Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?

Soulskill posted about 2 years ago | from the responsible-disclosure-irresponsible-support dept.

Businesses 168

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump a head to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to old server. I'm now moving off this web host all together. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"

cancel ×

168 comments

Sorry! There are no comments related to the filter you selected.

Do nothing (5, Insightful)

Gutboy (587531) | about 2 years ago | (#41791107)

Move to a new host. Don't talk about the old host, don't post the script, don't describe it at all. You don't want the lawsuit/criminal charges that will follow.

Re:Do nothing (5, Insightful)

serialband (447336) | about 2 years ago | (#41791133)

You might want to tell them why you're moving to a new host. Explain that their security is insufficient for your needs which is why you're moving. You don't have to give them more detail than that.

Re:Do nothing (5, Informative)

Zontar_Thing_From_Ve (949321) | about 2 years ago | (#41791351)

You absolutely cannot post the script or make any kind of public statement about the company and what it takes to get this information. The US and the UK have laws that I know of that cover hacking activities and your discovery of this problem could potentially be legally viewed as running afoul of those laws. If you live in the USA, trust me on this. You really do not want a possible fine and jail term hanging on the whims of the US jury system.

Re:Do nothing (-1, Troll)

Anonymous Coward | about 2 years ago | (#41791639)

It is not the US jury you need to be worrying about, it is the vicious police, prosecutors, and American justice system. They have become soulless, pursuing everyone they can get their hands on. It is all about the notch on their gun that makes a difference to them anymore. There are also scads of feminist prosecutors today who are nothing less than wolves, like the devil seeking whom they may devour. They especially hat men and go after them with a vengeance.

Re:Do nothing (1)

theshowmecanuck (703852) | about 2 years ago | (#41793815)

It isn't the police, prosecutors, and American justice system, per se, it's the RIAA's, MPAAs, the Apple's and MS's, and all the other corporate politician buyers out there who corrupt the system. But then again, if the system allows this, is it corrupt or just not very good? Either way it needs to change. The American paranoid gun freaks need to stop worrying about their need to fight the government and start looking at those that are paying off the politicians. Regardless, sadly the point holds a lot of truth, don't tell anyone because in the U.S. world of the internet, the adage 'no good deed goes unpunished' holds more water than all the oceans of the world combined.

Re:Do nothing (4, Interesting)

JMJimmy (2036122) | about 2 years ago | (#41791685)

I always wondered why no one has tried a 2nd amendment challenge to those laws. The US officially recognizes 'cyberwarfare' so these "hacking tools" can now be classified as arms in digital warfare.

Re:Do nothing (4, Insightful)

rgbrenner (317308) | about 2 years ago | (#41791743)

So rather than be dealt with as a civilian, you would prefer to be 'unlawfully engaged in warfare against another state'?

I don't think that would be an improvement...

Re:Do nothing (1)

MisterSquid (231834) | about 2 years ago | (#41791851)

I always wondered why no one has tried a 2nd amendment challenge to those laws. The US officially recognizes 'cyberwarfare' so these "hacking tools" can now be classified as arms in digital warfare.

The Second Amendment "Right to Bear Arms" might be applied profitably to unconventional weapons such as software, sure.

The Second Amendment does not specify the conditions for the legal use of such arms. The legality of the use of legally owned weapons is something determined on a case-by-case state-by-state basis in local courts, and I think the issue is whether the OP's use of security scripts would be determined to be legal.

Re:Do nothing (5, Interesting)

Anonymous Coward | about 2 years ago | (#41791971)

OK I'll post his "test script":
ls -al /home/*

huge surprise, most shared hosts run suphp with 755 on all directories inside of ~/public_html/.

COME AT ME HOSTGATOR

Re:Do nothing (1)

Gutboy (587531) | about 2 years ago | (#41792165)

You'll be fined no mater what the jury system determines. Defending yourself from any charges that are filed will take a non-trivial amount of money. You could lose your job (who wants a possible criminal working for them?), your possessions, etc. and still be found not guilty or have the charges dropped.

Re:Do nothing (0)

Anonymous Coward | about 2 years ago | (#41791147)

Also, why is anyone still using shared hosting? Places charge the same for VM's now.

Which entry-level VPS provider? (1)

tepples (727027) | about 2 years ago | (#41791283)

Anonymous Coward wrote:

Also, why is anyone still using shared hosting? Places charge the same for VM's now.

Go Daddy charges more for a VPS than for its bargain basement PHP-only shared hosting package. As for "so just don't use Go Daddy", I thought a VPS was more expensive in general because a VPS needs its own IPv4 address, and we've run out of those. Which VPS provider do you recommend?

Re:Which entry-level VPS provider? (3, Interesting)

Anonymous Coward | about 2 years ago | (#41791401)

I've been using Linode for the last 8 months or so, and have been pretty happy with it.

$20 per month gets you 1 static ip address, 512 MB of ram, 20 GB of disk space, 200 GB of upload bandwidth, unlimited download bandwidth, and up to 4 cpu cores.

Re:Which entry-level VPS provider? (0)

Anonymous Coward | about 2 years ago | (#41791475)

linode is insecure as evidenced by all the bitcoin hacks stemming from there.

Re:Which entry-level VPS provider? (0)

Anonymous Coward | about 2 years ago | (#41791593)

To my knowledge, there was only a single incident, it was fixed as soon as it was discovered, and it was disclosed [linode.com] . I think they handled the situation well.

