So long to 2020 – Welcome 2021

Takeshi EtoAs with the beginning of every new year we were excited about the prospects that 2020 would bring. But those thoughts were soon shattered with news of a rapidly spreading disease that ultimately turned into a full-blown pandemic.

Stay-at-home orders soon followed, and we took quick action to shift to a remote workforce. We were fortunate since we were already set up with the ability for our system admin staff to work remotely, so the transition to remote work for all our staff was relatively smooth.

To get through this new reality, we knew our customers would increasingly rely on their online presence so it was important for us to be able to maintain and enhance our hosting infrastructure and services while continuing to provide excellent customer support. It was a tough 2020, but I’m extremely proud that our team delivered on our hosting promises.

Highlights from 2020

At the end of most previous years, I usually reviewed the past year and posted Top 10 lists of things that we accomplished. In this post, I’ll just highlight a several things we accomplished in 2020.

Technology Enhancements

We installed PHP 7.4.x and PHP 7.3.x for our PHP users. (We also deprecated PHP 5 which had reached its end-of-life and posed serious security issues.)

We kept up with Microsoft’s .NET initiatives. We launched support for .NET 5 (ASP.NET Core 5.0) and .NET Core 3.x for Framework-Dependent Deployment (FDD). Please note that we maintain a list of .NET Core versions that are installed on our servers in our knowledge base. (If you do not see a .NET Core version that you want to use listed, we also support Self-Contained Deployment (SCD) – so you can always deploy your applications on our platform.)

We also kept open source applications updated in our Control Panel Web App Gallery.

Security Solutions at Everleap

We launched an Email Cloud Backup solution at Everleap that allows customers to securely backup email and attachments from virtually anywhere – email hosted at DiscountASP.NET or Everleap, email hosted at other hosting providers, and even Gmail and Office 365. Search tools are available as well as tools to restore emails. We offer a 30 day free trial so you can test out the service.

We launched an Office 365 Cloud Backup solution at Everleap that will automatically backup your Office 365 email, attachments, tasks, calendars, contacts as well as SharePoint, OneDrive, Groups and Teams. The higher level Office 365 Cloud Backup plan includes an Email Archiving solution that securely preserves the email archive for auditing and ensures the email archive is searchable, discoverable, and accessible should the business be subject to a third-party audit or legal motion. We offer a 30 day free trial, if you want to test out the service.

Welcome 2021

As we put 2020 behind us and usher in the start of a new decade, we continue to be hopeful. Even though our team is still working remotely, we will continue to strive to offer our customers a great hosting experience – one that you can count on.

We want to say big THANK YOU to all our customers and we wish all of you and your family a Happy New Year.

Visit DiscountASP.NET to learn more about our ASP.NET hosting services .

More on .NET 5.0

Ray Huang

On November 10, 2020, Microsoft officially released .NET 5.0. What is it exactly? If you’re confused, so am I, mainly because for a while we’ve been disciplined to accept the .NET #.# nomenclature to mean .NET Framework then we were getting used to the .NET Core #.# naming convention.

But things are changing again with .NET 5.0. .NET 5.0 is the beginning of Microsoft’s journey to unify everything in the .NET world which includes Framework, Core, Mono, etc. and provide cross-platform compatibility. Microsoft plans to release a new version of .NET each year in November and offer Long Term Support (LTS) for every even version.

In essence, .NET 5.0 appears to be ASP.NET Core 4.0 but Microsoft is skipping v4.0 and going with ASP.NET Core 5.0. According to Microsoft, they are skipping the 4.x version numbering to ASP.NET Core to lessen confusion and solidify that there will be only one .NET unified platform moving forward.

ASP.NET Core 5.0 has a lot of feature updates and performance improvements along with a few technologies (or I’d rather say programming paradigms) that WILL NOT be ported over – Web Forms, Windows Communication Foundation (WCF), and Windows Workflow (WF). Instead, Microsoft recommends that you use their alternative counterparts – ASP.NET Core Blazor/Razor pages, gRPC, and Open-source CoreWF, respectively.

