In an earlier article entitled -  ”Are your applications secure?,” I talked about SQL injection threats. It’s a threat that refuses to simply go away.

Just this morning I stumbled upon a thread on a web hosting forum - about an OP (original poster) who had his shared account terminated by his web hosting provider for being hacked twice. He was clearly the victim of the hacks, but the host deemed the OP was responsible for keeping his sites safe, so that his sites would not affect other clients on their server.

The site in question was a WordPress site - with a couple of plug ins activated – nothing out of the ordinary. It was duly noted that WordPress sites attract a lot of hack attempts, and the more popular they are (lots of traffic), the more attempts. Obviously, the OP needs to find another web hosting provider, but his troubles are probably far from over. Should he install the same plug ins on his site at his new host, the hack will most likely reoccur. Why?

One of the plug ins the OP alluded to was - Penny Auction, on which a “hack advisory” was recently issued by ngenuity-is.com.

Recommended plug ins that help fight intrusion attempts:

Login LockDown - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.

WordPress Firewall 2 - This is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features!

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.

This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

WordPress Security Scan - checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

1. Passwords
2. File permissions
3. Database security
4. Version hiding
5. WordPress admin protection/security
6. Removes WP Generator META tag from core code

Certainly it’s the long term goal of every business to - minimize customer churn. The expense to sign on new clients way exceeds the cost to retain and resell existing clients. Every interaction with your clients, from warehouse, sales and service, to the accounting department shares a responsibility to exceed your clients expectations, by going that extra one percent – everytime.

Fix the Client and Not Your Product or Service. When I was employed as a technician by Varityper, our titles were tech rep 1, tech rep 2 and so on. That was changed to Customer Engineer. When you troubleshoot a client’s problem, you’re not fixing their typesetter, printer, broadband connection, website or whatever your business provides – you’re fixing the client. And in doing so – you need to give at least the perception of value.

Providing Value - Can this be done on the fly? Sure, but not with great results. Good customer support reps go through extensive training for the sole purpose of maximizing the client’s perception of their business. They offer benefits and solutions. This pays off in reduced advertising cost, minimized churn, customer loyalty and “branding.”

Are you rememberable? Are you rememberable in your clients eyes? Do you ‘own’ your business niche? Or are your customers simply satisfied clients? A certain level of support is expected from every vendor. On your customer surveys, do you ask the question, “Have we exceeded your expectations?”

Set yourself apart from the masses - Customer support encompasses so much more than simply responding to a service ticket, fixing the issue and closing it out without explanation. I see so many entrepreneurs asking how to develop a niche that sets them apart from the masses. Of course, the offer is KING, but great customer support keeps you on your throne.

Your accounting department has been complaining – about your network slowing to a crawl, but your sales reps are finally making cold calls – because they can’t surf the web or use email (Or they’re out on the golf course ).

What’s the problem? Could be a collision domain. Computer networks can be segmented physically as well as logically (Ethernet protocol), leading to circumstances where one single network device can send packets throughout a network segment forcing every other device to acknowledge those packets. Or it could be a group of Ethernet devices in a LAN running on CSMA/CD, connected via repeaters competing for network access. If two devices follow the exact procedure at the exact time, their transmissions will collide, and they will both become unusable. Simply put, a collision occurs when two or more network devices are trying to transmit packets at the exact same time.

As collisions increase on a network – the less efficient the network is. So how do you combat collision domain? Utilize switches and/or network bridges that filter and forward packets by their MAC address. A switch or network bridge will forward frames with addresses that are not in its domain, and will duplicate and broadcast frames to the devices inside its network.

Routers can filter, forward or drop packets – based on MAC addresses. Routers reduce collision domain by broadcasting to the LAN only packets that have addresses on that specific network. Routers are able to redirect packets not only by  IP or MAC addresses, but also by data type (email, graphics, plain text), function or port used (FTP, HTTP, SMTP, POP3) plus other variables and functions (acting like a firewall) in order to improve network performance.

Contrast your network to – data center networks that occupy entire buildings and house thousands of servers. They’re designed to host mission critical computer systems, with fully redundant subsystems and security zones. They contain routers and switches that transport traffic between those servers and the outside world. Redundancy of their Internet connection is usually provided via BGP bandwidth, blending multiple upstream providers.

Updated April 1 2011 – This is still HIGHLY relevant. See this story.

December 2009 – I just read an article this afternoon about the fastest growing security threat in the hosting industry. Apparently this threat has grown over a hundred fold in just the last year alone. What is it?

