2009 is The Year Of The Gumblar. You might not know the name but I’m sure you’ve experienced it either directly (hopefully not) or indirectly. Have you ever been surfing and come across a page with a big red sign warning against you entering the site? If you have then it’s a good chance that site was hit with Gumblar or one its variants like Nine Ball, Martuz or a host of other weird and wonderful names. If you run a successful online business can you imagine the damage such an attack could do? I actually got hit with it on a personal site I just use for storing photos. But when I thought of the damage it would have done if it had hit HostNexus……it certainly got my attention.

So what is Gumblar and how does it work? These are things EVERY webmaster MUST know! The original Gumblar used a vulnerability in Adobe Acrobat and Flash player but subsequent variants use other exploitable software but all have the same end result. I won’t go into the technicalities of how your computer gets infected but you need to know what it does. Once infected it listens in on any FTP connections and steals the connection information. Usually within minutes the virus uses your FTP account to modify files and insert some nasty code. This code is normally an iframe, javascript or some other code that triggers a malware download from another computer.

The virus will sometimes modify PHP code and insert phpshell scripts which in turn attempt to install the malware that other infected sites connect to to trigger malware downmloads to unsuspecting site visitors. This is a three-pronged nightmare that just grows exponentially. From local computer to FTP account to server infection and the wheel keeps on turning. So what’s the defence?

The virus three-pronged and therefore everyone needs to cover as many of these vulnerabilities as posible.

1) Your Computer - a decent “On-Access” anti-virus program is all you need. When I got infected I was running a cheap AV program that wasn’t On-Access. This simply means the AV program automatically scans anything that is downloaded to your computer or any file that you open on your computer. If your anti-virus just gives you a daily scan you are NOT protected. You could get infected, download some nasty stuff to your computer and proliferate the virus before you even get to your daily scan.

2) FTP over SSL. If you are on a linux server simply choose a connection option in your FTP program that is encrypted or just says “SSL”. All of our shared servers should have this working. If you find it doesn’t please contact Support and we will fix it! With this option your connection info is sent encrypted and not in plain text and the virus cannot sniff it out. We would love to implement this by default (forcing people to use it) but even though we could post about it in a newsletter, on a mail list, on our blog and on our forum we will still get hundreds of tickets asking via their FTP doesn’t work. As awareness grows maybe we will implement slowly.

If you have a dedicated server and would like FTP over SSL activated please contact Support.

Bad news for Windows clients on this front. Our Windows servers don’t currently support FTP over SSL as this is a feature included in the newer Windows 2008 OS with IIS7. It’s a huge change and one that we aren’t quite ready for. But you can still install a decent Anti-Virus program.

3) Server Infection - this is one area where Windows servers aren’t as vulnerable. The virus uses PHP which needs to be running as a global user such as Apache. PHP on Windows has run under a user’s FTP username as CGI for ages so even if files get infected the virus cannot break out of the user’s home directory. On linux though PHP has ran as Apache for aeons and it’s only with later versions of Plesk that we now have the option to run PHP as CGI or FastCGI. So if you’re on Plesk 9 I encourage you to switch PHP to a Fast CGI application under Web Host Settings for the domain. Some scripts can break with it so if you are not sure please don’t hesitate to contact support and we will advise you. Scripts tend to run faster under Fast CGI too so you are in fact doing yourself a service.

This year we’ve been dealing with Gumblar related issues almost on a weekly basis. It is very hard to convince someone that the server hasn’t been hacked when their website is showing the Reported Attack Site page. In these cases the issue almost always lies with the user’s computer being infected.

But we have also had cases where the virus has spread through Apache-owned PHP files causing malicious downloads and random page redirects to search results containing a list of infected sites. We can always track down the source but it is very frustrating for us as hosts and our users. In this case a solution would be force every domain using PHP to run as Fast CGI but as with the FTP solution there would be even more fallout. So it’s a balancing tightrope act with a bit of a dodgy safety net. All we can do as hosts is raise our own community’s awareness of this problem that doesn’t seem to be going away any time soon and hope that in the future we can implement more stricter safeguards against this menace.

I just posted this on our blog so feel free to comment there. If you’d prefer to discuss any of this in our forum that would also be most welcome.

Post from: HostNexus Blog

Gumblar - How To Avoid Getting Hacked

How would like to reduce the amount of spam coming into your mailbox by 90%?