Re:Which entry-level VPS provider? (0)

Anonymous Coward | about 2 years ago | (#41791649)

Linode is very good. Yes, they had an issue once, and dealt with it professionally.

If you want even less expensive options, other good ones start at like $5/mo. This must be in shared hosting price range, right?

This is one well known one. I don't use it, but I've heard good things. http://prgmr.com/ [prgmr.com]

Re:Which entry-level VPS provider? (1)

rgbrenner (317308) | about 2 years ago | (#41793069)

Did the hackers get access to the bitcoin VM by hacking in through XenServer/VMWare?

Because if they didn't, then it has nothing to do with Linode. Linode's only responsibility is to secure the hypervisor. The security of your VM is your problem.

Re:Which entry-level VPS provider? (4, Interesting)

hawguy (1600213) | about 2 years ago | (#41791611)

I've been using Linode for the last 8 months or so, and have been pretty happy with it.

$20 per month gets you 1 static ip address, 512 MB of ram, 20 GB of disk space, 200 GB of upload bandwidth, unlimited download bandwidth, and up to 4 cpu cores.

If you don't need much bandwidth or CPU, check out an Amazon Micro instances. If you buy a reserved instance, a Micro instance ends up costing around $7/month plus $0.10/GB for disk and $0.10/GB for outbound bandwidth.

They are cheap enough to run multiple instances - I have my public website on one instance and use the other one for my mail server, and other things I don't want on the public server giving me complete separation between the two. If the webserver ever gets hacked, I can just restore it from an S3 snapshot. I had started looking at chroot'ing Apache or running it in a VM for better isolation, but spinning up a second micro instance was much easier.

If you need to use significant CPU, a micro instance is probably not going to be a good choice, as I've heard that Amazon throttles back CPU to Micro instances that use a lot of sustained CPU. But it runs my PHP based photo gallery software pretty well (shared only to family/friends, so it's not super busy).

The bandwidth costs could get expensive quickly at 10 cents/GB if you have a busy website. I run a script that checks my bandwidth utilization and if I hit more than 10GB in one day it shuts down Apache and notifies me so I don't end up with a huge bandwidth bill if my site ever slashdotted.

Even with multiple S3 snapshots, my total hosting bill is always less than $20/month, less than I was paying for a single VPS server (that was having performance issues due to being oversubscribed so heavily by the ISP)

Re:Which entry-level VPS provider? (1)

mrmeval (662166) | about 2 years ago | (#41793067)

They make that as complex and undecipherable as possible. I want it capped at a maximum amount preferably with a warning and a request to authorize more. I would really like them to translate that in to a language spoken casually somewhere on the planet.
I get the features I need at my current service and I don't have to play Russian roulette with my finances. So far the service I use works without issue.

Re:Which entry-level VPS provider? (1)

gum2me (723529) | about 2 years ago | (#41793329)

Can you post a howto?

Re:Which entry-level VPS provider? (0)

Anonymous Coward | about 2 years ago | (#41791431)

It has nothing to do with IPv4 addressing. A good hosting company would have a smart load balancer or somesuch at the gateway that could route internally to whatever based on hostname.

Re:Which entry-level VPS provider? (0)

Anonymous Coward | about 2 years ago | (#41791441)

OH. Forgot to say, I really like pagodabox.com for hosting my PHP sites. They do a lot of nice automation for me.

IE for XP does not support SNI (2)

tepples (727027) | about 2 years ago | (#41791503)

A good hosting company would have a smart load balancer or somesuch at the gateway that could route internally to whatever based on hostname.

You can't route HTTPS based on hostname until Internet Explorer for Windows XP reaches its end of life in 18 more months. If multiple sites are hosted on port 443 of a given IP address, IE for XP can't see the certificate for any site other than the first because IE for XP doesn't support SNI [wikipedia.org] . To me, at least, getting a dedicated IPv4 address on which to run HTTPS is one of the main reasons to upgrade from shared hosting to a VPS, especially for web site administrators who are concerned about security. Because without HTTPS, anybody can intercept and forge your site's users' session cookies using Firesheep.

Re:Which entry-level VPS provider? (0)

Anonymous Coward | about 2 years ago | (#41791511)

No, that would be a bad hosting company. Routing based on "hostname" would only work for HTTP traffic, and would therefore mean your VPS could not be used for anything that used other traffic, or in other words you have none of the advantages of a VPS. In fact, I would go as far as to say if your hosting company is telling you they do this, you do NOT have a VPS, you have shared hosting and you have been lied to.

Re:Which entry-level VPS provider? (1)

jbolden (176878) | about 2 years ago | (#41791729)

I pay $72 for 3 years for my shared host for my small business. I might upgrade to $180 per 3 / yr for a high service account. The cheapest I've seen is $360 for a low service low bandwidth VPS.

Re:Which entry-level VPS provider? (2)

LVSlushdat (854194) | about 2 years ago | (#41792135)

I have several 512mb vps I run several services on, which cost me a whopping $6/mo. The services are non-critical, and if not for this price-point, would not be running on a vps. I was having a problem with one of them where the vps os would randomly reboot itself. I asked the vendor to check the vps host to make sure there wasn't something amiss. They claimed there wasn't, and I could find nothing amiss on the Debian slice OS. I finally came to the realization that since these vps are OpenVZ, it was likely something one of the other slices was doing, since its well-known that OpenVZ containers are very susceptable to other slices taking more than their share of resources. I therefore began to look for a Xen-based host, as these reboots were hair-pulling annoying. With a bit of searching, I came across a vendor advertising 512MB Xen vps either in LA or Kansas City for .... get this.. $5/mo.. Am in the process of migrating the nasty rebooting OpenVZ services over to a nice Xen instance.. I'd been with the OpenVZ vendor for nearly two years and have had zero issues with them, up to this issue, which I don't believe is their "fault" vs just the nature of the OpenVZ "beast".. This vendor does have Xen vps, but they're quite a bit more than the newly discovered host..

