Security Conundrum
First, the landscape. I have only rudimentary programming skills. However, I am a scientist and musician and know how to do experiments and seek knowledge, so I am not a total dolt.
Next: I wanted to morph my music charity (bumblefunk.com) into a small community site. I chose BoonEx after much consideration and, in light of being a novice at best in terms of programming, I figured this would be a fast way to get up to speed. I read a lot of the threads here and did what I thought was adequate diligence.
I chose HostForWeb as the virtual server provider at BoonEx’s recommendation.
Weeks pass... Not a lot happens here - mostly me waiting for BoonEx to do the first install for me so I could be SURE that it was done correctly and with the most current updates. Finally that happens.
Within two days of the site being live I am receiving “aggressive” notifications that I will be shut down for spamming if I do not fix the compromised directories and files in my brand new, up to date, running on the preferred server configuration site.
I begin to check permission settings but realize that it is important that they remain as is (set by BoonEx) to allow the community functions (i.e., two way information flow). I finally ask HFW to PLEASE shut me down so I am not in the hot seat and making enemies as a spam factory while trying to understand a lot of code (again, a novice, but not afraid to learn).
OK - to cut to the chase, after many conversations with BoonEx and HFW I am at this point:
BoonEx: “Eric, take your site back up so we can assess the problem”.
HFW: “Eric, you may do nothing until you have proven to us that the site is not compromised in any way”.
So my site is down, I am out 1348 US dollars and seem to be stalemated since I cannot risk putting the site back up and BoonEx is apparently impotent with regard to assistance until I do (they have full root access, many times over). BTW I now have an alternate site up and have the registrar DNS configured to point to that site. But I am concerned that if I make the BoonEx files available on my HFW server it will be insecure since it can be accessed by IP address, FTP and so forth.
Does anyone have experience with this issue and any advice to offer (other than “learn to program”, “don’t rely on others”, ya know?).
Thanks
Eric
|
Wow- what an unfortunate story. I know very little about security issues but would certainly like to prevent this from happening with my site. Could you tell me who is sending the "aggressive notifications" that you will be shut down for spamming? If hostforweb is your host, how and why would they shut you down? I am just trying to understand this better.
Rob
|
cal, and eric,
i have been saying this from the onset. HFW is pushed by boonex because boonex gets $25.00 or some form of payment for every customer that goes to them on an affiliate payout. their servers are absolute shit and boonex knows that, yet they continue to push HFW and many have told me the same story time and again. I have made my best effort to offer my hosting and yes boonex i am now going to spam my hosting, in hopes of saving other unknowing souls. Dolphin Optimized Servers. No Hacking. No Charge for Support. No Register Globals On. No Site Shut Downs OR Threats To Shut Down.
Terabyte Hosting Solutions
unfortunately you have fallen victim to the almighty dollar. and that is a real shame.
cal, hfw is the one threatening, all of their servers are unsecured and run with register_globals ON, absolutely against industry standards according to php.net, and absolutely against the developer's recommendations BOONEX, yet they continue to push hfw so they can gain monetarily a buck or two.
i just had to clean up a site yesterday from the exact same thing on bluehost.
let me try to explain this as best i can although i have stated this numerous times on this forum. as an experienced and knowledgeable programmer and server manipulator, i have used the script that many of you have fallen victim to. remote shell which is written in php, and if used correctly and legally is an excellent tool, but as with anything, sometimes it falls into the hands of the wrong people, and they use it for their own self gratification. with a remote shell script on a shared server, the person on the browser side who knows how to issue a few commands can gain access to any site that is on that server, not necessarily accessing that site itself, other than via remote shell access. the most common practice is to do an mput, which is a command for writing a file to the server, or even a wget, which will do a web get for any file that is available on the internet.
among other harmful as well as harmless activity, the use of a remote shell script only limits the user from manipulating the actual server files, but all user accounts /usr are available for access, and hfw knows this, but they choose to blame the unknowing and innocent end user who has paid them for a secure server.
eric, make them provide you with server logs so you can see how the files were put on your account? i bet you a dime to a million they will refuse. see in their TOS they can drop your account, and there is nothing you can do about it, as it is ultimately our responsibility to keep the server clean on our user account.
well i am agitated now about this. BOONEX you need to step up and STOP putting yourself first, and recommending hfw just because they give you a couple of dollars. HFW is insecure, and are only in this for the money, their servers are not setup for dolphin as boonex proclaims.
eric if you want my help hit me up. if not then at least i got this out there where all can read it. HFW is a ripoff company and their servers are insecure, and not setup to run dolphin. BOONEX you know this, it has been reported thousands of times, and you choose to turn a blind eye to it.
well later,
DosDawg
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
Forget about HostforWeb they are absolutely depressing. Guess what, you need a virtual server or a dedicated server in order to avoid compatibility problems. There is no one special webhost for that. HostforWeb's support is atrocious.
Further, Boonex software is overpriced as far as I am concerned. By this I mean, the lifetime license is way too much. This is the case if one considers the prices offered by competitors. To even have a decent website you must pay freelance contributors, which is a further cost. Some scripts come along with widgets, profile custom css, media players and the like; not Boonex.
You need to back up your database, delete all the Dolphin files and re-upload the most current version. Install it yourself; it is rather simple. The script is supposed to tell you what file permissions must be changed at each step.
|
Boonex really should stop pushing HostforWeb and stay objective - it is actually giving them a bad reputation. I've mentioned I have a low cost service www.alterhosting.com that seems to work pretty well. For other reasons, it would be tough to change right now, but if I was going to do it again I would probably be tempted to use Dosdawg or Sammies service- or another of the experts here who has set up specialized hosting for Dolphin, and you would almost certainly get great "above and beyond the call of duty" support.
Rob
|
prince dashan,
your input is appreciated, but there are no and i repeat no releases of software with as much functionality as dolphin. the cost of dolphin was not in question here. it is who they recommend for hosting and the quality of hosting one can expect from hfw. has nothing to do with the dolphin script. i would stand behind the dolphin script 100%, and have been using it and supporting it myself because i want to. and just to curb your one statement. there are many of us who do this all for free, not one pence. so please put yourself in check on that one.
later, DosDawg
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
That $1000 - or $995 pricetag for the pro version - or whatever it is, causes some confusion. The license is $40 per year or $100 per lifetime. Is that what you are saying is overpriced?
Rob
|
Sure, if you need a hand I can help right here or pm me. Best advice is to install again like was mentioned. I have a tutorial to follow on my blog. I have actually many video toots for free you can follow stop and start at your leisure.
Many, many sites are being hacked right now, or attempts made, by bots; we have found the holes and have many guys helping ...again for free... to stop them.
http://www.boonex.com/unity/blog/entry/Mscott_s_mindless_security_tips
I found this with the use of the search tags function.
Sammie has paid for another fix and posted for free. There are many people here who just help. I am one of them. Please do not hesitate to ask anything. Please watch all my toots first though...I'd hate to answer something that I have made a toot for.
I have video tutorials to help you mrpowless.com |
Thanks very much for your feedback and contacts. I feel less like I am in a parachute-less free float after reading through all your comments. It is ironic that I take a lot of heat for being a heretic and cynic in my circles yet I was a babe in the woods when it came to the hosting situation - well another lesson learned (on top of a giant pile, ever growing).
I neglected to mention - HFW ...well let me just print the quote below...note the fee
(begin quote)
ReferenceId: 9626-14094
Main account: server.bumblefunk.com
Reported account: 216.246.46.85
Response Deadline: 1 hour
The following report has been sent to HostForWeb. This report indicates that there is a security breach on your server. Locate the issue and fix any problems to prevent further abuse. If we do not hear from you within 60 minutes, we will take further action outlined below. Please review the following report and let us know of any actions you take to prevent further abuse.
No Response or Reoccurrence
-------------------------------------
1. Shutting down the reported domain or your server from public access.
2. Account will remain blocked while we discuss the report.
3. $60 fee for fixing of any issues.
Possible Causes and Solutions
-------------------------------------
1. An abuser may have gotten access to a cpanel/ftp/ssh account and used it to login and upload malicious scripts/software to the server or to send unsolicited e-mails. Check your access logs for any suspicious behavior containing information provided in the report.
2. You or your client could have installed or has not maintained script/software uploaded to the server. Check the server for any outdated scripts that need to be updated. Most popular outdated scripts are phpbb, php-nuke, formmail, and other send mail type scripts.
(end quote)
So I had 60 minutes to figure out what the heck was going on and another 60 dollar fee looming - ouch!
Thanks again for the support - I guess that is how these community sites are supposed to work!
Eric
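A triage script that follows DosDawg's description of a PHP remote shell planted on a shared server and the host's instruction to "check your access logs": it walks a web root for PHP files sitting where only uploads belong, or that read request input into an eval/exec sink, then counts which client IPs requested those files in the access log. This is an added example, not code from this thread, BoonEx or Dolphin; the upload directory names, the file layout and the log lines are constructed assumptions.

```python
"""Triage helper for a suspected PHP remote-shell upload on shared hosting.

Constructed example for this thread, not code from the original post, BoonEx or
Dolphin. Assumed layout: a Dolphin-style web root whose 'media/', 'upload/' and
'tmp/' subdirectories hold user uploads and should never contain PHP, plus an
Apache combined-format access log.
"""
import os
import re
import tempfile
from collections import Counter

UPLOAD_DIRS = ("media", "upload", "tmp")  # assumed upload-only directories
PHP_EXT = (".php", ".phtml", ".php5")

# Eval/exec sinks, the request superglobals a remote shell feeds into them, and
# the decoders commonly used to hide the payload.
SINK = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def score_php_source(src):
    """Return the reasons this PHP source looks like a remote shell ([] = clean)."""
    reasons = []
    has_sink = SINK.search(src) is not None
    if has_sink and REQUEST_INPUT.search(src):
        reasons.append("request input reaches eval/exec sink")
    if has_sink and OBFUSCATION.search(src):
        reasons.append("obfuscated payload decoded next to eval/exec sink")
    return reasons


def scan_webroot(root):
    """Map relative path -> reasons for every PHP file under root that deserves a look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]  # first path component
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            reasons = ["PHP file inside an upload-only directory"] if top in UPLOAD_DIRS else []
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                reasons += score_php_source(fh.read())
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel.replace(os.sep, "/")] = reasons
    return findings


LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+)')


def suspicious_log_hits(log_lines, flagged_paths):
    """Count, per client IP, the requests that hit a flagged script (the log check the host asked for)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        ip, _method, url = m.groups()
        if url.split("?", 1)[0].lstrip("/") in flagged_paths:
            hits[ip] += 1
    return hits


def demo():
    """Build a constructed web root and log, run both checks and return the results."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media", "images"))
        with open(os.path.join(root, "index.php"), "w") as fh:  # legitimate page
            fh.write("<?php echo htmlspecialchars($_GET['q']); ?>")
        with open(os.path.join(root, "media", "images", "x.php"), "w") as fh:  # planted file
            fh.write("<?php eval(base64_decode($_POST['c'])); ?>")
        findings = scan_webroot(root)
    log = [  # constructed combined-format lines
        '203.0.113.9 - - [01/Jan/2010:10:00:00 +0000] "POST /media/images/x.php HTTP/1.1" 200 12',
        '203.0.113.9 - - [01/Jan/2010:10:00:05 +0000] "GET /media/images/x.php?c=aGVsbG8= HTTP/1.1" 200 12',
        '198.51.100.4 - - [01/Jan/2010:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    ]
    return findings, suspicious_log_hits(log, set(findings))
```

On a real account, point scan_webroot at the site's document root and feed suspicious_log_hits the lines of the access log the host refers to; the IPs it counts are the ones to raise with the host, and the flagged files are the ones to preserve for evidence before cleaning.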
|
That is outrageous. Hostforweb seems to be guilty of false advertising and should refund every penny you paid to them.
Rob
|
eric,
that is ludicrous for them to present that to you that way. are you on a dedicated server? or should i say were you on a dedicated server?
hfw is not only doing this to people. they proclaim, or should i say boonex proclaims that this is the best hosting provider for this script, however what i have found and personally dealt with on these servers, dedicated, vps or shared accounts, is that they are not even remotely close to being optimized for hosting this script. all and i say all, of their server configurations are so far left of boonex recommendations of a server requirement it's unreal.
i have seen everything from missing xml, mb_string, xslt, only to mention a few that were not compiled on the server. when a user would send in a support ticket, they would typically receive a response that it would cost $50.00 to recompile php with the required modules. then there is the whole ordeal with register_globals, hfw knows that without a doubt that dolphin should not be running on a server with register_globals on, but yet, they not only continue to sell their hosting packages to those who are hosting dolphin, but they also do the installation, for a fee of course. then when the site is hacked because of an inferior product sold, they blame the site owner. i am not making this up, this is what i have dealt with personally.
it's their servers, for them to tell you to review your logs is absolutely asinine. they should have been the one reviewing the logs and making the professional determination of how the server was compromised.
eric, i know you have posted this to the forum, but this is absolutely something i would post to the blog. the blog is more in your face, and it gets indexed better than the forums. if you don't want to post it yourself, then i will do a copy and paste of your post with your permission. i am totally appalled at both boonex and hfw.
later, DosDawg
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
sammie, cal, mrp, eric,
yes sammie what you posted will stop RFI (remote file inclusion) however, it is my belief and i am speaking from experience, that most of these attacks are not from RFI, but from RSA (remote shell access) via php script.
i have spent countless hours on the internet back five or six years ago, learning all of this server security stuff, and the hosting provider could prevent this from happening if they chose to. i wrote an article over on one of the other forums back five or six years ago, with a detailed explanation on how to prevent this script from being run on a server. the problem is that hosts don't want to do the leg work required.
well i am pissed off at boonex and hfw about this whole occurrence so i will just stop talking about it now.
later,
DosDawg
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
I can't say that this is the case, but when I worked in the industry what often happens is the data center that the server is leased, purchased from, or plugged into by the hosting company finds a phishing script, spam script or similar. They notify the host company and say hey we found this and what are you going to do about fixing it, get back to us how and when you fix this. Now some of these data centers don't mess around. They give you a little time, I've never been pressured to come up with a solution in 1 hour or less, but they don't give you a week either.
Then the host may suspend the account, so it's not publicly available to you or anyone else. They will probably email you with something like we found a phishing script or whatever located at x-location. And tell you to remove it, check all files and folders etc. Once you acknowledge the email usually your site is un-suspended and you have an opportunity to fix and remove it.
If it's not fixed in a timely manner the data center can and will shut the whole server down. If this happens instead of 1 angry customer you will have many angry customers in some cases hundreds on a shared hosting environment. So they don't let it get that far.
Often a phishing script, mass email or other spam/scam, is not done purposely by the account holder. It can be due to a compromised account, script, or some form of hack. Usually the account holder is unaware of it until they are notified by the host. But if it keeps happening to the same account they might consider terminating the account.
Some data centers scan servers more often and do a better job than others. Some can be pretty strict.
Even if you or the host has a dedicated server leased or owned, it's still plugged into the data centers network which they control and have final say over.
I can't really comment on fees to fix or remove it for you, and same goes for re-compiling php with any additional modules. I guess it could be part of hfw policy or terms somewhere.
Again this may not be the case, but I thought I would offer what I know and have seen.
I am no fan of hfw.
gameutopia
dialme.com
DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources |
What is just TOTALLY INSANE is that boonex continues to recommend HFW KNOWING full well they DO NOT meet the requirements of their script!
If it's about money well GUESS WHAT??? EVERY host that meets dolphin requirements has an affiliate program and they can make bucks BUT MORE IMPORTANTLY can keep what little INTEGRITY and REPUTATION they have left because they actually work with their scripts! . |
I don't know if I'm thinking backwards, but here's my thought on this:
It's simple, a person who represents the goods to be fit for any purpose is responsible for that representation. If Boonex represents HFW to be fit for their script, and it is not, then it is Boonex that needs to go fix this.
If HFW represents that their servers meet the script's requirements then they would be equally responsible. In any case, scalpshifter shouldn't be penalized for their failures.
Rumpy mentioned that Boonex knows that HFW servers do not meet the requirements.. That, as far as I am concerned would put some, if not all, responsibility on Boonex given the fact that the starting point for a client to buy the hosting package would be the Boonex recommendation anyway.
Maybe DosDawg should be more active in promoting his hosting services, or any other user for that matter. Simply because, they use the script, they keep it updated themselves and they understand other users' grief.
As far as fixes 'Forum fixes' and code scattered all over the post.. I can tell you now, this shit can look scary to non-coders or novice programmers and they might find it daunting to have to start the process themselves.
My advice is if you really are willing to spend a long time writing a post.. forget about that.. use that time to send a message to the person with the problem, get their PHPmyAdmin and ftp details.. fix the problem, and then, if you still want to show them what went wrong and how it was fixed, you can do that.
Finally, HFW servers are a pile of turd not worth the money people spend for them.. add to that, support at both, HFW and Boonex is even a bigger pile of poop!
|
The only validation for your claim that Dolphin is more functional than other scripts is your emotions. To be sure, the fact that you have invested so much time on working with Dolphin leads you to take any criticism of it as an attack on your person. I could list at least three commercial scripts that have better or more affordable features. For instance, there are scripts that have forums, media players, chat and widgets included for around $300. Not only that, said scripts make it easy to insert adsense codes and also they have built in css profile customizers.
I find it silly that one can't use free licenses with an adfree version. The free license is a waste of time. Most people who use it are not really serious webmasters. Most of those sites hardly last a year. The people who actually buy Dolphin and Ray must keep forking out money to make it decent.
I regret buying Dolphin and Ray licenses. I should have shopped around more than I did. By the way, HostforWeb sucks. Boonex is gouging adfree customers while getting a cut from HostforWeb when it gets business from people who use the free licenses.
|
princedashan wrote:
"I could list at least three commercial scripts that have better or more
affordable features. For instance, there are scripts that have forums,
media players, chat and widgets included for around $300. Not only
that, said scripts make it easy to insert adsense codes and also they
have built in css profile customizers."
-
So why are you here?
|
I have to agree.. I actually do have a script right here that has all that and more, like mobile phone messaging system integration feature and podcast activation.. I paid $390. But, while you might think that this is great, for some, like me, I prefer to have the ability to break up my script into pieces.. so I guess, it all depends on what you want.
|
nosir princedashan,
i don't take this as an attack on my person. i don't take it as an attack on anything. you stated your piece, and that is kewl and all. but, here is the deal. you cannot bash dolphin as an application if you are incapable of using it. and if you regret purchasing the licenses, then just as caltrade stated, "what are you doing here". the script, and this is from a programmer's view, is absolutely unbeatable by any, and i have researched, and i have done beta for most of the scripts you are referring to. but functionality and cutting edge technology is not even close on those other scripts. but we are not here to debate the validity of the dolphin script.
my chief complaint just as it is with the owner of this thread, is HFW and BOONEX. both have failed severely on this one and then pushed it off on the end user who was unsuspecting of any such circumstance that she has now been down trodden with.
if you wish to air out your complaints about how you feel about the software, please find you the link to the blog and type away. but here we are trying to help somebody who has been wronged. you have not posted in here previously prince shadan, and i highly suspect you have never used this script. but hey that's just me.
later, DosDawg
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |