Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting? 168
An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump a head to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to old server. I'm now moving off this web host all together. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
Do nothing (Score:5, Insightful)
Re:Do nothing (Score:5, Insightful)
You might want to tell them why you're moving to a new host. Explain that their security is insufficient for your needs which is why you're moving. You don't have to give them more detail than that.
Re:Do nothing (Score:5, Informative)
Re:Do nothing (Score:5, Interesting)
I always wondered why no one has tried a 2nd amendment challenge to those laws. The US officially recognizes 'cyberwarfare' so these "hacking tools" can now be classified as arms in digital warfare.
Re:Do nothing (Score:5, Insightful)
So rather than be dealt with as a civilian, you would prefer to be 'unlawfully engaged in warfare against another state'?
I don't think that would be an improvement...
Re: (Score:2)
'unlawfully engaged in warfare against another state'
a) Possession & use of arms does not constitute warfare against another state unless you are using them against another state
b) The use of such a challenge would likely have to be from a US citizen with regards to a case that happened within the US.
c) It was an 'I wonder' - like I know shit about US constitutional law.
Re: (Score:2)
If you wanted to regard a script as "arms" then running a script is equivalent to firing a gun. The 2nd amendment only protects owning and carrying weapons, not firing them. Firing them is illegal in pretty much every city in the US (with narrow exceptions). And the original poster admitted running the script.
Re: (Score:2)
True, but he doesn't have to admit that when he reports it. 5th amendment and all.
Re: (Score:2)
LOL - the poor US, they'll never live that one down.
Re: (Score:2)
I always wondered why no one has tried a 2nd amendment challenge to those laws. The US officially recognizes 'cyberwarfare' so these "hacking tools" can now be classified as arms in digital warfare.
The Second Amendment "Right to Bear Arms" might be applied profitably to unconventional weapons such as software, sure.
The Second Amendment does not specify the conditions for the legal use of such arms. The legality of the use of legally owned weapons is something determined on a case-by-case state-by-state basis in local courts, and I think the issue is whether the OP's use of security scripts would be determined to be legal.
Re: (Score:2)
Ahh, but that's the interesting part - the law in question prohibits the possession of such software if I'm not mistaken.
By admitting the possession and it's theoretical capabilities you do not have to admit that it's ever been used.... it's just a random musing though.
Re:Do nothing (Score:5, Interesting)
OK I'll post his "test script": /home/*
ls -al
huge surprise, most shared hosts run suphp with 755 on all directories inside of ~/public_html/.
COME AT ME HOSTGATOR
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not a bad idea. He could even make it clear he had everyone's password and user name by encrypting each user name with their password after doing about 5 seconds worth of serial SHA-1 hashes on each.
Re: (Score:2)
In such an environment the only responsible thing to do is anonymous posting to something like the Full Disclosure mailing list.
Re: (Score:2)
Re: (Score:2)
The question is if the new host will be better. Make sure to not limit the price in an unreasonable way.
Which entry-level VPS provider? (Score:2)
Also, why is anyone still using shared hosting? Places charge the same for VM's now.
Go Daddy charges more for a VPS than for its bargain basement PHP-only shared hosting package. As for "so just don't use Go Daddy", I thought a VPS was more expensive in general because a VPS needs its own IPv4 address, and we've run out of those. Which VPS provider do you recommend?
Re: (Score:3, Interesting)
I've been using Linode for the last 8 months or so, and have been pretty happy with it.
$20 per month gets you 1 static ip address, 512 MB of ram, 20 GB of disk space, 200 GB of upload bandwidth, unlimited download bandwidth, and up to 4 cpu cores.
Re:Which entry-level VPS provider? (Score:5, Interesting)
I've been using Linode for the last 8 months or so, and have been pretty happy with it.
$20 per month gets you 1 static ip address, 512 MB of ram, 20 GB of disk space, 200 GB of upload bandwidth, unlimited download bandwidth, and up to 4 cpu cores.
If you don't need much bandwidth or CPU, check out an Amazon Micro instances. If you buy a reserved instance, a Micro instance ends up costing around $7/month plus $0.10/GB for disk and $0.10/GB for outbound bandwidth.
They are cheap enough to run multiple instances - I have my public website on one instance and use the other one for my mail server, and other things I don't want on the public server giving me complete separation between the two. If the webserver ever gets hacked, I can just restore it from an S3 snapshot. I had started looking at chroot'ing Apache or running it in a VM for better isolation, but spinning up a second micro instance was much easier.