Yes…..90%.

It can be done and it can be done very easily but for many the price might be too high.  See, the fight against spam is kind of a catch 22.  There is no solution out there that, even if it works great, won’t aggravate some users.  For web hosts this is particularly painful.  A host’s client base often demands less spam but in my experience they are unwilling to pay the price.  This is why most hosts just let the email flow and give their clients end-user tools with which to fight spam - and on the whole it works well. By using SpamAssassin and some filters I generally don’t see much spam in my inbox. On average maybe 5-10 per day. The rest gets tagged and filtered. I can certainly live with that - but some people can’t.

So what other options are available to us as a web hosting provider? The most popular option is to use Blacklists. These are lists generated and maintained by external providers. We can set our servers to check mails against these lists and if they are listed we reject the mail. The most popular list is SpamCop which I’m sure almost everyone has heard of. There are literally hundreds of lists out there. Some are public, some are private, some are good and some are terrible. There are some lists that if you get on it you simply can’t get removed or have to pay to be removed. These are the bad ones but relays like SpamCop are good as you can delist and on some if your server doesn’t send anymore spam the entry can automatically delist. SpamCop works like this and it works well but it is far from perfect. Even with SpamCop your server can accept alot of spam.

Another great Blacklist is SpamHaus and we have this deployed on all servers. However, there are different levels of spam protection that are offered by SpamHaus:

1) The Spamhaus Block List - sbl.spamhaus.org.

In their own words:

The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

2) The Exploits Block List - xbl.spamhaus.org.

To quote:

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

It’s basically a list that incorporates two other RBLs - cbl.abuseat.org and www.njabl.org.

We use both of these as standard and query SpamHaus using sbl-xbl.spamhaus.org.

3) The Policy Block List - pbl.spamhaus.org.

This is what sets SpamHaus apart from all the other RBLs. To quote their site:

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

If you use all 3 Blacklists that is then zen.spamhaus.org. We put zen.spamhaus.org on some servers a few weeks ago but right away we got complaints from users who couldn’t send mail because their ISP was listed in pbl.spamhaus.org. Remember that most spam on the net doesn’t come from servers like we run but it comes from viruses on people’s computers that send spam via Outlook unbeknownst to the infected user. So yes, many ISP IPs are listed and for good reason - 95% of all spam originates from sources like this.

So we removed zen.spamhaus.org and kept sbl-xbl.spamhaus.org. I thought it best that all users at HostNexus get involved and we have a community discussion before implementing it again. But remember, even if you find you can’t send mail due to being listed by zen all you need do is follow the link in the bounced mail failure and delist your IP - it is really simple. To quote SpamHaus again:

IP Address Self-Service Removal Mechanism

A feature of the PBL is the elimination of ‘false positives’ with a server-identifying and automatic removal mechanism for single IP addresses. This allows end users with static IP addresses within a larger dynamic pool, and legitimate mail server operators, to assert that in their opinion their IP addresses are a trustworthy source of email and to automatically remove (suppress) their IP addresses from the PBL database. Safeguards are built in to prevent abuse of this facility by spammers (and particularly by automated bots).

I fully tested zen.spamhaus.org on our server and these are the resuts average over 3 mail accounts in a 24 hour period:

• No SpamHaus (only SpamCop): 165 spam tagged/10 spam untagged
• With sbl-xbl.spamhaus.org: 105 spam tagged/7 spam untagged

(drumroll)

• With zen.spamhaus.org: 10 spam tagged/1 spam untagged

You have to admit, that is pretty awesome.

But lets recap the downsides if we implement Zen:

1) Some people might have issues sending you mail. If they are savvy enough they can click the link in the bounced mail and delist quickly but alot of people are not going to do that. Some might contact their host or ISP to get it resolved. Some just might not send that email.

2) You (or your users) might not be able to send mail. The upside of this downside is that you are all web savvy and know to delist.

I have posted a discussion thread with poll on our forum. Please comment here or in that thread and vote on that poll. This would be a great thing to implement but everyone needs to be aware of it before we do and know how to resolve any issues if they experience them.

Thanks for your time.

