Website hacked, down for days...

[Queen Bee]

<rant>Well, to speak of the devil. My site just got hacked... again. This time, however, I feel that I am hardly to blame. Since the last time my website was hijacked, HostExcellence assured me that they had "cleaned up the mess." (They denied me access to the contaminated files-- I guess they thought they could do a better job?) Since then, I have not downloaded and installed any new scripts (except for ones that I promptly removed due to fear of being hacked again) and, at the time of hacking, my website was completely database, PHP, script-free.

How much longer should I be punished for installing an insecure version of SMF more than 6 months ago?

My site was down for four days, and it took HE more than 36 hours to respond... maybe that's acceptable, but I think when it comes to running a business, 36 hours of downtime is crucial. In addition, Google put up that amazing "contaminated website" message in the search engine. Thankfully, I cleaned up the mess and contacted Google who promptly removed the message.

Amazing, isn't it? A company that's not paid to handle my website worked swiftly to restore my reputation, whereas a company that has been paid to host my website for more than 4 years doddled while my website was on lockdown.

I know it's not because HostExcellence's Help Center is slow. Everytime an attack on my website affected them personally (say, a TOS violation), they not only took care of the problem immediately (within less than 2 hours), but they aggressively held me accountable and even threatened to close my website.

I should have discontinued my service with them a long time ago, but I just didn't want to hassle with moving over to a new hosting company. Well, it's never too late to learn a lesson. I already moved my domain and asked them to refund my prepayments (approx. $120 worth of unused monthly hosting costs) and one of my business associates has kindly offered to host my website on his server for free.</rant>

[donecweb]

Sorry to hear your having troubles Rachel. You are right you should be compensated for the delay as that is excessive. Maybe you should ask them to respond to your post on the forum so they will see the damage to their reputation they have caused and maybe they will try and make amends. If you are a StatCounter user then you could post the same thing there and inform HostExcellence. This is a great forum but it is not near as large and does not reach as many people as StatCounter. If you want I can post at StatCounter for you and all you need to do is tell HostExcellence about it. Good luck with you new host.

[Andy]

Sorry you got affected in this manner Rachel, I too found Google very responsive in updating status once I corrected hacking contamination.

[Queen Bee]

Thanks for listening, guys. Once I move over to the new server, I will be posting my review of HostExcellence to other websites and forums as well.

It has been 5 days since I opened an account cancellation ticket; I'm still waiting on HostExcellence to refund my money. I think that 10 business days is reasonable. If I do not receive a refund by then, I will contact my bank.

[Menard]

I have, unfortunately, been hacked several times.

In a discussion with a webmaster on another forum, who had berated free web hosting, I brought up to him the fact that I have never been hacked on a free service, only on paid services. Of course, free services will have certain functions disabled, compared to paid hosting, which helps to maintain the security of their servers.

I was never hacked using Byethost; it didn't prevent them from losing an entire website of mine, but I was never hacked. Of course, my use of php scripts was limited, if I was using any at all at the time, so that probably figures into the equation.

One thing I have learned from webhosts, and taken to be gospel, is that they are never at fault for you being hacked.


On one service on which I was hacked, for which they promptly suspended my hosting and sent an accusational email about me spamming people and having a phishing script on my webspace; they did not like my response back and told me in a roundabout way that I was being unreasonable and that they seriously doubted their server would fit where I told them to put it.

In our roundabout discussion (a.k.a. trading licks) they had informed me that 'you had a script on your hosting'.

Duh! You think? They wanted me to pay for the hosting, but not put anything on it?

I actually didn't recall having put a php script on that particular hosting, only a perl script, but there was one, plus several other files, in the backup they provided me; and I don't know what gave them the idea, had they looked at it, that I understood Chinese.


My worst experience with a hosting company, and a well known one too, was when they debited my bank account without approval. Since I didn't have the money to cover it, and several payments hitting at the same time causing overdraft fees on top of fees running several hundred dollars, I ended up losing my bank account and the bank filed a credit report on me which prevents me from getting a banking account. The hosting service could not have cared less what they did.