If you need to use significant CPU, a micro instance is probably not going to be a good choice, as I've heard that Amazon throttles back CPU to Micro instances that use a lot of sustained CPU. But it runs my PHP based photo gallery software pretty well (shared only to family/friends, so it's not super busy).
The bandwidth costs could get expensive quickly at 10 cents/GB if you have a busy website. I run a script that checks my bandwidth utilization and if I hit more than 10GB in one day it shuts down Apache and notifies me so I don't end up with a huge bandwidth bill if my site ever slashdotted.
Even with multiple S3 snapshots, my total hosting bill is always less than $20/month, less than I was paying for a single VPS server (that was having performance issues due to being oversubscribed so heavily by the ISP)
Re: (Score:2)
They make that as complex and undecipherable as possible. I want it capped at a maximum amount preferably with a warning and a request to authorize more. I would really like them to translate that in to a language spoken casually somewhere on the planet.
I get the features I need at my current service and I don't have to play Russian roulette with my finances. So far the service I use works without issue.
Re: (Score:2)
Host the static images from S3. You might be able to save on bandwidth that way.
Note that I've just started working with AWS, and I haven't double checked that S3 bandwidth is cheaper than E2 bandwidth.
Re: (Score:2)
Note that I've just started working with AWS, and I haven't double checked that S3 bandwidth is cheaper than E2 bandwidth.
The pricing rules aren't the same for the two services. IIRC, one charges by the GB and the other by the "million GET requests" (or something like that). Converting requires knowledge of your average data sizes.
Re: (Score:2)
Thanks. I'm still serving all content from EC2 myself!
Re: (Score:2)
Did the hackers get access to the bitcoin VM by hacking in through XenServer/VMWare?
Because if they didn't, then it has nothing to do with Linode. Linode's only responsibility is to secure the hypervisor. The security of your VM is your problem.
Re: (Score:3)
http://status.linode.com/2012/03/manager-security-incident.html [linode.com]
ok.. apparently it was their fault
Re: (Score:2)
I pay $72 for 3 years for my shared host for my small business. I might upgrade to $180 per 3 / yr for a high service account. The cheapest I've seen is $360 for a low service low bandwidth VPS.
Re: (Score:3)
I have several 512mb vps I run several services on, which cost me a whopping $6/mo. The services are non-critical, and if not for this price-point, would not be running on a vps. I was having a problem with one of them where the vps os would randomly reboot itself. I asked the vendor to check the vps host to make sure there wasn't something amiss. They claimed there wasn't, and I could find nothing amiss on the Debian slice OS. I finally came to the realization that since these vps are OpenVZ, it was likel
Re: (Score:2)
Viewers have to have IPv6 too (Score:2)
Wasn't the point of IPV6 to replace IPV4? Give the VPS an IPV6 address. (visibility problems are its problems)
If you're expecting to host a web site on this sort of VPS, you won't be able to reach viewers behind IPv4-only home ISPs or using IPv4-only customer premise equipment. Or do you expect home IPv6 to be widely deployed before April 2014, when Windows XP reaches its announced end of life?
Re: (Score:2)
IE for XP does not support SNI (Score:3)
A good hosting company would have a smart load balancer or somesuch at the gateway that could route internally to whatever based on hostname.
You can't route HTTPS based on hostname until Internet Explorer for Windows XP reaches its end of life in 18 more months. If multiple sites are hosted on port 443 of a given IP address, IE for XP can't see the certificate for any site other than the first because IE for XP doesn't support SNI [wikipedia.org]. To me, at least, getting a dedicated IPv4 address on which to run HTTPS is one of the main reasons to upgrade from shared hosting to a VPS, especially for web site administrators who are concerned about security. Beca
Re: (Score:3)
"why is anyone still using shared hosting?"
Because people with no knowledge they can set up a web site on shared hosting. Some of them will even set up a shop for you, you do not need any knowledge... ... you especially do not need the knowledge to set up and run a script to get the details of all the other users. If you do that you will realise how overloaded the server is and why you SQL queries time out all the time.
Re: (Score:2)
Or because shared hosting is a lot cheaper and is good enough for many purposes. I use shared hosting for a website that basically acts like a poor-man's Akamai cache of photographs for my real website. For $9 a month, it makes my home DSL connection fast enough to host my photo server, because I only have to push each photo out over the slow link exactly once.
Why would I pay more for a VPS when there's no content on the site that isn't publicly available and no databases to protect?
Re: (Score:2)
You pay how much???
http://www.cinfu.com/ [cinfu.com]
Re: (Score:2)
I originally tried a shared hosting plan that was down around that price point. It was a horrific experience involving a massively overloaded server that periodically stopped serving traffic for a half a minute at a time. I'd rather pay a little more for a reliable server with a reliably fast connection, shared or not.
Re: (Score:2)
nonsense, there are plenty of bargin shared hosting companies that are great even for people with knowledge. For $7/month (with static IP address, $4 a month if you don't need that), I'm on a server where the load average is 5%, I can ssh to my account, I can run ruby, perl, python scripts and have cron jobs. Great for personal domain at a remote location from home.
Re: (Score:2)
Because with shared hosting, keeping on top of OS updates is Somebody Else's Problem.
Re:Do nothing (Score:4, Insightful)
Which is great, until you find out the Somebody Else regards it as Not His Problem.
Re: (Score:2)
Odd. With my dedicated server, keeping on top of OS updates is Somebody Else's Problem too. They have WSUS servers, yum repositories, and all that good stuff sitting in the DC so updates can be automated at no extra cost.
Is this unusual?
Did you read your license agreement? (Score:2)
Re: (Score:2)
Services don't have license agreements. They're Terms of Service, and very rarely do you actually see them without going to an effort (usually there's a box saying "I agree to the terms of the MSA" or similar and you're supposed to go dig for the document referenced).
Switching Host is best. (Score:2)
Don't reward bad behavior. (Score:2)
This rule applies to a lot more than just hosting!
What you tolerate, you get more of. Your tolerance is an implicit endorsement of it.
If you reward the good, and punish the bad, you always get more good than bad.
Very few people have the experience/wisdom/gumption to see this however.
Responsible Disclosure (Score:4, Informative)
Tell the webhost they have XYZ days to fix the problem before you publish the exploit.
https://forms.us-cert.gov/report/ [us-cert.gov] is also a good place to report exploits.
But if you're shy, I'd also consider forwarding the details to a reputable security research company,
so that maybe they can alert others with misconfigured systems and CERT.
Re:Responsible Disclosure (Score:5, Informative)
Tell the webhost they have XYZ days to fix the problem before you publish the exploit.
If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report, listing you as the offender, with possible criminal charges, for you hacking their service.
Their lawyers may also send you a cease-and-decist letter, warning that you will be sued if you publish the information.
Re:Responsible Disclosure (Score:4, Interesting)
Tell the webhost they have XYZ days to fix the problem before you publish the exploit.
If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report,
listing you as the offender, with possible criminal charges, for you hacking their service.
Their lawyers may also send you a cease-and-decist letter, warning that you will be sued if you publish the information.
I keep seeing these shills on this thread telling people to "do nothing, or ELSE!"... WTF? Why tell people this? (hint: citations needed) Is there some huge list of all the security experts rotting in prison for disclosing Windows/Flash/Android exploits that I'm not aware of?
Why not call the police yourself as a CYA preemptive strike to go along with your "full disclosure notice?"
Police non-emergency operator: "How can I help you?" /. told me if I exposed the flaw you would arrest me for hacking."
You: "I'm calling to report a security breach with my ISP/host/whatever."
Police non-emergency operator: "What do you mean?"
You: "Well I've discovered an exploit that would allow hackers to compromise my computer servers."
Police non-emergency operator: "What would like us to do about it?"
You: "I just needed to file a report, because I want to notify the service provider as well as make a public disclosure."
Police non-emergency operator: "Ok, but why did you need to let us know?"
You: "Because a bunch of assholes on
Police non-emergency operator: "ROFLCOPTER"
Re: (Score:2)
I keep seeing these shills on this thread telling people to
You are posting complete nonsense, in the total bogus claim that there might be "shills" in the discussion. It would seem you are so incompetent in supporting your own arguments, that you think the only way to do so, is to try to project your own character deficiencies on other people.
Is there some huge list of all the security experts rotting in prison for disclosing Windows/Flash/Android exploits that I'm not aware of?
Professional Security
Re: (Score:2)
1. Obviously the concerned /.er should wait until his business relationship with that company is ended.
2. A cease and desist letter means fuck all.
It's a statement of intent, designed to intimidate, and should be treated with all the respect that type of behavior deserves.
The threat of C&D letters are a big part of the reason that so many advocate full disclosure.
3. It isn't likely that a C&D would be granted by a court. Many have made the threat, but few go through the courthouse doors, because it
Re: (Score:2)
The webhost can go fuck itself if they refuse to respond in a responsible fashion.
They already refused to respond in a responsible fashion, by patching the issue on one system, and leaving other servers vulnerable to the same thing, according to the OP. This creates risk for both the users, and the webhost. The webhost itself might be subject to lawsuits for their negligence, if the situation were discovered
It's a statement of intent, designed to intimidate, and should be treated with all the respe
Re: (Score:2)
Or if you have shell access and/or the ability to run scripts on the server, fix it yourself with chmod. It doesn't really matter if other users can see your home directory. What matters is whether they can see what's inside your home directory, and those permissions are under your account's control.
Unless, of course, this is Windows shared hosting, in which case the correct answer is "Don't do that." :-D
Re: (Score:2)
Security and shared hosting don't mix (Score:5, Informative)
You have no idea what idiotic web applications people are running. You should ASSUME that any shared host is compromised. Don't store any unencrypted data there which is at all sensitive. Given the low cost of renting a virtual or physical host machine these days it seems there's little reason to bother with shared hosting (yes, it is cheaper, but honestly the cost of an AWS micro instance is pretty low).
The real problem is bulk shared hosting facilities just can't afford to tinker. There are often 100 or more accounts on a server, sometimes even 1000's. One stupid tweak to fix a security hole can break a LOT of scripts. These places will always prefer to just set up servers and not EVER patch them.
The ultimate observation is just that driving the cost of hosting down to $2.99 a month means doing absolutely nothing beyond what is absolutely needed to make it work. You get what you pay for.
Re: (Score:2)
You have no idea what idiotic web applications people are running.
You're wrong. I do: It's PHP... The rest of your comment is spot on though.
Re: (Score:2)
LOL, yeah, its probably some old version with known insecure settings configured globally.
Re: (Score:2)
Given the low cost of renting a virtual or physical host machine these days it seems there's little reason to bother with shared hosting
About the only reason I can see is if that is literally the only thing you need: A single small and simple website where every file is public.
If every last html and image file is available through the web-server, then it's not exactly a big security risk for others to directly access the files instead of getting them through the web server.
This only holds true if everything should be public of course.
A single hidden URL or private section (or any form of restriction or control at all) would render this pla
Re: (Score:2)
That is exactly it. They get 2.99 from you in a month. If a reasonably competent admin reads an email from you, they have burned up most of the month's profit immediately.
At $10 per month, he can afford to read it, but actually doing anything about it burns up the month's take.
Public shaming is all you need (Score:2)
If you really want to help those other customers, all you have to do is tell us the name of the company, and let the bad publicity take care of the rest.
Re:Public shaming is all you need (Score:4, Informative)
Re: (Score:2)
I realise that IANAA (I am not an American) but in most of this world the company only has a case if what you say is false.
Re: (Score:2)
It's also true in the USA, but you can still be ruined by the legal fees required to mount the defense in the first place. It can be difficult or impossible to get legal fees paid by the opposing side in the event you successfully defend yourself from a suit unless you have proof the lawsuit was malicious.
Re: (Score:2)
You are talking about libel. It is the same in the US. However you still be hit with attempting to break the security of the system and privacy and all related laws.
Re: (Score:2)
That's true in America as well, but to get there you'll have to pay a lawyer several thousand dollars and take a few days off work. By the time you successfully defend against a lawsuit, you have already been punished.
Use your hack for something good... (Score:2, Interesting)
and try to find the mail addresses of the users and alert them of the security problems. If many of them leave, maybe the hoster feels it's time to act.
Try responsible disclosure (Score:5, Informative)
Contact them to agree a timeframe to patch.
Be careful! (Score:5, Informative)
Re: (Score:2)
Seconding the parent.
A lot of folks here seem to be confused about the difference between someone finding and disclosing a vulnerability that you found on YOUR OWN COPY of a piece of software, and finding and disclosing a vulnerability that you found while you were on SOMEONE ELSE'S COMPUTER SYSTEM.
To the legal system, and most judges, prosecutors and juries, computers are still "magic". It doesn't matter how childishly, stupidly simple it was to find the problem, or how dangerous it is to others, what matt
Re: (Score:2)
Amusingly, I actually did read "country" instead of "host" in that sentence the first time.
If you are in Europe (Score:5, Insightful)
and attempting to speak with the ISP has not worked (it's not clear if you have tried to inform them that the bug remains on this, and likely other, servers, and given them the chance to fix it (albeit a second chance)), call up your data protection regulator on Monday morning, and explain the nature of the issue and its impact?
Inform the users (Score:4, Interesting)
Back in the days of dial up, I used a dial-up ISP that offered free scripting (CGI, ASP, you name it) on a Windows server. While teaching myself scripting, I discovered that files I wrote as part of scripts ended up in the c:\windows\system32 directory of the server instead of my user folder. Worse still cgi scripts allowed running executables. Needless to say that is bad as it allowed me to get remote shell access to the box. Finally to complete the incompetence, I found that the ISP was storing the customer records on the server as an access database. When I mean records, I mean everything: names, addresses, credit cards, etc.
I informed the ISP of the problem. They responded, but said it was a "windows" problem and couldn't be fixed so I posted on a message board for customers about the problem (but not the details on how to do it), wiped my own customer records from their database (yes I could read and write) and canceled service. I don't know what ever happened to them, but I'm assuming they went out of business like most other dial up ISPs.
Re: (Score:2, Interesting)
I worked at an ISP that had an extremely similar (but different enough that I know it's not the same ISP) issue. The customer could access our RADIUS UN/PW files and browse other unsecured NT machines... This all prompted us to firewall up, but not before the customer decided we weren't moving fast enough and decided to call the local ABC affiliate and put the passwords for various local agencies/companies/users on the TV screen. What else... Front page on the newspaper and the local computing magazine, had
Comment removed (Score:5, Interesting)
Re: (Score:2)
move (Score:2)
First move and get all your data out of their hands.
THEN shame them by naming them publicly.
You already gave them a chance to fix it and they got lazy.
Web server security hole (Score:4, Informative)
Contact the company again with your findings. They patched the hole that you pointed out before but kept the details of the exploit limited to senior programmers and support. When they reloaded the server after a down period, a SNAFU recreated the hole.
So there are two problems. One is the security hole that you found and the other is their back-up and security breach repair process. Point out both problems to them.
Then review the security of your data that you are exchanging with them. How important is it that this data remain secret? And secret to who? To another user who might have stumbled onto the same exploit window? To a Soviet/Russian criminal organization? (a three-way redundancy, yes, I know) To the American feds? To your wife or kid that looks over your shoulder while you type?
Please understand, all this technology is still basically new. It has problems. Tech problems and social problems. The tech issues get discovered and solved faster than the social problems, i.e. crime issues. For example, we (the American government and Interpol) can not go after criminal organizations in the (former) Soviet Union because many of them are in alliance with the corrupt Soviet/Russian/Gangster government that still controls thousands of nuclear bombs. So criminal organizations there can loot American banks and businesses with stolen credit card information with near impunity. It's a defect of the modern computer age. It will get fixed someday, but for now, guard your data and be aware that every data and login password that you type on an internet-linked PC can be stolen.
If the web-server company can't and/or won't fix the issue after you point it out to them several times, document the issue and submit this documentation in writing (not on-line) to both the local Better Business Bureau and your state Attorney General's Office. When they get inquiries from both parties about this issue, they will get the fear of God and fix it right. Until then, be patient and remind people to guard their data.
Re: (Score:3)
Please understand, all this technology is still basically new. It has problems. Tech problems and social problems.
No, it is very old. Remote Unix is one of the oldest computer technologies we have. What goes on top of it has to follow the rules and be implemented by people who understand it.
And therein lies the problem. Your average Linux guy doesn't. He has never had to deal with multi-user environments, and more likely than not comes from a background where gratuitous privilege escalation is the way to do things (yes, Canonical, I am looking at you). Then there's insecure middleware, and databases set up by the
Re: (Score:2)
welcome to shared hosting (Score:2)
you've learned your first lesson as an admin: shared hosting is shit. congrats.
you're concerned about security, but you're on a shared host that could be compromised by any of X hundred people who have access to it (not just your shared server... EVERY shared server is just waiting for a local priv escalation hole)
at least get a VM... yes, you still need a competent hosting company to ensure they apply patches to XenServer/VMWare... but that requires less work by the admins, and is harder to exploit.
a VM at
Act anonymously next time. (Score:2)
Forget this event, but it's a lesson learned.
