amuck-landowner

Fiberhub Website has been infected....

Munzy

Active Member
I have also taken the liberty of contacting Pastebin and requesting they take down the code as well as putting a ticket in with fiberhub themselves. 
 

HalfEatenPie

The Irrational One
Retired Staff
wow thanks for stealing my thunder!  I told you on skype! /s


Haha just kidding.  But yep.  Contacted Fiberhub team, their response was:

Hello,


Thanks for letting us know. Our admin team are already working on the issue.


--
Rob
Versaweb Support

They're already on the case! 
 

Licensecart

Active Member
The fact of the matter is wordpress is not the problem. Poorly written themes / plugins are the problem.  Unlike for example solusvm.....

true but they are getting updates for the core and their lack of security as they patch up so much. But it's free :). SolusVM had a full audit back in 2013 I believe.
 

Hxxx

Active Member
Title should be updated to only reflect the website in question and not fiberhub as a whole.


Also if you reported this to Fiberhub I fail to see the purpose of this thread, some bad PR maybe?
 

Licensecart

Active Member
Title should be updated to only reflect the website in question and not fiberhub as a whole.


Also if you reported this to Fiberhub I fail to see the purpose of this thread, some bad PR maybe?

Alerting any customers who may visit (or have visited) their website and get sent elsewhere 
 

HalfEatenPie

The Irrational One
Retired Staff
true but they are getting updates for the core and their lack of security as they patch up so much. But it's free :). SolusVM had a full audit back in 2013 I believe.

Haha personally I'm fine with Wordpress.  The biggest issue with wordpress is the poopily coded themes or plugins with the vulnerabilities.  It's one of those systems where people focus more on the "final result" rather than the journey to get there (e.g. they care about the end theme more rather than what resources and how they code the final theme).  Therefore, it frequently has vulnerabilities from the themes or the plugins.


Remember that Wordpress has millions if not more people using their software, whereas SolusVM is probably a few thousand, if even.  Wordpress code is also used in enterprise deployments, and more than likely has been looked over and is constantly being reported on to fix.  I doubt SolusVM can afford that level of scrutiny ;)  Remember one go-through/audit of the code can still miss some crucial bugs.  


As long as you use common sense, proper security measures (maybe even fiddling with permissions more), and constant updating/patching, you should be fine.  The only reason Wordpress is such a major target is because of its large deployment.  Kind of like casting out the biggest net you have and seeing which hits.  It's to be expected.  


But that was me simply complaining about wordpress.  Yarr.  

Title should be updated to only reflect the website in question and not fiberhub as a whole.


Also if you reported this to Fiberhub I fail to see the purpose of this thread, some bad PR maybe?

Title changed to add "website" to make sure we're stating it's just the website.  Thanks! 
 

graeme

Active Member
Haha personally I'm fine with Wordpress.  The biggest issue with wordpress is the poopily coded themes or plugins with the vulnerabilities.

The main reason people use Wordpress is because it has all those themes and plugins. If you limit yourself to just Wordpress and a handful of plugins and themes you know are well coded then you cannot use it for a lot of the sites it is used for.
 

The only reason Wordpress is such a major target is because of its large deployment.  Kind of like casting out the biggest net you have and seeing which hits.  It's to be expected. 

The Windows excuse. The number of attacks and vulnerabilities found seems disproportionate to even taking wide use into account. In any case, why use something you know will be a target?
 

Licensecart

Active Member
The main reason people use Wordpress is because it has all those themes and plugins. If you limit yourself to just Wordpress and a handful of plugins and themes you know are well coded then you cannot use it for a lot of the sites it is used for.
 


The Windows excuse. The number of attacks and vulnerabilities found seems disproportionate to even taking wide use into account. In any case, why use something you know will be a target?

Good post, but that's the same "everyone uses what's popular" attitude; they don't care about "security". WHMCS had 2 of the biggest exploits in history in 2013 because of their lack of coding experience, but they are still popular and I can't visit one webhost without seeing it. I don't use any security passwords on any company I use which uses WHMCS, simply in case they get attacked, so I don't have to worry about the important bits in my business. The other bad thing which is popular is vBulletin forums, which seems to be poorly coded; not sure about security attacks lately, but their vB5 is so crap people have finally seen the light and moved to IPB or Xenforo. Suppose it's life; popular things are higher than security :D.
 

HalfEatenPie

The Irrational One
Retired Staff
The main reason people use Wordpress is because it has all those themes and plugins. If you limit yourself to just Wordpress and a handful of plugins and themes you know are well coded then you cannot use it for a lot of the sites it is used for.
 


The Windows excuse. The number of attacks and vulnerabilities found seems disproportionate to even taking wide use into account. In any case, why use something you know will be a target?

Point 1: This depends on the intended use and purpose of the Wordpress software.  You might be shocked to hear that Wordpress was originally built to be a blogging platform.  It simply has pretty good CMS features included as well (as well as the admin panel being really straightforward).  Additional plugins and themes simply modify these experiences to whichever specific need you have.  However, there is different software available for different purposes.  I don't think you understand that InfoSec is very very behind actual development right now, so there's no 100% guaranteed no-vulnerability software available.  However, you can minimize this by taking proper actions, such as updating all software regularly and setting up proper permissions.  This would include using a piece of software for its intended purpose, not as a bloated CMS + Podcast + RSS Feed Aggregator + Theme with 200 sliders and a dynamic widget importing Facebook likes.  


There's nothing wrong with Wordpress being so popular because of their numerous themes and plugins; however, with popularity (and having such a large ecosystem) come more developers and designers wanting to cash in/develop within that ecosystem.  This means a high possibility of poorly coded themes/plugins.  Simply all I'm saying is use the software for what it's intended for.  If you have other needs, look into an alternative or maybe look in depth at what you're installing.  If you're still willing to take the risk then go for it.  However, all I was stating before was that Wordpress the software itself is fine and isn't like Swiss cheese.  It's the plugins and the themes that are usually vulnerable. 


Point 2: I don't see why you'd call it a Windows excuse.  It's not an excuse for anything.  It's not trying to prove anything.  It simply states that because it has such a large deployment, those who want to exploit it have the advantage of "reusing" their code to try and hit multiple deployments at once.  It's simply common sense.  Fish in a bigger pool with more fish.  


The bottom line is this.  In a theoretical perfect world, everything would be properly maintained, and software would be coded to the highest standards to minimize potential security vulnerabilities and maximize efficiency.  However, in the real world this isn't very true.  There is no single "most optimized" method in anything.  Even in science and engineering, no single model is correct and each has different strengths and weaknesses.  The way Linux is working right now, it's not very simple and straightforward.  It's not very user friendly.  I mean it's gotten much much better, but it's not the most user friendly operating system that someone who isn't a power user would have an easy time working on.  Windows and Mac are considered easier to use and work on, especially since more people are familiar with them as well as having more resources available.  


There's no commonly accepted standard.  There have been initiatives to adopt a common standard; however, if one person doesn't adopt it then that's that.  The ability to communicate between a Windows environment and a Linux environment isn't that easy and very frequently requires a complex setup to do it properly.  For example, Microsoft Word uses the standardized docx filetype for its word documents whereas OpenOffice/LibreOffice use odt.  odt is an open standard, and docx is another open standard.  However, both pieces of software operate within a different ecosystem and (in the end) "convert" each file format to be readable in their native system.  If all the systems worked within the same standard, then it would be fine.  However, the effect of this is a different end user experience (another example could be the different web browsers using different rendering engines).  


Geeze I use the word however a ton.  In the end, the reason I use Windows is simply because my workplace uses it, and sharing files and information between operating systems doesn't 100% work properly.  Windows by itself is a very stable and a good operating system.  Similar to Linux, the largest vulnerability is usually the end user being a total idiot and not knowing what they're doing.  Just like what I said about Wordpress, you can't blame the software for being "bad" and "vulnerable" if it's usually the decision making of the end user that opens it up to such vulnerabilities.  


tldr: Wordpress is coded fine.  It's usually the end user (decision maker) who installs vulnerable themes and plugins that sucks.  Just like how Windows is coded fine.  It's usually the end user (the decision maker) who installs vulnerable software and goes to questionable websites that sucks.  Don't blame the software for a person's stupidity.  
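"Setting up proper permissions" is the part of this advice that is easiest to state and easiest to get wrong on a real document root. The script below is an added example (not code from this thread, from Fiberhub or from WordPress) that audits a WordPress install against an assumed policy: directories 0755, regular files 0644, wp-config.php 0600, and nothing more permissive than that. The policy values and the sample tree it builds in a temporary directory are constructed for the example; findings are reported as chmod commands for review rather than applied.

```python
import os
import stat
import tempfile
from pathlib import Path

# Policy for this example (an assumption, not something the thread specifies):
# directories 0755, regular files 0644, wp-config.php 0600. Anything that grants
# more than the policy allows is reported; stricter modes are left alone.
EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644
SENSITIVE_FILES = {"wp-config.php": 0o600}


def audit_permissions(root):
    """Walk a WordPress document root and return sorted (relative_path, actual_mode, expected_mode) findings."""
    root = Path(root)
    findings = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlinks carry no meaningful mode of their own
        actual = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            expected = EXPECTED_DIR_MODE
        else:
            expected = SENSITIVE_FILES.get(path.name, EXPECTED_FILE_MODE)
        if actual & ~expected:  # at least one bit is set that the policy does not grant
            rel = "." if path == root else str(path.relative_to(root))
            findings.append((rel, actual, expected))
    return sorted(findings)


def remediation(findings):
    """Turn findings into chmod commands for an admin to review; nothing is executed here."""
    return [f"chmod {expected:o} {rel}" for rel, _actual, expected in findings]


def build_sample_tree():
    """Create a constructed mini document root with two deliberate misconfigurations."""
    root = Path(tempfile.mkdtemp(prefix="wp-perm-audit-"))
    os.chmod(root, 0o755)
    for rel in ("wp-content/themes/demo", "wp-content/uploads"):
        (root / rel).mkdir(parents=True)
    for rel in ("wp-content", "wp-content/themes", "wp-content/themes/demo"):
        os.chmod(root / rel, 0o755)
    os.chmod(root / "wp-content/uploads", 0o777)  # misconfiguration 1: world-writable uploads dir

    files = {
        "index.php": 0o644,
        "wp-content/themes/demo/functions.php": 0o644,
        "wp-config.php": 0o644,  # misconfiguration 2: config readable by group and others
    }
    for rel, mode in files.items():
        target = root / rel
        target.write_text("<?php // constructed placeholder, contains no real secrets\n")
        os.chmod(target, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    findings = audit_permissions(sample_root)
    for rel, actual, expected in findings:
        print(f"{rel}: mode {actual:o}, policy {expected:o}")
    print("\n".join(remediation(findings)))
```

The check is deliberately one-sided: it only flags bits the policy does not grant, so a site that runs tighter than 0644/0755 produces no noise, and wp-config.php is treated separately because it holds the database credentials.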
 

drmike

100% Tier-1 Gogent
Zero way for an end user / customer of WordPress to determine what is malware, what is coded poorly, etc.   In fact WordPress is targeted at know-nothings who don't want a CompSci degree to launch their website, put out a brochure for a new product, etc.


"WordPress.com is the easiest way to create a free website or blog."


Easy + free, what could go wrong?  I mean it's about as problematic as easy + cheap as an industry segment we all know.


WordPress needs to A. die or B. get to auditing officially submitted on-site apps / plugins to weed out / police potential issues... 'cause a WP security issue is just that.  No one goes "WP is exempt, it was some stupid plugin author."   Lord knows, there have been many intentional malwares pushed through the official plugin channel for WP that went undetected for years.
 

Munzy

Active Member
Title should be updated to only reflect the website in question and not fiberhub as a whole.


Also if you reported this to Fiberhub I fail to see the purpose of this thread, some bad PR maybe?



Just wanted to post that there was a hack of their website. No bad PR intended. I took a look at the code lightly and didn't notice anything worse than a redirector. However, it was injected into the code and could possibly have taken data. As such, just a security post. Do with it as you wish.
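Munzy describes a redirector injected into the site's code. The script below is an added example (not code from this thread, from Fiberhub or from WordPress) of the two checks a defender runs on a site in that state: an integrity comparison of theme files against a known-good hash manifest taken before the incident, and a heuristic scan for the indicators that injected redirectors usually leave (a decoded payload fed to eval, a server- or client-side redirect, long hex-escaped or minified-looking lines, and PHP sitting in the uploads directory). The theme files, the baseline manifest, the indicator list and the `example.invalid` redirect target are all constructed for the example.

```python
import hashlib
import re

# Heuristic indicators of injected redirect/obfuscation code. The list is written
# for this example; each pattern can also occur in legitimate code, so hits are
# leads to review, not verdicts.
INDICATORS = [
    (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
    (re.compile(r"header\s*\(\s*['\"]Location:", re.I), "server-side redirect"),
    (re.compile(r"(?:window|document|top)\.location(?:\.href)?\s*=", re.I), "client-side redirect"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "long hex-escaped string"),
]
MAX_SANE_LINE = 400  # minified-looking lines in a theme file deserve a look


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def scan_content(content: str) -> list:
    """Return the labels of every indicator that fires on one file's content."""
    hits = [label for pattern, label in INDICATORS if pattern.search(content)]
    if any(len(line) > MAX_SANE_LINE for line in content.splitlines()):
        hits.append("very long line")
    return hits


def check_integrity(name: str, content: str, baseline: dict) -> str:
    """Compare a file against a known-good hash manifest taken before the incident."""
    if name not in baseline:
        return "unknown"  # not in the baseline: a new file, worth a look on its own
    return "ok" if sha256_hex(content) == baseline[name] else "modified"


def scan_site(files: dict, baseline: dict) -> dict:
    """files maps relative path -> content; the result maps path -> integrity status and indicator hits."""
    report = {}
    for name, content in files.items():
        indicators = scan_content(content)
        if name.startswith("wp-content/uploads/") and name.endswith(".php"):
            indicators.append("php file in uploads")  # uploads should hold media, not code
        report[name] = {"integrity": check_integrity(name, content, baseline), "indicators": indicators}
    return report


# Constructed sample theme files; the baseline is the hash manifest of the clean versions.
CLEAN_HEADER = """<?php
/**
 * Theme header (constructed sample for this example)
 */
?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><?php wp_head(); ?></head>
"""
CLEAN_FUNCTIONS = """<?php
// Theme functions (constructed sample for this example)
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('demo-style', get_stylesheet_uri());
});
"""
BASELINE = {"header.php": sha256_hex(CLEAN_HEADER), "functions.php": sha256_hex(CLEAN_FUNCTIONS)}

# The "compromised" state: a decoded-eval stub prepended to header.php (the base64 is just the
# word CONSTRUCTED), a script redirect added inside <head>, and a stray PHP file in uploads.
INJECTED_HEADER = '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n' + CLEAN_HEADER.replace(
    "<head>", '<head><script>window.location.href="http://example.invalid/";</script>'
)
DROPPED_FILE = '<?php header("Location: http://example.invalid/"); exit; ?>\n'
SAMPLE_SITE = {
    "header.php": INJECTED_HEADER,
    "functions.php": CLEAN_FUNCTIONS,
    "wp-content/uploads/cache.php": DROPPED_FILE,
}

if __name__ == "__main__":
    for name, result in scan_site(SAMPLE_SITE, BASELINE).items():
        print(f"{name}: {result['integrity']}, indicators={result['indicators']}")
```

The integrity check is the reliable half: any file whose hash differs from the pre-incident manifest, or that the manifest has never seen, is reviewed regardless of what the pattern scan says. The indicator scan only prioritises that review; a theme that legitimately sets `window.location` will show a hit too, which is why the output is a list of leads rather than a clean/dirty verdict.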
 

DomainBop

Dormant VPSB Pathogen
tldr: Wordpress is coded fine.  It's usually the end user (decision maker) who installs vulnerable themes and plugins that sucks.  Just like how Windows is coded fine.

I'll disagree with both statements.  Security hasn't been a top priority for either WP or Windows developers.  WordPress and Windows both have a very long history of endless critical vulnerabilities (and in the case of Windows many times it is months, and in a few cases over a year, before those gaping security holes are fixed.)  Over the years (based on CVEdetails stats), the various versions of Windows Server have had 1321 total vulnerabilities, and the Windows desktop versions' track records are even worse (3277 total).  Windows Desktop (3277) + Server (1321) combined: 4598 total vulnerabilities. Now compare those totals to FreeBSD (314 total) and Solaris (590), or even the Linux kernel (1338).


WordPress: 205 vulnerabilities in WP code itself over the past 10 years (i.e. not in themes or plugins), many of those critical.  11 in 2015, 29 in 2014... For anyone who is counting, the last WP patch to fix holes in the WP code was only 19 days ago ("WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised").  WP is also written in PHP [snide PHP comments censored]...

"WordPress.com is the easiest way to create a free website or blog."

That I would agree with. Installing the frameworks/software stacks needed to run competing blog platforms like Ghost (node.js) or Publify (Ruby on Rails) requires a little more technical knowledge.  Things like Docker and cloud services like Bitnami may or may not eventually make deploying Ghost or Publify just as easy for the average person as installing WordPress.

 It simply has pretty good CMS features...

If someone is looking for an industrial-strength CMS for their business, they should take a look at Plone (written in Python), which has some pretty good CMS features too and has a much better security track record than WP/Joomla/Drupal (Plone has had 55 total vulnerabilities compared to WP's 205).   Django CMS (more Python) is another good option...
 

HalfEatenPie

The Irrational One
Retired Staff
Mhm fair enough.  Most of the time though, my opinion is that Wordpress would handle the job.  


However I was reading Akamai's state of the internet report (Q3 though) and their security writeup does mention Wordpress Vulnerability scanning/brute forcing/etc. has increased in Q3 2015 more than previously. 
 

GM2015

New Member
The problem with wordpress developers is that they keep adding more useless bloating features as they are fixing their previous security flaws.


Like emojis. I mean really?


Are you developing the platform for 15 year olds?
 

wlanboy

Content Contributer
Looking at the TOP-50 providers of CVE issues:


[image: cve-top-50-top30.jpg]


You have the Who-Is-Who of software developers.
I don't think that using popular software is less secure than using that-new-shiny Python thing.


All that discussion reminds me of the "security by obscurity" dogma. The Hackaz don't know my software so it is secure.
 

HalfEatenPie

The Irrational One
Retired Staff
Looking at the TOP-50 providers of CVE issues:


[image: cve-top-50-top30.jpg]


You have the Who-Is-Who of software developers.
I don't think that using popular software is less secure than using that-new-shiny Python thing.


All that discussion reminds me of the "security by obscurity" dogma. The Hackaz don't know my software so it is secure.

That's really how I feel personally.  
 