SQL Injection

Why have SQL injection attempts grown so dramatically? It was pointed out, and I agree, because the bad guys are using (very sophisticated) automated tools. More and more, we’re seeing attempts not only to be disruptive, rather to be focused on identity theft. Anyone remember Heartland Payment Systems and TJX?

Who is Susceptible?

Certainly, if you’re processing lots of credit cards, you need to guard against SQL injection, but even if you aren’t, this exploit needs to be addressed. I did a quick Google search for SQL injection prevention and stumbled upon an SQL Injection Cheat Sheet at http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. Since most SQL injection exploits are due to lax coding and poor application design practices, prevention measures like those outlined on this site can significantly minimize your risk of being compromised.

From Owasp.org

“SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either:
a) stop writing dynamic queries; and/or
b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.”

I just read a post on Seth’s Blog about embracing lifetime values, and was immediately able to relate this to any number of industries. When I was selling security systems in Miami, my employer had years of data highlighting the lifetime value of every new client. Think about it – who changes alarm vendors once the system is installed? Their monitoring ran $24.95/month, but clients routinely stayed with them from six to seven years. Value adds were additional motion sensors, control panels, remotes and door contacts. 

I wonder how many sales or support reps understand the real value of each shared, dedicated or colo sale, and how that drives the business as a whole? In the post, the lifetime value of new cell phone clients (on two year contracts) was estimated at $2000.00. I’ve been with my cell phone provider since 1997, and have grown from one to four phones.

Is there a lifetime value in web hosting?
What do you estimate the lifetime value is (on average) of a month-to-month dedicated server client? What about the new 2U colo client, who someday grows to a full rack, or a cage?

Could you increase your client’s lifetime value?
The answer is, absolutely – under promise and over deliver. Empower your staff, from sales reps to the billing and support departments, to go that extra one percent in every contact they have with each client. Your goal should be to exceed your client’s expectations. This is the stuff of long term business relationships.

Bottom Line
If one of your clients left in a huff, would you surmise, ‘there goes a $20 client’ or ‘we just let $2000 walk out the door.

I bought a memory enhancement program in the mid 90′s to correct for what I thought was memory leakage. I noticed my computer running slower and slower, even after defragging my huge (60MB+) hard drive. That technology has improved over the years, but memory leakage issues still persist.

Memory leakage can cause serious problems
While most memory leakage is quite small and doesn’t present any serious problem in and of itself, the accumulated effect of running programs for hours on end can compound problems, sometimes leading to disastrous results.

So what is memory leakage, exactly, and how can we resolve it?
My original understanding was that certain programs, when closed, did not release their allotted space in memory – thus reducing the amount of memory available to other problems. Memory leakage is so much more complex than that. A slight bug in one program might interact with some other program causing increased allocations of memory until some program crashes (not necessarily the program with the leak). As a consumer, how would you know where to begin to isolate the cause? I’m not a developer, as I suspect most of us aren’t. Debugging code is best suited for the programmer geeks. I started my quest for answers with searches on Google, Bing, Yahoo and Wikipedia.

From Wikipedia
In computer science, a memory leak is a particular type of unintentional memory consumption by a computer program where the program fails to release memory when no longer needed.

• From Google – over 3.4 million results
• From Bing – over 8.1 million results
• From Yahoo – over 10.6 million results

I don’t really have time to search through 22 million results, so I’ll highlight a few results here.

Some contributing causes of serious memory leaks

• Leaks inside the operating system itself
• Leaks in system critical drivers
• Leaks in embedded devices
• Leaks in programming languages
• Leaks where programs are able to request memory that hasn’t been released, even when the program terminates

Memory Managers
Most memory managers can recover memory that has become unreachable (if it’s unreachable it retains no value), but they normally cannot free memory that remains reachable. And it’s worth noting that there are levels of reach ability – with strong or weak references. Add to that, every system has a finite amount of memory anyway, so if a memory leak is not contained (possibly by a reboot), it will eventually cause problems.

A simple Google search for Memory Management Programs returned over 68 million results. Yipes! A word of caution – many of these programs are outdated and in fact, produce some overhead of their own.

If you have a recommended program, please share its strengths and weaknesses with us here.

First, let me say once again how much I despise rogue programs, and Windows Police Pro is a nasty one. It’s of the same family as Windows Antivirus Pro, which I wrote about around April 1^st.

The first warning that you’re infected is an obnoxious pop up that states your computer is infected, and recommends you purchase their program.

Windows Police Pro also acts as ransomware because it prevents you from accessing websites to download anti-spyware or anti-virus programs like AVG or StopZilla. X’ing out of the pop up is impossible, but all is not lost.

