osCommerce & WordPress Exploit

We’ve been made aware of a new exploit that appears to have been launched today that is so far targeting WordPress and osCommerce installations. If you are running either of these pieces of software we recommend that you upgrade to the latest version as soon as possible. With osCommerce we would actually recommend you switch to an alternative product such as Zen Cart, as the development process is very slow and often stagnates.

The exploit itself creates .htaccess files in any directory where it has write permissions and places the following two lines in it, or on the end of an existing .htaccess:

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
/tmp/25454b22bf39c75795851f39d5e347c4

The file /tmp/25454b22bf39c75795851f39d5e347c4 claims to be mini suhosin, part of the Suhosin PHP security software; this is not the case. The exploit also tries to leave a back door shell into the infected system by leaving a shell process called minisuhosin running.
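A way to sweep a web root for the two indicators described above, as an added example that is not part of the original post: it flags any .htaccess that maps .htm/.html to the PHP handler or that names a file under /tmp. The function names and the sample tree are constructed for illustration; the post shows the second line only as a path, so any non-comment line containing a /tmp path is reported.

```python
import os
import re
import tempfile

R_ADDTYPE = "static extensions mapped to the PHP handler"
R_TMP = "references a file under /tmp"

STATIC_EXTS = {".htm", ".html"}  # should be served as-is, never parsed as PHP
ADDTYPE_PHP = re.compile(r"^\s*AddType\s+application/x-httpd-php\b(.*)$", re.I)
TMP_PATH = re.compile(r"(?<![\w.])/tmp/\S+")  # matches /tmp/x, not /var/tmp/x


def inspect_htaccess(text):
    """Return [(line_no, reason), ...] for one .htaccess body."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # commented-out directives are inert
            continue
        m = ADDTYPE_PHP.match(line)
        if m and STATIC_EXTS & set(m.group(1).lower().split()):
            findings.append((no, R_ADDTYPE))
        if TMP_PATH.search(line):
            findings.append((no, R_TMP))
    return findings


def scan_tree(root):
    """Walk root and return {path: findings} for every flagged .htaccess."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, "r", errors="replace") as fh:
                found = inspect_htaccess(fh.read())
            if found:
                flagged[path] = found
    return flagged


def build_sample_tree():
    """Constructed sample: one clean .htaccess and one with the appended lines."""
    root = tempfile.mkdtemp(prefix="htscan-")
    clean = "RewriteEngine On\nAddType application/x-httpd-php .php\n"
    tampered = ("RewriteEngine On\n"
                "AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html\n"
                "/tmp/25454b22bf39c75795851f39d5e347c4\n")
    for rel, body in (("blog", clean), ("shop/images", tampered)):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, found in scan_tree(build_sample_tree()).items():
        for no, reason in found:
            print("%s:%d: %s" % (path, no, reason))
```

The post's other indicator, a running process called minisuhosin, has to be checked separately in the process list.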


VAT Changes

Just a reminder if you didn’t know already that UK VAT rises from 17.5% to 20% on the 4th of January (first working day of the new year). This means that if you currently pay us £10 + VAT or £11.75 including VAT, your invoice will now come to £12.00 including VAT.

You’ll also need to remember to update your own shopping carts/ecommerce software if you’re using any to take account of the new rate of standard VAT from the 4th of January – if you don’t, then you’ll end up 2.5% out of pocket – as the VAT man will still want his 20% even if you only charged the customer 17.5%.



Linux Vulnerability CVE-2010-3081 – Local but serious

As many of you will no doubt be aware, a vulnerability in 64-bit Linux has recently been announced that allows a local system user to gain root level system access. Whilst these things do happen from time to time, the problem at the moment is that a lot of vendors do not have a new kernel with the security hole patched. To make things worse, the exploit that is out in the wild installs a back door into your systems as well, so even when patched the attacker will still have root level access to your system!

Whilst many are saying this isn’t a major issue as it is only exploitable by having local machine access, it’s actually bigger than a lot of people realise in a web hosting environment, as users are allowed to execute their own PHP and Perl code or install 3rd party scripts – what we’re seeing lately is that many such user and 3rd party applications have many holes in them that allow arbitrary code to be executed, or even uploaded on to servers and then executed. Both situations effectively give an attacker a local user account (that of the web server user, or the account user, depending on how the system is configured). One of the biggest causes of such problems is scripts that allow users to upload images or other files to a website – the vast majority of them do not check to make sure it is an image, or a PDF or a text file etc. that is uploaded – we’ve seen recently that a lot of these scripts allow users to upload PHP scripts, for example, instead of an image, and of course once it’s in the images directory it can be executed like any other PHP.
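The missing check described above, sketched as an added example (not code from the original post or from any particular upload script): the server accepts a file only if its single extension is on an allow-list and its first bytes match that type, and it stores the file under a name it chooses itself. The function name, the allow-list and the sample inputs are assumptions; plain text files are left out because they have no signature to check.

```python
import os
import secrets

# Allowed extension -> byte signatures the content must start with
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def validate_upload(client_name, data):
    """Return (ok, detail); on success detail is the server-chosen stored name."""
    # Drop any directory part the client supplied (both separator styles).
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: rejects shell.php.jpg, .htaccess and bare names.
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <stem>.<ext> with a single extension"
    ext = "." + parts[1]
    if ext not in SIGNATURES:
        return False, "extension %s is not on the allow-list" % ext
    # The content must actually be what the extension claims.
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match %s signature" % ext
    # Never reuse the client's file name on disk.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads
    samples = [
        ("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("avatar.jpg", b"<?php echo 1; ?>"),
    ]
    for name, body in samples:
        print(name, validate_upload(name, body))
```

A signature check alone does not stop a script hidden inside a valid image, so the upload directory should also be configured so that nothing in it is handed to the PHP handler.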

There is currently a workaround for the specific exploit out in the wild, but it does not protect from any new exploits that may utilise the same security hole. The only solution ready at the moment appears to be that from KSplice.com – which our managed hosting customers will be pleased to know we’ve been installing on all of your servers for the past few weeks now. For our un-managed customers you can also have KSplice but unfortunately for you there is a small charge for this, of £2.50 + VAT per copy – if you would like it installing then please open a ticket with us and we’ll get it done for you ASAP.


Phone calls about SSL renewal – Misrepresentation

Unfortunately it’s a sad sign of the times that we’ve had customers report to us that they are getting calls about renewing their SSL certificates they have purchased through ourselves – there’s nothing unusual in that you might think, but there is when they are claiming to be from either ourselves or the issuing authority for the majority of our SSL certificates (Comodo).

What we’d ask is that if you do get such a call, you find out as much information as possible i.e. telephone number from them, email address or what company they are really calling from – as obviously we don’t like people fraudulently mis-representing themselves to our customers and we don’t want our customers being sold sub-standard certificates or getting a sub-standard service for their SSL certificates.

So please, if you’ve been contacted or get contacted let us know. If you’re the company behind this and you’re reading this then I’d quit whilst you’re ahead :)


Shared vs. Dedicated Hosting

We’re asked now and again what the difference is between our business class shared hosting and our managed dedicated hosting/servers, so we thought we’d try and give a quick 5 minute run down on what the main differences are. The main thing most people notice first is the cost difference between the two services; hopefully the next few paragraphs will give you an idea of why they are so different.

Learning to share

As the name may suggest to you, shared hosting is a service that shares the hardware resources of a server/servers between a number of customers – It doesn’t mean that you are sharing your hosting account with your friends/family. Quite simply, we place multiple isolated user accounts on the same server hardware, where they are free to host as many domains as the package allows, using up to the web space and data transfer allowances each month.

As it is a shared service, like all providers we do have some provisos in our terms of service that prevent a single user from using all the CPU time or all the memory on a shared hosting service – After all you wouldn’t want someone monopolising the server and your site being slow, the same as they wouldn’t want your site to cause problems for them.

At KDA we place between 50 and 100 user accounts per web server as a maximum, we like to give every user a good portion of server resources such as CPU and memory – some providers will place 10x this many on a server, which increases the potential for problems massively.

Dedicated to the task

A dedicated server, unlike shared hosting is solely for your use – no other customers will use the same hardware. You can place from 1 site to 1000 sites (although we’d not recommend that) on your server, or you can use it just for email or databases, or serving video files if you want. As long as it fits within our terms of service and is legal, you can use it for what you wish.

At KDA we only use high quality server hardware from Tyan or Supermicro, we use enterprise grade SAS hard disks – designed for 24×7 operation in a server environment and we use hardware RAID to duplicate your data over at least 2 hard disks, increasing data security and performance.

Performance

With a dedicated server you have the ability to use 100% of all CPU and memory resources all the time if you need to (although we’d be recommending some changes/upgrades if you found that happening), unlike shared hosting where you may use only a fraction of the resources for an extended period of time – You can use more, but only for limited periods to keep it fair to other customers.

Our base specification managed dedicated server comes with a single Quad Core 2.26GHz CPU – giving you a total of 9.04GHz of CPU dedicated to you 100%. Not only that, it includes a massive 12GB of RAM dedicated 100% to you.

Reliability

In theory shared hosting and dedicated hosting should be as reliable as each other, all things being equal. Whilst our own shared virtual hosting is incredibly reliable, it is inevitable that as time goes on, at some point a website will get featured on Digg, on the TV, or elsewhere that causes it to see a large increase in website traffic – which can sometimes cause problems for other users of a server, such as their sites slowing down or in very very rare circumstances the server crashing.

With a managed dedicated server the only time this will potentially be a problem is if it is your own website getting 1000s of extra users visiting it or buying from it – which if you’re getting 100s of extra sales might not be a problem in your eyes. Of course with all those extra server resources 100% dedicated to you, you might not even see any performance issues with 1000s of extra users visiting your site or buying from it.

Features and Flexibility

With a dedicated server you have the potential to run different software compared to shared hosting. If you need a specific version of PHP/Perl/MySQL/Some other software then you can have that on a dedicated server, whereas with shared hosting that just isn’t possible – as it would have an effect on all other customers on that particular server. Not only that, but if you need to run some software that integrates with one of your suppliers, or a site search engine software service then you can do those, as the server is dedicated 100% to you.

Security

When it comes to security the fewer people that have access to a system, the more secure it tends to be. With a dedicated server we can restrict who has access to FTP, who can login to any optional control panel etc. As part of our standard server setup we restrict all access inbound and outbound to your server, except for public services such as web serving, incoming email etc. and all other potentially sensitive services are restricted to a specific set of IP addresses. With shared hosting we obviously cannot do this, as the administration required to cope with end users changing IP address all the time would require several full time staff.

All of our shared hosting systems are designed to be secure and isolate users from each other, but unfortunately you can’t always guard against unknown bugs in software used (such as web servers, PHP etc.) and there is always the potential that such a bug allows users to interfere with other users or the smooth operation of the server – With a dedicated server you are the only user.

Cost

With a dedicated server you are the only user, so you have to bear all the costs, there are no other users for those costs to be spread between – So that means we have to make sure your monthly fee covers the cost of the server itself, the power, the cooling, software licenses, staff time – which are the main reasons for the large cost differential. We realise that for many users the jump in price is quite considerable, which is why we also have an alternative that provides many of the benefits of dedicated hosting, but at a price between that of shared hosting and dedicated hosting. That solution is virtual dedicated servers which we’ll cover next time.

Please don’t let any of the above put you off of shared hosting at all, it is still suitable for the vast majority of websites, especially when implemented well and not shared between 1000s of users. As they say on Crime Watch, “Don’t have nightmares” if you’re using shared hosting, chances are it’s the correct choice for your website.


Cloud Testing: Storage Failover

As you’d expect, we’ve been extensively testing the failover and high availability features as it’s one of the key selling points of our Cloud Platform, our main area for concern has of course been data storage – without data or disk, there’s no point in having compute power really.

In terms of storage availability initially we will have a pair of SAN SUs (Storage Area Network Storage Units) with 15k RPM SAS Drives, each SU has redundant PSU and Fans, has Dual Quad Core CPUs and 32GB of RAM for Cache and boots from an SSD. Storage is configured equally over both SUs in a round-robin fashion, this balances the load over the two SUs and maximises performance – So for half of the virtual machine instances SAN SU1 will be primary and for the other half SAN SU2 will be the primary – If a failure should ever occur then each SU is configured as a mirror for the other SUs volumes, so if SU1 fails and your storage is primary on SU1 then SU2 will start serving your storage to you.

In our testing so far we’ve seen from zero seconds impact to a maximum of two seconds impact in a failover situation – depending on the exact nature of the failure. Whilst ideally we’d like to bring this down to zero seconds impact for all failure types, unfortunately it then becomes a delicate balance between false positives (where the system thinks something has failed because it takes fractionally longer to respond than normal) and detecting actual failures – if we start detecting lots of failures that aren’t, then it affects the stability of the system as it flips and flops between failure and recovery – which is far worse than a second or two of actual pause in disk i/o (Note: you shouldn’t see disk i/o fail, as it is queued, it will just pause momentarily). In a maintenance situation we can take out an SU without any impact to your service at all :)

Overall the initial SAN consists of:

  • Multiple SAN SUs mirroring data for each other
  • Multiple network switches

Each SAN SU consists of:

  • Dual Quad Core CPU
  • 32GB RAM
  • SSD for Storage OS
  • Enterprise SAS 15k RPM Drives
  • RAID-10 (Disk Mirroring + Striping)
  • N+1 Redundant PSU – Fed from two separate power feeds
  • Multiple connections to multiple switches

What all this boils down to is that each SU is highly redundant on its own, as well as being very fast; we then add to that another SAN SU which mirrors data for it, giving even more redundancy in the system, as well as increased throughput. What it also means is that we’ll never be the cheapest for disk space – for every 1GB of disk space available on the system we have to provision 4GB of space, spread over 4 drives – RAID-10 inside the SUs, then mirrored between the SUs. For reference we are using Seagate and Hitachi 15k RPM SAS drives in 450GB capacity – considerably more expensive per GB than SATA drives, but worth every penny for the performance and reliability :)

Also, as you’d expect from us, we’re looking at what changes can be made to see if we can bring all failover situations down to zero impact – but we’ll be doing this in our lab and it will likely appear in future revisions of our cloud hosting platform. We’re always looking to improve :)


Get an EV SSL Certificate for £99.95/year

That’s right, you can now get an Extended Validation (EV) SSL security certificate for only £99.95 + VAT per year! That’s a saving of over £250 on a 2 year certificate.

What is an EV SSL?

Extended Validation Certificates are designed to work with web browsers since Internet Explorer Version 7 (and Firefox, Chrome, Opera, Safari) and provide users with a green address bar and scrolling information next to the address bar displaying who the certificate is registered to and who issued it as well as that the business is registered with the correct government bodies. This provides instant reassurance to visitors using a compatible browser that your site is secure and trustworthy – just like they see when they login to their online banking.

Why would I want an EV SSL?

These certificates are designed to provide absolute peace of mind for their users. They are issued under strict validation by all issuers to ensure that they are only issued to the company whose name they are issued in and that the department/person requesting the certificate has authority to do so – meaning that rogue employees and criminal gangs cannot get an EV SSL issued in your company name and commit fraud.

If you’re carrying out online sales then an Extended Validation SSL is the ultimate in confidence for your users that you are whom you say you are and that their data will be safe in transit to you.

If you’d like to order an EV SSL then please email us – sales@support.kdaws.com or alternatively, if you’d just like a standard SSL certificate then we can offer those as well, you can find more information about them on our SSL certificates page.


Cloud Testing: Disk

I know quite a few of you are following the development of our new cloud hosting platform closely, so here are some very initial results from some brief disk testing. First up we have the standard Linux hdparm, nothing too strenuous, but it does give a quick idea as to disk performance:

/dev/sda1:
 Timing cached reads:   23004 MB in  1.99 seconds = 11575.07 MB/sec
 Timing buffered disk reads:  336 MB in  3.02 seconds = 111.37 MB/sec

As you can see we’re getting 111MB/s – not bad for an initial test, and something confirmed by Bonnie++ – a far more strenuous disk test:

Version 1.03e       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
karl-test3.sheff 4G 61756  79 121058  17 50688   1 51968  54 111809   0  5428   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                512 45927  71 315487  99  2746   2 44193  69 392805 100  2221   2

Bonnie backs up our initial numbers from hdparm, which is nice to see – and does so without using 100% CPU for either reads or writes.

These are very preliminary numbers – we’ve not even got multipath running to the SANs yet or the HA going – in theory we could get 4x those numbers with both of those items up and running. We’ve also not got all the disks running on the SAN either for those tests, in fact that’s only running off of 4 disks, in production each SAN will have 8 disks in the SAN head end plus at least 1 x 16 Bay Disk Tray as well.

We’ll have more numbers as the testing progresses, also if there is anything you’d like us to test then please do let us know.


It’s raining hardware from the cloud

As promised, we’ve got some pictures of some of the hardware we’re using in our cloud hosting platform that will be used to support our business class web hosting as well as provide cloud based solutions to you. I apologise for some of the pictures – even with 5MP the iPhone still isn’t quite the great photo taking tool it should be for the money.

First up we have some factory fresh ECC memory – 192GB to be precise:

Next up we have one of our SAN head end boxes, probably the most important component in the whole of the cloud platform:

Inside the SAN head end boxes we’re using Adaptec 5805 and 5085 SAS RAID Cards – These provide us with 8 x Internal SAS ports, as well as two x12 SAS expansion ports for connecting up disk trays to. Once we’re done testing we’ll be adding disk trays with up to 24 x 15k 450GB SAS drives per tray.

The next most important components and the ones that will actually run the cloud computing are the hypervisor boxes, here you can see two of them next to each other (minus CPUs):

Just in case anything should go wrong, we have our backup NAS system, I don’t have a picture of the 1U head end box, but we do have pictures of the 24 bay disk trays that we’ll be using for them:

That’s all for now. When we get a minute we’ll get some pictures of all the kit racked up for you, and maybe even some video (we know a lot of you like flashy lights :))