Lunarpages Web Hosting Forum

Author Topic: Update your scripts!!!  (Read 1733 times)

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6310
Update your scripts!!!
« on: May 20, 2018, 06:25:18 AM »
In a few days (Wednesday, May 23!), LP is going to start forcibly updating your scripts to current versions!!! You should have received the following emails:
===============================================

Hello,

Please read this email carefully as it contains actions items that need immediate attention from you.

As we continue to increase the security of our network, it has become necessary for us to force the upgrades of many scripts. Many of these outdated scripts create vulnerabilities that can be avoided.

Beginning on May 23, 2018, we will begin the process of updating all scripts on our shared server environment. Any scripts that were installed using Softaculous will naturally be updated. Any scripts that were installed manually will be imported into Softaculous and managed through that interface.

What does this mean for you? You will want to make sure you have backups of your site’s files, content and database. These backups should be downloaded and stored locally on your machine. Please do not store them on the server. Once your server is ready for updates, you will receive another email letting you know. We do not have a specific timeline for when your account will be updated.

Due to the nature of the updates that are needed, there will be no extensions granted. If you are unable to, or forget to create your own backups, our system does keep backups for 3-5 calendar days.  Please understand that we will not restore your account to any date prior to the updates made. Any accessible backups will be zipped up and made available to you to download locally. We will not allow any rollbacks or restores to previous versions of the scripts you are using. These backups can be accessed through our Managed Shared Hosting program if you need them.

Should you need assistance in creating backups of your account, please email us at support@lunarapages.com with the subject: Need Assistance Creating Backups of My Account, or call us Mon-Fri 7:00am – 5:00pm Pacific time. We will be happy to help.

Thank you in advance for your understanding.

Regards,
Lunarpages System Administration Team

=== and ===

Hello,
 
 
This email is regarding the outdated installation of certain PHP scripts you have installed on your account. For security reasons you must update these outdated installations as soon as possible. In the event that they are not updated within 5 business days, they will be automatically updated. Please keep in mind that if your scripts are automatically updated, you will run the risk of something on your site breaking.
 
We strongly recommend making backups of your sites content and any custom settings you may have. If you do not create your own backup, you run the risk of having to recreate content or your entire website. However, in the event that you do not have your own backups, our system keeps backups for 3-5 days. Please understand that we will not restore your account to any date prior to the updates made. Any accessible backups will be zipped up and made available to you to download locally. We will not allow any rollbacks or restores to previous versions. These backups can be accessed through our Managed Shared Hosting program if you need them.
 
The following script updates are available:
 
<new product version>:
<your backlevel installation URL>

 
To upgrade these scripts go to your Control Panel -> Softaculous -> Installations.
There you will be able to update the scripts.
 
Thanks you,
Lunarpages System Administrators -  (216.97.230.60)

===============================================
It would have been nice for LP to also post a notice in this forum (hint, hint). Anyway, the bottom line is that if you use a canned application, LP will likely attempt to update it, whether you like it or not. This applies even to old versions that you don't use any more, and are just keeping around as a backup. Needless to say, if your installation has any customizations, the odds are high that something will break. You will need to keep an eye on your site, and be ready to restore your own backup if it's broken.

Note that if you have a manually-installed application that is also found in Softaculous, LP is going to "import it into Softaculous" and update it. Who knows what this will do to customized versions. You've been warned! LP says that it keeps backups for 3 days, but I don't know if they're going to waive the normal restore fee ($75/hr, last time I looked) this one time. I wouldn't count on it.