How to remove this nasty beast from your computer

First, open up your Task Manager (control, alt & delete), then end the Windows Police Pro process. Also end the svchast.exe process. Then go to RUN, and type regedit to edit your registry. Do edit find Windows Police Pro and delete those entries. Then you should be able to access the AVG or StopZilla websites, download and install their programs, do a scan and remove the infection.

I used StopZilla on my grandchildren’s laptop and you could actually hear Windows Police Pro groan when StopZilla killed it off. LOL.

You can earn a Doctorate in Conflict Analysis and Resolution, but I think most of us have earned some credits for coping with conflict on the street level, and certainly in the hosting industry.

Managing Conflict

The key is learning how to manage conflict rather than have it manage you. I avoid disputes when possible, but realize they’re inevitable – so instead of reacting on an emotional level, my solution is to manage them proactively. Part of that is being solution focused versus problem focused. It’s all about communications – understanding what your personal triggers are, then mapping out the opposing positions, finding common ground, and then proposing win-win solutions.

Conflict Awareness
First, you have to understand your own conflict patterns, then develop and practice methods to listen more effectively, map out the conflicts, and learn to differentiate difficult people from difficult behavior. We all know the type. Some clients and prospects just instinctively know what hot buttons to press.

Moving Beyond Conflict
What we’re really talking about here is developing professional skill sets to increase the success of your business operations. Customer support is very much about resolving customer conflicts or problems. While the solution could be purely technical, the perception of value rests with your client. How well you communicate relates directly to customer churn. Bad communication skills = high customer churn. Great communication skills = raving fans and a loyal customer base. The key, I think, is to actively listen, showing genuine interest and concern. Clarify the problem; ask questions, then listen – separating emotions from issues. Sometimes, you just have to say NO, it won’t work. And after conflicts are managed, it’s important to solicit feedback.

How Important is Feedback
Feedback is so important that you should reach out to your clients randomly to ascertain their comfort level with your products or services. Perhaps your perception that they’re satisfied clients is completely off tract, and they’re actively searching for a new provider. How would you know until they sent in their cancellation request? At that point, you become reactive instead of proactive.  Again, it’s all about effective communications and productive interactions.

Spam is everywhere. ISP’s and corporations filter it by the billions, yet it continues to plague us. Entire IP blocks – better yet – entire countries are routinely blocked and spam marches on. I read this morning that web hosting providers are being spammed on their support tickets by non-clients.

How many of you actually read this stuff? Or click through to their sites?
I don’t get nearly as much as my wife does on her computer. Of course the grandchildren monopolize her computer when they come to visit – so they attract cookies, malware, spyware and more spam. Love them but hate the spam. Yet people must be clicking through or spam wouldn’t be profitable.

How to reduce spam?
Spam can be reduced, although probably not eliminated altogether. Here are some tips from the United States Computer Emergency Readiness Team. For the Missouri Revised Statutes related to spam, click here.

Service agreements – are legally binding documents, but saying that, I read numerous threads started on web hosting forums from OPs who can’t answer basic questions like, “Does your provider spell out limitations on using CPU or RAM resources?” Quite often, that offer of unlimited space and bandwidth is accompanied by some clause excluding this or that, and two to three months into the contract, that provider cancels your services for violating their Terms of Agreement (TOS) or Acceptable Use Policy (AUP) - driving the client to panic, wondering how he’ll save his business and clientele.

If you’re presented – with a contract, read through the fine print. If you’re unsure about anything, seek legal counsel. Contracts are necessary to protect the provider and client alike.

One of the more hotly debated topics - is Service Level Agreements (SLA). Is there a guaranteed uptime? What recourse is there for downtime? Are credits issued? Are there excluded events? Are problem resolution guarantees spelled out?

Conficker Update 
I wrote about the threat of Conficker just prior to April 1^st, the date many feared it would wreak havoc on millions of PCs. Apparently, Conficker is branching out on the sly, quietly turning an unknown number of PCs into zombies – servers of email spam via a botnet.

This worm has evolved over the past few weeks spreading malicious software and a fake anti-spyware program called Spyware Protect 2009. This program sells for $49.95, but instead of protecting your PC, it steals your credit card information, then downloads additional malicious software. Do NOT purchase this software package. 

A special alert – if you use USB memory sticks, this worm can be transported from PC to PC via that stick.

How many computers are currently infected by Downadup/Conficker?
About 1-2 million.

Can Conflicker be detected and blocked? Yes. We recommend F-Secure.

