I've used Bluehost as my client testing server for a while, and I have a few GetSimple sites in development on there now. I logged into one today and noticed a bit of jquery code at the very top of every page in the admin. Here's what part of the source code is showing, which is apparently the cause (note that I had to edit out some of the source code so as not to go over the limit of allowed links in a post):
Code:
<script>
// check to see if core update is needed
jQuery(document).ready(function() {
var obj = jQuery.parseJSON('<!DOCTYPE html>
<html lang="en">
<head>
<title>Access Restricted</title>
...
<style type="text/css">
body, html {
display: block;
position: relative;
margin: 0;
padding: 0;
width: 100%;
height: 100%;
overflow: hidden;
}
iframe {
display: block;
position: relative;
margin: 0;
padding: 0;
width: 100%;
height: 100%;
}
</style>
</head>
<body>
<iframe frameborder="0" width="100%" height="100%" src="http://anti-virus.cloudflare.com/cdn-cgi/anti-virus-challenge?h=6765742d73696d706c652e696e666f2c6765742d73696d706c652e696e666f2c3137373036332c31373934343234&x=978ceedb4ef9a5dc84aba72cb2ec71a3"></iframe>
<script type="text/javascript">
(function(w, d) {
w.refresh = function() { w.location.href = '/api/start/v3.php?v=3.1.2'; };
})(window, window.document);
</script>
</body>
</html>');
...
</script>
So that iframe src url displays a page from CloudFlare warning me that my computer may be compromised by a virus. I've seen on the forums that GetSimple's website is getting some help from CloudFlare, but why are my Bluehost sites doing this, but no others are? Is Bluehost flagged as a bad hosting provider?
Thanks,
Addison
I'm going to do some research and see if I can find some information as to why that would show up. Even though it could just be a CloudFlare false positive.
Also check all of your websites for injected/hacked iframes.
However, keep in mind that.
1. BlueHost is shared hosting, meaning that that there are 1000+ sites on that server. If a single one of those sites gets hacked and starts doing nasty things, it can affect every site on the server.
2. BlueHost is a lousy hosting provider. "unlimited" doesn't exist... find me an unlimited hard drive at the store, I'll personally put it in one of my servers and provide you unlimited hosting for an unlimited time at an unlimited price... see where I'm going with this? also keep in mind that BlueHost is owned by Endurance International Group, who has a poor reputation and owns ~40 other companies, including HostMonster, JustHost, Fatcow, iPage.
shovenose Wrote:I'm going to do some research and see if I can find some information as to why that would show up. Even though it could just be a CloudFlare false positive.
Also check all of your websites for injected/hacked iframes.
However, keep in mind that.
1. BlueHost is shared hosting, meaning that that there are 1000+ sites on that server. If a single one of those sites gets hacked and starts doing nasty things, it can affect every site on the server.
2. BlueHost is a lousy hosting provider. "unlimited" doesn't exist... find me an unlimited hard drive at the store, I'll personally put it in one of my servers and provide you unlimited hosting for an unlimited time at an unlimited price... see where I'm going with this? also keep in mind that BlueHost is owned by Endurance International Group, who has a poor reputation and owns ~40 other companies, including HostMonster, JustHost, Fatcow, iPage.
Well, even if it is supposed to show up, it's not implementing correctly, is it? All I get is a stray code snippet at the top of each page in the admin...
I spent 3-4 hours yesterday combing through my server files and ultimately deleting a lot of things trying to find the culprit -- I'm down to the root files and a brand new GetSimple installation in a sub-directory. I still get the stray code snippet. I'll keep checking.
So this is now a built-in behavior for GetSimple? It appears to be happening when GetSimple calls home to check for updates.
Thanks for your help,
Addison
Well I've been unable to find anything about the issue and I've never seen it.
What settings do you have enabled in the Performance tab of CloudFlare.com?
Sorry -- I don't use CloudFlare for anything. I had never heard of it until now. The extraneous code just popped up yesterday...
GetSimple uses CloudFlare on our site to provide some enhanced security and such..
However it is not in the core of GetSimple just on our website.
I would say your problem is within the host not with GetSimple.
JWH_Matthew Wrote:GetSimple uses CloudFlare on our site to provide some enhanced security and such..
