Heartbleed 0-day OpenSSL security bug
On Monday, April 7th, 2014, a critical bug in OpenSSL was discovered which allows attackers to read memory information from servers with OpenSSL installed. As many of InMotion servers run OpenSSL, our system administrators have diligently patched the exploit on all affected systems.
Update: Mashable has released a list of possibly compromised sites that you will need to change your passwords to due to the Heartbleed exploit which includes Facebook, Google, and Yahoo. Even if the site is not listed here, it is always a great idea to change your password to be absolutely sure that your account has not been compromised. This is especially true of smaller websites as they may not have placed the fix as quickly as others have.
We now have a more in-depth guide that covers how to check for the OpenSSL Heartbleed bug as well.
What is the Heartbleed bug?
The Heartbleed bug takes advantage of a bug in OpenSSL which allows any normal user to read information stored in memory without any additional privileges on the server. This means that information such as usernames, passwords, SSL keys, emails, and other critical information is able to be read directly from the server without additional access.
How do I know if I am vulnerable?
OpenSSL versions 1.0.1 through 1.0.1f are vulnerable to attack. If you are currently running one of these versions of OpenSSL, you are vulnerable. We have, however, already patched our servers to ensure your security.
How do I protect myself from the Heartbleed bug?
The good news is, that if you are in InMotion Hosting customer, we have already patched it for you so that the server that houses your account cannot be exploited. If you are not hosted with us, we still want to help. To fix the issue, simply upgrade OpenSSL to the newest version available. Most Linux distributions such as CentOS and Debian have already pushed the update to their repositories.
How do I know if I have already been affected?
Unfortunately, due to the nature of this exploit, there is not a way to identify if you have been attacked. If you think you may have been attacked, we recommend that you update your SSL keys and passwords to ensure your security; not only within your hosting account, but on social media accounts like Facebook or Twitter, email accounts, and bank accounts.