You have no rights since you aren't rich. The only way to act is from cover and without chance of attribution.
godaddy (Score:2)
Notify them via Certified letter (Score:4, Insightful)
Others have made a good case for simply moving on, but another thought would be to move to another provider, then notify them via certified letter why you're moving and informing them that if/when the hole is exploited (and reiterate that you will not exploit it yourself), then the certified letter will be shared with the legal teams of those customers who have suffered damages.
i.e. "Here's your official notice of a potential exploit, don't say you weren't warned."
It won't provide preemptive help for their other customers but may make their damages somewhat recoverable through legal means.
Re: (Score:3)
Dealing with Vulnerabilities The American Way ... (Score:5, Interesting)
I read a lot of indignant posts and a few moany warning ones on the subject. The authors of either kinds of post have obviously lost touch with the American Way.
When you find a vulnerability, the first thing to do is to disassociate yourself from it. Wipe your data and close down your account (many posts correctly advised this). Then get two sets of some cheap one-off hardware (second-hand paid-in-cash stuff is best). Use one of those to assess the economic potential of your find as best as you can (or you'll get fleeced later on).
Then you Monetize your find. Quickly, before someone else beats you to it. That's the American Way right there.
Use the second piece of old kit you bought to surf the web. There are certain websites, often in Eastern Europe, on which you will find people who'll use a peculiar form of English but who will be prepared to pay smallish but reasonable amounts for such information. Depending on e.g. whether the flaw leads to credit card data (that's why you ascertained the economic potential of your find first) or advanced military technology (in which case you may be able to get better quotes from buyers in the Middle East or the Far East).
Be aware that there is a certain protocol to be followed when conducting this sort of transaction. Contacting them from home, work, or any other place that can easily be traced to you is a beginner's mistake. Secondly, don't *ever* give out information like your real name, physical address, bank account or credit card to them. They won't do that either, and besides, you'll *really* value your privacy when dealing with them.
Use e.g. an old second-hand laptop and work from an Internet cafe or use a prepaid smart phone with Internet browsing facilities. Don't ever use that hardware for *anything* but completing this one transaction. Wipe, disassemble, smash, and ditch said hardware component-wise as soon as the transaction is completed.
The trick is of course to get the money to where you can spend it. Having it wired into your account will show up and may be a bit difficult to explain. Even when done from a US account (you can negotiate for this but it costs extra). They will pay you in bitcoin or E-gold if you insist, but that too is tricky. Asking for cash in the mail is asking to be fleeced, and likewise a bit conspicuous should they actually do it (amateurs).
I'm leaving the question of arranging secure and discreet transfer as homework. Additional points will be awarded (optionally off the record or against a discreet little cash bonus) for really good solutions. Remember: should government officials come calling at your doorstep you'll automatically fail the course and all traces of your enrollment will mysteriously have vanished. No refunds.
Anonymise the details and stick it on pastebin (Score:2)
Move hosts, leave it a few weeks, then anonymise the details and stick it on pastebin. Don't leave a trace. Seriously, just do this. Most shared hosting companies don't give a shit about their customers so you're not going to get anywhere by telling them other than a legal case filed against you.
Root Access on Shared Hosting (Score:2)
I work at a website development company and one of our clients websites was hacked/defaced. The web host blamed out of date software on our client's website for the breach and the deface. Our client was on a shared hosting package with the hosting company.
When I was told to be the one to clean up the mess on the website and after getting rid of recently modified files (most of the site hasn't been touched for several months) and other malicious files, I stumbled upon a directly conveniently named "sym". Thi
Re: (Score:2)
If you own the trademark on the name used in the domain name, you might be able to get it back by going directly to ICANN with a trademark complaint.
However, if you can't access your hosting company's files and your contract doesn't describe how they guarantee access to your data then (for static sites, i.e. no dynamic content or web applications) you can use the `wget` command available on GNU/Linux to crawl and download the entire site as it exists currently.
This would not help you in recovering files tha
You have a hard decision (Score:2)
If you fail to report who this hoster is, you are covering up THEIR violations, and could be liable if someone who suffers damages as a result finds out you were covering it up.
But the hateful and stupid people in the legal system could bring charges against YOU for "hacking" (even though it can be argued that all you were doing is verifying the security of YOUR OWN data ... and found the security to be defective).