Not gonna provide links to the vendors, but, for the OpenVZ vendor, "ThrustVPS" and for the Xen vendor, "Virpus"..

Re:Do nothing (2)

Zemran (3101) | about 2 years ago | (#41791389)

"why is anyone still using shared hosting?"

Because people with no knowledge they can set up a web site on shared hosting. Some of them will even set up a shop for you, you do not need any knowledge... ... you especially do not need the knowledge to set up and run a script to get the details of all the other users. If you do that you will realise how overloaded the server is and why you SQL queries time out all the time.

Re:Do nothing (1)

dgatwood (11270) | about 2 years ago | (#41791539)

Or because shared hosting is a lot cheaper and is good enough for many purposes. I use shared hosting for a website that basically acts like a poor-man's Akamai cache of photographs for my real website. For $9 a month, it makes my home DSL connection fast enough to host my photo server, because I only have to push each photo out over the slow link exactly once.

Why would I pay more for a VPS when there's no content on the site that isn't publicly available and no databases to protect?

Re:Do nothing (1)

Zemran (3101) | about 2 years ago | (#41791625)

You pay how much???

http://www.cinfu.com/ [cinfu.com]

Re:Do nothing (0)

Anonymous Coward | about 2 years ago | (#41791805)

I use cinfu's Shared Hosting too. Dont expect to use any CPU at the backend (want to calculate the sunset time given the GPS coords, expect it to suck) and the bandwidth to suck more often than not. But it is ok for the price I guess.

Re:Do nothing (1)

jimicus (737525) | about 2 years ago | (#41791479)

Because with shared hosting, keeping on top of OS updates is Somebody Else's Problem.

Re:Do nothing (3, Insightful)

Chris Mattern (191822) | about 2 years ago | (#41791841)

Which is great, until you find out the Somebody Else regards it as Not His Problem.

Re:Do nothing (1)

Kalriath (849904) | about 2 years ago | (#41792627)

Odd. With my dedicated server, keeping on top of OS updates is Somebody Else's Problem too. They have WSUS servers, yum repositories, and all that good stuff sitting in the DC so updates can be automated at no extra cost.

Is this unusual?

Re:Do nothing (0)

Anonymous Coward | about 2 years ago | (#41791223)

Security through obscurity is not a good idea, but that doesn't mean it doesn't work.

Leave them be, move somewhere else. Do NOT send them any more emails or suggestions about their security. People rarely have positive reactions when they're told they're doing something wrong. Especially when it might mean losing their jobs.

Just because it might happen, doesn't mean that it will. But if it does, you don't want any fingers pointed in your direction.

Re:Do nothing (1)

drolli (522659) | about 2 years ago | (#41792839)

The question is if the new host will be better. Make sure to not limit the price in an unreasonable way.

Hey (-1)

Anonymous Coward | about 2 years ago | (#41791125)

Unless you are going to name and shame and perhaps get something to change at this hosting company....

You are wasting everyones time here.

being an attention whore does not help anyone. you have to hurt this company to make them change. either thru costing them customers or just bad publicity.

name and shame (0)

Anonymous Coward | about 2 years ago | (#41791135)

If you have provided reasonable time for them to resond to the issue; which you have and the resolution was not satisfactory then the best course of action is to name and shame them so that they will be forced to fix the issue.

Re:name and shame (2)

NEDHead (1651195) | about 2 years ago | (#41791177)

Ummm, you might want to tell them your plan and give them 10 days to fix & fess up. And make sure your notice to them is sent to the boss, not the sysadmin who screwed up and has no stake is letting anyone know.

Re:name and shame (1)

NEDHead (1651195) | about 2 years ago | (#41791191)

that would be - 'in' letting anyone know.- My bad

This is obvious (0)

Anonymous Coward | about 2 years ago | (#41791141)

Publish the vulnerability and the name of the hoster on slashdot

Re:This is obvious (0)

Anonymous Coward | about 2 years ago | (#41791747)

That would just put the other customers in danger.

Re:This is obvious (1)

c0lo (1497653) | about 2 years ago | (#41792379)

Publish the vulnerability and the name of the hoster on 4chan

FTFY

Did you read your license agreement? (1)

abirdman (557790) | about 2 years ago | (#41791143)

I assume there was a list of remedies on about page 14 of the license agreement you probably clicked through when you signed up for their service. My advice is same as previous poster, move and forget about it.

Re:Did you read your license agreement? (1)

Kalriath (849904) | about 2 years ago | (#41792637)

Services don't have license agreements. They're Terms of Service, and very rarely do you actually see them without going to an effort (usually there's a box saying "I agree to the terms of the MSA" or similar and you're supposed to go dig for the document referenced).

