Archive for August, 2010

12 characters safer with modern PCs

August 23rd, 2010 Comments off

Everyone seems to have more passwords than close friends these days, and the combinations of numbers and letters are already difficult to remember, but now experts at the Georgia Tech Research Institute are suggesting that anything shorter than 12 characters could be quickly cracked.

The issue is the additional computing power now on offer, in particular from the processors that are now the norm on graphics cards.

The researchers have discovered that the number-crunching power of modern graphics cards could offer a new way of cracking passwords, with their power on par with multi-million dollar supercomputers built just a decade ago.

The research found seven-character passwords ‘hopelessly inaccurate’ and, with processing power increasing year on year, a 12-character password combining upper-case, lower-case, numerals and symbols offered better protection.

Do you think passwords are becoming an unsafe security measure?

Categories: General, Non-Hosting

Keep your phpMyAdmin installations up to date!

August 12th, 2010 Comments off

There is a hack circulating for phpMyAdmin; we have seen various blogs and hosts in panic. Thankfully Laws Hosting wasn’t affected, as we take extra measures in the way we install phpMyAdmin on our servers.

What we heard is that the compromised system behaved completely normally, except that it was running SSH brute-force attacks against several randomly chosen remote servers. So what happened?

The attacker used a vulnerability in a phpMyAdmin that had once been installed, used once or twice, and then forgotten (version 2.10.xx or so). Sadly, whoever installed phpMyAdmin did not remove the setup.php file (which the readme encourages you to do). This setup.php was the attacker’s starting point. He or she injected an SSH client running as root at /tmp/dd_ssh, which started about 100 child processes.

The cleanup was as follows:

  • Removed phpMyAdmin
  • Removed all suspicious files in /tmp
  • Restarted the network interfaces
  • Changed all user passwords
  • Installed fail2ban
  • Changed /tmp to be non-executable

Suggestions for today:

  • Keep your phpMyAdmin up to date
  • Search for installations on all your servers NOW!
  • Do NOT install in a folder named “phpmyadmin”, “sqladmin” or similar. Use a non-guessable name.
  • Protect it at least with an .htaccess password
  • Last but not least: if you can access your server via SSH, there’s no need for phpMyAdmin. Set up an SSH tunnel, use your favourite MySQL GUI, and bingo, you’re safe.

We advise our clients not to install their own phpMyAdmin on their domains, and just use our versions that we supply.
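As an added example (not Laws Hosting’s tooling and not code from the original post), here is a POSIX shell audit that walks a web root and reports, for every phpMyAdmin install it finds, the version, whether setup.php is still present and whether an .htaccess guards the directory. The file layout it fingerprints, the PMA_VERSION line in libraries/Config.class.php and the sample tree it builds are assumptions about typical 2.x/3.x installs.

```shell
#!/bin/sh
# Added example, not Laws Hosting's own tooling. Walks a web root, fingerprints
# phpMyAdmin installs and reports the conditions the post calls out: a leftover
# setup.php, no .htaccess guard, and the version (layout is an assumption).

# audit_pma WEBROOT: one line per install found,
#   <dir> version=<v> setup_php=<yes|no> htaccess=<yes|no> risky=<yes|no>
audit_pma() {
    find "$1" -type f -path '*/libraries/common.inc.php' 2>/dev/null | sort |
    while IFS= read -r marker; do
        dir=$(dirname "$marker"); dir=$(dirname "$dir")
        # Old releases record the version in libraries/Config.class.php (assumption).
        ver=$(sed -n "s/.*'PMA_VERSION', *'\([^']*\)'.*/\1/p" \
              "$dir/libraries/Config.class.php" 2>/dev/null | head -n 1)
        [ -n "$ver" ] || ver=unknown
        setup=no; ht=no; risky=no
        if [ -f "$dir/scripts/setup.php" ] || [ -f "$dir/setup.php" ]; then setup=yes; fi
        if [ -f "$dir/.htaccess" ]; then ht=yes; fi
        if [ "$setup" = yes ] || [ "$ht" = no ]; then risky=yes; fi
        printf '%s version=%s setup_php=%s htaccess=%s risky=%s\n' \
            "$dir" "$ver" "$setup" "$ht" "$risky"
    done
}

# count_risky WEBROOT: number of installs flagged risky (useful as a cron alert).
count_risky() {
    audit_pma "$1" | grep -c 'risky=yes' || true
}

# make_sample_tree DIR: constructed sample web root with two installs, a
# forgotten 2.10.x copy with scripts/setup.php left behind and no .htaccess,
# and a renamed, guarded install with setup.php removed.
make_sample_tree() {
    for d in "$1/old/phpmyadmin" "$1/sites/db-x7q3"; do
        mkdir -p "$d/libraries" "$d/scripts"
        : > "$d/libraries/common.inc.php"
    done
    printf '%s\n' "\$this->set('PMA_VERSION', '2.10.3');" \
        > "$1/old/phpmyadmin/libraries/Config.class.php"
    : > "$1/old/phpmyadmin/scripts/setup.php"
    printf '%s\n' "\$this->set('PMA_VERSION', '3.3.5');" \
        > "$1/sites/db-x7q3/libraries/Config.class.php"
    printf 'AuthType Basic\nAuthName "Restricted"\nAuthUserFile /etc/apache2/.htpasswd\nRequire valid-user\n' \
        > "$1/sites/db-x7q3/.htaccess"
}

# Stand-alone run over the constructed tree.
root=$(mktemp -d); make_sample_tree "$root"; audit_pma "$root"; rm -rf "$root"
```

Point audit_pma at the real web roots on each server (and cron count_risky) to cover the “search for installations on all your servers” step.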