Does this company claim to be secure? If they do, they are COMMITTING FRAUD! Whistle blower
STFU and keep it moving (Score:2)
Unless a good friend or business associate is using this insecure host, don't say a word.
Take your business elsewhere. Tell them why you're leaving. Don't tell anyone else.
You'd be exposing yourself to a lot of liability.
LK
Re: (Score:2)
No problem! (Score:2)
I know a Nigerian prince who can help you out...
I would post it (Score:2)
If it was me, I'd anonymise it so it didn't refer to the particular web host and then post it somewhere, and link to it on some mailing list, with my real email. There is so much to lose by restricting information about security flaws. It makes it much easier for criminals and governments to have illegitimate access to many systems. Like many people said above, if you post it, it could possibly fuck up your life. I'd put up a hell of a fight (hopefully with the help of EFF et al) if they tried to convict me
Re: (Score:2)
Actually, either that, or go in through Tor and someone else's login and install unicorns on all customer's pages. Then you'll be liable, but people are bound to notice and it will make the web a cornier place.
Sounds like default on most shared hosts. (Score:3)
If I'm reading between the lines well enough, I suspect the problem is that
If you host runs Apache as a single user then there is no way around this. You can mitigate it somewhat with carefully setting permissions on your own files and some obfuscation of file/directory names, but that isn't really a proper answer to the problem.
Apache can be configured to run scripts (via suexec, phpsuexec, and so forth) as a the owner of the script which allows you to lock down configuration files and others that contain sensitive information so other uses can't read them (only set them to -rw------- and only you can read them, and that includes scripts if Apache runs them as you) - but most hosts don't do this (or they didn't last time I was working in that arena) as it is more hassle to setup and/or because it requires more resources. And by "more hassle to setup" I simply mean that it means more than just the out-of-the-box configuration: the "leading" standard control panel back than was cPanel (it may still be, I've not kept an eye on the market recently) and seeing posts like http://www.linuxgo.net/howto-enable-suphpphpsuexec-on-a-cpanel-server/ [linuxgo.net] indicates that it still does not offer an easy (from the point-and-click PoV most cheap hosts need as they are rarely Linux/Apache/other experts) route to using the more secure arrangement. Most hosts will consider the extra admin time of setting up the more secure options to not be worth keeping (or gaining) your custom - 99%+ of their target market don't care (or don't know any better) and spending time to satisfy the other 1% or less is not worth it to them.
tl;dr: You will probably find this is the standard setup on a great many shared hosts, possibly most, maybe even nearly all. To ensure you are getting a new host that does things more securely when you move, you need to ask some pre-sales questions that are fairly technical (in the sense that sales may not be able to help, unless the company is small enough that the sales and tech support teams are the same people).
I would suggest instead using a VPS provider or self-hosting, that way there are no other direct users of the machine (be it real or virtual) to worry about, but unfortunately both of those options put more administrative load (and cost, unless you are paying far too much for shared hosting) on yourself and can be a minefield of its own (as with shared hosting avoid the cheapest options and ask searching question
Re: (Score:3)
Ummm, you might want to tell them your plan and give them 10 days to fix & fess up. And make sure your notice to them is sent to the boss, not the sysadmin who screwed up and has no stake is letting anyone know.
Re: (Score:2)
that would be - 'in' letting anyone know.- My bad
Re: (Score:2)
Publish the vulnerability and the name of the hoster on 4chan
FTFY
Re: (Score:3)
So what you're saying is that Linux is LESS secure that Windows? Because it's a piece of cake to make a Windows server run scripts in such a way that they can't read, write, delete, or list directory contents outside their own little sandbox.
But that can't be the case. And in fact... it isn't the case! PHP can indeed be properly secured on Linux in such a way that scripts can't access outside their sandbox, and it certainly doesn't include custom SELinux rules. I've used tons of hosts where this is in
Noobs everywhere. (Score:2)
Re: (Score:2)
You meed to tell them, ...
No, he doesn't. They (the hosting company) are the ones who have the needs here. Our informant's only actual "need" is to move to a host with better security. They have shown that they won't/can't provide it, so he should move on.
Sadly (for the rest of their customers), US laws on the subject say that he'd be risking his time and money and possibly freedom if he were to report their incompetence to anyone. In the US, computer security has become a "shoot the messenger" arena, which unfortunately for