Switching Host is best. (2)

bfmorgan (839462) | about 2 years ago | (#41791145)

Don't reward bad behavior. I recently severed a relationship with a hosting company of more than ten years because there support had gone from great to terrible. We had a problem and they wouldn't or couldn't fix the problem so I switched. The switch didn't come without some pain, but now everything is back to normal. Don't reward bad behavior, period.

Don't reward bad behavior. (1)

hessian (467078) | about 2 years ago | (#41791987)

Don't reward bad behavior.

This rule applies to a lot more than just hosting!

What you tolerate, you get more of. Your tolerance is an implicit endorsement of it.

If you reward the good, and punish the bad, you always get more good than bad.

Very few people have the experience/wisdom/gumption to see this however.

Responsible Disclosure (3, Informative)

TubeSteak (669689) | about 2 years ago | (#41791151)

Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

https://forms.us-cert.gov/report/ [us-cert.gov] is also a good place to report exploits.
But if you're shy, I'd also consider forwarding the details to a reputable security research company,
so that maybe they can alert others with misconfigured systems and CERT.

Re:Responsible Disclosure (4, Informative)

mysidia (191772) | about 2 years ago | (#41791349)

Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report, listing you as the offender, with possible criminal charges, for you hacking their service.

Their lawyers may also send you a cease-and-decist letter, warning that you will be sued if you publish the information.

Re:Responsible Disclosure (4, Interesting)

Anonymous Coward | about 2 years ago | (#41791641)

Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report,
listing you as the offender, with possible criminal charges, for you hacking their service.

Their lawyers may also send you a cease-and-decist letter, warning that you will be sued if you publish the information.

I keep seeing these shills on this thread telling people to "do nothing, or ELSE!"... WTF? Why tell people this? (hint: citations needed) Is there some huge list of all the security experts rotting in prison for disclosing Windows/Flash/Android exploits that I'm not aware of?

Why not call the police yourself as a CYA preemptive strike to go along with your "full disclosure notice?"

Police non-emergency operator: "How can I help you?"
You: "I'm calling to report a security breach with my ISP/host/whatever."
Police non-emergency operator: "What do you mean?"
You: "Well I've discovered an exploit that would allow hackers to compromise my computer servers."
Police non-emergency operator: "What would like us to do about it?"
You: "I just needed to file a report, because I want to notify the service provider as well as make a public disclosure."
Police non-emergency operator: "Ok, but why did you need to let us know?"
You: "Because a bunch of assholes on /. told me if I exposed the flaw you would arrest me for hacking."
Police non-emergency operator: "ROFLCOPTER"

Re:Responsible Disclosure (1)

Anonymous Coward | about 2 years ago | (#41792101)

The EFF and probably other organizations can act as a "go-between" to aid responsible disclosure and prevent lawsuits, even going so far as to anonymize the reporter. It would probably be best to contact them and seek advice if you are interested in releasing the information.

And donate!

Re:Responsible Disclosure (1)

TubeSteak (669689) | about 2 years ago | (#41792761)

1. Obviously the concerned /.er should wait until his business relationship with that company is ended.

2. A cease and desist letter means fuck all.
It's a statement of intent, designed to intimidate, and should be treated with all the respect that type of behavior deserves.
The threat of C&D letters are a big part of the reason that so many advocate full disclosure.

3. It isn't likely that a C&D would be granted by a court. Many have made the threat, but few go through the courthouse doors, because it is textbook free speech they are trying to suppress.

4. If C&Ds were handed out like candy, the security research industry would have died off years ago, which is why I suggested (s)he passes off the exploit to someone with standing in the security research community.

If the OP seriously thinks the webhost are the C&D types, then he should go through TOR and post everything to a security mailing list, .
The webhost can go fuck itself if they refuse to respond in a responsible fashion.

Re:Responsible Disclosure (1)

dgatwood (11270) | about 2 years ago | (#41791597)

Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

Or if you have shell access and/or the ability to run scripts on the server, fix it yourself with chmod. It doesn't really matter if other users can see your home directory. What matters is whether they can see what's inside your home directory, and those permissions are under your account's control.

Unless, of course, this is Windows shared hosting, in which case the correct answer is "Don't do that." :-D

Security and shared hosting don't mix (4, Informative)

Giant Electronic Bra (1229876) | about 2 years ago | (#41791161)

You have no idea what idiotic web applications people are running. You should ASSUME that any shared host is compromised. Don't store any unencrypted data there which is at all sensitive. Given the low cost of renting a virtual or physical host machine these days it seems there's little reason to bother with shared hosting (yes, it is cheaper, but honestly the cost of an AWS micro instance is pretty low).

The real problem is bulk shared hosting facilities just can't afford to tinker. There are often 100 or more accounts on a server, sometimes even 1000's. One stupid tweak to fix a security hole can break a LOT of scripts. These places will always prefer to just set up servers and not EVER patch them.

The ultimate observation is just that driving the cost of hosting down to $2.99 a month means doing absolutely nothing beyond what is absolutely needed to make it work. You get what you pay for.

Re:Security and shared hosting don't mix (0)

Anonymous Coward | about 2 years ago | (#41791469)

Mention the drawbacks of putting all one's eggs in one basket. Try not to mention the cloud, there's a reality distortion field in place that might blow back...

Re:Security and shared hosting don't mix (-1)

Anonymous Coward | about 2 years ago | (#41792023)

Giant Electronic Bra is correct. You are using a shit service that "administrates the box" using cPanel or Plesk. They have no clue on how to do anything but click through steps of creating an account on the panel. If they make changes it will go tits up. Get your own machine or get used to being pants down.