Post from: HostNexus Blog

The zen of SpamHaus

The webhosting industry is very different from 2001 when I started HostNexus but many things are still the same. It’s true the competition is fierce. It’s probably the most competitive industry on the internet today. But there is good news - the internet is not getting any smaller. In fact it’s always growing as more and more people get online each and every day. Since I started HostNexus ONE BILLION people have come online - a growth of over 300% in 8 years. There will always be room for more hosting companies as long as people keep putting up websites.

The Web Hosting industry literally powers the internet and is at the forefront of new technologies and new software advances. It’s a very dynamic and vibrant industry and accessible to almost anyone with a
working level knowledge of the internet. At HostNexus I’ve seen resellers graduate to servers and become very successful hosting companies in their own right. Sometimes I’m asked for advice as HostNexus has enjoyed some success over the years as it’s grown to over 3000 clients and 100 servers. So I thought I’d write a few articles about starting a hosting company and running one. I’ve done some things right, I’ve done some things wrong and I’m hoping some people will benefit from my experiences. So if you’ve
dreamt of running an internet based company, have drive and determination but no real design or coding skill - then hosting might be an option for you.

(1) GET YOUR DOMAIN

Firstly, and I can’t stress this enough (and it applies to any idea you may have), register the domain now, put up a page, get it noticed by Google. Because a few weeks/months into the project something might
happen that may cause you to delay things or in some way put it on the backburner. There is a lot of speculation about the Google sandbox and how widespread it is but most people believe there is a sandbox in some industries and some keywords. So even if you have a vague idea to set up a hosting company -
get the domain, put up a page and get it indexed. So even if you don’t start right away you are using the time to your benefit.

(2) TARGET NICHE

Before you even think about your site and how much money to spend on the business you need to do a lot of research. First thing you need to do is choose your niche. You simply have to target a niche. You can target a specific group of people or a certain type of hosting but you need to specialise at first. If you offer standard Linux Hosting or Windows Hosting you are competing with so many thousands of existing companies and it will be so much harder. If you had a large startup budget offering standard hosting could be done as you could sink a lot of money into advertising but generally this won’t be the case (lucky you if it is!).

So find your target niche and think how you are going to get clients. Just putting up a website and waiting for orders to roll in is not going to yield any results (understatement right there). For example we have a
client that specialises in hosting for Lawyer websites, another one specialises in Real Estate Agent Websites - these are examples of targeting specific groups of people that need hosting. You can expand on this by teaming up with a web designer to provide design services, website maintenance services or SEO services.

Another form of niche hosting is the software that people use to build and maintain websites. There’s still room in the Wordpress Web Hosting niche (although that is quite huge now) but there are other popular things such as Joomla Web Hosting or OSCommrce Web Hosting. A vastly untapped resource is the increasingly popular Magento ecommerce script (www.magentocommerce.com) so you could target the Magento Web Hosting niche. Anything that is open-source and popular is a winner and if you become an industry expert in a niche’s early days your success is truly inevitable. And once you have
established yourself you can expand into other areas. But if you specialise in something, rank well for it in Google and become an expert in it this will give you a most excellent foundation for a new web hosting
company and you can start small.

(3) BUDGET

Once you know your business’s direction you can start to think about your start-up budget. The more money you put into the web hosting business the quicker the returns will be. Your budget will dictate your entry level into the business (Reseller, VPS, Dedicated) and how much you will spend on designing your website. Also it will govern whether you will start off part-time, get stuck in full-time right away and if you can hire any staff.

I started HN on a budget of $10,000 AUD and that included the site design, some software, a few servers, staff costs for 3 months (2 people) and living expenses for Chris and myself. It was a very optimistic business plan that I drove through by pure bloody-mindedness and refusal to accept the possibility that it wouldn’t fail to succeed.

But you can start a Web Hosting company for as little as a few hundred dollars - especially if you are a designer and can make the site yourself. A reseller plan or VPS isn’t a huge overhead and you can use open-source software for everything from your support system to forums to live chat to billing systems.

(4) HOSTING PLATFORM

What a choice there is a available these days! Back in 2001 it was a reseller plan (with limited features) or a dedicated server (with Plesk 2 or Cpanel 6 - also both quite limited). Nowadays you can have a Reseller
account that can setup other Resellers (with the new Plesk 9), a VPS which basically gives one all the feature of a dedicated server for a fraction of the price and managed dedicated servers.

