
I've contacted 3 different hosts lately to talk about the Apache server. One of them is my current host; two of them have MySQL 5.1 (one is mine), one has MySQL 5.4, but none of them seems to give me a proper answer when I ask whether they update their software versions.

They all seem to be using Apache 2.2.23 to 2.2.27 too.

I asked my server why they won't update, and they gave me no answer. I asked the two other hosts (Bluehost and ResellerClub) and they simply said they don't have an answer for that question. Yes, they don't have an answer; their tech support just say things like "I don't know why we don't update", "I don't have any info about that subject", "No one is going to help you with that".

Isn't it weird?

My server is using MySQL 5.1 and I've had two attacks in the last week, but there is nothing wrong with my scripts; it seems like it's a vulnerability in MySQL. So when I try to move to another host, it also uses outdated software and I won't be safe at all!

It's the web host's business to keep the server machine updated and safe, so what am I missing here?

  • 99.9% chance that the issue is with your application. Remotely-exploitable vulnerabilities in MySQL are very few and far between. Additionally, MySQL should not be exposed to the internet anyway, and if it is, you likely have far bigger issues. – EEAA Sep 02 '14 at 17:34

3 Answers


MySQL 5.1 is the currently supported and safe version on e.g. RHEL/CentOS 6, and as long as there is no project-specific reason to upgrade, no hoster on these platforms will do this. The same is true for Apache.

Since Red Hat etc. are backporting fixes into their versions, they are not less secure than newer releases.

Lastly, if you had attacks, you need to find out exactly what the attack vector was. Just saying "My stuff is safe" without knowing exactly doesn't help you.

Sven
  • Then why hasn't anyone given me a concrete and clarifying answer like yours? Can't they just tell me "MySQL 5.1 is safe"? My host stopped answering my ticket 6 days ago, and I already left them another 5 messages. They all (any web host company) seem to go silent whenever we ask about security or updates. – Matt the SQuirreL Sep 02 '14 at 17:25
  • I'd ignore you too if you barraged me with lots of messages. Chances are the issue is on your end (SQL injection, weak passwords, etc.), not with MySQL. – ceejayoz Sep 02 '14 at 17:28
  • I don't know why they didn't answer, but I am with @ceejayoz on this. – Sven Sep 02 '14 at 17:30
  • @ceejayoz I'd sue you if you provided me a paid service and ignored my messages. – Matt the SQuirreL Sep 02 '14 at 17:30
  • @MatttheSQuirreL Not all paid-for services include support. – EEAA Sep 02 '14 at 17:31
  • Theirs includes it. – Matt the SQuirreL Sep 02 '14 at 17:31
  • "Safe" is very subjective. Safe in which context? What are the use cases the software is being exposed to? No company will just say "MySQL 5.1 is safe". We can say that, if you follow what SvW said for RHEL/CentOS 6, then MySQL 5.1 is relatively safer than using a newer version you compile yourself. – Giovanni Tirloni Sep 02 '14 at 17:32
  • @MatttheSQuirreL If you're making legal threats towards them as casually as you're making them to me, that's probably most of the reason they're not interested in corresponding. – ceejayoz Sep 02 '14 at 17:32
  • You come across as somewhat unpleasant, and it appears you contacted two potential new hosts. Maybe they didn't want your business, to spare them the pain? – Sven Sep 02 '14 at 17:33
  • So it means I have to pay for something that I can't even complain about if it brings me trouble? Well thought. – Matt the SQuirreL Sep 02 '14 at 17:34
  • @MatttheSQuirreL You're making assertions like "there is nothing wrong with my script" in your complaints, which is pretty much impossible (especially when you're asking stuff like http://serverfault.com/questions/625352/is-it-safe-to-allow-user-to-upload-xml-and-or-zip-files-to-an-apache-server-thro). It's far more likely you're being compromised by those scripts than by some issue with MySQL itself. They likely told you this, and from the sounds of it you likely ignored them. – ceejayoz Sep 02 '14 at 17:36
  • Ok, I'll consider changing host. – Matt the SQuirreL Sep 02 '14 at 17:37
  • Adding to the comments above, if it actually was a fault in their MySQL version, all their hosted pages would be compromised, not just your site; if that was the case, they would promptly address it. If you want to change hosting company for nicer support, try Rackspace: http://www.rackspace.com/ and A2 Hosting: http://www.a2hosting.com/ - their support is amazing. That won't really help with your issue if you are already under attack. Finally, you should only consider changing your version if there are features that you need or if there's a Security Alert for your version. – Eduardo Romero Sep 02 '14 at 17:38
  • Consider figuring out **how** you got compromised, so it doesn't happen again on that new host. – ceejayoz Sep 02 '14 at 17:38
  • @MatttheSQuirreL: So what was the point of asking this question? You had already made a decision and didn't learn anything from the answers and comments to it. – Sven Sep 02 '14 at 17:39
  • @SvW I said "Ok", and I'm answering other people too. If you're intending to pick a fight, go ahead and get in a ring; perhaps you'll find someone there. – Matt the SQuirreL Sep 02 '14 at 17:41
  • @EduardoRomero They just won't say anything about it. The other hosts don't even know me; all I asked was if they update their software, and they didn't even say they patch it. – Matt the SQuirreL Sep 02 '14 at 17:42
  • @MatttheSQuirreL I've seen 'em do that for some sort of 'security thru obscurity' policy bs. It's safe to assume that they keep fairly well patched versions of the software they're running, else they get massive defaces/breaches. Again, if you feel like the problem is bad client relationships, try A2 or Rackspace; their support is superb. I'm not affiliated with either; I've used them both. I've also used Bluehost, and lots of others. You probably won't get an answer other than **Yes, we keep it updated**; you might get the major/minor version and maybe an advisory id if you ask specifically. – Eduardo Romero Sep 02 '14 at 17:51
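An added example (not from any answer or comment in this thread) of the check Sven's answer implies: a bare version comparison says "outdated", but the distro package changelog is where backported fixes show up. The changelog text and CVE ids below are constructed placeholders; on a real RHEL/CentOS host the input would come from `rpm -q --changelog mysql-server`.

```python
import re

# Constructed sample in the style of `rpm -q --changelog mysql-server`
# on a RHEL/CentOS 6 host. The CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Mon Jan 06 2014 Package Maintainer <maint@example.invalid> - 5.1.73-3
- update to MySQL 5.1.73 (upstream release notes: news-5-1-73)
- fix CVE-0000-1111 (placeholder id)
* Thu Aug 15 2013 Package Maintainer <maint@example.invalid> - 5.1.69-1
- backport upstream fix for CVE-0000-2222 (placeholder id)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_tuple(version):
    """Turn '5.1.73' into (5, 1, 73) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def backported_cves(changelog):
    """Every CVE id the package changelog says was fixed, in sorted order."""
    return sorted(set(CVE_RE.findall(changelog)))


def assess(installed, upstream_latest, changelog, cve):
    """Return (looks_old, fixed).

    looks_old is what a control-panel "outdated version" warning computes:
    it only compares version numbers. fixed is whether the changelog shows
    the fix for `cve` was backported, which the number alone cannot tell you.
    """
    looks_old = version_tuple(installed) < version_tuple(upstream_latest)
    fixed = cve in backported_cves(changelog)
    return looks_old, fixed


if __name__ == "__main__":
    # 5.1.73 is the version quoted in the thread; 5.5.0 is a constructed newer upstream number.
    print(assess("5.1.73", "5.5.0", SAMPLE_CHANGELOG, "CVE-0000-1111"))
```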

What operating system are they using?

Most likely they use the versions of MySQL and Apache that are in their operating system's package repos, in which case they are on old versions of the software but are getting security fixes backported (assuming they're installing those updates).

But it's definitely not a good sign that they can't give you a good answer on their software update procedures when they're managing the software.

Shane Madden
  • I thought about that. The biggest problem here is what you stated last: "But it's definitely not a good sign that they can't give you a good answer on their software update procedures when they're managing the software." – Matt the SQuirreL Sep 02 '14 at 17:36
  • Also, I've been checking files, MySQL, PHP functions, logs, permissions, changing passwords, database prefix, everything I could find, running antivirus, and so far I haven't seen anything suspicious on the host, not even a password change, not even a different IP in Apache or in the website administration. It's like it's a vulnerability in MySQL, as if it had a door open. – Matt the SQuirreL Sep 02 '14 at 17:46
  • @MatttheSQuirreL Have you run a PCI scanner against it? There are lots of vulnerabilities you wouldn't notice from looking at the code, especially if it's your own code. – ceejayoz Sep 02 '14 at 17:51

You can see which vulnerabilities were discovered for each version of MySQL at the CVE Database.

See if your distribution has patched them already and assess your risk of using the 5.1 available to you versus some other version you might be considering.

It's very likely the latest version of 5.1 has received considerably more attention than the latest version of 5.5 or 6.0, so I would classify 5.1 as safer than 5.5 in that regard. It might not have all the features you need though (but you could mitigate any risks in 5.5 in other ways).

Detailed information per version is available here. You'll see it lists security advisories issued by different vendors, so you can check if your vendor (e.g. Red Hat) has already acknowledged and patched their version.

Giovanni Tirloni
  • I got it now. Well, they should have told me that. I didn't know MySQL was treated like that; I used to think the bigger the version, the better. If they had told me that, it would have saved us a lot of time and stress. – Matt the SQuirreL Sep 02 '14 at 17:52
  • Also, I don't know why, but my MySQL panel keeps saying I'm using an outdated version. – Matt the SQuirreL Sep 02 '14 at 17:54
  • It's probably just checking the version number and comparing it to the latest available. However, the one you're using might already have all the patches so it wouldn't matter in that case. It's hard to say, your provider should be able to provide more info about their installation of MySQL. – Giovanni Tirloni Sep 02 '14 at 17:56
  • They're ignoring me, and I didn't only ask about MySQL, but also about Apache; they're just quiet. I even gave them a change log of Apache which shows all the security and bug fixes, and they didn't say anything about it. Look, they're using MySQL 5.1.73, and the changes are prior to (2013-12-03): http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-73.html Should I worry? – Matt the SQuirreL Sep 02 '14 at 18:02
  • I wouldn't focus on MySQL. See how you were hacked and work it backwards step by step to identify the root cause. If you have reason to suspect your ISP got hacked and, on top of it, is not disclosing it openly, it's better to look for a better one. These days Amazon EC2, Rackspace, MS Azure or Digital Ocean are viable options if you want more control. – Giovanni Tirloni Sep 02 '14 at 18:05
  • There is not a single trace of hacking; it's like someone just has access to MySQL. – Matt the SQuirreL Sep 02 '14 at 18:16
  • @MatttheSQuirreL SQL injection attacks are both extremely common (as they're easy to mistakenly create in your code) and would look like that as an attacker can execute pretty much any query they like. – ceejayoz Sep 02 '14 at 18:27
  • @ceejayoz I'm really sorry, but I didn't understand well your answer. – Matt the SQuirreL Sep 02 '14 at 19:07
  • @MatttheSQuirreL Then you **really** have no business telling your host that your scripts are safe. SQL injection is one of the most common vulnerabilities in web code and it can give an attacker easy access to your entire database. http://en.wikipedia.org/wiki/SQL_injection – ceejayoz Sep 02 '14 at 19:13
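An added illustration of ceejayoz's point (example code, not from the thread): the same login lookup written by pasting user input into the SQL string and then with a parameterized query, run against a constructed in-memory SQLite table. It shows why a compromise through the script leaves no password change or new IP behind, which matches what the asker observed.

```python
import sqlite3


def setup_db():
    """In-memory table with one constructed row, standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, pw):
    """The 'before' shape: user input is formatted into the SQL text, so a
    quote character in the input changes the query's structure instead of
    being compared as data. The database itself is behaving correctly."""
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name, pw):
    """The fix: placeholders. The driver sends the values separately from the
    statement, so the same input is only ever compared as a string."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def demo():
    """Run both lookups with a constructed malformed password (an unbalanced quote)
    and with the real one; returns the rows each version matched."""
    conn = setup_db()
    malformed_pw = "x' OR 'a'='a"
    return {
        "vulnerable": lookup_vulnerable(conn, "alice", malformed_pw),
        "parameterized": lookup_parameterized(conn, "alice", malformed_pw),
        "legit": lookup_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version matches the row without the password, while the parameterized version matches only the genuine credentials; the web server log for both requests looks like an ordinary login POST.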