Web Hosting and Digital Marketing Blog

Security Issue Adobe Type Manager : CVE-2015-2426 -> PATCHED!
posted by: in Security

A few days ago, the hacking team released a few unknown exploits that are affecting all systems.
The security alert CVE-2015-2426 concerns all Windows versions and involves privilege elevation through the Adobe Type Manager Library’s DLL: atmfd.dll.

The DLL provides support for OpenType fonts, and the exploit consists of a memory corruption that would give the attacker full and hidden access.

We strongly recommend installing the latest Windows updates available in the update center of your control panel.

All Windows versions are affected, from Windows XP to Windows Server 2012. As Windows XP and Windows Server 2003 are no longer supported, no updates will patch the security issue on them.
At HostStage, we don’t have such versions running on our servers, but if your computer is based on an outdated Windows version, it is highly recommended to upgrade to a newer Windows.

We have patched our Windows servers on our end, even though the issue generally involves computers using a web browser.

Security Issue Glibc : CVE-2015-0235 -> PATCHED!
posted by: in Security

Hello,

48 hours ago, a new security vulnerability was discovered affecting most of the Linux distributions running the GNU C Library.
It is announced as very easy to exploit. You can find accurate details of the security threat quoted below:

“A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function call. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.”

At HostStage, we took action immediately throughout our infrastructure and patched all our servers (Shared Web Hosting, CentOS Linux VPS managed and unmanaged, Reseller Web Hosting, and all structural servers).
We have also contacted all Debian / Ubuntu based users with the steps to patch their server; as the patch requires a restart, we couldn’t take the liberty of applying it ourselves.

You can find the steps below to patch your servers : 

CentOS : 

You can test whether you are vulnerable by typing the command below:

rpm -q --changelog glibc | grep CVE-2015-0235

If it returns nothing, you must proceed with the glibc update with the following command:

yum update glibc -y

If glibc is already patched, the first command returns the line below:

- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).

Debian / Ubuntu :

You can test whether your OS is impacted by compiling and running the following C program:

/* ghosttest.c:  GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
 
#define CANARY "in_the_coal_mine"
 
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
 
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;
 
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';
 
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
 
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}


Then, you would need to compile it and run it as shown below : 

gcc ghosttest.c -o ghosttest
./ghosttest

The program prints one of the 2 following values: vulnerable or not vulnerable.

If you are vulnerable you would need to run the following : 

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
reboot
 
Sincerely Yours,
Vincent Royant
HostStage CEO

Linux VPS : New OS available

Hello,

We have just released new versions that you can install from your VPS control panel directly.

– Ubuntu 14.04 in 32 bits and 64 Bits version
– CentOS 7 Minimal 64 bits and 64 bits.
– Suse 13.1 64 Bits

Note : CentOS 7 doesn’t support cPanel installation just yet.

We have also updated the OS list in the order form when you are purchasing a linux VPS.

Sincerely Yours,
Vincent Royant
HostStage CEO

Security Issue bash : ShellShock CVE-2014-6271 and CVE-2014-7169 -> PATCHED!
posted by: in Security

A couple of days ago, 2 severe security threats were revealed, which were called ShellShock. The security issue concerns the bash package and affects all Red Hat based OS (including CentOS), Debian, Ubuntu and Fedora.

At HostStage, we took the problem very seriously and we deployed updates throughout our whole network. All our servers were patched immediately and even updated twice, as a second injection vulnerability was discovered.

Finally, we have also decided, given the criticality of the situation, to proceed with patching all our customers’ servers. cPanel ones, being managed, were included by default of course, but exceptionally we have extended it to all OS and we did it manually for the most part.

Shared web hosting accounts were patched during our infrastructure update.

We have updated all Linux VPS and dedicated servers. The owners of the ones we weren’t able to update, due to a password issue or because of the inconvenience the update could have caused, should have received an email including the details to perform the bash update process.

Windows VPS weren’t impacted by Shellshock.

If you have other servers which aren’t hosted by HostStage, you can test whether they are vulnerable with the commands below:

TEST OF CVE-2014-6271:

env var='() { ignore this;}; echo vulnerable' bash -c /bin/true

If this command prints “vulnerable”, your server needs to be patched, and you can scroll down to find how to fix the vulnerability.

TEST OF CVE-2014-7169:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

If this command returns the output below, you need to apply the update steps further down:

bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

You should then also be able to see a file named echo in /tmp (cat /tmp/echo).
If you get the following instead, your server is patched and up to date:

cat: /tmp/echo: No such file or directory
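
Both checks above can be combined into one script that gives a verdict per CVE. This is an added example, not part of the original post; the function names are assumptions, and the CVE-2014-7169 check runs in a private temporary directory instead of /tmp so that it never touches an existing /tmp/echo.

```shell
#!/bin/sh
# Added example: run both ShellShock checks from the post against one bash
# binary. Function names are illustrative, not from any tool.

# CVE-2014-6271: a patched bash ignores the code after the function body.
check_6271() {
    out=$(env var='() { ignore this;}; echo vulnerable' "$1" -c /bin/true 2>/dev/null) || true
    if [ "$out" = "vulnerable" ]; then echo vulnerable; else echo patched; fi
}

# CVE-2014-7169: a vulnerable bash creates a file named "echo" in the
# current directory, so the check runs inside a private directory.
check_7169() {
    dir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$dir" && env 'x=() { (a)=>\' "$1" -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$dir"
    echo "$verdict"
}

# $1 is the path of the bash binary to test.
shellshock_status() {
    bash_bin=$1
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "not-found"
        return 0
    fi
    echo "CVE-2014-6271=$(check_6271 "$bash_bin") CVE-2014-7169=$(check_7169 "$bash_bin")"
}

# Default to the bash found in PATH when no argument is given.
shellshock_status "${1:-$(command -v bash || true)}"
```

Passing a path as the first argument tests another bash binary, for example one inside a chroot or a container image that has been unpacked on disk.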

You can find below the steps to update the bash package for each Linux distribution:

CentOS:

yum clean all && yum update bash -y

Ubuntu 11.10:

sudo sed -i 's/oneiric/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y

Ubuntu 12.10:

sudo sed -i 's/quantal/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y

Ubuntu 13.10:

sudo sed -i 's/saucy/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y

Other Ubuntu Version:

1) You need to grab the codename of your Ubuntu distribution by typing the following command:

lsb_release -a

Which should give you the output below:

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu X.X
Release: X.X
Codename: <codename>

2) Then you would need to type the command below without the < and >

sudo sed -i 's/<codename>/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y

Debian 6 Squeeze:

echo 'deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib' > /etc/apt/sources.list

apt-get update

apt-get install bash

Debian 7 Wheezy:

echo 'deb http://security.debian.org/ wheezy/updates main contrib non-free' > /etc/apt/sources.list

apt-get update

apt-get install bash

HostStage Now Accepts Bitcoins!
posted by: in Announcements

Finally, after numerous requests, we have decided to take the plunge into Bitcoin!
You can now pay your invoices through the Coinbase gateway and use your bitcoins.
You’ll benefit from the instant activation, the 30 days moneyback guarantee, the automatic subscription and a conversion rate based on the current bitcoin value.

We decided to support Bitcoin because it was a widely requested feature, and we also understand that for a web hosting company it is quite relevant to support cryptocurrencies.

You can find the list of our different payment gateways below : 

– Paypal
– 2 checkout / Credit Cards, debit cards, master cards, Visa, American Express
– Moneybookers / Skrill
– Payza
– Bitcoins

We are still eager to receive your suggestions if you want to see other payment gateways implemented. That being said, at this time, we have fulfilled all the customers’ requests regarding payment gateways over the last 4 years.

Sincerely Yours, 
Vincent Royant
HostStage CEO


Various Improvements : Changelogs

Over the last few days, we have deployed a few miscellaneous enhancements to increase the quality of our services.
You can find the change log below :

Client Area : 

Changes / Fixes :

– New client-area security layer. We added the option to define a personal security question, which is then required to change your client-area password. It remains optional but is strongly recommended.
You can define it while logged in to your client area from the link below:
https://www.host-stage.net/client-area/clientarea.php?action=changesq
– Email change from the client-area is now locked and shall be done exclusively through a support ticket when required. We will ask for information to confirm your identity before proceeding with the email change.

To come:

– New website design and new client-area functionality.

Shared Web Hosting :

Changes / Fixes :

– Increased the PHP upload limit from 2 Mb to 15 Mb, as per one specific customer’s request.
– Process count tracking and allowance. This takes shared web hosting account isolation even further by preventing a single account from clogging the server.
Process limits are defined by your hosting offer: Starter – 20 simultaneous processes, Premium – 30 simultaneous processes, Business – 40 simultaneous processes
**For all the business accounts registered before the 9th of August 2014, a manual override remains possible depending on the situation.**

To come :

– New Canadian server location soon to be available

Linux VPS :

Changes / Fixes :

– Better outgoing DDoS attack tracking with instant mitigation. We have set up a system which tracks VPS performing outgoing DDoS attacks at the node level.

We used to track these abuses at the network level and null route the IP once an attack had been detected. Unfortunately, the few minutes of delay in the old system still caused some inconvenience (packet loss, network clogging, latency increases). The current system works at the node level and acts before the effects of an outgoing DDoS attack from a compromised VPS can be felt, as the VPS is suspended immediately. The old tracking system remains active as a safety net.

To come :

– VPS location selector upon order between locations available. 
– Greater control panel integration in the client-area
– VPS reseller offers (finally became a priority)

Windows VPS :

Changes / Fixes :

– Hardware upgrade of our next gen Windows VPS node. We changed the RAM from 1600 MHz to 1866 MHz frequency and increased the storage capacity by 30% so we can keep migrating the Windows VPS to the next gen node.

To come:

– New next gen Windows VPS node deployment.
– Control Panel massive deployment. The control panel is currently available for our next Gen Windows VPS; we will make it available for all customers whether they are on the newer offer or not, as the migration will take another 6 months.
** The next Gen Windows VPS offer isn’t available to the public yet; it will be available once we have migrated all our current customers, who are prioritized.**

Any suggestion is more than welcome to add new features, new services and more and if we can do it right away, we will!
Sincerely Yours, 
Vincent Royant
HostStage CEO

New Offer : VPS Level Freeze -> Windows and Linux VPS

Today, we are introducing one of our most requested services, which adds some flexibility.
Many users wanted the possibility to freeze their VPS for a couple of months while they are on vacation or don’t need their VPS for the time being.
However, not losing the data, files, and applications was mandatory, while avoiding paying the VPS fees in the meantime.

Therefore, we have just released the VPS Level Freeze, which costs $3.50 per month (monthly billing only) and allows us to keep your VPS data for up to 3 months.
You can retrieve access at any time you please, even during an ongoing VPS Level Freeze billing period.
The cost remains the same whether you have a Windows VPS level 1 or a Linux VPS level 8.

You’ll have the possibility to use the VPS Level Freeze twice a year (so 6 months overall) but not 6 months in a row, in order to minimize the amount of data we have to keep backed up. However, you can opt for a 3 months freezing period, 1 month of subscription and then another 3 months of freezing period.

We will even secure your data by migrating the VPS hard drive / data to a secured RAID 10 array.

You can start freezing your VPS by upgrading your VPS from your client area to the VPS Level Freeze.

Once again, we do hope that this new offer will be warmly welcomed, and of course we are awaiting your support tickets mentioning all the features and services you would like to see.
Sincerely Yours, 
Vincent Royant
HostStage CEO

Shared Web Hosting : Various Background Improvements

Hello,

Over the last few days, we have deployed a couple of improvements to the shared web hosting servers.
We have updated our backup servers with a 250% bigger capacity so we can keep performing the 7 days backup retention for each website plus the monthly backup.
It allows you to restore 8 different versions of any file or MySQL database over the last 7 days, even if it changed on a daily basis.
Such a backup system involves massive storage needs: for instance, a 10 Gb web hosting account takes more than 80 Gb of backup storage (excluding the MySQL databases and the email backups, which come on top of the 80 Gb).
The backup restoration will be fully available in 3 days, but you can still restore your files over the last 5 days in the meantime.

The second major improvement was upgrading our mod_security rules to a higher-quality set in order to tighten the security of your websites and block some common exploits which may affect your user experience.
This deployment may affect some custom scripts you are using; feel free to open a support ticket if you are facing any issue. We have a few procedures that let you keep using your scripts while we update the mod_security rule that is causing the issue.

We sincerely hope as usual that these changes will please you. 

Sincerely yours, 
Vincent Royant 
HostStage CEO

Linux VPS : Weak Password Hunt!

Hello,

We are currently deploying an algorithm to detect weak passwords, which create a significant vulnerability for your VPS.

If your password is considered too weak (included in the most famous brute force dictionaries or not including a complex string), it will be changed automatically to a more secure one and we will email the owner of the VPS concerned.

Over the last few months, we had a couple of hacked VPS which caused a serious inconvenience for their users.

We are taking our responsibilities and we have decided to step into the security of your Linux VPS.

We sincerely hope that this policy will be welcome. 

Sincerely yours, 
Vincent Royant 
HostStage CEO