If you are worried about diving in head-first with dedicated hosting then don’t be! We have many dedicated clients that don’t know and have no desire to learn SSH, server maintenance or security. The beauty of full server management is that we can do anything you ask so if you get a support request from a client that you can’t handle we will step in. And we can teach clients how to do simple tasks in SSH which will speed up your own support times. As you expand you will want to look into getting your own server admin just to streamline your efficiency but until you’re ready, feel free to lean on the HostNexus Support Staff.

A VPS behaves like a dedicated server so all the above applies to VPS Hosting too. If you need either access to Admin level of Plesk or access to root then a VPS could be a good entry level for you. A common misconception is that a VPS is more powerful than a reseller plan - this is not true. With a reseller plan you have access to ALL the server’s resources at any one time. And while doing so might get you into trouble if you have that usage over a long period of time the resource is still there for you to use. A VPS gives you more control but you have a set amount of RAM and CPU time that you can use.

But having said that, the servers 8 years ago had 60gb drives and 512mb ram as standard with 800MHz processors, comparable or even less powerful that your average VPS these days!

Your hosting platform options could be summed up as:

Reseller: Powerful, limited options
VPS: Limited power, more options
Dedicated: More power, more options


With a VPS you can always ramp up memory in 128mb increments and as long as you aren’t running applications with huge CPU requirements a VPS can serve a huge range of hosting environments.

(5) STAFF

You have your budget, you have a plan of attack in the hosting business and you know how much time you yourself are going to spending on the company. You are going be your company’s promoter, chief support person, main sales person. The more help you get the more time you’ll have to promote your company and get new clients. But remember no-one will care more about your clients than you so if you do hire help you always need to keep an eye on your client’s issues and review your staff’s performance in real time.

If you’re not going to hire help don’t advertise 24/7 support. Truth, honesty and integrity before sales - always! Outsourcing is great but pooling from your own network of contacts is better. Look into profit
sharing and reward programs to entice people to help you for a small sum at the start. Building a team with a vested interest in the company from day one will bring in many benefits as your company develops. If you choose this route then your first posts to fill would be a Support Manager and a Sales Manager. In a company’s early days the founding members need to where a variety of hats to maximise efficiency. Your ideal Support Manager will be taking care of tickets when you sleep but also be a developer (you’ll always need dev type work done). Your ideal Sales Manager will take care of sales and also marketing and hopefully one of you will be handy with design. Aim to build a team that covers support, sales, marketing, coding and design very early and you’ll have all the main things covered. Make sure the managers are willing to interact with your customer base via forums, blog posts, live chat and email.

So now you have a clear outline of what you’re going to do, how you’re going to support it and how much money you can invest. This is a good foundation to start building your company and if you are a beginner your staff can help you along the rest of the way so lean on their knowledge and expertise.

Next week I’ll post about Site Design, Collecting Payment, Supporting Clients and other things. Here’s to your hosting success!

Post from: HostNexus Blog

How To Start a WebHosting Company - Part 1

But what about your own personal backups? We can of course use our system to restore individual files and databases for you - no problem there but everyone should also have personal backups. Files are easy. If you’re like me you have your sites in folders on your PC/laptop and you edit files there and upload via FTP. So by default you have a copy of your files. But what about databases? A database is written on the server so special considerations have to be made. You can do backups in phpMyAdmin and download them. But who wants to do that weekly, let alone daily? And then download the backups to your computer? I’ve done it all manually and it just sucks. You will definitely forget and that daily backup becomes weekly, then monthly, then quarterly….

Wouldn’t it be awesome if all your databases were backed up daily and downloaded to your computer daily without ever having to lift a finger?

So let me share with you what I do. Small disclaimer though, this only works on Linux hosting for obvious reasons. I’ll talk with our Windows admins to see if there’s a comparable solution Windows clients.

Disclaimer #2. Please don’t try this on a shared server with a large database! If you SQL file is a few hundreds megs you should be okay. Over 300mb and with 100 people doing the same thing the server might not be so happy.

