In the past, it was though Linux servers were safe from viruses but recently hackers have been taking advantage of this false sense of security. Some researchers point out that 70% of attacks on Linux honeypots were infected with a 6 year old virus (RST-B)* and used as command and control points for botnets.

ZZ Servers now offers affordable F-Prot anti-virus software for Windows, Linux, Exchange, BSD and Solaris. Protect your servers, desktops and critical infrastructure today. Contact ZZ Servers at 800-796-3574 or email support@zzservers.com to arrange for installation of anti-virus software today.

*RST-B is a backdoor malware runs on Linux/UNIX platforms and infects ELF files in the current and /bin directories. This Linux backdoor and virus compromises system security by allowing remote users to manipulate and access infected machines. If executed as root, it will start processes listening on two network interfaces which provide a remote root shell.

Are these script installers free?

Yes, and no. It depends on how you want to use them. Both packages have “Free versions” that are either ad-supported or limited in some way. See below for details.

Which script installer should I choose?

You can choose to enable either, or both on your InterWorx servers. You decide based on what makes sense for you and your customers. SimpleScripts is enabled by default.

Why is SimpleScripts enabled by default?

We choose to enable the SimpleScripts plugin by default because we felt that it provided the easiest transition for end users that are used to using ScriptWorx to install scripts.

What are my options if I don’t want myself or my customers to pay anything extra?

Both software packages have free versions, so you don’t have to do anything!

What about my old ScriptWorx installs? Can I import them?

With some scripts, you may be able to import existing script installs into the script installer software packages for management. Check the relevant documentation for details.

How are SimpleScripts and Softaculous different than one another?

As you might expect there are a number of differences. I will cover some of the important differences and similarities here.

• User interface
  Even though both script installer packages provide similar functionality, they have significantly different user interfaces. See each software package’s website for demonstrations.

• Available Scripts
  While there is a lot of overlap in script support, there are some differences as well. See the websites linked above for details.

• Service Design
  SimpleScripts is a “software as a service” solution – when the end user clicks on the SimpleScripts menu item in SiteWorx, they are sent to the simplescripts.com website. Before they get sent there, simplescripts is granted a special FTP user and API access to their SiteWorx account data, and SimpleScripts uses these tools to perform the script installation. Information about what scripts are installed where is maintained on the SimpleScripts servers. No SimpleScripts software is actually installed on the InterWorx server. The SimpleScripts software is updated on the SimpleScripts servers.

  The Softaculous software is actually installed and run on each InterWorx server. It gets installed automatically the first time the plugin is enabled. The softaculous software itself is installed under /usr/local/softaculous, and the software packages softaculous can install get placed in /var/softaculous. Softaculous also makes use of the InterWorx API to assist the user with the installs. Softaculous will install a cron job periodically check for new script updates.

• Software Administration
  With SimpleScripts, you can customize your customer’s interaction with the software by creating your own SimpleScripts “web host account.” This is not required, but it does allow you extra flexibility in managing SimpleScripts on your servers. Resellers also can have the option of using their own SimpleScripts web host account as well. SimpleScripts provides a “host key” and a “host API key”, both of which can be entered in The SimpleScripts portion of NodeWorx.

  Softaculous has an administration interface built in that is accessible via NodeWorx, that allows you to configure various options.

This is the first release of the 4.x series that will be automatically applied to all current InterWorx servers, versions 3 and higher. All InterWorx servers that have auto-updates enabled can and should receive this update.

This will be an incremental release for servers already running version 4.0.0. For servers running version 3.0, this upgrade will be significant. From version 3 to 4, virtually every aspect of the software has been improved, inside and out.

Special notes for the version 3 to version 4 upgrade

Given the magnitude of this upgrade from version 3 to version 4, there are a few things you should be on the lookout for:

1) Problems accessing InterWorx immediately following the upgrade
IF you or your customers experience any problem logging in or accessing interworx after the upgrade, the first thing to try to fix it is to login as root, and restart interworx with the command

service iworx restart
service httpd restart

If problems persist after that, please open a support ticket.

2) Problems accessing webmail immediately following the upgrade
IF there are any problems accessing webmail, try the following things first:

service iworx restart
service httpd restart
~iworx/cron/iworx.pex --fively

If problems persist after that, please open a support ticket.

3) Problems running PHP scripts on client websites
We do not expect there to be significant problems with PHP scripts, but interworx version 4 does provide suphp as an optional server-wide option. In order to provide this feature, the upgrade script will have to make modifications to the clients’ apache virtualhost config files. If these files have been heavily customized, manual intervention may be required.

If needed, backups of the original virtualhost config files will be in /etc/httpd/conf.d/conf_backup/ after the upgrade.

If there are any website problems, first just try restarting the webserver and see if that helps.

As always, any other problems with or questions about this update can be sent via e-mail to support@zzservers.com, or by opening a support ticket via the web at https://www.zzservers.com/support

In 2009, there has been a significant number of new phones, such as the Palm Pre, or those based on the Google Android operating system, which either natively implement ActiveSync, or include a number of 3rd party applications to add ActiveSync support to the device. These devices are currently being tested against Kerio MailServer and may be added to the officially supported device list in the near future. However, there is an opportunity to instruct Kerio MailServer to ignore it’s supported device list and allow synchronization with any ActiveSync based device. For details regarding this configuration you can refer to the Knowledge Base article.

I was able to spend a good 1/2 an hour with the now new customer and help them understand how our approach meets the intent of PCI and is not focused only on trying to “make the sale.”  However, for those that we do not know what questions to ask of a hosting provider I have started a new project where I will be “shopping” for a new hosting provider and will post the communications I have with them, along with some additional comments on what their answers would mean to me if I was in my QSA role evaluating their solutions.  I will keep the communications anonymous to prevent any liability issues, but feel free to use any of the questions or comments I have when discussing hosting solutions with any providers you may be examining; and feel free to use my questions against us when you call and ask about PCI or Compliant based hosting with ZZ Servers.