I'm more weary of paid hosting than I am of free hosting. If the hackers don't get you, the hosting company will. Byethost, 3ix, and a few others do have some security measures enabled which require writing a workaround in the htaccess file, but I've come to find that I'd rather have that little inconvenience compared to being hacked.


You probably weren't to blame the first time you got hacked, Rachel. If they got you again, even with improved security, or fixed bugs in a script, any bugs which may have been in the script, or something you may have done with the script, were probably negligible compared to the hosting service just not having good security.

[Queen Bee]

You probably weren't to blame the first time you got hacked, Rachel. If they got you again, even with improved security, or fixed bugs in a script, any bugs which may have been in the script, or something you may have done with the script, were probably negligible compared to the hosting service just not having good security.

Thanks for your support, Menard. I am happy to say that yesterday I finished moving my site over to my friend's servers. I uploaded everything from my computer, just incase there happened to be a contaminated file on my website that I somehow missed.

The site loads much faster now, and FTP is lightning speed. I remember waiting several minutes just to load a few images through HostExcellence...

One thing I have learned from webhosts, and taken to be gospel, is that they are never at fault for you being hacked.

It's funny that you mention it... I have been searching through HostExcellence reviews and found more than one situation that seemed suspiciously similar to mine.

Here's an amusing one, posted at Web Hosting Jury:
"These guys are born liars and the worst hosting company out there. My sites got hacked several times. Plain HTML site, no PHP, no Frontpage extensions, no Virtual FTP, no Directory Listing, so how did this happen? Because Host Excelence servers get hacked by people in Russia every once in a while and they then get into individual sites using a shell script. One of the agent told me this by mistake. Then when I confronted them, they denied everything."

In our roundabout discussion (a.k.a. trading licks) they had informed me that 'you had a script on your hosting'. Duh! You think? They wanted me to pay for the hosting, but not put anything on it?

Hah! When I spoke to their online chat representatives, I kept receiving stupid comments like that. They were about as useful as AOL chat bots. Every comment or question seemed to prompt a copy-and-paste solution such as, "Avoid 777 permissions." Right... because, you know, when I'm uploading images and HTML to my website, I like to change the permissions just for fun.

My worst experience with a hosting company, and a well known one too, was when they debited my bank account without approval. Since I didn't have the money to cover it, and several payments hitting at the same time causing overdraft fees on top of fees running several hundred dollars, I ended up losing my bank account and the bank filed a credit report on me which prevents me from getting a banking account. The hosting service could not have cared less what they did.

What? That's horrible.

You're right, of course. It took me four years of poor hosting experiences to realize this, but I think I finally do; they don't care. We're IP addresses and bank accounts-- not customers or clients.

I will avoid big hosting companies (Ipowerweb, HostExcellence...) in the future. I set up my dad's website with Everity last year. I have been, overall, pretty pleased with it. I haven't run into any problems (and hopefully never will) so it's difficult to rate their customer service. The one time I did ask them a question their response was quick and intelligible.

[Menard]

I will avoid big hosting companies (Ipowerweb, HostExcellence...) in the future. I set up my dad's website with Everity last year. I have been, overall, pretty pleased with it. I haven't run into any problems (and hopefully never will) so it's difficult to rate their customer service. The one time I did ask them a question their response was quick and intelligible.

I left eVerity for 2 reasons:

1) They have the shortest possible time, it seems, for suspending an account for late payment; of course, they have their little thing where, if you are going to be late, you can declare that, and have a fee added to the next month's payment. Their late payment charges and the rapidity with which they will suspend an account seems a little like extortion to me.

2) I have sent them near 8 times the referral traffic I have sent to my other hosting affiliates, without a single reported sale, but I have made sales from the other affiliates; something just strikes me as fishy about that.

Their service is fine; not the greatest, but nothing bad I can think of. Their semi-dedicated and higher cpu use hosting seems promising as well.

I am going to try out Netfirms on a special deal Manu plugged me into in a different thread.

It is sad to say that I have learned that expecting too much, or even what is promised, from hosting is going to lead to letdowns. It's almost like voting for a politician, and choosing the one who sucks the least.