Public shaming is all you need (1)

sir-gold (949031) | about 2 years ago | (#41791175)

If you really want to help those other customers, all you have to do is tell us the name of the company, and let the bad publicity take care of the rest.

Re:Public shaming is all you need (3, Informative)

Seor Jojoba (519752) | about 2 years ago | (#41791209)

I wouldn't do that. Original poster has described his history with the company. Effectively, he is no longer anonymous. Lawsuits could follow public statements here.

Re:Public shaming is all you need (0)

Anonymous Coward | about 2 years ago | (#41791269)

Really nice business climate you have over there. I'm surprised there is technological progress in that country at all.

Re:Public shaming is all you need (0)

Anonymous Coward | about 2 years ago | (#41791403)

Where are you and we'll cock-block each other.

Re:Public shaming is all you need (1)

Zemran (3101) | about 2 years ago | (#41791813)

I realise that IANAA (I am not an American) but in most of this world the company only has a case if what you say is false.

Re:Public shaming is all you need (1)

Fjandr (66656) | about 2 years ago | (#41793371)

It's also true in the USA, but you can still be ruined by the legal fees required to mount the defense in the first place. It can be difficult or impossible to get legal fees paid by the opposing side in the event you successfully defend yourself from a suit unless you have proof the lawsuit was malicious.

Re:Public shaming is all you need (1)

ThatsMyNick (2004126) | about 2 years ago | (#41793853)

You are talking about libel. It is the same in the US. However you still be hit with attempting to break the security of the system and privacy and all related laws.

National authority (0)

Anonymous Coward | about 2 years ago | (#41791179)

Does your country have national security incident response teams/authority? If you do i suggest that you contact them and allow them to handle cooperation with company in question and noticing public.

Name names (1)

Darren Hiebert (626456) | about 2 years ago | (#41791181)

Only placing the company's reputation at risk will provide sufficient motivation for it to assign such a problem the proper priority.

Use your hack for something good... (2, Interesting)

Anonymous Coward | about 2 years ago | (#41791185)

and try to find the mail addresses of the users and alert them of the security problems. If many of them leave, maybe the hoster feels it's time to act.

Try responsible disclosure (4, Informative)

kop (122772) | about 2 years ago | (#41791195)

http://en.wikipedia.org/wiki/Responsible_disclosure
Contact them to agree a timeframe to patch.

Be careful! (4, Informative)

wmelnick (411371) | about 2 years ago | (#41791203)

If you live in the US, or your hosting is in the US, what you have done is technically cyber-crime. While I hate to say this, your best recourse is to move to another host and leave it all behind you. Should the hosting company start losing business because of you warning other users you could face all kinds of civil lawsuits and possibly even criminal penalties.

THAT IS F'ING STUPID!!! apk (-1)

Anonymous Coward | about 2 years ago | (#41791385)

It really is - I mean, personally? It *might* mean "swallowing your pride" for a second, & realizing the individual reporting it is DOING YOU A HUGE FAVOR!

* I mean, hey - It's THAT, or a gigantic "class-action" lawsuit once a security-breach goes down & you're found NEGLIGENT IN YOUR DUTIES "blowing off" warnings by your users...

APK

P.S.=> What a bunch of bullshit...

... apk

Re:Be careful! (1)

Anonymous Coward | about 2 years ago | (#41791697)

"If you live in the US, or your hosting is in the US, what you have done is technically cyber-crime. While I hate to say this, your best recourse is to move to another host and leave it all behind you"

You misspelled country

Re:Be careful! (1)

Fjandr (66656) | about 2 years ago | (#41793385)

Amusingly, I actually did read "country" instead of "host" in that sentence the first time.

Full Disclosure List (0)

Anonymous Coward | about 2 years ago | (#41791239)

Post on a full disclosure list after giving them a week to fix the issue.

Jump a head? (0)

Anonymous Coward | about 2 years ago | (#41791257)

Jump ahead.

FTFY

If you are in Europe (4, Insightful)

Neil_Brown (1568845) | about 2 years ago | (#41791281)

and attempting to speak with the ISP has not worked (it's not clear if you have tried to inform them that the bug remains on this, and likely other, servers, and given them the chance to fix it (albeit a second chance)), call up your data protection regulator on Monday morning, and explain the nature of the issue and its impact?

Inform the users (3, Interesting)

mkraft (200694) | about 2 years ago | (#41791309)

Back in the days of dial up, I used a dial-up ISP that offered free scripting (CGI, ASP, you name it) on a Windows server. While teaching myself scripting, I discovered that files I wrote as part of scripts ended up in the c:\windows\system32 directory of the server instead of my user folder. Worse still cgi scripts allowed running executables. Needless to say that is bad as it allowed me to get remote shell access to the box. Finally to complete the incompetence, I found that the ISP was storing the customer records on the server as an access database. When I mean records, I mean everything: names, addresses, credit cards, etc.

I informed the ISP of the problem. They responded, but said it was a "windows" problem and couldn't be fixed so I posted on a message board for customers about the problem (but not the details on how to do it), wiped my own customer records from their database (yes I could read and write) and canceled service. I don't know what ever happened to them, but I'm assuming they went out of business like most other dial up ISPs.

