Security Advice

Security is an asset for any business, especially when it involves computing and data. At Hosting Planet we care about your security.

Nevertheless, taking precautions is your responsibility. For that reason we offer the following recommendations so that you are protected against computer fraud.

Malicious code or hostile software (viruses)
If your website shows a message indicating that it contains “malicious code”, as in the images shown below, it means that a malicious script in your site's code is affecting your website.
A malicious script, or a script with malicious code, is a type of malware: a set of lines of code that is often used to redirect visitors from your site to a different website, or to make them download unwanted files.
These scripts are usually inserted by using free code from the Internet (visit counters, statistics, among others) or directly into sites that use free packaged programs such as Joomla or WordPress and are not updated regularly.
To solve these problems, you must contact the programmer or designer of your website immediately so that they locate and remove this type of code right away.

On this subject we recommend reading the following information provided by Google:
http://www.google.com/support/webmasters/bin/answer.py?answer=163633#3 or
http://www.google.com/support/webmasters/bin/answer.py?answer=163634
How to avoid hacks in WordPress or Joomla
With the massive growth of web pages on the Internet, the number of free tools for generating and administering these websites, known as CMS, has grown as well. Common examples are WordPress, Joomla and OsCommerce, among many others.

These systems have in common that users can contribute themes, plugins, etc. This is where the greatest danger lies.

Many hackers spend months looking for vulnerabilities in the different plugins (add-ons) or themes, which are often only detected by their creators once the hack has already been carried out.
This has nothing to do with the security of the server, but with the website itself.

A common example is the timthumb vulnerability; timthumb is a thumbnail manager used by many WordPress or Joomla themes. Through old versions of timthumb it was possible to copy remote files to the web page and then execute them on the page. Thousands of web pages were hacked with this method.

If you have suffered a hacker attack and use any kind of free CMS or online store, such as WordPress, Joomla, Mambo, OsCommerce or Moodle, among others, we give you 10 pieces of advice about what to do in case of a hack:

1 - Verify that your system is up to date.
2 - Verify that all themes and plugins are up to date.
3 - Always perform installations through the CMS administrator.
4 - Use themes and plugins from reliable sources.
5 - Verify that the theme or plugin you use is updated constantly.
6 - Delete any test plugin or theme that you are not going to use.
7 - Run many tests on your final CMS installation; if possible, run all the necessary tests first, then clean up and perform the final installation.
8 - If possible, add an empty index.html in each directory that has no index file; this prevents the files in the directory from being listed, which makes it harder to look for vulnerable files.
9 - Always keep the computer that connects to FTP or to the CMS administrator free of viruses. (This applies to any web page, not only a CMS.)
10 - Do not waste time looking for culprits; you will probably never find them.

Even with all these precautions, we must not forget that these are open and free systems that will never give you 100% security, since the core of WordPress or Joomla itself has suffered hacks; logically these are less common and are corrected quickly.

Remember that a hack of this type is rarely something personal against you; most of the hackers who do this do not care about which page was hacked, but about how many pages were hacked.
How to protect your domain and email from being identified as spam
To improve the chances that your domain and email are not identified as spam, please follow these steps:
1. Log in to your cPanel control panel.
2. Go to the MAIL area.
3. Click on Email Authentication.
4. You will see two items to enable: DOMAINKEYS and SPF.
5. The first item to enable is SPF.
6. Click Enable SPF.
7. After enabling it, a long code will appear; please keep this code in a safe place for future security references with us, your web hosting company.
8. Click the GO BACK link.
9. Check again under the SPF area that it says: Status: Enabled & Active (DNS Check Passed).
10. Scroll down and you will see an Update button; click this button to update the data.
11. In the same MAIL area you can see the DOMAINKEYS option mentioned in step 4. Please click ENABLE.
12. A page will appear saying: DomainKeys have been enabled.
13. Click Go Back and check that the status says: Status: Enabled & Active (DNS Check Passed).

By completing these two steps, together with the systems installed on Hosting.cl Planet's servers and the infrastructure of its IPs and datacenter, you will ensure that your mail is not considered spam.
If you have any question or problem, please contact us directly in the client area by opening a support case with the customer support department.
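As an added example, not part of Hosting Planet's instructions, the following shell functions check the DNS side of the two steps above: an SPF TXT record ending in ~all or -all, and a DomainKeys selector record carrying an RSA public key (the assumption is that cPanel publishes it under the selector default, i.e. default._domainkey.yourdomain). They read record data as dig +short TXT prints it, so they also run offline on the constructed samples at the end.

```shell
#!/bin/sh
# spf_status: reads TXT records on stdin, prints ok / missing / multiple / no-all
# and returns 0 only for ok. Use: dig +short TXT yourdomain | spf_status
spf_status() {
    count=0; last=""
    while IFS= read -r rec; do
        rec=${rec#\"}; rec=${rec%\"}            # strip the quotes dig prints around TXT data
        case "$rec" in
            "v=spf1"|"v=spf1 "*) count=$((count + 1)); last=$rec ;;
        esac
    done
    [ "$count" -eq 0 ] && { echo missing; return 1; }
    [ "$count" -gt 1 ] && { echo multiple; return 1; }   # RFC 7208: more than one SPF record is a permanent error
    case "$last" in
        *" -all"|*" ~all") echo ok; return 0 ;;
        *) echo no-all; return 1 ;;                       # "+all" or no "all" term: anyone may send as you
    esac
}

# domainkey_status: reads the selector's TXT record on stdin and prints
# ok / missing / malformed. Use: dig +short TXT default._domainkey.yourdomain | domainkey_status
domainkey_status() {
    rec=$(tr -d '"\n')
    case "$rec" in
        "") echo missing; return 1 ;;
        *"k=rsa"*"p="[A-Za-z0-9+/]*) echo ok; return 0 ;;
        *) echo malformed; return 1 ;;   # e.g. "p=" left empty, which revokes the key
    esac
}

# Constructed sample records (documentation values, not a real domain):
printf '%s\n' '"v=spf1 +a +mx ip4:203.0.113.5 ~all"' | spf_status                        # ok
printf '%s\n' '"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"' | domainkey_status    # ok
```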
Considerations when installing Joomla
General considerations and ISPs
- Change your passwords regularly and do not always use the same one. Use a random combination of letters, numbers and symbols, and avoid names or words that can be found in a dictionary. Never use the names of relatives, pets, etc.
- If you use a shared hosting service with your provider, make sure that no other user on the server can see or access your site's files, for example through shell accounts, cPanels, etc.
- Never depend on someone else's backups. Take personal responsibility for regularly backing up your site's files and its database. Many ISPs state in their contracts that you cannot rely solely on the backups made by the hosting provider.
- Use an intrusion detection/prevention system to block or alert on malicious HTTP requests.
Example Google search: http://www.google.com/search?q=Intrusion+Prevention.

Development servers
- Set up a local development server and do all updates and testing there. Apache Friends provides XAMPP, a free and easy-to-use LAMP application installer that works on many operating systems, including GNU/Linux and Windows.
http://www.apachefriends.org/en/index.html
- Some ISPs offer specific development servers and backups. For example, joomaboom recommends the development server offered by GoDaddy: http://forum.joomla.org/index.php/to...html#msg419916.

HTTP server (Apache, etc.)
- PHP, MySQL and many other base components were originally designed for, and generally work best on, Apache servers. Avoid using other servers if possible.
- Use .htaccess files to block exploit attempts. You can find a very good short tutorial at:
http://forum.joomla.org/index.php/topic,75376.0.html
- Regularly review the access logs for suspicious activity. Do not rely on summaries and graphs; review the “raw logs” for more accurate details.
- Configure the Apache mod_security and mod_rewrite filters so that they block PHP attacks.

MySQL
- Make sure that the Joomla! MySQL account is configured with limited access. Be aware that the initial MySQL installation is insecure; careful manual configuration is required after installation.
See the MySQL documentation: http://dev.mysql.com/doc/refman/4.1/...rivileges.html
- On a shared server, if you can see the names of other users' databases, then you can be fairly sure that they can see yours. If they can see the databases you own, they are unnecessarily one step closer to getting in. A good ISP strictly limits each user's access to their own databases.

PHP
- First of all, PHP 4 is no longer actively maintained; update your PHP code to PHP 5.
- Apply all the necessary patches for PHP and PHP-based applications.
- Frequent scans are recommended in environments where a large number of PHP applications are in use.
- Use tools such as Paros Proxy to run automated SQL injection tests against your PHP applications.
- Follow the principle of “least privilege” when running PHP, using tools such as PHPsuExec, php_suexec or suPHP.

PHP.INI
- Study the official list of php.ini directives at www.php.net.
List of php.ini directives: http://us3.php.net/manual/en/ini.php#ini.list
- Set register_globals to Off. This directive determines whether or not the EGPCS variables (Environment, GET, POST, Cookie, Server) are registered as global variables.
See this post: http://forum.joomla.org/index.php/topic,75990.0.html
- Use disable_functions to disable dangerous PHP functions that your site does not need.
- Disable allow_url_fopen. This option enables the URL-aware fopen wrappers that allow URL objects to be accessed as if they were files. Wrappers are provided for accessing remote files over the FTP or HTTP protocol, and some additional extensions such as zlib can register wrappers. Note: for security reasons, this can only be set in php.ini.
- Set the magic_quotes_gpc directive as needed for your site. It should be Off when using well-written software, and On for poorly written PHP 3 and PHP 4 scripts. magic_quotes_gpc sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes is On, all ' (single quote), " (double quote), \ (backslash) and NUL characters are automatically escaped with a backslash.
- safe_mode (should be enabled and configured correctly)
PHP security configuration directives and Safe Mode: http://us3.php.net/manual/en/feature...#ini.safe-mode
PHP functions restricted/disabled by safe_mode: http://us3.php.net/manual/en/feature....functions.php
- open_basedir (should be enabled and configured correctly)
Limits the files that PHP can open to the specified directory tree, including the file itself. This directive is not affected by whether safe_mode is On or Off. The restriction specified with open_basedir is actually a prefix, not a directory name. This means that “open_basedir = /dir/incl” also allows access to “/dir/include” and “/dir/incls” if they exist. When you want to restrict access to only the specified directory, end it with a slash (/).
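An added example (not from the original page) that audits a php.ini against the register_globals, allow_url_fopen, disable_functions and open_basedir advice above, including the prefix-matching caveat for open_basedir; both sample php.ini files are constructed. safe_mode is left out because it was removed in PHP 5.4.

```shell
#!/bin/sh
# Assumptions: directives are written as "name = value" on one line, lines
# starting with ';' are comments, and the last occurrence of a name wins.

# ini_value FILE NAME -> prints NAME's value, or nothing if it is not set
ini_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}
# ini_flag FILE NAME -> same, lowercased, for On/Off style values
ini_flag() { ini_value "$1" "$2" | tr 'A-Z' 'a-z'; }

# audit_php_ini FILE -> one line per finding on stdout (no output = clean)
audit_php_ini() {
    f=$1
    case "$(ini_flag "$f" register_globals)" in
        ""|off|0|false) ;;
        *) echo "register_globals is On: EGPCS input becomes global variables; set it Off" ;;
    esac
    case "$(ini_flag "$f" allow_url_fopen)" in
        off|0|false) ;;
        *) echo "allow_url_fopen is On (PHP's default): remote URLs open like local files; set it Off" ;;
    esac
    [ -n "$(ini_value "$f" disable_functions)" ] \
        || echo "disable_functions is empty: list the PHP functions your site does not need"
    ob=$(ini_value "$f" open_basedir)
    if [ -z "$ob" ]; then
        echo "open_basedir is unset: PHP may open files anywhere on the server"
    else
        # open_basedir matches prefixes, so /dir/incl also allows /dir/include;
        # a trailing slash turns each entry into a real directory restriction
        old_ifs=$IFS; IFS=:
        for p in $ob; do
            case "$p" in */) ;; *) echo "open_basedir entry '$p' lacks a trailing slash (prefix match)" ;; esac
        done
        IFS=$old_ifs
    fi
}

# write_samples DIR: constructed sample files (not taken from any real server)
write_samples() {
    cat > "$1/weak.ini" <<'EOF'
; constructed: typical permissive settings
register_globals = On
allow_url_fopen = On
open_basedir = /home/site/public_html
EOF
    cat > "$1/hardened.ini" <<'EOF'
; constructed: the settings recommended above
register_globals = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /home/site/public_html/:/tmp/
EOF
}

d=$(mktemp -d); write_samples "$d"
audit_php_ini "$d/weak.ini"        # prints 4 findings
audit_php_ini "$d/hardened.ini"    # prints nothing
rm -rf "$d"
```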

Joomla! Core
- Always update to the latest stable version.
See the post: http://forum.joomla.org/index.php/topic,33226.0.html
- Download Joomla! only from official, trusted sites, such as:
Joomla! Forge: http://forge.joomla.org/sf/sfmain/do...rojects.joomla
- Subscribe to, or regularly review, the announcements related to Joomla security: http://forum.joomla.org/index.php/topic,40046.0.html.
- If you discover a security problem in the Joomla! core, please report it ASAP (as soon as possible): http://dev.joomla.org/content/view/1450/89/
- Remove all templates that are not needed on your site. Do not put security logic in template files.
http://forum.joomla.org/index.php/to...html#msg430051
- Edit globals.php to turn register_globals emulation off in Joomla!. Although Joomla!'s emulation is much safer than the PHP register_globals directive, it is better not to allow register_globals at all. Beginning with PHP 6 this will not even be an option, and it is only a matter of time.
- Once your site is configured and stable, write-protect as many files and directories as you can by changing directory permissions to 755 and file permissions to 644. There is a feature under Site --> Global Configuration that can set the permissions in bulk for you. Be aware that this bulk function can affect the operation of components, so test their operation afterwards. Also be aware that it may not be possible to change the permissions of all third-party components or extensions.
http://help.joomla.org/content/view/41/132/.
http://forum.joomla.org/index.php/topic,24108.0.html
Note: you will need to reset the permissions if you wish to install extensions later. Be aware that on some servers the option “Override write protection when saving” may not work even though the system warning says it does; in that case you will have to manually give configuration.php write permissions in order to change the configuration options. (That is a good thing.)
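An added example, not part of the original text, that serves tip 8 of the hack checklist and the 755/644 advice above: it resets a site tree to those permissions and drops an empty index.html into every directory that lacks an index file, so the web server cannot list its contents. The sample tree is constructed in a temporary directory; on a server where PHP runs under a different user than the FTP account, the permissions may need adjusting.

```shell
#!/bin/sh
# harden_site_tree DIR: directories 755, files 644, empty index.html where
# no index.html/index.php/index.htm exists (configuration.php is treated like
# any other file; give it write permission again only while editing settings).
harden_site_tree() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d | while IFS= read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ] && [ ! -e "$d/index.htm" ]; then
            : > "$d/index.html"
            chmod 644 "$d/index.html"
        fi
    done
}

# count_bad_perms DIR: prints how many entries deviate from 755/644 (0 = done)
count_bad_perms() {
    { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# dirs_without_index DIR: prints the directories still lacking an index file
dirs_without_index() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || [ -e "$d/index.htm" ] || echo "$d"
    done
}

# make_sample_tree DIR: constructed sample site (not a real installation)
make_sample_tree() {
    mkdir -p "$1/images" "$1/includes/cache"
    printf '<?php\n' > "$1/index.php"
    printf 'x' > "$1/images/logo.png"
    : > "$1/includes/cache/tmp.dat"
    chmod 777 "$1/includes/cache" "$1/includes/cache/tmp.dat"
    chmod 666 "$1/images/logo.png"
}

t=$(mktemp -d); make_sample_tree "$t"
echo "before: $(count_bad_perms "$t") entries with wrong permissions"
harden_site_tree "$t"
echo "after: $(count_bad_perms "$t") entries with wrong permissions"   # after: 0
dirs_without_index "$t"                                                 # prints nothing
rm -rf "$t"
```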

Joomla! Extensions (Components, Modules and Bots)
- Remove all Joomla! extensions that require register_globals ON.
- Download extensions only from trusted sites. The official definition of a “trusted site” is a site which YOU trust.
- Before installing third-party extensions, review the official list of vulnerable third-party extensions: http://forum.joomla.org/index.php/topic,79477.0.html.
- Be careful! Third-party extensions come in all flavors, sizes and ages. Although Joomla! coding standards exist, the extensions listed on the official Joomla! site are not reviewed to check that they comply with these standards. Test all extensions on a development site before installing them on a “real” production site.
- Back up your site and its database before installing new extensions.
- Review regularly:
Third-party/non-Joomla security questions: http://forum.joomla.org/index.php/board,296.0.html
- Remove any unused extension, and double-check that the related directories and files have been deleted. (A contribution from joomaboom)
Blocked functions (init_set, register_globals and mod_rewrite)
During the installation or implementation of some CMS systems you will probably encounter errors about blocked functions; these may be blocked because some kind of vulnerability has been detected in them.

You can solve this by creating, with a text editor such as Notepad, a file called php.ini containing the following (** function=parameter **):
init_set= on
register_globals= on
mod_rewrite = On
safe_mode = On
(depending on the function required)

Save the changes to this configuration and then copy the file into the public_html directory, or into the directories that require this function to be active.
Anti-Spam Policies
It is very important to know that sending mass email is absolutely prohibited and will not be allowed under any circumstance, even when it is directed to client databases or the clients' authorization has been obtained.

If Hosting Planet detects that a client is sending mass email, this is grounds for immediate suspension of services.

Using the services of other providers to carry out abusive advertising campaigns that reference services hosted at Hosting.cl Planet also implies suspension of the service.

If a client is caught a second time sending mass email, whether intentionally or not, whether advertising or of any other nature, the service is suspended immediately, with no possibility of refunding any remaining money paid for the service.

Using any of the domain's mail servers and email addresses for spam, mail bombing, phishing, escrow fraud, 419 scams, pharming, distribution of viruses (Trojans, worms, etc.), or any other activity carried out with sabotaging, fraudulent or criminal intent, will be grounds for immediate termination of services.

Hosting Planet reserves the right to demand payment for all the resources used to resolve the problems generated by this type of sending.

The maximum amount of email that shared services may send within one hour is 300 emails per domain. If this amount is exceeded, the sites will be prevented from sending further email until the 1-hour period has passed.

If you need to send a larger amount of email per hour, contact our Customer Service platform. Note that VPS servers allow sending up to 1,000 emails per hour, and dedicated servers up to 5,000 emails per hour.
What is considered spam?
Spam, junk mail or junk messages are unsolicited, unwanted messages, or messages from an unknown sender, usually of an advertising nature, generally sent in large (even massive) quantities, that harm the recipient in one or several ways. The act of sending these messages is called spamming. Hosting Planet even considers as spam mail sent to lists of clients or users who have registered on your website but have not specifically requested that particular information.
Although spam can be sent by different routes, the most common among the general public is email-based spam. Other Internet technologies that have been targets of junk mail include Usenet newsgroups, search engines, social networks, wiki pages, forums, web logs (blogs), pop-up windows and all kinds of images and text on the Web.

Junk mail can also target mobile phones (through text messages) and instant messaging systems such as Outlook, Lotus Notes, Windows Live, etc.

Unwanted mail also refers to viruses released on the network and infiltrated pages (casinos, raffles, prizes, trips, drugs, software and pornography) that are triggered by entering community or group pages, by following links on various pages, or even without having previously visited any kind of advertising page.
What is phishing?
Phishing is a form of deception in which attackers send a message (the bait) to one or more people in order to convince them to reveal their personal data. Generally this information is then used to carry out fraudulent actions such as transfers of funds from their bank account, purchases with their credit cards, or other criminal behaviour that requires such data. The means most used by attackers today to carry out a phishing attack is email. Their messages are usually very convincing, since they pretend to be sent by a well-known and trusted organization with which the user normally deals, for example a bank or a company with which they carry out commercial transactions over the Internet.
The message alleges various reasons, such as technical problems or an update or review of account data. Then, supposedly to verify or modify their personal data, the user is asked to enter on a certain website their full name, RUT, access keys, etc. This web page is in fact a forged site that imitates the one of the organization in question, and since its design is usually very similar to that of the organization whose identity has been appropriated (sometimes practically identical), the user cannot notice the deception.
In other cases the ruse relies on the similarity between the web addresses of the authentic site and the forged one. On many occasions the link text written in the email even matches the real address of the website, and if the user clicks on this link they are redirected to a fake page controlled by the attackers.
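An added example (not from the page) of detecting the last trick described above: anchor text that shows one address while the href leads to another host. It assumes one simple <a href="...">text</a> anchor per line, as in typical HTML mail, rather than a full HTML parser; the sample message is constructed with documentation host names.

```shell
#!/bin/sh
# host_of URL -> bare lowercase host (scheme, userinfo, port, path and a
# leading "www." removed) so two addresses can be compared fairly
host_of() {
    h=${1#*://}; h=${h%%/*}; h=${h%%\?*}; h=${h##*@}; h=${h%%:*}
    h=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    printf '%s' "${h#www.}"
}

# suspicious_links: reads HTML on stdin, prints one line per anchor whose
# visible text is a web address that does not match the host in its href
suspicious_links() {
    tab=$(printf '\t')
    sed -n "s|.*<a [^>]*href=\"\([^\"]*\)\"[^>]*>\([^<]*\)</a>.*|\1${tab}\2|p" \
    | while IFS="$tab" read -r href text; do
        case "$text" in
            http://*|https://*|www.*) ;;      # only text that looks like an address
            *) continue ;;
        esac
        th=$(host_of "$text"); hh=$(host_of "$href")
        [ "$th" = "$hh" ] || echo "text says $th but link goes to $hh"
    done
}

# Constructed sample message (documentation host names, not real sites)
sample_mail='<p>Please confirm your account details at
<a href="http://login.example.net/verify">https://www.bank.example.com/login</a>
or read the notice at <a href="https://www.bank.example.com/news">https://www.bank.example.com/news</a>.
<a href="https://bank.example.com/">Click here</a> if the page does not open.</p>'

printf '%s\n' "$sample_mail" | suspicious_links
# text says bank.example.com but link goes to login.example.net
```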