So the first thing to do is setup a task in your domain’s Crontab. Choose a time in Minute and Hour. Day, Month and Day Of The Week will be * meaning everyday. The command to backup a database via cron is:

/usr/bin/mysqldump --opt --host=localhost --user=[USER] --password=[PASS]  [DB NAME] > /home/httpd/vhosts/domain.com/httpdocs/backup/whatever.sql

Just substitute your database name, user and pass and the path to where you want the sql file to be written. If it’s a backup folder obviously make sure you create that folder. For instance the following image shows 30 3 * * * which means the job runs at 3.30am every day:

If you want to backup more than one database stagger them a few minutes apart. This image shows one running at 3.30am and another at 3.40am:

You can backup databases from any domain to any domain so you could backup databases from 5 domains to one backup folder on a domain of your choice.

REMEMBER!! You are backing up your SQL files to a place they can be read. I advise you choose a random name for your backup folder and random names for your SQL files.

After you’ve added all the database cronjobs you can then add a cron that tars (or zips) the whole backup directory. The following command makes a .tgz file (gunzip compressed tar file) in httpdocs and is tarring up a directory called “backup”. But do use a more random name as mentioned above. Run this after all databases have been backed up:

/bin/nice -n 19 /bin/tar -czvf /home/httpd/vhosts/domain.com/httpdocs/your_backup.tgz /home/httpd/vhosts/domains.com/httpdocs/backup

You can use zip (note that zip lives in /usr/bin/zip):

/bin/nice -n 19 /usr/bin/zip -r /home/httpd/vhosts/domain.com/httpdocs/your_backup.tgz /home/httpd/vhosts/domains.com/httpdocs/backup

And thus your crontab might look like this:

So now you have all your MySQL databases being backed every day and also tarred/zipped to a location of your choosing. The last thing to do is have that tarball/zipfile downloaded to your computer automatically everyday.

There are various programs available but I use one called GetRight. It has a 90 day trial and costs $19.95 which is pretty cheap considering the value.  It’s a full download manager and has a huge array of features but I just use for it’s ability to download a URL at a certain time every day.  It can also override the old backup so you don’t accumulate a huge number of backup files.  If you decide to try this program you’ll need to go to Tools > Daily Downloads and configure from there.  I also timed mine with the 24h timer option as I had issues with the am/pm.

I’ve been very happy with this program. It downloads a tarball containing our forum, ticket system and blog databases at 5am every morning. Our ticket system sql file is over 2gb and backing that up and tarring it does cause some load and we have a nice Core2Quad machine with fast 10k drives all to ourselves so definitely don’t try the above if your databases are huge!

I’m interested to hear if anyone does things differently so please do post a comment if you have other ideas.

Post from: HostNexus Blog

Easy MySQL Backups

Last week Theta had a bit of a meltdown. Theta is one of our older servers and has RAID 1 compared to the Dual Quad Core RAID 10 servers we currently deploy. RAID 1 is two drives mirrored and if one fails you simply take the server down, switch out the failed drive, boot up server and rebuild the array. Pretty simple stuff and 9 times out of 10 it does go this way (yep, only 9/10). Theta got hit by that 1 out of 10 chance last week. It all started with a simple and standard RAID notification:

20090805200803 - Controller 0
ERROR - (0×0F:0×0002): Unit degraded: Unit #0

I scheduled a maintenance window 24 houts later, the server was taken down, drive swapped out but when the server came up the RAID controller didn’t recognise any drives. Suspecting a faulty controller it was swapped out but the result was the same. No drives, nada, zip, nilch. Hmmm, okay, so back in goes the original drive. The RAID card does show one drive this time and the server is fully booted. The original drive then starts to make very nasty noises and the server crashes. The RAID array has died catastrophically and all data has been kissed good-bye.

It’s the server admin’s nightmare. A system designed to protect against 100% data loss has failed. But all is not lost, Bacula has got your back. Bacula is open source network backup software and we’ve been using it since January this year (2009). We found our old system was somewhat unreliable but Bacula has performed really well for us. This was our first real bare-metal restore (meaning restoring a server in its entirety). Theta was rebuilt, reloaded with a new OS and we started the restore. It’s not super-fast but it is solid. It took about 6 hours to restore the whole server which is not bad across a network.

All in all it was a good experience. Clients did suffer extra downtime but everyone was VERY supportive. After a severe server meltdown with 100% data loss were able to get everything up in about 8 hours and our backup system passed a hardcore test with flying colours. And if you’re on any of our cheap web hosting plans you are covered by Bacula.

Post from: HostNexus Blog

Much Love For Backups