If you weren’t already aware, a bug was found in the SSL v3 protocol that could allow hackers to intercept secure traffic. This exploit renders SSL v3 insecure, and unfortunately it is not something that can be fixed. Since one of our primary goals has always been to run a secure platform, we removed SSL v3 support back in October.
If your application connects to a remote HTTP based API service (through web service, WCF service or REST API), you’ve probably already (or soon will) receive a notice from the provider that they will no longer support SSL version 3.0 due to the security bug.
As a major hosting provider, we deal with compromised sites on a daily basis, so we’ve seen just about every site compromise scenario. If your site is compromised you may wonder, “Why me? What is the benefit to the hacker?”
Chances are it’s not your site specifically that’s being targeted, but rather any site that can be compromised. You just happen to fall into that category. In general, hackers compromise websites for one of the following reasons:
- To get access to a well-connected web server to launch an attack on another network.
- To steal sensitive files or data, e.g. a database containing personal information and credit card numbers.
- To use your site to host spyware, malware or phishing pages.
- To use your site to send out spam.
How do they get through?
Based on our experience, hackers typically compromise sites in the following ways.
Through known security holes in your application
For example, if you are using a wordpress plugin that has security issue and you’ve neglected to update it, hackers can seek out your site using search engines like Google and perform an automated bot attack that will compromise your site. Last month over 50,000 WordPress site were hacked through plugin vulnerability. It can happen to anyone.
Weak Password on your third-party application
Every day we see bots coming into our network scanning for well known applications. Once one of those applications is identified, the bot attempts a brute force dictionary attack to crack the administrator password.
Insecure upload form
This is a very common problem we see virtually every day. Many websites have a photo/document upload mechanism for their users. If the upload application is not secure, hackers can easily upload a webshell. Once the webshell is uploaded, the hacker can upload more files to further compromise your site.
Compromised FTP account
If your local PC is compromised, a hacker can easily install a key logger to capture all your traffic, including email and FTP usernames and passwords. Once they have your account credentials, they can upload anything to your site. If you delete the malicious files but aren’t aware that your credentials have been compromised, they will likely upload the files again every time you delete them.
What we are doing to help
We started noticing a rapid increase in the number of compromised sites about a year ago. We also found that most of our customers needed help fixing and securing their sites. That’s not surprising, considering the lengths many hackers will go to in order to cover their tracks. So we have taken a number of steps in order to help alleviate the problem.
Regular scans for known compromises
We scan every web server looking for known exploits, and we will notify you if we find anything.
SiteLock is a third-party company that provides a daily scanning service that can automatically remove malware and alert you to weaknesses.
Site Cleaning Service
As I mentioned, a lot of people receive a notice from us that their site has been compromised and aren’t really sure what their next step should be. We recently began offering a site cleaning service that will remove malware and compromises, try to identify how they happened, and provide a 30 day follow up to make sure you aren’t compromised again. If we identify a compromise on your site we will provide details about the service.
What you can do to avoid being hacked
There are a number of things you can do to secure your web applications.
Keep your applications up to date
We have seen some customers running third-party applications that are several years old and several major versions behind. If your application doesn’t notify you of updates, make it a point to check for updates yourself every few months. This is the easiest, most effective way to keep your site secure. If you use an application that is no longer being developed or updated, find a replacement that is actively developed! It may be a pain to make that change, but it is worth the effort.
Change the default password
There are bots on the Internet that scan for software that is still using the default password, or administrative user name. WordPress, for example, creates the user “Admin” when it is installed. You should change that username, or create a different admin user and delete the default.
Install Anti-virus software on your computer, and keep it up to date
A free antivirus is better than no antivirus. There are a number of decent programs out there that you can use at no cost. Though a paid version of one of the big antivirus programs is usually going to afford more up to date and comprehensive protection.
Configure FTP to allow only your IP address to connect
You can do this in Control Panel with the ISS Tools FTP Manager. Look for the FTP IP RESTRICTION section.
Use complex password for your web applications, FTP and email (actually for everything!)
We recommend at least 8 characters with at least one upper case letter, one digit and one symbol. The longer it takes to crack your password, the more likely it is that a bot will give up and leave for greener pastures.
If you site has any upload functionality, do the following:
1) Your code should block users from uploading executable file extensions like .asp, .aspx, .php, .exe, etc.
2) Execute permissions should be disabled on the folder where you allow users to upload files. To disable execute permissions, create a web.config file in the folder and include the following:
<configuration> <system.webServer> <handlers accessPolicy="Read" /> </system.webServer> </configuration>
Protecting your site from malicious bots and hackers is more important than ever. Times have changed and a “small” site is no longer safe. They are looking for any site, anywhere, and if you don’t make it difficult for the bad guys to get in, they are going to hit you. It’s not a question of if, but when.
Getting Errors After Deploying your Application?
After deploying your application, you might see the following error message…
Could not load file or assembly ‘System.Web.Mvc, Version=220.127.116.11, Culture=neutral, PublicKeyToken=31bf3856ad364e35′ or one of its dependencies. The system cannot find the file specified.
This is due to the MVC binaries not being installed in the GAC on the server. But do not fret, the GAC is optional for MVC 3! To get your application to work properly, the necessary DLLs must be published to the application’s bin directory. Visual Studio 2010 provides a simple way to deploy the needed dlls. Here’s how:
1) Right click on your project and click on “Add Deployable Dependencies”. You should see the following dialog box:
2) Depending on your project, click the appropriate dependency. Once you click OK, you should see a new folder, _bin_deployableAssemblies in your project tree.