You really should take this time to remove obsolete versions if you don't need them any more, update active versions to current levels, and back up everything (code and databases) offline. I suspect that this is not going to be a one-time event, but will be done regularly to force customers to stay reasonably up to date (for security reasons).
Visit My Site

E-mail Me
-= From the ashes shall rise a sooty tern =-

Offline rickei

  • Intergalactic Cowboy
  • *****
  • Posts: 59
Re: Update your scripts!!!
« Reply #1 on: May 20, 2018, 07:04:54 PM »
This could be the downfall of LP.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6310
Re: Update your scripts!!!
« Reply #2 on: May 21, 2018, 04:06:57 AM »
Why's that? LP should be making customers keep up to date on their scripts, to minimize hacking vulnerabilities. To not do so is irresponsible, like a state letting unlicensed drivers on the road in uninspected cars. That said, I'm concerned about their attempt to do this in an automated manner, rather than simply telling customers to update or else their scripts will be disabled or removed. A lot of customers won't bother getting updated if it's left to them, but automated fixup scripts have a habit of breaking working code (it's happened before here). It's far too big a job for LP to do it manually, though, and a lot of customers would be unhappy to have people (even tech support) poking around in their files.

"Which way would you like to die?"
Visit My Site

E-mail Me
-= From the ashes shall rise a sooty tern =-

Offline rickei

  • Intergalactic Cowboy
  • *****
  • Posts: 59
Re: Update your scripts!!!
« Reply #3 on: May 22, 2018, 06:47:06 AM »
I don't mind LP having people update their scripts, but Softaculous is not the way to do it.

I just checked and Softaculous has the wrong version number for ALL of my sites. It shows I am at Joomla version 3.8.3(or below) when my sites are actually 3.8.7

I can only assume that Softaculous is going to try to overwrite my files to version 3.8.7 that don't need to be updated. In fact, most of my sites will be at version 3.8.8 by the end of the day as that was just released today.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6310
Re: Update your scripts!!!
« Reply #4 on: May 22, 2018, 07:27:18 AM »
Yeah, Softaculous is probably going to break many sites, but what else can be done? The only thing I can think of is to disable (via permissions) any application that's not up to date, until the owner fixes it.

As for Softaculous having the wrong version number, I don't know whether it looks in the applications' files for places known to have version numbers, or it keeps its own list. I know it found my old SMF installation, which was done manually. I vaguely recall the app store that LP used before Softaculous (I forget the name) kept a private file with version numbers in it. You might want to poke around and look for it, and update it manually. If you are not using Softaculous to update your application, its version file won't be up to date. Hopefully you can manually sync it with your application, so Softaculous will leave it alone.

This business about "importing" applications into Softaculous, to force future automatic updates, concerns me. I hope if I keep it up to date manually, they'll leave it alone (mine are highly customized, and could easily be broken by automatic updates).
Visit My Site

E-mail Me
-= From the ashes shall rise a sooty tern =-

Offline rickei

  • Intergalactic Cowboy
  • *****
  • Posts: 59
Re: Update your scripts!!!
« Reply #5 on: May 22, 2018, 07:48:20 AM »
I'm concerned too, I have never used Softaculous but my sites are listed there.
It looks like Softaculous scans MySQL databases, as I have several sites/directories listed in Softaculous that don't exist anymore, but apparently I forgot to delete the database. Not sure why the version number is wrong though


As I was deleting the nonexistent sites that Softaculous had listed, I discovered that when you click delete, you are directed to a page that asks if you would like to delete
the directory
the database
the user
so I tried it on an actual site and unchecked those 3 options. It removed my site from Softaculous, but did not touch any files, users, or databases.
maybe that will work :?

Offline razor7

  • Newbie
  • *
  • Posts: 3
Re: Update your scripts!!!
« Reply #6 on: May 29, 2018, 12:31:01 PM »
Other hosting providers harden their servers to avoid XSS and high resource consumption, and in case of hacks, they just disable the offender account. In my case I have hosted several joomla! sites since 2005 and no one got hacked, because of manual upgrades, security plugins, CloudFlare, etc...

You lost me LP...

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6310
Re: Update your scripts!!!
« Reply #7 on: June 02, 2018, 04:48:55 AM »
https://www.lunarforums.com/index.php?topic=100630.0 a report that MediaWiki is being forced to a new version that requires a resource (FileInfo) that LP does not supply. Sounds like a problem.
Visit My Site

E-mail Me
-= From the ashes shall rise a sooty tern =-