Re:Inform the users (2, Interesting)

Anonymous Coward | about 2 years ago | (#41792481)

I worked at an ISP that had an extremely similar (but different enough that I know it's not the same ISP) issue. The customer could access our RADIUS UN/PW files and browse other unsecured NT machines... This all prompted us to firewall up, but not before the customer decided we weren't moving fast enough and decided to call the local ABC affiliate and put the passwords for various local agencies/companies/users on the TV screen. What else... Front page on the newspaper and the local computing magazine, had a nice big "COMPANY X DROPS THE BALL" on the cover. All this was in '99. Well before big corporations started suing the messengers.
Fun times!

The same as I do when I see illegal stuff (5, Interesting)

houghi (78078) | about 2 years ago | (#41791313)

I do the same as I do when I see other illegal stuff. I report it.

I have once reported childporn. I was ordered to go to go to the police station where they tried to put the following on me:
1) Spreading of childporn (Remember that I was the one who reported it)
2) Obstruction of the law (because I called the newspaper, after wich they finaly closed the site)
3) Falsification of my person (because my trow away email address did not have any official address)

I send the report from work. They called there to say they needed to speak to me concerning a childporn case. Luckily I had VERY understand management (who even offered to pay for lawyers if anything would come of it towards me) otherwise I could have been out of a job.

So if I ever see anything illegal again, I would do the right thing and report it.

But somehow I never have seen anything illegal after that. Not even people speeding or pedestrians walking through a red light. Strange, isn't it?

Re:The same as I do when I see illegal stuff (1)

Anonymous Coward | about 2 years ago | (#41791425)

Well, CP works as intended then: they can silence whoever they want just by accusing them (I bet they didn't check that it was you who reported it, they thought it was the usual politician trying to blackmail someone).

Re:The same as I do when I see illegal stuff (0)

Anonymous Coward | about 2 years ago | (#41793835)

I really doubt that is what it is. The police surely know he isn't a politician just as much as random people who see me on the street know I'm not a movie star.

The police have really become fucked up. They just want to nab people for something at every opportunity they can. As soon as you report a crime you immediately become the target of suspicion.

Report child porn? Hey, we're going to have to confiscate your computer so we can analyze it. Guess what, there are still images of child porn in your cache. You're now being charged with possession because we don't believe your story 100%.

If you run across child porn on accident your best bet is to wipe your browser history and caches and never report it.

move (1)

shentino (1139071) | about 2 years ago | (#41791321)

First move and get all your data out of their hands.

THEN shame them by naming them publicly.

You already gave them a chance to fix it and they got lazy.

Web server security hole (3, Informative)

Simonetta (207550) | about 2 years ago | (#41791325)

Contact the company again with your findings. They patched the hole that you pointed out before but kept the details of the exploit limited to senior programmers and support. When they reloaded the server after a down period, a SNAFU recreated the hole.

    So there are two problems. One is the security hole that you found and the other is their back-up and security breach repair process. Point out both problems to them.
    Then review the security of your data that you are exchanging with them. How important is it that this data remain secret? And secret to who? To another user who might have stumbled onto the same exploit window? To a Soviet/Russian criminal organization? (a three-way redundancy, yes, I know) To the American feds? To your wife or kid that looks over your shoulder while you type?

    Please understand, all this technology is still basically new. It has problems. Tech problems and social problems. The tech issues get discovered and solved faster than the social problems, i.e. crime issues. For example, we (the American government and Interpol) can not go after criminal organizations in the (former) Soviet Union because many of them are in alliance with the corrupt Soviet/Russian/Gangster government that still controls thousands of nuclear bombs. So criminal organizations there can loot American banks and businesses with stolen credit card information with near impunity. It's a defect of the modern computer age. It will get fixed someday, but for now, guard your data and be aware that every data and login password that you type on an internet-linked PC can be stolen.
    If the web-server company can't and/or won't fix the issue after you point it out to them several times, document the issue and submit this documentation in writing (not on-line) to both the local Better Business Bureau and your state Attorney General's Office. When they get inquiries from both parties about this issue, they will get the fear of God and fix it right. Until then, be patient and remind people to guard their data.

Re:Web server security hole (2)

arth1 (260657) | about 2 years ago | (#41791947)

Please understand, all this technology is still basically new. It has problems. Tech problems and social problems.

No, it is very old. Remote Unix is one of the oldest computer technologies we have. What goes on top of it has to follow the rules and be implemented by people who understand it.

And therein lies the problem. Your average Linux guy doesn't. He has never had to deal with multi-user environments, and more likely than not comes from a background where gratuitous privilege escalation is the way to do things (yes, Canonical, I am looking at you). Then there's insecure middleware, and databases set up by the Google method. Sure, chmod -R 777 will make most things runnable. And if you do it, you're a blithering idiot. Sure, create db users with the same user names and passwords as for login, and default to a right to see all other users, be cause a web page lists that as the easiest example. Smart, it is not.

It is not difficult to set up relatively secure environment. It's been done for decades. But you can't do it on a shoestring budget, and if you pay your "admins" $40 per hour so more of top management can afford their green fee, you don't deserve customers. Or anything but derision.

welcome to shared hosting (1)

rgbrenner (317308) | about 2 years ago | (#41791361)

you've learned your first lesson as an admin: shared hosting is shit. congrats.

you're concerned about security, but you're on a shared host that could be compromised by any of X hundred people who have access to it (not just your shared server... EVERY shared server is just waiting for a local priv escalation hole)

at least get a VM... yes, you still need a competent hosting company to ensure they apply patches to XenServer/VMWare... but that requires less work by the admins, and is harder to exploit.

a VM at rackspace is $16/mo. If your security isn't worth that, then why are we even talking about it?

inform (0)

Anonymous Coward | about 2 years ago | (#41791461)

You should tell us who the hosting company is so we can switch companies if we are using them.