Currently the worm is only affecting Windows-based machines, so if you’re running a Mac or Linux box, you’re safe.

I recently ran across a simple Visual Basic script that schedules and deletes old Microsoft Internet Information Services (IIS) log files from any of your servers. Like home computers slow down in-between reboots, or clearing of temp files and cookies – server logs eat up all of the free space on their hard drives, especially on those with highly utilized websites, possibly your line-of-business application.

How are you clearing your IIS logs today?

My guess is that you’re checking and clearing IIS logs manually. Enter a VB script that schedules and deletes those old logs automatically! Simply save the script below with the extension of .vbs, e.g., delete_old_logs.vbs. Create a directory on your server to save that file – possibly C:Program FilesScripts – whatever makes sense to you.

This script does need to be edited to specify the exact path to be cleaned and how many days of log files to leave behind. (See line that starts with Call CleanDirectory) In the example, default IIS logs older than seven days are scheduled to be deleted. The folder path needs to be inside the quotation marks.

What if you want to delete logs from several sources on the same server simultaneously?

Simply insert multiple Call CleanDirectory lines. After making changes to the script, be sure to save the file.

Ok, I’ve modified the script. How do I schedule a task to run it?

It’s best to create a special account (local or domain) in the local server administrations group, setting up permissions on the folder where the log files are located. This will allow your script to run in any location on the server. When you create this task, browse to the location where you saved the file to ensure the path is enclosed in quotation marks (if it contains any spaces).

How often should I run this script?

This would depend on activity, but for best results I recommend scheduling this task to run daily.

In Summary

Using simple Visual Basic scripts is a proactive solution to managing your IIS logs. You could use this script to cleanup lots of other log files as well.

‘++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
‘ delete_old_files.vbs
‘ Based on original script here:
‘
http://www.microsoft.com/technet/scriptcenter/csc/scripts/files/files/cscfi006.mspx
‘++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
‘ Clean the listed directories of old backup files
Call CleanDirectory(“C:WINDOWSsystem32LogFilesW3SVC1″, 7)
‘ Delete old backup files
Function CleanDirectory(strPathtoFiles, intDaystoKeep)
   Dim fso, f, fc, f1, strFiles, intFiles
   strFiles = “”
   intFiles = 0
   Set fso = CreateObject(“Scripting.FileSystemObject”)
   If (fso.FolderExists(strPathtoFiles)) Then
      Set f = fso.GetFolder(strPathtofiles)
      Set fc = f.Files
      ‘– Determine if file is older than defined days
      For Each f1 in fc
         If DateDiff(“d”, f1.DateLastModified, Now) > intDaystoKeep Then
            strFiles = strFiles & f1.Name & vbCrLf
            intFiles = intFiles + 1
            f1.Delete(True)
         End If
      Next
      Set f1 = Nothing
      Set fc = Nothing
      Set f = Nothing
   End if
   set fso = Nothing
End Function
‘ Stop the script in case it doesn’t automatically WScript.Quit

Kudos to Will Schmied.

Will Schmied is a senior systems administrator for a world renowned children’s research hospital. He holds numerous Microsoft MCITP, MCTS and older certifications and is experienced with Exchange and Blackberry. Will has been actively involved with the certification and training side of IT for many years, writing or contributing to several dozen books. He is a founder of the certification portal MCSE World. Having passed the reigns to a good friend from down under, Will maintains a smaller presence today with his blog, Tales of a Systems Administrator.

The value of telephone support should be obvious - but apparently not as I read questions on forums every week of whether to offer this, or email support or livechat, or a mixed solution. Cross-industry, if I have a problem with any vendor, the first contact information I look for is a phone number.

In the web hosting industry, all too often – support is only handled via support tickets or live chat. Typically, live chat is handled by lower echelon support personnel, who often must recommend going the route of a support ticket, as they don’t have the access or knowledge required answer questions beyond a basic nature. Why is that? Technical support is not cheap.

Many web hosts are run by – fewer than five individuals – the founder (normally a geek), one sales rep, an admin type (HR, billing, collections), a sysadmin and maybe another tech. There’s nothing wrong with that. It’s how most web hosts start, then grow if they have a good business plan and work that plan.

Your questions – should be, “How important is my data to my business? Is it mission critical? Will my web host be available to answer any issues, and if they are available, how qualified are they to resolve those issues?” If I have a problem with my Maytag washing machine, and I call them for service, I’m reasonably sure their techs will be able to resolve any problem I have. But if I have XYZ brand, and they have no phone support, my comfort level drops substantially.