Below are some of new features and improvements: 
– Updates to C#, F#, and Visual Basic
– New features of System.Text.Json
– Single file apps
– App trimming
– Performance improvements to Garbage Collection (GC), System.Text.Json, System.Text.RegularExpressions, Async ValueTask pooling, Container size optimizations, etc.

.NET 5.0 also introduces a preview for .NET MAUI (Multi-platform App UI) which is a framework for developing user interfaces. Microsoft calls it an evolution of Xamarin.Forms and hopes to complete support for it when .NET 6.0 is released next year. So, just like Star Trek movies, look forward to every even numbered release (just kidding).

Now that you have a broad overview of what .NET 5.0 is, you can read a more comprehensive list of changes here (https://devblogs.microsoft.com/dotnet/announcing-net-5-0/). And because we know a lot of developers are eager and excited to start working with .NET 5.0, we officially support it here at DiscountASP.NET.

Visit DiscountASP.NET to learn more about our .NET Core  and ASP.NET Core Hosting services.

.NET 5.0 (ASP.NET Core 5.0) hosting is now available

Takeshi EtoIn an effort to unify .NET, Microsoft has recently released a major update they are calling .NET 5.0. If you recall, the last .NET Core version was 3.X, so you may be asking what happened to .NET Core 4.X? Microsoft decided to skip that version and go straight to .NET 5.0 and drop the “Core” naming convention. They did so to avoid confusion – but they are retaining the ASP.NET Core 5.0 name. In any case, these kind of moves are always confusing even if you try to diffuse the confusion so it will probably take another version or two to iron things out.

But the point of this blog post is to announce that we support .NET 5.0 or ASP.NET Core 5.0 on our Windows 2012 and Windows 2016 servers. So feel free to experiment, learn, update and deploy your .NET 5 apps.

Visit DiscountASP.NET to learn more about our .NET Core  and ASP.NET Core Hosting services.

How to protect your WordPress login page using Cloudflare

Martin OrtegaWe have seen a few of our customers experience malicious bots making repeated efforts to break into their WordPress login page. There are a few issues that arise from this activity. Not only is it annoying but this can eventually crash your site by using up your server resources. It can also lead to your WordPress site getting hacked since that’s what the bots are trying to accomplish.

To prevent experiencing these issues, you can use Cloudflare‘s Firewall rule feature.

Let’s get started:

Assuming you have a Cloudflare account, log into your Cloudflare account.

Click on the Firewall icon

Click on the “+ Create Firewall rule” link on the upper right corner.

In the “When incoming requests match…” section select “URI” in the drop-down menu under Field. For the Operator field, select “Contains“. In the Value field, enter “/wp-login.php” as shown above.

In the “Then…” action select “Challenage (Captcha)“.

Now when someone goes to your wp-login.php page they will be met with a Captcha challenge they must enter first in order to log into your WordPress site.

The best part of using this firewall rule on your Cloudflare account is that it generally stops the bad guys from getting into your WordPress site. And, as a bonus, your server resources are also protected.

Visit DiscountASP.NET to learn more about our WordPress hosting solutions

September 2020 Web Application Gallery Updates

Ray Huang

Below is a list of applications that we updated in the DiscountASP.NET Control Panel Web Application Gallery for September 2020.

DotNetNuke (DNN) 9.6.2 Platform

Drupal 9.0.3

Joomla 3.9.20

Moodle 3.9.1

phpBB 3.3.1

Umbraco CMS 8.6.4

WordPress 5.5

Visit DiscountASP.NET to learn more about our ASP.NET hosting and PHP hosting services.

Telerik Controls Security Vulnerability

Takeshi EtoOver the past few months, we have seen a large number of hacking attempts against our customer sites using an old Telerik component vulnerability.  More specifically, the Telerik Web UI component, widely used in different applications like DotNetNuke, Sitefinity and custom built ASP.NET sites, is being targeted. One codename given to this hack is Blue Mockingbird. Hackers are finding success in compromising sites using this exploit because many site owners never patched their websites. Telerik has even recently blogged about the increase in hacking activity and provides some guidance.