Act anonymously next time. (1)

couchslug (175151) | about 2 years ago | (#41791533)

Forget this event, but it's a lesson learned.

You have no rights since you aren't rich. The only way to act is from cover and without chance of attribution.

godaddy (1)

dmitrygr (736758) | about 2 years ago | (#41791555)

found this on GoDaddy years back - still the case

Notify them via Certified letter (3, Insightful)

Maow (620678) | about 2 years ago | (#41791609)

Others have made a good case for simply moving on, but another thought would be to move to another provider, then notify them via certified letter why you're moving and informing them that if/when the hole is exploited (and reiterate that you will not exploit it yourself), then the certified letter will be shared with the legal teams of those customers who have suffered damages.

i.e. "Here's your official notice of a potential exploit, don't say you weren't warned."

It won't provide preemptive help for their other customers but may make their damages somewhat recoverable through legal means.

Simple (0)

Anonymous Coward | about 2 years ago | (#41791857)

Jump a head to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again.

Couldn't you just inform them again that the problem is still present?

The server is configured correctly (1, Interesting)

raymorris (2726007) | about 2 years ago | (#41791893)

The host isn't doing anything wrong. That configuration is actually the most secure of any common configuration. If your script can read other people's files, that probably means it's running as the unprivileged user "nobody" or "apache". All scripts can read all files, but can only WRITE files that are chmod 666. The only commonly used alternative is suexec, where your scripts run as your user. That means they can only read your files, but it also means all scripts can WRITE to any file, delete any file, or create files anywhere. Given that most all PHP scripts have security holes, running them using suexec is super dangerous - FAR more risky than running them as nobody and letting them read files. So the configuration they are using is definitely the safest, in the opinion of poster who has fifteen years of server security experience. It usrd to be, you could run suexec as a different user, bob_scripts, and that was much safer. Recent versions don't allow that due to some poorly thought rules about file ownership. The ultimate would be set up custom.selinux rules such that your scripts could only read your files AND could only write 666 files, but NOBODY does that. I don't think there is a single shared host in the world who offers that, and I've worked with hundreds of hosts.

Re:The server is configured correctly (0)

Anonymous Coward | about 2 years ago | (#41792473)

Reading other site files is a huge issue, such as database credential (SQL accounts, credit card systems, etc.).

First, the web host can assure that FTP/SFTP/WebDAV users only see their own files.

Second, the web host can disable dangerous PHP commands, like exec() and passthru(), so even though the web server runs as a single user (apache or _www or whatever), clients cannot create PHP scripts to navigate the file system. Include files can also be restricted to a certain path (the client's directories).

Third, the web host can make a few Google searches for securing Apache and PHP in virtual host environments.

Re:The server is configured correctly (2)

Kalriath (849904) | about 2 years ago | (#41792715)

So what you're saying is that Linux is LESS secure that Windows? Because it's a piece of cake to make a Windows server run scripts in such a way that they can't read, write, delete, or list directory contents outside their own little sandbox.

But that can't be the case. And in fact... it isn't the case! PHP can indeed be properly secured on Linux in such a way that scripts can't access outside their sandbox, and it certainly doesn't include custom SELinux rules. I've used tons of hosts where this is in fact the configuration.

Please name the hundreds of hosts you've worked with so we can avoid them?

Username n password in plain text submitted (0)

johnsnails (1715452) | about 2 years ago | (#41791915)

I complained to my hosting provider when I saw that my username n password were submitted as plain text get data u=john&p=password type thing. When they fixed it it was just sent to the server as post data. I think they use https n r a bit more professional now.

Dealing with Vulnerabilities The American Way ... (5, Interesting)

golodh (893453) | about 2 years ago | (#41792193)

Today's lecture is on dealing with accidental vulnerabilities you accidentally stumbled into while accidentally probing a system that accidentally happens to have a lot of potential interest. You know what I mean.

I read a lot of indignant posts and a few moany warning ones on the subject. The authors of either kinds of post have obviously lost touch with the American Way.

When you find a vulnerability, the first thing to do is to disassociate yourself from it. Wipe your data and close down your account (many posts correctly advised this). Then get two sets of some cheap one-off hardware (second-hand paid-in-cash stuff is best). Use one of those to assess the economic potential of your find as best as you can (or you'll get fleeced later on).

Then you Monetize your find. Quickly, before someone else beats you to it. That's the American Way right there.

Use the second piece of old kit you bought to surf the web. There are certain websites, often in Eastern Europe, on which you will find people who'll use a peculiar form of English but who will be prepared to pay smallish but reasonable amounts for such information. Depending on e.g. whether the flaw leads to credit card data (that's why you ascertained the economic potential of your find first) or advanced military technology (in which case you may be able to get better quotes from buyers in the Middle East or the Far East).

Be aware that there is a certain protocol to be followed when conducting this sort of transaction. Contacting them from home, work, or any other place that can easily be traced to you is a beginner's mistake. Secondly, don't *ever* give out information like your real name, physical address, bank account or credit card to them. They won't do that either, and besides, you'll *really* value your privacy when dealing with them.

