top-tier antivirus program. Not a free one. Norton, Trend Micro, one of the big ones. There is a common factor to many of the forum posts I see from people battling infections: they were using free AV programs such as AVG or Avira, so I don't think much of free AV programs. Even in the unlikely event that Norton, or whatever you select, proves unable to clean the system because too much damage was done before the AV was installed, the $50 you spend will better protect you in the future.
     Here is a page at Symantec about one of the Bagle variants (which it calls Beagle): hxxp://www.symantec.com/security_response/writeup.jsp?docid=2004-071912-1847-99&tabid=2 It likely isn't the variant you have, but it gives some idea of the sophistication you are up against and what locations you may need to look to find the bad programs, registry keys, etc. if you continue to try to fix the problem manually.
  7. I agree. I doubt Shaw does all of the things listed at that Wikipedia article in the "Real-time protection" section, although if I recall correctly from earlier today, Shaw is F-Secure, so it should be possible to find out. Trend Internet Security 2009 does some of them, but I don't think it does them all, either. There is no such thing as "complete coverage". With both Windows Defender and Shaw, you have a layered protection system. One can catch what the other doesn't. That is best. I run the Microsoft Baseline Security Analyzer once in a while, too. One time my IE security settings got changed. It's still a mystery how it happened, whether I needed to do it for some reason and forgot to put them back, or whether something corrupted them. MBSA caught it. That's why I install everything Windows Update says I should even if I'm 100% sure I'll never need it (e.g. daylight savings adjustment for Australian time zones). I didn't realize WD was free and works on Windows XP. Have made a note to myself to go take a look.
  8. I looked up what Windows Defender is for at http://en.wikipedia.org/wiki/Windows_Defender. It appears that it might do a few Windows-monitoring type things that Shaw probably doesn't. However, running two antivirus/antispyware programs at the same time can cause problems, which Shaw also says at http://shawsecure.ca/answers_to_common_questions.php. If you're not experiencing any problems, is it possible you have WD installed but some of its features are turned off? On the chance that WD might be providing protection that Shaw doesn't, and if you're not experiencing conflicts, I'd recommend leaving WD installed. If you get conflicts, I'd start turning off WD features that duplicate Shaw's until the conflicts stop. If the conflicts don't stop, that is the only point at which I'd consider uninstalling WD. You could get another opinion from Shaw Secure if you have a way to contact them.
  9. SMF 1.1.7 Released (Simple Machines Forum) Critical security update.
  10. Yes, I've been getting these offers at least once a year ever since I first registered a domain. I don't recall if any have been from this specific company, but in all the offers the rates have been exorbitant. These are nothing but unsolicited advertising to addresses obtained from domain registration information, even if they look like a bill (which they usually do).
  11. I am both surprised and not surprised by that. Not surprised because that's how I felt about the "PCTV Deluxe" hardware tuner and software package in 2004, which crashed constantly. A year or more later, they released rewritten drivers which solved the crashes in their TV viewing application and with Studio 8's TV capture functions. Surprised because you'd think that after more than 4 years they'd have the drivers and any other programming issues ironed out. And because for me Studio 8 has been stable since the driver upgrade, though admittedly I don't use any of its features besides cutting down and transcoding video. Why any company would keep releasing new and fancier versions of a program without first getting one core version of it completely stable is beyond me, but they're not alone in that.
  12. Pinnacle Studio 8 was free with my TV tuner card. I like it and have seen positive comments about Studio from others. I think it is now at version 12, though currently 10, 11, 12 all appear to be available. This is their website: http://www.pinnaclesys.com. I thought they had a free trial available, but I don't see one. Windows Movie Maker isn't too bad, either. You might already have a free version of it on your PC.
  13. I looked at the filtering options in cPanel. It should certainly be possible to create one that will discard these spam emails as long as you find something they all have in common. It's at cPanel > Mail > Account Level Filtering (or User Level Filtering if you only want this filter to apply to one mail account) > Create a new Filter. As an example of a filter, you can use the dropdown boxes to select:
      Any header / Contains / (the IP address)
      If it's a bunch of IP addresses, you might be able to match them with a regular expression (it might take some studying on regular expressions):
      Any header / Matches regex / (a regular expression that will match the various IPs you want to block)
      Actions = Discard Message
      Then click Activate.
  14. Once you have the IP, you can look it up at a place like http://whois.domaintools.com/ to see what organization it's coming from and where it's located geographically. As Bruce said, it probably won't be your TCH server, which would be its origin if it were really coming from your .pl form. However, knowing this information doesn't give you any better tools to deal with the problem. As was said previously, there's really nothing you can do about this at this point. The email address has been harvested and given to a spam network. You could retire that email address and switch to using a new one. You can't use .htaccess to block email, but, come to think of it, you might be able to do it in cPanel. It would involve setting up an email "filter". The rule would be something like "any header" contains [the IP address]. That's just an idea. I haven't seen the email section of cPanel in a month or so, and don't remember what sorts of filter options are there, but it might be worth looking into. In the headers, you might also find the email address(es) from which the spam is being sent. (You might also, however, find faked or decoy email addresses. In fact, even some of the IP addresses may be faked.) If it's just one or a few email addresses, you could blacklist them in your email client so they get discarded. Or if these spam emails have other common characteristics (such as always the same subject heading), you could create a rule in your email client to discard them by that criterion. Basically, though, nothing that's been said here should be taken as an indication that you can "undo" the fact that the email address got out and is being spammed. At this point, you're just receiving spam and it's a spam-handling problem. The form has nothing to do with it anymore.
  15. If you deleted the .pl script, they can't be sending the spam through it anymore, but if the email address was exposed in the HTML of the form on the page, they "harvested" it and can now send email directly to the address. They don't need the form anymore. The email headers might have clues about where this is really coming from.
  16. I'm migrating a site from another host to TCH. The differences:
      From suPHP to non-suPHP
      From PHP 4.4.6 to 5.2.4
      Am currently working on my TCH site using the temporary URL hxxp://xxx.xxx.xxx.xxx/~userID/
      From the post at http://www.totalchoicehosting.com/forums/i...?showtopic=2056, I gather that the reason PHP $_SERVER['DOCUMENT_ROOT'] is currently not working properly is because I'm using the temporary URL, and it should start working after DNS propagation has occurred on the domain name. Some questions:
      1) The site transfer to TCH preserved the previous file and folder permissions. As far as I can tell, the rules for file and folder permissions at TCH are the same as at my previous host. Are these correct?
         Normal file, web page (.htm), or executable PHP script (.php) = 644
         Normal web-accessible folder = 755
      2) All my experience with PHP is with suPHP, and I'm discovering there are differences when not using it. Based on testing, it appears that a file that PHP will write to must have its own permissions set to 0666 and be in a folder that has 0777 permissions. To offset the dangers of those permission levels, I can do the following:
         -- Store those files in a folder outside public_html, or
         -- Put the folder inside public_html, but protect it with an .htaccess file containing the lines:
            order allow,deny
            deny from all
         It seems like that should compensate for the 666/777 permissions. I came up with some other methods (password protect the folder, and also use <Files></Files> directives in .htaccess), but decided they'd be redundant. Is anything above incorrect?
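Added example (not code from the original post) that checks the rules asked about above: it audits a web root for files that are not 644 and folders that are not 755, and separates world-writable (666/777) entries that sit behind a deny-all .htaccess from those that are reachable over the web. The public_html tree it builds in a temporary directory, including its file names and contents, is constructed for the demonstration.

```python
"""Audit permissions under a web root against the rules discussed above
(644 for files, 755 for folders) and flag world-writable entries (666/777)
that are not shielded by a deny-all .htaccess.

Added example for this thread, not code from the original post. It builds a
small constructed public_html tree in a temporary directory so it runs anywhere.
"""
import os
import stat
import tempfile

EXPECTED_FILE_MODE = 0o644   # normal file, .htm page or .php script
EXPECTED_DIR_MODE = 0o755    # normal web-accessible folder


def htaccess_denies_all(dirpath):
    """True if dirpath/.htaccess contains "deny from all" (Apache 2.2) or
    "Require all denied" (Apache 2.4), ignoring case and spacing."""
    try:
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            text = " ".join(fh.read().lower().split())
    except OSError:
        return False
    return "deny from all" in text or "require all denied" in text


def protected_by_htaccess(dirpath, webroot):
    """Apache merges .htaccess files down the tree, so a deny rule in dirpath
    or in any ancestor up to webroot shields everything below it."""
    cur, top = os.path.abspath(dirpath), os.path.abspath(webroot)
    while True:
        if htaccess_denies_all(cur):
            return True
        if cur == top:
            return False
        cur = os.path.dirname(cur)


def audit(webroot):
    """Walk webroot and return sorted (relative_path, issue, mode) tuples.
    issue: mode-nonstandard (not 644/755, not world-writable),
           world-writable-unprotected (666/777 and web-reachable: the risky case),
           world-writable-protected (666/777 behind a deny-all .htaccess)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode == (EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE):
                continue
            if mode & stat.S_IWOTH:
                # A folder is governed by the .htaccess inside it; a file by
                # the .htaccess in its own folder.
                governing = path if is_dir else dirpath
                shielded = protected_by_htaccess(governing, webroot)
                issue = "world-writable-protected" if shielded else "world-writable-unprotected"
            else:
                issue = "mode-nonstandard"
            findings.append((os.path.relpath(path, webroot), issue, f"{mode:04o}"))
    return sorted(findings)


def build_demo_tree(base):
    """Create the constructed tree: uploads/ is 777 but has a deny-all
    .htaccess, cache/ is 777 with nothing shielding it."""
    root = os.path.join(base, "public_html")
    files = {
        "index.php": (0o644, "<?php echo 'ok';"),
        "secret.php": (0o600, "<?php // owner-only, not 644"),
        "uploads/.htaccess": (0o644, "order allow,deny\ndeny from all\n"),
        "uploads/data.txt": (0o666, "written by PHP"),
        "cache/tmp.txt": (0o666, "written by PHP"),
    }
    for rel, (mode, content) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    for sub, mode in (("", 0o755), ("uploads", 0o777), ("cache", 0o777)):
        os.chmod(os.path.join(root, sub), mode)
    return root


def run_demo():
    """Build the constructed tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        return audit(build_demo_tree(base))


if __name__ == "__main__":
    for rel, issue, mode in run_demo():
        print(f"{mode}  {issue:27}  {rel}")
```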
  17. I'm sorry I can't comment on any other forums, but I love SMF both as a user and administrator, and it's secure, reliable, and supported. It's light on images, so pages load fast even on dialup. Any new forum admin should expect that it will take a few hours going carefully through the admin panel before they are comfortable with it, but I find SMF's to be intuitive and relatively easy except for some advanced features like user groups with specialized permissions, which a new admin probably won't be concerned with at first, anyway. Basically, I can't think of any reason to steer someone away from SMF, and that's why I'm posting this. A place to look up security issues with any forum or other script you're considering is http://secunia.com.
  18. Admittedly without looking closely at the rest of the code, I think the following might work for you. Ordinarily you'd do the non-www to www redirect straightaway before anything else. This sends the request back to the browser saying, "Please do it again, but with www". So I'm moving that rewrite up just after the RewriteEngine On. You'd also usually want to do that for the entire site, not just a folder like /client, so I removed /client. In addition, I suspect {http_host} only checks the parsed-out host name, and /client can't be part of that. That actually may be the reason the rewrite wasn't working, because it couldn't match /client as part of the host. I made a couple of other revisions as shown in red. You'll need to remove the extra spaces I added in the URL to prevent http... turning into a link.
      RewriteEngine On
      RewriteBase /
      rewritecond %{http_host} ^mysite\.com [nc]
      rewriterule ^(.*)$ http: //www . mysite.com/$1 [r=301,nc,L]
  19. Note that :fail: and SpamAssassin address two completely different situations, which people sometimes confuse. :fail: addresses the situation when your server receives email to an address that does not exist at your website, such as xyzzy@yoursite or asdf@yoursite. It will discard all such mail without telling you. :fail: makes absolutely no determination as to whether an email is spam or not. The only reason it is such an effective spam fighting tool is that so much spam is sent to nonexistent addresses. However, :fail: will also discard mail where someone merely mistyped your address. SpamAssassin does make a determination about whether an email is spam or not. However, by itself, it never deletes or discards an email, ever. It only tags (labels) it as spam. What happens to an email after it has been tagged as spam depends entirely on settings that you create. If you only enable SpamAssassin and do nothing else, then your mail will be delivered as usual, with some of them labeled "Spam" in the headers. If you want special handling for spam, you should create an email filter. Go to cpanel > Email > Filters > Add Filter. There should be a "Hint" on that page: To discard all email that SpamAssassin has marked as spam, follow the hint: Condition = "SpamAssassin spam header" starts with Yes. Destination = discard. If you're worried that legitimate mail might be discarded, you should instead create a separate real email address in your account, whose only purpose is to receive spam. Then go to Add Filter and set that as the destination. Everything arriving in that inbox is something that SpamAssassin considered spam. It's presorted. You can quickly review it for legitimate mail and then delete all the rest of it. (I do not recommend using Spam Box, which is an option you see on the SpamAssassin setup page. Spam Box is not a "real" email address, so it lacks the flexibility that a real email address has. It cannot be further filtered or forwarded, for example.)
  20. I agree that historical forum posts are a valuable resource for web searchers and shouldn't be excluded from indexing. However, I noticed a while back that this forum seems to impose a time limit for editing one's own posts. My limited experience has been that editing privileges are rarely abused, and that removing the time limit sometimes results in users appending additional useful information to their posts later, sometimes weeks or months later if they intended the original post to be useful for reference. If the time limit were removed (assuming the software permits it), it would allow the person who started this thread to go back and remove their name or initials from their old posts. Reason for edit: changed "IPB software" to "software", realizing that I wasn't sure this is IPB. ... Yes, I'm one of those who edit frequently!
  21. If the log file is a .gz file, you need to decompress it first. If you don't have an extractor, the free extractor that I found simplest to install was 7-Zip. It's just a command line utility, no Windows "install" required.
  22. If you specify an actual destination file, the server serves that file. If you specify just a folder name, the server goes to the folder and looks, in order, for file names that can be the default page to be served for that folder. That page is called the "index page" for the folder. I don't know the order used on TCH servers, but as an example, common index page names are:
      index.html -- If the server finds that, it serves it. If not, it looks for...
      index.htm -- If the server finds that, it serves it. If not, it looks for...
      index.php -- etc...
      If the folder contains no file in the server's search list, then, depending on whether the server is configured to do it, it might serve an automatically generated index page that shows the names of the files in that folder. It's just a list of files. If it can't do that, I don't know what it does! It might serve a blank page? As a side note, you're using a mixture of upper and lower case letters in your file names. It is best to use all lower case. Page names are case sensitive. For example, if your page or folder is called VRoom, you must be careful to always use exactly that capitalization in your links. A request for vroom or Vroom would fail. Upper/lower might be easy for you to remember, but if someone is typing a URL in their address bar, they're likely to get it wrong.
  23. Your first tracert screenshot (all asterisks) is what I get if I don't create a firewall exception for incoming and outgoing ICMP messages. For a tracert to succeed, both the router and software firewall, if any, must be configured to allow ICMP messages to pass in both directions between your computer and any other IP address. I believe Windows XP firewall allows all ICMP traffic by default, but my PC-cillin firewall disallows all ICMP unless I configure exceptions to allow it. Other two-way firewalls like Norton probably do the same. Your second tracert screenshot looks better, but it really isn't, because the second hop timed out and it only takes one bad hop to break the whole chain. I'd suggest doing that same tracert test many times over a few days to see if you have frequent problems at that second hop, or at various points. Which ISP you are using won't make a lot of difference, since the majority of the route depends on big telecommunications companies along the way rather than your ISP. Some of those companies have frequent problems. If they are having problems often enough that a failure is likely to occur at some point during an upload, it could cause upload failures even if sometimes or most of the time the path is ok. Edit: A "network health" tool like http://www.internetpulse.net/ might also be helpful at times, though I don't see Comcast shown there. There are also some FTP settings that could interfere: Internet Options > Advanced > (Browsing) Use Passive FTP See Wikipedia on Passive FTP ( http://en.wikipedia.org/wiki/File_Transfer_Protocol ). Basically, if you want to use active FTP, your firewall/router must allow incoming TCP connections from any IP address to your FTP application, on any port on your computer. Whichever FTP client you use needs to be clear on which FTP mode it should use.
  24. In your public_html/.htaccess, I think it will be something like this. It's a starting point, anyway:
      #only necessary if you haven't already turned it on
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} ^.*/directory.*$ [NC]
      RewriteRule ^.*$ http://www.mywebsite.com/file.html [R=301,L]
      This would rewrite all requests for all pages in (and below) /directory to the single file file.html. There is a potential problem if you have any other directories with names that start the same as directory such as directory1, directory2, etc. It would rewrite them all, and preventing it doing so would require more code. If you create an .htaccess IN /directory, it's even simpler, since no tests (RewriteCond) need to be applied at all:
      RewriteRule ^.*$ http://www.mywebsite.com/file.html [R=301,L]
      ------
      Heh, others beat me to it. There are differences in how each of the methods will function. Mine sends a notification back to the browser that the old address is now invalid, "now, and from now on, please request this different page instead". click's serves the alternate page, but I think it does not tell the browser that the old page is obsolete. One is a rewrite and the other is a redirect, but at the moment I'm drawing a blank on which is which.
  25. If you want to use SpamAssassin and not use Spam Box, but have spam sent to a spam-receiving email address instead, I believe there must also be an email filter set up for that purpose.
      1) Turn on SpamAssassin, but don't enable Spam Box.
      2) Create an email account for spam, something like spam@yourdomain.
      3) Go to cpanel > Email > Email Filtering > Add Filter. There might be a "Hint" at the bottom of that page: Hint: To filter all mail that SpamAssassin has marked as spam, just choose "SpamAssassin Spam Header", "begins with", and then enter "Yes" in the box.
      4) Enter your spam address as the destination, and click Activate.
      If you previously had a filter, at least check it's still there in case all the spam box on/off fiddling might have deleted it.