Hosting Provider & Customer Saved from Dangerous Security Exploit

Customer Saved from Dangerous Joomla ExploitSecurity exploits and threats to your website are everywhere – and while you might think your business isn’t big enough or important enough to be a target, you’re undoubtedly wrong. The nature of modern day attacks are such that hackers comb the Internet using automated scripts or bots looking for vulnerable websites. According to the 2016 Internet Security Threat Report by Symantec, over 430 million unique pieces of malware were discovered in 2015 – up by 36% from the year prior. In addition, a new vulnerability was discovered each week on average and 75% of legitimate websites have unpatched vulnerabilities!

The only protection against the wide variety of cyber attacks and regularly-discovered vulnerabilities is with vigorous anti-spam and anti-virus software, server hardening, secure access, and constant vigilance. One customer of ours, Scott Neader of QTH.com, realized the benefit of Liquid Web’s tough security provisions when a dangerous Joomla exploit was discovered in December 2015. As a hosting provider with thousands of customers, he was especially grateful for the protection from Liquid Web’s ServerSecure product.

A Widespread Joomla Exploit was Discovered …

It seems like there is a new exploit every other day – but this one was particularly bad. In December of 2015 a Joomla “zero day exploit” (a security exploit that is exploited by hackers before the vendor can fix it) was discovered and in the wild for multiple days before Joomla was able to release an update that patched it. That’s multiple days of websites using Joomla versions 1.5 to 3.4.6 (six years worth of Joomla releases!) that were vulnerable to an exploit rated as very easy to hack.

This security exploit was in the PHP code of Joomla and allowed remote code execution; it allowed hackers to cleverly confuse the site and submit a carefully crafted request rather than the user data that the site was expecting. Such a request could allow a hacker to take over the site and provide access to delete data – or even use it to exploit other sites.

Our Team Pushed Out Protection That Same Day …

Luckily for our customers, our security team is constantly monitoring the web for vulnerabilities just like this. We noticed this security exploit and implemented a new ModSecurity rule to protect our customers and block malicious requests. In addition to this new rule, we had two rules already in place from an exploit the previous year. The two older rules seemed to be blocking attacks from this newest exploit, but just to be safe, a new rule was created to cover all the bases and make sure every attack was blocked.

A Worried Email Came In …

Scott Neader of QTH.com received notice of the 0-day Joomla exploit from a client of his, who was inspecting their site’s logs and noticed that there seemed to be protection in place on his site. However, this client was concerned the protection wasn’t working because he could still see malicious traffic in his logs! His client came to him with his concern and Scott sent Liquid Web an email to find out if his clients were protected. He soon learned that his client was seeing a log of blocked access attempts – not successful ones! This news put Scott at ease and made him grateful for the efforts put forth by our security team.

“When I didn’t get notified of any hacked sites, I had to assume something was protecting us,” Scott said. “… I really appreciate how Liquid Web is proactive on these attacks.”

While QTH.com utilizes multiple layers of protection on their servers, he was incredibly grateful for Liquid Web’s additional protection through our ModSecurity ruleset provided by our ServerSecure product, which he calls a “huge benefit of hosting our servers with Liquid Web.”

“Liquid Web’s Security Team created rules to protect our customers from this exploit, and pushed the rules to all our servers automatically, the same day the exploit was announced,” Scott explained.“Our customers were, then, protected from this exploit, before most of them were even aware of the issue.”

Our ServerSecure and our ServerSecurePlus products were designed to provide this level of proactive security protection for all of our customers – something that Scott and his many clients were lucky to be using.