Use e.g. an old second-hand laptop and work from an Internet cafe or use a prepaid smart phone with Internet browsing facilities. Don't ever use that hardware for *anything* but completing this one transaction. Wipe, disassemble, smash, and ditch said hardware component-wise as soon as the transaction is completed.

The trick is of course to get the money to where you can spend it. Having it wired into your account will show up and may be a bit difficult to explain. Even when done from a US account (you can negotiate for this but it costs extra). They will pay you in bitcoin or E-gold if you insist, but that too is tricky. Asking for cash in the mail is asking to be fleeced, and likewise a bit conspicuous should they actually do it (amateurs).

I'm leaving the question of arranging secure and discreet transfer as homework. Additional points will be awarded (optionally off the record or against a discreet little cash bonus) for really good solutions. Remember: should government officials come calling at your doorstep you'll automatically fail the course and all traces of your enrollment will mysteriously have vanished. No refunds.

What is PHP and how much can I charge? (0)

Anonymous Coward | about 2 years ago | (#41792393)

Many shared hosting admins have no clue about security. On one Mac-based admin forum, a member posted asking what PHP was, "but more importantly" how much he could charge. With that now-defunct product, any PHP script essentially owns all hosted sites on the box (all files including database credentials) AND has access to all hosted site configs including each site's login credentials AND read/write access to logs. Imaging what can be done with a tiny 250 character PHP page, that takes a textbox as input and returns its passthru() in a textarea, and can be placed in any site on the box.

As far as the original post, my first 2 web hosts in '96 and '97 had the same problems. You can cd to your site's parent directory and see all other sites, and go where ever you wanted.

Just walk away (0)

Anonymous Coward | about 2 years ago | (#41792829)

In the past I've reported security issues to hosting companies and ISPs, nothing was ever done. In the case of illegal goings on I reported it to the police and was told they weren't interested in such things. Lesson learned. Now I just walk away and take my business with me.

Anonymise the details and stick it on pastebin (1)

pointyhat (2649443) | about 2 years ago | (#41792843)

Move hosts, leave it a few weeks, then anonymise the details and stick it on pastebin. Don't leave a trace. Seriously, just do this. Most shared hosting companies don't give a shit about their customers so you're not going to get anywhere by telling them other than a legal case filed against you.

Root Access on Shared Hosting (2)

Turnerj (2478588) | about 2 years ago | (#41793249)

I work at a website development company and one of our clients websites was hacked/defaced. The web host blamed out of date software on our client's website for the breach and the deface. Our client was on a shared hosting package with the hosting company.

When I was told to be the one to clean up the mess on the website and after getting rid of recently modified files (most of the site hasn't been touched for several months) and other malicious files, I stumbled upon a directly conveniently named "sym". This directory contained a symbolic link to the Root directory on the site which stunned me a little that it could be created in the first place.

I checked some folders and files inside and I had full read/write access to any file on the system. The very first thing I did was make my own employer aware of the situation before then informing the web hosting company that there is a major security risk to the server. I sent the message to them two weeks ago and I have not heard a single thing since.

Since then however, the hosting company has been much harder to deal with not responding to the many messages we have sent to them regarding other issues with this particular client's hosting. The site has been defaced again but this time no matter how many times they say they reset the password to the FTP and cPanel, we still can't login. Without being able to login, we can not make our own backup of the site (database dump and files download) which means we can not move the site to another hosting company

We tried to do a second idea of actually just pointing the domain name to a temporary host with a splash page rather than the defaced page. Unfortunately with this, there were issues with who actually controlled the domain name. The Whois lookup said it was Netregistry however when contacting them, they said it was the web hosting company. Trying to login to the hosting company's domain manager, it said they were not managing that domain name.

We are actually kind of stuck with what to do now. We know we definitely want to transfer them to a new hosting company but like I said above, we can't even make a back up of the site to do a clean move. We did quote them a few months back about redoing their website (the bulk of the website was made several years ago) but they have so far resisted the rebuild.

What would any of the Slashdot crowd do if they were in the same situation?
Still fight with the hosting company to get the data?
Push the client to get a new website built with new data?
But then who would be responsible for the domain name if neither party says they are?

Inform them (0)

Anonymous Coward | about 2 years ago | (#41793309)

I know a lot of people here seems to think that you should do nothing. However, it's your data and they have a major hole in their security. You meed to tell them, and if they leave you unprotected then a simple better business report is enough to embarrass them. Just be sure that everything you say is 100% true, with no false accusations.

Get a dedicated server (0)

Anonymous Coward | about 2 years ago | (#41793347)

I pay 12 EUR/month for my own dedicated server. Real hardware, not just a vm. Why would anybody even consider shared hosting for important things?

You have a hard decision (1)

Skapare (16644) | about 2 years ago | (#41793725)

If you fail to report who this hoster is, you are covering up THEIR violations, and could be liable if someone who suffers damages as a result finds out you were covering it up.

But the hateful and stupid people in the legal system could bring charges against YOU for "hacking" (even though it can be argued that all you were doing is verifying the security of YOUR OWN data ... and found the security to be defective).

Does this company claim to be secure? If they do, they are COMMITTING FRAUD! Whistle blower time.

Leave and do NOT tell them why. Just leave.

Then at some later date establish anonymous identity and report them as insecure in a public forum. State in that public forum that if they wish to show the public that they are secure, then should make a post in their own blog (surely they have one) that denies the security risks and backs up that denial with a statement that authorizes you to publish your exploit without any risk.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>