
If you are reading this, then your ISP has cleared its cache!
I know, “WHAT?”
Over the weekend, LunarPages has had its DNS (Domain Name Server) compromised, which resulted in a redirect nightmare for thousands of shared hosting customers – including MICE!
I feel for LunarPages. Honestly I do!
They are one of the best, secure, shared web hosting companies that I’ve been affiliated with since our company went online around 1997 with our first web site. And within a few years, our website was hacked also. That’s the price you pay for declaring you’re more secure than others. It’s an open invitation to the creeps.
The point is, however, there are no guarantees. Even if you are capable of running your own server and you know how to lock it down, you’re still vulnerable. That’s why I don’t run my own server. It’s too time consuming keeping up with these idiots!
So, in case you missed it, our website was redirecting to a German hosting provider.
I had it easy by comparison from what I’ve been reading on the support forum. Many sites had been redirected to malware providers that attempted to download an executable file. Others have become victims of Cross-site Scripting attacks (XSS) and have no idea how to remove it from their pages. Many of these sites were using WordPress, Joomla, or other PHP pages.
In order to understand what I said in the first sentence of this post, you have to understand that when you type in a web address, such as mice.org, there is a server on the Internet that takes that address and translates it into an IP address for the server it is located on. That server is called a DNS or Domain Name Server.
It’s sort of like a database that collects all the web addresses and connects them to their hosting server. So, when you type in an address in your browser, the address is sent to the DNS on your Internet Service Provider (ISP) and the browser then knows where to go look for the site.
Every so many hours – usually 24 – the ISPs flush their DNS cache. I know, another, huh????
Let’s look at it in another way to help you understand.
Your computer – and I’ll use a Windows example – actually keeps its own store, or cache, of DNS addresses. That’s how you’re able to get to websites so quickly! If you’ve ever gotten redirected or had problems accessing sites, you may have to flush, or erase, your computer’s DNS cache by typing the following in the Run command: ipconfig /flushdns
That clears the stored – and possibly wrong – information on where websites are located. By flushing the information, your computer is forced to go out to the Internet and get a new list. Hopefully, the new list is corrected from errors you might have been experiencing.
ISPs need to do the same from time-to-time, and if they don’t, well, you wouldn’t be reading this because you’d be redirected to the German hosting site, like some of my readers are!
Comcast appears to have flushed everything. Verizon has not and if they did, then my friend Anthony needs to flush his DNS!
So, if you are reading this, your ISP has flushed the DNS cache and all is good.
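To make the timing concrete, here is a small simulation of the caching behaviour described above. It is an added example, not code from LunarPages or any ISP; the two resolvers, the 24-hour cache lifetime and the IP addresses are constructed for illustration.

```python
# Added illustration: a toy model of resolver caching, not real DNS code.
GOOD_IP = "192.0.2.10"    # constructed: the site's real server
BAD_IP = "203.0.113.66"   # constructed: where the tampered record pointed
HOUR = 3600


class Authoritative:
    """The hosting company's name server: the source of truth for the record."""
    def __init__(self, ip):
        self.ip = ip


class CachingResolver:
    """An ISP resolver (or a PC's own cache) that remembers answers for ttl seconds."""
    def __init__(self, upstream, ttl):
        self.upstream, self.ttl = upstream, ttl
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]                # still cached: upstream is never asked
        ip = self.upstream.ip              # miss or expired: fetch a fresh answer
        self.cache[name] = (ip, now + self.ttl)
        return ip

    def flush(self):
        """Same idea as `ipconfig /flushdns`: forget every stored answer."""
        self.cache.clear()


def simulate():
    """Return {hour: (answer from ISP A, answer from ISP B)} after the record is repaired."""
    auth = Authoritative(BAD_IP)                   # the record has been tampered with
    isp_a = CachingResolver(auth, ttl=24 * HOUR)
    isp_b = CachingResolver(auth, ttl=24 * HOUR)
    isp_a.resolve("mice.org", now=0)               # both ISPs cache the bad answer
    isp_b.resolve("mice.org", now=2 * HOUR)
    auth.ip = GOOD_IP                              # the host repairs the record
    isp_a.flush()                                  # ISP A flushes its cache, ISP B does not
    return {h: (isp_a.resolve("mice.org", h * HOUR),
                isp_b.resolve("mice.org", h * HOUR)) for h in (4, 25, 27)}


if __name__ == "__main__":
    for hour, (a, b) in simulate().items():
        print(f"hour {hour:2}: ISP A -> {a}   ISP B -> {b}")
```

Customers of the resolver that flushed reach the real server at once, while customers of the other keep landing on the wrong address until its cached entry expires.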
I am still double-checking to make sure that there has been no cross-site scripting attack on my site or blog, but it looks good thus far.
If you are a victim of the XSS attack on LunarPages, use the contact link above to contact me and I will help you out. This is a terrible situation that needs to be remedied immediately.
More about security in another post soon.
To your online peace of mind, Debbie

I would like to extend an invitation to all my readers to join me in the discussion of this very important topic on Frontline Results with Louise Barnes-Johnston.
As Louise states on her BlogTalk Radio page for the radio show Monday, 10 AM CDT (4 PM BST):
Would you know what to do if it happened to you? Do you have a WordPress website? If your business depends on getting enquiries or sales through your website then people being warned not to visit could have serious consequences – to put it mildly! This show is about what happened when my friend and colleague Sam McArthur of Forty First Internet Marketing suffered this awful experience. I’ll be speaking with Sam (in the UK) and with PC Security expert Debbie Mahler of MICE Technology & Training (in the USA) to find out what steps they took to resolve the problems and secure the site again. Join us if you want to avoid being a victim of hacking.
As you may remember, I’ve discussed this hack with you on this blog before. First in the post: WP Blog Owners! Check Your .htaccess Files! and then again in a follow-up post: Follow-up on WP .htaccess Hack.
If you have a WP blog site, or know someone who does, I really recommend that you join Louise, Sam, and myself by calling into the show (347) 202-0208 or listening online live at the show page on BlogTalk Radio by clicking here. Remember, it’s 10 AM Central Daylight Time (Chicago Time) or 4 PM British Standard Time on Monday, March 29.
If you call in or chat live, you can ask questions! Now’s your chance to get your WP security questions answered!
Again, the show page is: http://www.blogtalkradio.com/louisebj/2010/03/29/flr-48–help–my-website-has-been-hacked

Here at MICE, we don’t publicly advertise our security clients because it’s an open invitation to hackers.
However, I do need to tell you that I was recently hired to look over a self-hosted WordPress blog site that had been hacked. I didn’t get to see the actual hacked message, but the client described it as a defacement of the main blog page saying, “You’ve been hacked.”
I am still trying to find out from the blog owner a few minor details to determine how it was actually done, but the .htaccess file had been modified giving the hacker permission to rewrite to all the files on the blog.
As soon as I find out the remaining information, I will post more details including screen shots of the website that the file redirected to.
I am blocking the actual redirect website with Xs in the line I found in question in the .htaccess file because I don’t want anyone going there, but if you see this code, delete it and re-upload the file.
RewriteRule .* http://xxx-xxxxx.xx/xx.cgi?4&parameter=ku [R,L]
The R flag stands for Redirect: the visitor’s browser is sent to the other address. The L flag means Last: once this rule matches, no further rewrite rules are processed.
You can open the .htaccess file in TextPad or Notepad by right-clicking it and choosing Open with.
More later, but this is your heads-up!
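One way to check a downloaded copy of .htaccess for this kind of line, as an added example that is not part of the original post: it flags every RewriteRule that sends visitors to a host you do not own. The sample file, the placeholder host redirect.example and the own_hosts list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# RewriteRule <pattern> <substitution> [flags]
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
CATCH_ALL = {".*", "^.*$", "^(.*)$", "(.*)", "^", "."}  # patterns that match any URL


def find_suspicious_redirects(htaccess_text, own_hosts):
    """Return (line_no, host, reasons) for rules that send visitors off-site."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue                                  # skip comments
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target, flags = m.group(1), m.group(2), m.group(3) or ""
        host = (urlsplit(target).hostname or "").lower()
        if not host or host in own:
            continue                                  # internal rewrite or our own domain
        reasons = ["external target"]
        if pattern in CATCH_ALL:
            reasons.append("matches every request")
        names = {f.strip().split("=")[0].upper() for f in flags.split(",") if f.strip()}
        if names & {"R", "REDIRECT"}:
            reasons.append("browser-visible redirect")
        findings.append((line_no, host, reasons))
    return findings


# Constructed sample: the standard WordPress block plus one injected line.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteRule .* http://redirect.example/xx.cgi?4&parameter=ku [R,L]
"""

if __name__ == "__main__":
    for line_no, host, reasons in find_suspicious_redirects(SAMPLE, {"mice.org"}):
        print(f"line {line_no}: {host} ({', '.join(reasons)})")
```

Run it against a copy of the file, not the live one, and list every domain the site legitimately redirects to in own_hosts so that only foreign targets are reported.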











