We have come across cases that some of the users uploaded the php scripts for the website, which write in older version of php, not secure, and exploitable to be execute by "nobody" user. To prevent server attack from vulnerabilities, we have strengthen the security layer and upgrade the server to run in SuPHP mode on yesterday midnight (8/9/2009).

What is SuPHP?

It runs all PHP scripts as the user in whose account they reside - rather than running all scripts as user "nobody". It also prevents scripts that have insecure permissions from running.

What problem with regular PHP, and how SuPHP benefits over?

1. SuPHP does not allow files/folders to run where they have group and world write permissions; only the account owner can write to files/folders. This forces all users to ensure that their files/folders have correct permissions and prevents hackers uploading malicious content into vulnerable folders.
2. SuPHP allows all PHP scripts to be run under the user account ownership, instead of running under the "nobody" user. This is particularly helpful in tracking down scripts which send out SPAM as the "nobody" user.

Regular PHP installation on a web server runs as the user nobody and it doesn't require the execute flag to be enabled. The problem with regular PHP installation is that if mod_openbasedir is not installed, every user on the server will be able to read your php files because practically everyone shares the same username (nobody).
PHP Files are not meant to be read, but parsed, otherwise everyone who is able to read your php file will able to view settings that you would want to keep private, such as your MySQL username and password.

SuPHP fixes this issue because it requires PHP scripts to be executed with the permissions of their owners. SuPHP also fixes common file ownership issues that mostly occur with few Content Management Systems such as Joomla and also on the popular blog software: WordPress.

Is SuPHP will have any affect on my website?

Most PHP scripts will run well within a SuPHP environment.
However, some older not well-maintained scripts that rely on insecure permissions (like 777) may experience issues in a SuPHP environment.

 - .htacccess

SuPHP is not reading .htaccess, it does not support the php_value/php_admin_value directive known by mod_php to parse configuration options to scripts for certain virtual hosts or directories. All the php_flags in your .htaccess will have to be moved to php.ini, which you will have to create in your public_html directory.

For example, you might have a value as "php_flag register_globals on" in your .htacess file, you will need to move it as "register_globals=on" into your php.ini file.
You will have to move every command on .htaccess that starts with php_flag. into  php.ini file.

- File permission of 777

Directories that require writable permissions will no longer require 777 as permissions and SuPHP will refuse to write or read on directories exposed with such permissions, make sure you chmod them to 755.

The highest level of permissions that a user can use on a SuPHP enabled server is 755. This permission setting is sufficient enough for any directories/files that need to be written to.

My Website shown: Troubleshooting Internal Server Errors (Error 500):

You may move the command in .htacess to php.ini file under your public_html folder, you may create it if its not exist. Check your folder permission, the highest level of permissions that a user can use on a SuPHP enabled server is 755.

Many of our customers set their email accounts to forward a copy of the incoming email to the free email service providers. If the email account receives lot of incoming mail and forwards to the free email service providers, they might treat this as an attack or SPAM sending and consequently block us from sending email to their email accounts

In order to secure our mail server, we decided to disallow customers from forwarding their email to the email service providers. If you have any of your user email accounts forward any incoming email to any free email service providers, please request them to remove the email forwarding.

We thank you for your kind cooperation and tolerance.

As part of our ongoing commitment to security, we are continually reviewing security measures to protect your website and email. Most of these changes happen behind the scenes and do not require any action on your behalf.

You will need to make the changes to your mail software settings. If you do not make the changes you may be unable to send mail.

Please read below to see if you will be required to make any changes. If you are required to make any changes, step-by-step instructions are provided on how to make the changes.

•  Microsoft Outlook
•  Microsoft Outlook Express
• Apple Mail
• Netscape 7.1
• Eudora (for Windows)

3 December 2007 - part of Klang Valley
5 December 2007 - Klang Valley
7 December 2007 - all states in Malaysia Please click here to read more.

Are you affected? You will be affected if you are using TM's dynamic IP address.

Solution 1

For those who hosted their mail server with us, please refer to the below Tutorial Movie for How to change Port 26 for your Outgoing (SMTP) server:

•  Microsoft Outlook Express
•  Microsoft Outlook

Solution 2

Change to use alternative ISP such as Maxis, Jaring, TimeNet, NTT etc.

Solution 3

Upgrade your TM-Net ISP from dynamic IP address to dedicated IP address.