[Mikey]

It is sad to see how web hosting is these days.  It is tough to find a dependable hosting company out there when it comes to shared hosting accounts.  Many companies try to see how many shared accounts they can jam on 1 server before people begin to complain.  A good host would have a limit on the number of accounts and it would be a reasonable one as well.  One interesting thing that the bigger hosts are getting into now is clustering.  That is where your hosting account is on a group of servers.  I definitely feel that hosts have came a long way over time with hosting but you still need to be careful with which ones you pick.  Sometimes some of the smaller hosts are better because they may provide better technical support.

Please try to watch out for hosting resellers.  There are many people out there trying to get into the hosting business.  You will see hosts pop up and then vanish right before your eyes.  One of my customers was a victim of this.  I was providing his domain registration services and he was getting his hosting through a wonderful hosting provider that was cheap.  Unfortunately this wonderful provider who was cheap was a con artist.  I was doing an investigation on the hosting provider and discovered that he was opening up small hosting companies and then shutting them down leaving client's stranded without any refunds, etc.  So be careful.

Over the past few years I have been focusing mostly on providing domain registration services but there are times I have thought of getting back into the hosting business.  I do offer hosting accounts on a private dedicated server for friends and family but it seems I have been getting more friends and family somehow which is why I just got another dedicated server yesterday.  It is a Core2Quad server.  (Just in case I start getting more friends and family members somehow).  I guess that is the beauty of word of mouth... friends tell other friends and family members lol.  But the server im getting should be more than enough for what I need and im excited about getting it up and running.

[Andy]

I think the web hosts that do a good job are going to clean up in the industry since word quickly spreads about bad/good hosts. But if you are a small hosting company that provides a great service you could get problems if you had too many new customers flooding towards you and were unable to cope with the administration.

If I was going to run a web hosting company, I think I would specialise in servicing a particular kind of client e.g. tech geek (low tech support needed, give them cool features like clustered servers and secure root access), businesses (could charge higher fees and charge for support) or starter (provide automated tools for website creation, script installs, FAQ-based help).

[Menard]

I think the web hosts that do a good job are going to clean up in the industry since word quickly spreads about bad/good hosts.

In a world where we make decisions based on logic and analytics, that may be true, but I don't find webmasters, or anybody wanting to host a simple blog, to be any different in their shopping choices than the general public; and the three determining factors of most people of where they shop are convenience, cheap prices, and if it's big it must be good. Quality, value for price, etc. get lost in there somewhere.

As an example, several years ago, my sister used AOL as her internet provider. AOL was a simple choice, because everybody had heard of it...so it must be good. One consistence of the service is that you would invariably lose your connection at some point, and even every few minutes when it got bad. She just took that as 'normal' because that was all that she was familiar with.

I see webmasters just as guilty, perhaps even more so, of handing out unproven cliches to other webmasters. one webmaster, on DP, had inquired about why his domain had been de-indexed by Google. Another webmaster came back with a reply (paraphrased) 'if it's been de-indexed, it's been banned and you'll never get it listed again'. I suggested to the second webmaster that he needs to stop reading his webmaster advice off of bathroom stalls.

Perhaps I am too pessimistic and don't give people enough credit, but I see too many people as more than gleeful to do as they are told and to be happy with it. They don't bother to look around and come to accept poor performance and service as the 'norm'.

There are very probably some very good webhosts that specialize in enterprise hosting for business, customize specific hosting plans, etc. They are probably very good as a result of not crowding servers and having to meet the expectations of clients who can not only afford such service, but afford to go elsewhere if they don't meet their expectations. I am not such a client and I'd put money on a good percentage of those looking for hosting are not such clients either.

There must be quite a balance to maintain a reasonable service and at a low end price for shared hosting. Ten dollars a month is not going to make it for a company if they are limiting the number of accounts per server. On the other hand, huge downtime is going to slime off customers who will up and leave; but, perhaps, the balancing act is that there are enough customers who will accept poor service, or who have just parked their simple site there and are happy with paying their yearly hosting fee. Those latter customers are probably what makes up a good bit of the profitability of shared hosting, and why bother to keep on customers who may actually use the resources promised when they can just go elsewhere.

I just don't see hosting companies as any different than other companies, and any company with altruistic goals is not going to be around very long, IMO.