With that in mind, here is the first discussion with a decent data-center with multiple data-centers fully owned and operated by their staff in the northern midwest.  I have highlighted items that caused me to be concerned about their understanding of PCI and what it takes for merchants or service providers to be hosted with managed PCI solutions.  Please note, anyone can take a rack of hardware and managed / deploy it in a compliant manor.  But that is not what these hosting providers are selling.  They are selling compliant solutions, leading customers who do not fully undersand the requirements to think they are meeting all of the requirements.

***Chat Information*You are now chatting with ‘Paul’
*Paul: *Greetings, my name is Paul. Welcome to <HOSTING PROVIDER> Sales. With
whom am I speaking? How may I be of assistance?
*you: *Hello, i saw your VPS servers have a $50/mo PCI certification?
what does that provide? Does that mean i’ll be compliant? do i need
anything else? does that include my scanning, pen test,
internal/external? log monitoring?
*you: *hello?
*Paul: *Hello, sorry about that
*Paul: *the PCI certification will include all scans for your server to
be entirely compliant
– This is common, many people belive that if you get your ASV scanning & answer questionairre you are compliant..if it was only that simple
*you: *so it is only the scans?
*you: *not the rest of the compliance needs?
*you: *internal & external scans then?
*Paul: *it covers all services needed
*you: *external logging/monitoring, firewalls, IDS, 2 factor remote
access, pen-testing (internal/eternal), asv scanning & internal scanning
(& other stuff i can’t remember atm)??
*Paul: *Yes, it is the complete service
– how can he say it’s scanning, then a complete service? At this point I really believe the sales guy does not know what he is selling
*you: *applicatoin & network penetration testing? how do you have that
for $50/mo? the best quote I have from a professional pen-testing
company is 5000/year
*Paul: *let me double check
*Paul: *yes, it does, I have confirmed
– confirmed? if you can’t tell by now that I am asking questions above his knowledge level; why not conference in someone who knows the answer..
– Many hosting providers want you to email or fill in a form so they can manage their response, if they can’t answer your quetions at all hours
– then are you sure they can manage your compliance needs at any hour?? Get them to bring the expert on the phone while you are asking questions!
*you: *interesting, do you have a detailed whitepaper or pdf on the
complete services offereed?
*you: *and i assume i’ll have to get more than 1 server
*Paul: *No, you can have PCIC with one server
– big big red flag!! If you are only using paypal/google for payments then yes this is right but if you are not then the requirement for “single use” is pretty important
*you: *and that includes firewalls too right? do i have a dedicated
rfc1918 address space?
*you: *you can?
*you: *how do you satisfy the “single purpose” requirement?
*you: *where a server can not be a web & database server
*Paul: *we do not require a cluster for pcic
– I wasn’t asking about a cluster. This is a typical issue, the sales team is use to selling hosting of servers but does not understand PCI. I guess they have not had
– any PCI training (which you merchants & service providers are required to have annually)
*you: *you do not, but PCI requires that
*you: *pci has something somewhere that requires each server have a
single function
*you: *do you have any documentation? or details about what is included
in your PCI services?
*Paul: *I do not have a detailed outline, but I know these are the
standards we follow
– Another warning…PCI is documentation heavy, if they do not have documentation, have they really done all thats required?
*Paul:
*https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
*you: *yes i am familiar with that
*you: *our QSA has ingrained tht into us
*you: *i was just curious because some of your answers do not jibe with
what the PCI-DSS requires
*you: *ok i think i have enough for now; thank you for your time
*you: *Have a great night..oh one last question; where are your
data-centers located?
*Paul: *My pleasure, they are in <LOCATION>
*you: *any other geographic areas?
*Paul: *they are all located in <ONE LOCATION>
*you: *thank you have a great night
*you: *oh one other questoin
*you: *what technology do you use for your remote 2 factor auth & vpn
technology?
*you: *rsa/certificates/?
*Paul: *The only vendors I have info on at the moment are control scan,
security metrics, trustkeeper, and clone systems
*you: *so it’s not included w/the pci service?
*you: *it’s a 3rd party vendor we have to engage?
*Paul: *Send me an email to <SALES-EMAIL> and I will find out for sure
– Remember earlier they said it included all required services? Again, lack of documentation & training lead me to think they just do not know what the requirements are or what they are selling
*you: *ok thank you, have a great night/morning

One such example would be Amazon EC2.  In a recent discussion at amazonwebservices.com forum and slashdot.org users were discussing a desire to move to Amazon EC2 and maintain PCI compliance.  While not surprising, at least there was a concrete answer to were Amazon stands with regards to its role in its customer’s compliance.  In an email from Taimur Rashid, an account manager at Amazon Web Services, he states “We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.”

PCI requires all merchants maintain a written agreement between the merchant and service provider that outlines responsibility for cardholder data.  “Requirement 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Without this simple agreement, you cannot be compliant.

In addition to not allowing a written agreement, Amazon also will not allow on site audits required for Level 1 and now Level 2 merchants.  Cindy S from Amazon Web Services states “If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.”

Based on the 2 statements above, Amazon EC2/S3 is currently not capable of providing the level of service required for PCI compliance on any level.  If you are a merchant and require PCI compliance, avoid the cloud and find a reputable service provider which specializes in PCI compliance such as GSI, Rackspace or ZZ Servers.

InterWorx 4.0 is available now for all new installations. Existing InterWorx 3.0 installations should begin to be automatically updated within the next few weeks. It is recommended that ALL users upgrade their existing InterWorx installations when the update becomes available.

New Features & Improvements