3) Deploy your application as you normally would and Visual Studio 2010 will now deploy all the listed DLLs onto the server.
Note that you can also use the same method to deploy SQL CE 4.0 dlls.
Most of our customers use FTP or Microsoft Web Deploy to upload their local application to their hosting space. In some situations, you may not be able to access your site using these methods, for instance if there are network restrictions in your workplace.
In this article, I am going to show you how to install a simple .NET file manager, FileVista, on your site. You can use this tool to upload/download files on your site.
1. Download FileVista from Gleamtech. The single user license is free.
2. On the download page, make sure you select the “Web Deploy Package.”
3. Once you download the zip file, extract it to a temporary location on your computer.
4. Within the extracted directory, you should see a directory named FileVista.
5. Upload the contents to a subdirectory of your site.
6. Once the upload process is completed, log in to Control Panel and go to the Web Application Tool.
7. In the Web Application Tool, select the directory where you uploaded FileVista, and click Install Application.
8. Now, navigate to the location where you installed FileVista, in this case, /filevista. You should see the welcome wizard:
9. Click Next. On the next screen, you can choose whether you want to use a file based database or SQL server. I highly recommend using the file based database unless you intended to have many users.
10. Click Next. You should see a Pop up displaying the preinstallation test result. Click OK.
11. On the next page, you’ll configure the following:
a. Set the administrator username and password.
b. Set the default language.
c. Set the Root Folder. The root folder is where the file manager will point when you log in. If you intend to use this tool to manage your site, set the root folder to: /
12. Click Next and you are done. You’ll be taken to the login screen.
13. Log in with the username/password you specified during installation.
14. You should now see a pop-up asking if you want to use the free version or a commercial version. Select the free license mode unless you have purchased the product.
Unlike software that includes an automatic updater that periodically checks for updates, WebMatrix doesn’t seem to have such a feature.
On Feb 18th, Microsoft released an updated version of WebMatrix which includes a number of bug fixes. See this IIS forum post for further details.
I upgraded my WebMatrix installation as suggested in the above post. Although the upgrade took a long time (over 10 minutes), WebMatrix worked just fine after the upgrade. All the settings and projects are also intact.
If you have WebMatrix installed, I recommend you upgrade as soon as you get a chance.
What is Orchard?
In the short term, the Orchard project delivers a .NET-based CMS application that allows users to quickly create content-driven Web sites, and provides an extensibility framework that will allow developers to provide additional functionality through module extensions and themes.
In the long term, the Orchard project is a free, open source project aimed at delivering applications and reusable components on the ASP.NET platform.
You can find more information at http://orchardproject.net/
What database does the Orchard CMS require?
You can use either MS SQL Server or MS SQL CE 4 as your database.
Does DiscountASP.NET hosting platform support Orchard?
Yes, we’ve tested installing Orchard on our ASP.NET Hosting platform and it works! Your site needs to be on Windows Server 2008 since Orchard requires ASP.NET 4.0.
How do I install Orchard?
Manually: You can install Orchard manually by uploading the files. Here’s a link to documentation: http://www.orchardproject.net/docs/Manually-installing-Orchard-zip-file.ashx
WebMatrix: You can deploy Orchard using WebMatrix. You may want to use our new Web Deploy Publish Settings Generator in the control panel. We have a new knowledge base article on deploying apps with WebMatrix too.
Control Panel Web App Gallery: We’ve added Orchard to the Control Panel Web Application Gallery available to customers on our Windows 2008 hosting platform for an easy one-click deployment!
Orchard Resource links:
For certain applications, you might need to write/modify files on your site, e.g., logging, file based database, etc. Recently, we have seen some customers reporting an access denied error when their application tries to write/modify files within their website.
We found that when you deploy your website using the WebDeploy feature of Visual Studio 2010, the deployment package actually contains couple of SetAcl rules
- change the aspnet user to only have read access.
- Change the aspnet user to have change (RW) access to the app_Data directory
This means that if the file you are trying to change is not within the app_Data directory, you’ll get an access denied error.
In theory, this concept is good because it makes your site more secure, however, there are some problems associated with it.
- You cannot tell VS.NET to change the rule to allow write permission to directory other than app_Data. As a result, you will need to rewrite your application to store the updatable file within the app_Data directory.
- There’s no UI configuration to tell VS.NET to not mess with permission on the server
So…what do we do?
After some research, it looks like you can configure VS.NET to not change the NTFS permission when deploying using webdeploy. The process is not very straightforward, but works nonetheless:
- Open your project file (.csproj or .vbproj) in notepad or any other text editor
- Navigate to the proper property group (you get one node for each compile configuration)
- Within this element
- <propertygroup condition=” ‘$(Configuration)|$(Platform)’ == ‘Release|AnyCPU’ “>
- Add <includesetaclproviderondestination>False</includesetaclproviderondestination>
- You’ll need to add this line for each configuration that you want SetAcl disabled.
- Save the project file
- Reopen it with VS.NET
- Note that by adding this, it will not “Fix” the permission on the server. If any previous deployment changed the permission, you’ll have to contact our support team to reset the permission.
I am sure Microsoft will make some enhancements to VS.NET in the future releases. In the meantime, you’ll have to use this rather tedious workaround.
Microsoft announced the release of MVC 3.0 earlier today. To learn more about the new features in MVC 3.0, read Scott Guthrie’s blog post.
Can you use MVC RC on your DiscountASP.NET account?
While we have not installed this assembly on our servers yet, our tests indicate that MVC 3.0 is bin deployable. So you can simply upload the MVC 3.0 dll to the application’s bin directory.