What hackers are doing with compromised sites
There appears to be different individual hackers and hacker groups that are using this exploit and they are doing different things.  In our experience, we have seen the following:

  • Hacker attempts to compromise the website/database. The hacker
    • Creates a webshell file which allows the hacker to do various tasks on the site
    • Uploads phishing/malware site which can result in the site getting blocked by anti-virus software and browsers.
    • Gains access to the database which could contain sensitive information.
    • Installs scripts that attack other systems (e.g., brute force attacks)
    • Modifies scripts to skim sensitive information, like credit card numbers.
  • Hacker attempts to compromise server in order to
    • Install a cryptominer and use the server resources
    • Compromise the hosting infrastructure
    • Hijack the server and use the server for other attacks

Hacking activity mitigation
Mitigating this vulnerability has proven to be difficult, but we have been observing and learning from all the hacking activities. Now, along with our intrusion prevention detection system, we’ve made security tweaks on our webservers, and trained a diligent team. As a result, we have been able to protect our customers and our infrastructure.

Hacking activity background
We first noticed there was an issue when our intrusion detection system indicated a potentially malicious process being started on one of our servers. Our team immediately investigated and after some work we pinpointed the site that was compromised, determined how the site was compromised, and addressed the hack.

We soon started to notice similar incidents and after further investigation some of the flagged activities turned out to be false positives (legitimate activities), while others were hacking attempts. The attempts started to increase to almost daily at its peak.

Why the hack is nasty
What makes this hack nasty is that it uses built-in functionality of the Telerik control to upload a payload to the compromised site. The control functionality is used by the website so it is extremely difficult to tell which use case is legitimate and which activity is a hacking attempt.

To make things harder to detect, much of the hacking activity uploads a payload that does not interfere with the website and many times the payload appears to do nothing but sit there. Presumably, the payload will “wake up” when the hacker decides to activate it at a future time. Therefore, the website owner would never know they got hacked and the host will never know unless specifically looking for this type of activity.

Another thing we’ve seen recently is a site being compromised but the hacker did not upload anything. The hacker is just probing and logging which sites are “hackable” for some future plan. It’s like if someone breaks into a home using a key, looks around but doesn’t move anything or take anything and leaves. How are you to know someone who should not have access had entered the home?

Windows hosts beware
Windows hosting providers really need to pay attention to this hacking activity going forward. This vulnerability may be old but it’s still very much alive and hackers are exploiting it to compromise Windows servers and leaving virtually no footprint.  

What website owners should do
In order to stop this attack from occurring in the first place, website owners must patch the Telerik Web UI component within their application which is typically found within the /bin folder. 

You can check the table below on what actions to take depending on the application using the Telerik Web UI Control and where you host your website.

ApplicationWebsite hosted with DiscountASP.NETWebsite hosted elsewhere
DotNetNukeContact our technical support team and we can check if your site is vulnerable and our staff can apply a patch to secure your DNN instance.You can get more information about DNN and the Telerik vulnerability here and you will need to update your DNN instance.
SitefinityContact our technical support team and we can check if your site is vulnerable and our staff can advise you on the next steps.Check if you are using the insecure Sitefinity versions listed here, If your Sitefinity version is insecure, contact Sitefinity.
Custom Application Contact our technical support team and we can check if your site is vulnerable and provide you with guidance on the next steps.Check if you are using the insecure Telerik Web UI versions listed here. Check your website files on the server and make sure there are no weird files (that you did not upload). If you own the Telerik license, contact Telerik and patch your site. If your developer owns the Telerik license, have them contact Telerik and patch your site.

Feedback and Questions
This is a serious security issue and do not hesitate to reach out to provide feedback, comments or ask any questions.

Visit DiscountASP.NET to learn more about our ASP.NET Core  Hosting services.