However it is not in the core of GetSimple just on our website.
I would say your problem is within the host not with GetSimple.
So there's a problem on my Bluehost server account that's triggering the CloudFlare anti-virus when GetSimple checks the api url for and update? I understand that it's shared hosting and the problem could potentially be coming from anywhere, but I've wiped my account clean and reinstalled -- same stray code remains.
Just seems odd...
I believe you can disable communications between our sites and see if that fixes it. I'm just not sure where to disable the remote update stuff.
This output is fixed in SVN.
We used to do version check json parsing locally, they are now done on the server.
This will prevent json responses from being parsed locally but I wonder why they are failing to begin with on the server.
Heres the fix.
http://code.google.com/p/get-simple-cms/...header.php
As for the actual issue.
Someone needs to figure out why cloudflare is messing with api results, thats the real problem.
What does health status say ?
Does somebody here have a Bluehost account to test on? I mean, I'm glad if nobody does, they suck, but it would come in handy to check with!
No but we can maybe write a test file to put on their server and it will dump the output for us to read.
Only thing i can think of unless someone else sees this issue.
I'm going to contact Bluehost and see if they will help. Even though knowing EIG they won't
I am going to guess that cloudflare is detecting that incoming requests from that host or specific server is blacklisted.
If this is the case then the health check version check should also be failing.
As well as plugin lookups.
The api should not have antivirus patterns or specifically bot checks running on it, as its supposed to be serving computers not humans.
Perhaps the api can be excluded from cloudflares security.
I don't understand how the system works as I'm a fairly recent addition to the team; maybe you could explain.
Does GetSimple phone home to our website get-simple.info or what?
thanks
Thanks to everyone for checking this out. I'll see if I can get the patch posted to my Bluehost account this afternoon... I'll try to provide you with whatever info you need.
So I've updated admin > header.php with shawn_a's fixed version, and here's the header js output upon attempting installation:
Code:
<script>
// check to see if core update is needed
jQuery(document).ready(function() {
var verstatus = ;
if(verstatus != 1) {
$('a.support').parent('li').append('<span class="warning">!</span>');
$('a.support').attr('href', 'health-check.php');
}
});
</script>
The stray code is gone, but the version cannot be detected. I've attached a screenshot. I'll continue with installation and try to do a health check...
Everything installed just fine, and everything checks out on health check EXCEPT for not being able to do a version check (see attachment). Here's the header js from the health check page:
Code:
<script>
// check to see if core update is needed
jQuery(document).ready(function() {
var verstatus = ;
if(verstatus != 1) {
$('a.support').parent('li').append('<span class="warning">!</span>');
$('a.support').attr('href', 'health-check.php');
}
});
</script>
And this is all from my Bluehost account. Let me know if you'd like me to check anything else...
yup thats what i expected it to do.
The version check api is still failing cause of overzealous security on our part.
But at least it doesn't inject stuff locally now.
shawn_a Wrote:yup thats what i expected it to do.
The version check api is still failing cause of overzealous security on our part.
But at least it doesn't inject stuff locally now.
Thanks, Shawn -- let me know if you need me to do anything else.
Glad it helps, hopefully chriss or shoven can talk with cloudflare and find out why your host is a problem.
Maybe they can get the api excluded or something.
Afaik, no one else is having this issue.
Anyone looking into this or not ?
I called BlueHost they're checking if the IP of the shared server has been blacklisted.
Update: they don't know. They checked the IP of the server, it's not blacklisted and there are no known issues with that server.
So I have no clue what's going on.
I can provide you a free hosting account for a month to check if the issue goes away, would you like to try that?
shovenose Wrote:Update: they don't know. They checked the IP of the server, it's not blacklisted and there are no known issues with that server.
So I have no clue what's going on.
I can provide you a free hosting account for a month to check if the issue goes away, would you like to try that?
Thanks, shovenose -- I appreciate the offer, but I'm ok. Since I'm really only using Bluehost for testing, I'm not all that worried about it, at least now that I know that I really haven't been hacked. I've tried to check all of my other GetSimple installations on other servers and all seems well. Weird stuff just happens sometimes, especially in this business!