What is the Shellshock Bash bug?

Posted by Nick Powell in News on September 26, 2014

By now you may have heard about a new bug found in the Bash shell.

This bug, nicknamed “Shellshock”, affects Bash (Bourne Again SHell), the Unix command shell that is installed on *Nix machines and happens to be one of the most common applications on those systems.

All of our managed dedicated, cloud and shared servers are already patched.


GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Let’s start with your computer. If you have a Linux system, open the Terminal and run this line of code:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word “vulnerable” as an answer, your system is, well… vulnerable.

Your Bash shell is simply running more code after a function (the “() { :;};” part), and that shouldn’t be happening. The function is the “allowed” code, while everything after it is where the potentially “malicious” code could be installed.


A server has to listen to requests. This means that by requesting almost any data and running malicious code, an attacker can infect any affected server, which is about 60 percent of web servers out on the internet, most routers (even your home router) and many consumer devices (including security cameras and “smart” appliances, which don’t seem so smart right about now). This is because smart appliances are a form of server.
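For web servers, the crafted value usually arrives in a request header that mod_cgi copies into the environment, so access logs are a practical place to look for probes. The following is an added example, not code from the original post: it scans Apache combined-format log lines for Referer or User-Agent values that begin like a Bash function definition. The sample log lines, IP addresses and the /cgi-bin/status path are constructed for illustration.

```python
import re

# Signature from the test command above: a value that starts like a Bash
# function definition, "() {". Extra whitespace is tolerated to be lenient.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# One quoted log field; Apache escapes embedded quotes as \" inside it.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Combined format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r"^(\S+) \S+ \S+ \[[^\]]+\] " + QUOTED + r" \d{3} \S+ " + QUOTED + " " + QUOTED + "$"
)

def find_shellshock_probes(lines):
    """Return (line_number, client_ip, field) for each header-derived field
    whose value begins with a function definition."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skipped, not flagged
        for field, value in (("referer", m.group(3)), ("user-agent", m.group(4))):
            if FUNC_PREFIX.match(value):
                hits.append((lineno, m.group(1), field))
    return hits

# Constructed sample input (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [26/Sep/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :;}; echo vulnerable" "curl/7.30.0"',
    # Mentions "() {" mid-string only: not a function definition, so not flagged.
    '192.0.2.44 - - [26/Sep/2014:10:02:00 +0000] "GET /docs HTTP/1.1" 200 900 "-" "Notes on () { syntax"',
]

if __name__ == "__main__":
    for lineno, ip, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent a function definition in {field}")
```

The default combined format records only the Referer and User-Agent headers, so probes carried in other headers will not show up unless the log format is extended.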


It’s simple to solve this problem. Many software developers have already issued patches and more are being released by the hour. Two of the most popular Linux distributions, Red Hat and Ubuntu, already have patches available. Updating a system takes almost no time. It’s a simple process and it’s a common task for most users.

Son of Magento Godzilla Server build

Posted by Nick Powell in From The NOC on September 5, 2014

We have just launched our biggest and best Magento cluster to date, nicknamed ‘Son of Godzilla’ in reference to our original Godzilla build here

This is our most powerful and condensed Magento cluster to date. We have nicknamed it ‘Son of Godzilla’. This beast lets rip with 100% Samsung Pro SSD RAID 10 storage and super-fast hex- and quad-core Intel CPUs.

This time we are using only 3U to deliver 28 CPU cores at 3.5 GHz each. Each server has 5 Samsung Pro drives in a RAID 10 config.
This solution can deliver a whopping maximum of up to 960GB of RAM (30 DIMM slots).
We have used the latest Dell 12th Gen servers (as we always do).

  • 28 CPU Cores-Intel® Xeon® 3.5GHz, 20M Cache, 8.0GT/s QPI, Turbo,
  • 128 Gb Ram 1600 MHz
  • RAID 10, 1GB NV Cache hardware raid card
  • Samsung 840 Pro RAID 10 array
  • 540MB/sec Sequential Read
  • 520MB/sec Sequential Write
  • 100000 IOPS Random Read
  • 90000 IOPS Random Write

We delivered the solution with a mixture of Apache, Varnish and Percona. All built on our tried and tested, highly secure and optimised Magebox platform.


New Data Floor Build

Posted by Nick Powell in From The NOC on August 26, 2014

We are pleased to announce that we have started work on our new data floor, adding extra capacity and resilience to our existing infrastructure. This will be a two part plan with a new build out of flooring, racks and power due for completion September 2014. These racks have been provisioned at the high specification of 16A per footprint, with dedicated N+N cooling and UPS systems.

This will add an extra 20 racks to our existing capacity and has represented a significant investment.
These new racks will be supported by Simple’s existing 24/7 on-site Network Operating Centre engineers, with a wide range of managed services and solutions available.

Phase two will bring a brand new highly resilient Juniper next generation network across our whole infrastructure with a totally new design built around speed and high availability.

Update August 19th 2014

Update August 28th 2014

Update September 5th 2014

We are pleased to announce the new data floor is now complete, with new customers already using the new racks!
Update October 13th 2014

Samsung 850 PRO SSD 256GB Review

Posted by Nick Powell in News on August 12, 2014

Despite being introduced a couple of years ago now, Samsung’s 840 PRO continues to find itself at the top of performance tree, with other manufacturers playing catch up. Samsung has now launched the 850 PRO, the replacement for the SSD 840 PRO.

The 850 PRO uses a new type of NAND. Typically, the focus of lowering the cost of NAND and therefore SSDs has been scaling down through process and die shrinks. This process carries with it issues to do with performance and endurance that manufacturers have had to deal with in their own ways.
Samsung’s answer to this is its new NAND, specifically 32 layer 3D V-NAND, which it claims is set to break through the density (and hence capacity) barriers that we’re starting to reach with current 2D/planar NAND.

The 850 PRO is class-leading in virtually every single benchmark, and the target audience of this drive will be particularly pleased with its improvements in write consistency, which is the main area where it could be said the SSD 840 PRO was lacking.
Benchmarks for the 256 are Read 550MB/s, Write 520MB/s, 100k/90k IOPS Max.

It’s not just performance that’s improved, as endurance and power consumption have also improved. The ten year warranty is awesome, as is the 150TB TBW limit that accompanies it, especially for the 128GB version. It’s much higher than what any other consumer SSD currently has, though it should be noted that the NAND will likely outlive 150TB TBW many times over.

It’s easily the best 2.5-inch SATA SSD available today. Samsung has delivered once again here and we are expecting our first deliveries at Simple towers imminently.

Insecure Nonce Generation in WPtouch

Posted by Nick in News on July 15, 2014

If you use the popular WPtouch plugin (5m+ downloads) on your WordPress site, you should update it immediately.

This was discovered yesterday. It’s a very dangerous vulnerability that could potentially allow a logged-in user with no administrative privileges (like a subscriber or an author) to upload PHP files to the target server. Someone with bad intentions could upload PHP backdoors or other malware and basically take over the site.

If you’re running WPtouch, then please update immediately!

This only applies to 3.x versions of WPtouch. Admins using 2.x and 1.x versions of the plugin will not be affected by this vulnerability.

Magento Go has gone

Posted by Nick Powell in Magento Hosting on July 3, 2014

Magento Go will close its doors on Feb. 1, 2015.

Magento, the e-commerce platform of eBay Inc.’s e-commerce division eBay Enterprise, will discontinue two of its products geared toward small and mid-sized e-retailers, Magento announced today. The Magento Go and ProStores platforms, which count 10,000 merchants as clients, will have the plug pulled on Feb. 1, 2015.

Magento will continue to offer the Enterprise and Community editions of its e-commerce platform, which are geared toward larger e-retailers. Craig Peasley, Magento’s senior director of marketing, says e-retailers that are growing fast and looking for more customization in the platform could consider either of those options. Help is at hand for existing Magento Go customers as Simple Servers will carry out migrations from Go to Community.

In an interview, Magento marketing head Craig Peasley said the company is making these cuts to focus on the two Magento e-commerce software products: Magento Enterprise and Community Edition offerings. Magento previously cut dozens of employees as it realigned its focus. Peasley said the company does not expect further layoffs related to the shutdown of the business.


Dell Poweredge R220 review

Posted by Nick Powell in News on June 2, 2014

We have used the Dell R200, R210 and R210 II, so we were looking forward to getting our hands on the R220.

Externally nothing much has changed. You get a slightly different status display and a grey bezel that matches the other next gen Dell Poweredge servers.

The R210 II was based on the Ivy Bridge architecture and the R220 is based on Haswell, the codename for the Intel processor microarchitecture that is the successor to Ivy Bridge.

Most Haswell products are branded as 4th Generation Intel® Core™ Processors for client systems, and Intel® Xeon® v3 Processors for server systems, in addition to some Pentium and Celeron-branded processors. Haswell is built on the 22-nm manufacturing process (lithography). Intel officially announced processors with this microarchitecture in 2013. Haswell delivers significant performance advancements over previous architectures, including improved graphics, battery life, and security.

The Intel® Xeon® processor E3-1200 v3 family features 33 percent more cache per core. This helps improve response times with up to 32GB of memory in four DIMM slots and boosts data-transfer speeds with latest-generation PCIe Gen3 I/O.

We also see a new raid controller, the PERC H310, this replaces the old PERC H210. The R220 is no enterprise player thanks to the lack of redundant power and hot swap drives but represents a good mix of cost vs performance.

Magento Community Edition 1.9 Released

Posted by Nick Powell in News on May 14, 2014

Magento have announced the latest release of Magento Community Edition 1.9 today.
This latest release, which is available for download as of now, includes major improvements and represents a great step forward. The big news is that the default theme in Magento has been replaced with a fully responsive theme, reducing the time and expense required to make a Magento site responsive.

Magento Community 1.9 also includes the PHP 5.4 patch to make sure that your Magento site will run well under PHP 5.4, and our initial testing shows that this patch also allows Magento to operate under PHP 5.5, which brings some nice performance gains. The Simple dev team will continue to test this and update their findings on our blog.

PayPal integration has been overhauled in Magento Community 1.9, with an eye on conversions optimisation by streamlining the PayPal Express Checkout process and adding support for Bill Me Later.

There are also a large number of security enhancements and fixes, including closing potential cross-site scripting (XSS) vulnerabilities, improving file system security and addressing a potential session fixation vulnerability during checkout.

This latest update to Magento Community means that after upgrading, your site will be more secure and should experience higher conversion rates thanks to the improvements to the payment options.
See the official Magento release

Samsung launches enterprise 3-bit SSD drives

Posted by Nick Powell in News on May 1, 2014

Samsung Electronics said today that it has begun mass producing the industry’s first high-performance, three-bit NAND-based SSD for servers and data centers. Installations of the 3-bit MLC (multi-level-cell) NAND SSDs, initially in large-scale data centers, are expected to begin in the next few months.

The new PM853T SSD, available in 240GB, 480GB and 960GB capacities, claims high levels of random IOPS, performance and quality of service. The new drive promises a sequential read speed of 530 megabytes per second, while writing sequentially at 420MB/s. It also will read data randomly at 90,000 IOPS and handle sustained random writes at 14,000 IOPS, through a SATA 6Gb/sec interface.

The big advantage of 3-bit MLC is a lower cost per bit. Samsung says the new drives deliver a 30 percent increase in manufacturing efficiency compared to SSDs that use 2-bit NAND flash components.

Samsung’s first 3-bit NAND-based 840 EVO SSD, introduced in 2012, has been successful and powers many of our existing customers. We will be running a test install soon!

Heartbleed bug in OpenSSL made public

Posted by Nick Powell in News on April 8, 2014


UPDATE  10th April 2014

We are aiming to have all managed and shared customers secured by the end of business today. We have seen issues with Litespeed needing a separate fix; this is now resolved.


Administrators should patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.

The flaw, called “Heartbleed,” is contained in several versions of OpenSSL. Most websites use either SSL or TLS.

The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.

If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected.

“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the researchers wrote.

The bug was discovered by three researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google.

Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2, they wrote.

OpenSSL also underpins two of the most widely used Web servers, Apache and nginx. The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances, they wrote.

The problem, CVE-2014-0160, is a missing bounds check in the handling of the TLS heartbeat extension, which can then be used to view 64K of memory on a connected server, according to another advisory.
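The bounds check in question can be shown on the heartbeat message layout from RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). This is an added example, not OpenSSL's code or anything from the original post; the function names are hypothetical and the sample messages are constructed.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

def unchecked_overread(record: bytes) -> int:
    """Bytes past the end of the received record that a handler would copy
    if it trusted the sender's payload_length (the missing check)."""
    _, claimed = struct.unpack_from("!BH", record, 0)
    return max(0, HEADER_LEN + claimed - len(record))

def build_response_checked(record: bytes):
    """Echo the payload only if the claimed length fits inside the record;
    otherwise return None (the message is silently discarded)."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None                       # too short to be a valid heartbeat
    hb_type, claimed = struct.unpack_from("!BH", record, 0)
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None                       # claimed length exceeds what was sent
    payload = record[HEADER_LEN:HEADER_LEN + claimed]
    # Zero padding keeps this example deterministic; the RFC calls for random padding.
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + bytes(MIN_PADDING)

# Constructed sample messages: same 4-byte payload, different claimed lengths.
HONEST = struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(MIN_PADDING)
INFLATED = struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"ping" + bytes(MIN_PADDING)

if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("inflated", INFLATED)):
        resp = build_response_checked(rec)
        print(name, "over-read without check:", unchecked_overread(rec),
              "| checked handler:", "reply" if resp else "discard")
```

With the largest claimed length, the unchecked copy would run roughly 64K past the record, which is the memory exposure the advisory describes.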

It allows attackers to obtain the private keys used to encrypt traffic. With those keys, it is also possible for attackers to decrypt traffic they’ve collected in the past.

Attacks using the flaw “leaves no traces of anything abnormal happening to the logs,” .

Also see http://heartbleed.com/

Simple Servers administrators are actively applying this patch on shared and managed servers as a priority.



2014 © SimpleServers Ltd | Vat No. 974629277 | Company No. 06813119 Terms and Conditions| Part of the Tier9 Group
