
26-05-11, 11:24 AM
|
|
Junior Member
|
|
Join Date: May 2010
Posts: 23
|
|
I've also provided plenty of (so far unreplied to) "critical" (ha!) tickets with my domains listed.
It's the tacit implication that it's "our fault" that annoys me with references to write permissions...
I trust your billing department will be sympathetic to refund requests when leaving WHUK?
|

26-05-11, 11:54 AM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by danaos
Gerrad8, it would help if the vBulletin javascript wasn't broken so that clicking on your name would display the standard options including sending a PM rather than having to do it manually via control panel. I've sent the domain, in case you don't see it the ticket number is #AUZ-139-56510.
You might want to advise your "admins" that setting global read permissions when ASP.Net is enabled breaks sites. You might also want to tell them enabling every extension on sites that have them disabled is also not what I'd consider a fix, that just opens up even more risks.
|
Hello Danos,
I have replied to your PM. Please kindly let me know via PM once you're done.
Regards
G
|

26-05-11, 11:55 AM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by carled
I've also provided plenty of (so far unreplied to) "critical" (ha!) tickets with my domains listed.
It's the tacit implication that it's "our fault" that annoys me with references to write permissions...
I trust your billing department will be sympathetic to refund requests when leaving WHUK?
|
Hello Carl,
You can PM me the domain name or the ticket numbers. I will look into them.
Regards
|

26-05-11, 11:56 AM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by IanJ0208
Hi
Domain name? Try checking Ticket ID: YBB-976-68071, all ten of them are listed there. You've had that ticket for about three hours now.
HTH
Ian
|
Hi Ian,
I am looking into the ticket YBB-976-6807 and will have an update for you shortly
Regards
|

26-05-11, 12:21 PM
|
|
Member
|
|
Join Date: May 2011
Posts: 38
|
|
Quote:
Originally Posted by Gerrad8
Hello Danos,
I have replied to your PM. Please kindly let me know via PM once you're done.
Regards
G
|
I've replied to yours. And just to make sure you get the message, do not start my site up again until I've cleared out all the defaced files and put the overwritten ones back. I don't know what you think you're playing at but it doesn't help putting a defaced site live again. Every folder other than the root still has the defacement default.* and index.* files present. At least whoever tried cleaning up yesterday had the sense to clean them out of every folder.
Last edited by danaos; 26-05-11 at 12:24 PM.
|

26-05-11, 12:25 PM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by IanJ0208
Hi
Domain name? Try checking Ticket ID: YBB-976-68071, all ten of them are listed there. You've had that ticket for about three hours now.
HTH
Ian
|
Hello Ian,
I have replied to your ticket. Please check for updates and respond ASAP.
Thanks
|

26-05-11, 12:32 PM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by danaos
I've replied to yours. And just to make sure you get the message, do not start my site up again until I've cleared out all the defaced files and put the overwritten ones back. I don't know what you think you're playing at but it doesn't help putting a defaced site live again. Every folder other than the root still has the defacement default.* and index.* files present. At least whoever tried cleaning up yesterday had the sense to clean them out of every folder.
|
Hello Dannos
I have replied to yours. Please post an update to it wherever possible.
Regards
|

26-05-11, 12:37 PM
|
|
Member
|
|
Join Date: Jun 2010
Posts: 63
|
|
Open reply to Support
Hi all
This is my reply to a post just received from Support. Please feel free to comment on my ignorance or stupidity as I am more than happy to learn from my errors and I'm sure you good people know a lot more about it than I do. My text is italicised.
Hi Raymond
Hello Ian,
All the sites you have listed as hacked have the IUSER write permissions. From your chat history I can see this being requested by you.
It was? That's strange. Until I just looked it up, I had never even heard of IUSER write permissions. Under what guise did I ask for that to be done, please? I can't think of any reason to allow 'guests' to write to my spaces. And, if it is so wrong, why was my request (though obviously not specifically so) carried out? And I most certainly do not remember asking that IUSER permissions, as such, to be granted on *all ten* of my sites. I would really appreciate it if you would be so kind as to send me those ten chat histories.
I have now removed write permissions for the IUSER from the sites listed and am removing the hacked files for you.
Thank you.
It would appear, from the complaints in the forums, that a *lot* of your users have requested similar permissions to be granted to guests.
I have setup the redirect as requested
Thank you.
I will update this ticket once your account is cleaned and check our backups for backups of your index pages. We may require you to upload your index page from your local backups.
Yes, I can manage that.
As I am not 100% certain of what you are telling me it is that I have done, I hope you won't mind if I post this to the forum thread so that others may explain my mistake or comment on my stupidity of doing such a thing.
Regards
Ian
Perhaps all the latest sufferers are as ignorant/stupid as I am?
Cheers
Ian
|

26-05-11, 12:41 PM
|
|
new member
|
|
Join Date: May 2011
Posts: 5
|
|
Server is Hacked Over 24 Hours !!! Worst Customer Support !!! Poor Quality of Service
Webhosting.uk.com has turned out to be a complete nightmare... Server got hacked and over 15 customers have problem with their websites & have changed their home page or application error. Some of them even playing Indian national anthem with Indian flag & message saying Indian hackers’ pm their way from chief.
Webhosting claim to fix them but they attacked again and got lucky.
I have been in touch with technical support and they do not have enough man power to deal with the issues and cannot fix this within time frame.
I came to know they do not have any SLA although they say they have 24/ 7 support but even their phone number do not work now and no one call back. It is like, you have paid now go and we are not going to support.
I had a very angry conversation with a person called Bruce Taylor who sounds a 100% Indian with English name and I had to ask him to spell his name phonetically because I couldn't understand him.
He said he is customer support manager and turned out he was telephone support manager instead.
Very disappointed with Webhosting support and the way they have behaved. I got 2 clouds, 2 reseller packages & 1 more hosting package with them which i am most likely to move and look for compensation.
I still have over 5 websites which are hacked and not fixed despite they claim to fix them already. Services are very disappointing & I don't recommend anyone using them again. I certainly would not use them for new servers....
Last edited by cooldudesadd74; 26-05-11 at 12:50 PM.
|

26-05-11, 12:48 PM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by IanJ0208
Hi all
This is my reply to a post just received from Support. Please feel free to comment on my ignorance or stupidity as I am more than happy to learn from my errors and I'm sure you good people know a lot more about it than I do. My text is italicised.
Hi Raymond
Hello Ian,
All the sites you have listed as hacked have the IUSER write permissions. From your chat history I can see this being requested by you.
It was? That's strange. Until I just looked it up, I had never even heard of IUSER write permissions. Under what guise did I ask for that to be done, please? I can't think of any reason to allow 'guests' to write to my spaces. And, if it is so wrong, why was my request (though obviously not specifically so) carried out? And I most certainly do not remember asking that IUSER permissions, as such, to be granted on *all ten* of my sites. I would really appreciate it if you would be so kind as to send me those ten chat histories.
I have now removed write permissions for the IUSER from the sites listed and am removing the hacked files for you.
Thank you.
It would appear, from the complaints in the forums, that a *lot* of your users have requested similar permissions to be granted to guests.
I have setup the redirect as requested
Thank you.
I will update this ticket once your account is cleaned and check our backups for backups of your index pages. We may require you to upload your index page from your local backups.
Yes, I can manage that.
As I am not 100% certain of what you are telling me it is that I have done, I hope you won't mind if I post this to the forum thread so that others may explain my mistake or comment on my stupidity of doing such a thing.
Regards
Ian
Perhaps all the latest sufferers are as ignorant/stupid as I am?
Cheers
Ian
|
Hello Ian,
That was me replying to you. You had IUSR write permissions I told you the account had IUSR write permissions.
Ian, I have spoken to you twice on chat and you have requested IUSER write permissions. I will post those logs for everyone to see when I have completed other tasks and my primary focus on the support board.
Thanks
|

26-05-11, 12:57 PM
|
|
Member
|
|
Join Date: May 2011
Posts: 38
|
|
This has nothing to do with customers asking for write permissions for the IUSR account. This is down to the default "security" setup on this WHUK server (and I'm guessing it's not the only one) is to have write access enabled for every site, and it's up to the customer to request removal of that write access. In a hosting setup, even if it's not shared, the default should be a restrictive permission set - it will be extremely rare for any site to require global write access to all of its folder, and in those rare cases the customer can then request it.
Yet again blame is being pointed at the customers when the blame lies with whoever has defined the default DNP configuration templates. WHUK support seems to be trying to pass the buck to anyone but themselves, any half-professional company would put their hands up and admit they made a mistake and get it rectified.
|

26-05-11, 01:00 PM
|
|
Member
|
|
Join Date: Jun 2010
Posts: 63
|
|
Quote:
Originally Posted by Gerrad8
Hello Ian,
That was me replying to you. You had IUSR write permissions I told you the account had IUSR write permissions.
|
That's fine, I have no problem with whoever is replying. I know what you told me, I can read. I'm posting here so others may explain to me what you are talking about. I have worked on several help and support desks over the years. As IT manager for a film company, it's part of my job at the moment to deal with 'punters' and their IT problems. It's no good me using technical jargon, as most of them do not have a clue what I'm talking about. I'm not a network guru, I'm a Delphi/DB/several other programmer, so why you think me, Joe Public, has any sort of a clue what an IUSER is, I don't know..
Quote:
Ian I have spoken to you twice on chat and You have requested IUSER write permissions. I will post those logs for everyone to see when I have completed other tasks and my primary focus on the support board.
Thanks
|
That's fine. I truly look forward to seeing them. I do not doubt you. As I said, I had no idea what IUSER permissions were; so how or why I was asking for them is a bit of a mystery. Maybe I was asking for that, but telling you what I wanted doing rather than couching it in guru-speak. And I really can't understand why I would want to give guest permissions (if that's what they are) to the whole planet on all ten of my sites.
Once the dust has settled on this, I had better get into chat and ensure that none of the work domains have these things set up.
Meantime, I'm happy to listen to anyone who wants to tell me what it is that I've asked for that has had such disastrous consequences.
Cheers
Ian
|

26-05-11, 01:13 PM
|
|
Member
|
|
Join Date: Jun 2010
Posts: 63
|
|
Quote:
Originally Posted by Gerrad8
Hello Ian,
Ian I have spoken to you twice on chat and You have requested IUSER write permissions.
Thanks
|
Just a thought. I actually have two other domains, which I act as webmaster for. I have no access to the webspace, besides ftp. The site was created and has hardly been touched since. The only things that were ever done to it, AFAIR, were to have it .NET3.5 and AJAX enabled. I can *promise* you that the domain owner would not have been in chat asking for IUSER permissions. He won't mind me saying that he's about as computer-savvy as your average dining table. Yet it was a mail from him that alerted me that something was wrong, again.
Was this IUSER permissions thing the problem the last time my sites were hacked, a couple of weeks ago? If not, what was the problem please? I don't remember being told or reading about any reason for the loss of service. If it was an IUSER problem, why was it allowed to happen again?
Cheers
Ian
|

26-05-11, 01:13 PM
|
|
Member
|
|
Join Date: May 2011
Posts: 38
|
|
Ian, the IUSR account is a Windows user account that by default every site in IIS runs under. The actual account name is IUSR_<machinename>, so if the server is named SERVER1 then the account is named IUSR_SERVER1. If this account is given write permissions then every site that runs under the same account (which by default in IIS is every site on the server) can potentially write to the folders that have write permission.
Even with read only access to the IUSR account across sites there is still a massive security risk - for instance, let's say that you have a file called "config.php" on a PHP hosted site that contains database username and password (for instance, phpBB does this). It's then feasible that someone could upload a malicious script to another site on the same server that can read the contents of the config.php from your site and so then gain access to your database using valid user credentials.
However with full write access given (which appears to be the default when a site is created in DNP) it means that it's possible for any site on any account on the server to write files to every other site on the same server that has write permissions enabled (which being the default will be every site where it has not been modified, which is probably 99% of them at least). So a single script on one site in one account could, for instance, loop through the folders for every other site and copy defacement pages into them - which appears to be what has happened in this case.
I've been running IIS6 web sites where I work for the past 6 years, and every single site I set up uses a unique account name for the anonymous user account which has permissions to read only from its own folder space. In this way nothing run in one site can access anything in another site, even just to get a list of filenames from a folder. This is how multiple sites should be set up on a Windows server, allowing them all to run under the single IUSR account is not only lazy, it's a security mess waiting to happen.
Unfortunately WHUK appear to run all the sites under the IUSR account instead of having unique user accounts for each hosting account or site. I assume this is done to reduce the overhead of oversubscribing sites on a single server - by having them all share the single IUSR account it keeps the memory and thread count overheads lower than running them securely with their own user accounts, as they all run under a single process.
I guess hosts like WHUK rely on customers not realising the security implications of the default account setups. Had I known that this was how things were run at WHUK when my client was looking for hosting I would have steered him well clear. Had the initial setup emails clearly stated that the security is non-existent I could have at least tried to sort things out back then, rather than having to deal with it after the site had already been defaced. I personally have never asked for any IUSR write permissions to be given, and I have repeatedly stated I want the sites to have read-only permissions and to work in this configuration - ASP.Net requires specific folders to have write access to create and update configuration data, and whoever changed my site to read only yesterday obviously didn't realise this and in doing so prevented the site from functioning correctly, so Arthur ended up undoing the changes and in doing so opened the site up to attack again. I can happily post up the chat logs proving this if required, I've got them all on my home PC and will be able to get at them in 3 hours.
Last edited by danaos; 26-05-11 at 01:21 PM.
|
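The check implied by the post above, as an added example that is not part of the original thread or anyone's production tooling: walk the hosted site folders and list every folder whose ACL lets the shared anonymous account write. The root path `D:\vhosts`, the account pattern and the `App_Data` exemption are assumptions to adjust per server.

```powershell
# Added example, not from the thread. Assumed: each site is a folder directly under
# $SitesRoot (placeholder path) and only App_Data trees are expected to be writable.
param(
    [string]   $SitesRoot      = 'D:\vhosts',   # placeholder
    [string]   $AccountPattern = '*\IUSR*',     # IUSR_<machinename> and similar
    [string[]] $AllowWritable  = @('App_Data')  # assumption
)

# Specific rights that let a process create, change or remove content.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can also return raw generic bits that the enum does not name:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

function Test-GrantsWrite($Rule) {
    # Deny entries are not evaluated, so a hit is a lead to check, not an
    # effective-access calculation.
    ($Rule.AccessControlType -eq 'Allow') -and
        (([int]$Rule.FileSystemRights -band $writeBits) -ne 0)
}

$root = (Get-Item -LiteralPath $SitesRoot).FullName.TrimEnd('\')
$dirs = @(Get-Item -LiteralPath $root) +
        @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })

$findings = @(foreach ($dir in $dirs) {
    $segments = @($dir.FullName.Substring($root.Length).TrimStart('\') -split '\\')
    # Skip the exempted folders and everything beneath them.
    if ($segments | Where-Object { $AllowWritable -contains $_ }) { continue }

    try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; continue }

    foreach ($rule in $acl.Access) {
        if ($rule.IdentityReference.Value -like $AccountPattern -and (Test-GrantsWrite $rule)) {
            $site = $segments[0]
            if (-not $site) { $site = '(root)' }
            [pscustomobject]@{
                Site      = $site
                Folder    = $dir.FullName
                Account   = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # True: fix the parent, not this folder
            }
        }
    }
})

$findings | Sort-Object Site, Folder | Format-Table -AutoSize

# The cross-site exposure described above: one account with write access in several sites.
$findings | Group-Object Account | ForEach-Object {
    $sites = @($_.Group | Select-Object -ExpandProperty Site -Unique)
    if ($sites.Count -gt 1) { '{0} can write into {1} different sites' -f $_.Name, $sites.Count }
}
```

An empty result with the exemption list left at its default means the anonymous account can write only inside `App_Data` trees; any row with `Inherited` set to `False` marks the folder where the grant was made.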

26-05-11, 01:19 PM
|
|
Moderator
|
|
Join Date: Aug 2009
Posts: 87
|
|
Quote:
Originally Posted by danaos
This has nothing to do with customers asking for write permissions for the IUSR account. This is down to the default "security" setup on this WHUK server (and I'm guessing it's not the only one) is to have write access enabled for every site, and it's up to the customer to request removal of that write access. In a hosting setup, even if it's not shared, the default should be a restrictive permission set - it will be extremely rare for any site to require global write access to all of its folder, and in those rare cases the customer can then request it.
Yet again blame is being pointed at the customers when the blame lies with whoever has defined the default DNP configuration templates. WHUK support seems to be trying to pass the buck to anyone but themselves, any half-professional company would put their hands up and admit they made a mistake and get it rectified.
|
Hello Dannos.
Go ahead and add any site in DNP and I will send you a screenshot of the permissions it set up your site. It will have the basic IUSER read list execute permissions, network service for ASP APS system and administrator. I have attached a screenshot I have done as a demo for you.
The hacking has occurred due to weak permissions. When your anon user has write privileges the best firewall in the world cannot stop you from being hacked period.
If it was a mistake on our part I would be the first one to admit it .. But when it's not how can we take blame for it.
FYI .. You may have installed CMS WordPress.. By default when you install such CMS or software such as WordPress or Joomla does it not require you to have write permissions for it to write the config file out? During the GUI installation it fails the install if you do not grant write permissions. This is what is happening post the installation users have not removed these write permissions.
In your code do you allow for user interaction IE upload a file write to a file even having an access database require the IUSER to have write permissions. Dannos Please update my pm when you complete your site reupload. I will check your permissions and update you with a screenshot of the same.
Regards
|