I also see too many people as willing to accept what they get, or accepting it as the norm, to inspire a company to offer anything more if their preferred herd is content.

When dial-up was the norm and AOL was king, AOL consistently had the worst customer service rating of any American business. Yet, people consistently went with their service because its availability was made convenient and they came to accept it as the 'norm'.

Who is a good webhost? I really don't know. I don't think, at least for me, that decision can be made in a short term of hosting with a service. I had been with a hosting service with which I had been happy for months and would have recommended to anybody, until my hosting got hacked twice within two weeks and what had been a normally receptive and quick to reply customer service became silent.

Very often, the yardstick of customer service is how they handle a bad situation. Of course, if you have been with someone for a long time, and have not had a bad situation to test them, well, that's probably a good sign too.

[Mikey]

Please keep in mind that it may not always be the hosting provider's fault if you get hacked.  A good hosting provider would normally do what they can to prevent something like that from occurring.  But there are no guarantees something like that wont happen which is why all hosting providers make it known in their Terms Of Service that they are not responsible for any data loss on your account.

Being hacked would normally occur when you do not have a strict enough password on your hosting account.  All passwords should contain numbers, letters, and special characters.  A2*b9@W2d would be an example of a decent password for your hosting account.  Another reason a hosting account may be hacked is if someone finds out the password to your email account or maybe there is someone you trust reading your email.  It is easy to request a new password for your hosting account and have it emailed to you in case you forgot it.  Also what is most commonly overlooked is scripts you may decide to use.  You want to make sure that any script you use is SECURE.  From what I remember, NO script should require that you have Register Globals ON.  There is just no need for it.  Having register globals on itself isn't a security issue but if the programmer of the script isn't careful, having globals on could lead to vulnerabilities in their product.  So if a php script ever tells you to have register globals on, perhaps you should ask yourself why and find out if it is really necessary to have them on.

It is one thing if the web host's whole server is hacked.  It is another if it was an individual account.  That is where the host has to wonder if you were a specific target.  Then they might question what kind of scripts you were running on your account and what type of site you may have.  And lastly they have to determine if you may be a future threat to the rest of the customers on the server somehow.  The last thing I would expect a good host to do is lose profit and trust in it's customers.  If the host is looking to stay in business long term, then I can promise you they are not going to go hacking their customers.  Software and hardware firewalls do exist but you know that they are not a guarantee.  Virus scan software is made to prevent viruses just like firewall software is made to prevent attacks.  But it never is a guaranteed safety feature.

ALWAYS KEEP BACKUPS.  NEVER rely on the host to keep backups of your site.  Even if they say they keep backups, if the site is real important to you, it is worth doing your own backups as well.  It is easy and takes a small amount of time.  I encourage everyone on my private server to keep backups and if they don't know how, ill teach them how.

[donecweb]

Rachel, I was just wondering if you happen to know if the server you had when you were hacked was an Linux server or a Windows server?

[Queen Bee]

Hey Don,

When I originally signed up I specified my website be hosted on Linux servers. I'm pretty sure (although not certain) that at the time of hacking my website was hosted on a Linux server.

[donecweb]

Hey Don,

When I originally signed up I specified my website be hosted on Linux servers. I'm pretty sure (although not certain) that at the time of hacking my website was hosted on a Linux server.

I ask because MS has released a press release that like other companies they have had to layoff several employees and they are afraid that those disgruntle employees will try striking back and I thought if your site was on a Windows server that may have been what happened.  But it doesn't sound like it.

[Queen Bee]

I ask because MS has released a press release that like other companies they have had to layoff several employees and they are afraid that those disgruntle employees will try striking back and I thought if your site was on a Windows server that may have been what happened.  But it doesn't sound like it.

Ah, I see.

My site was infiltrated by a Turkish hacker named "Techn*caL." I only "know" he is Turkish because the image he uploaded to my index prominently displayed the Turkish flag symbol-- then again, maybe he just thinks Turkey is a great country.

I can't imagine any reason why I would be personally targeted by Turkish hackers, and I'm pretty sure it's not the case. I did a search after my site was hacked and found that "Techn*cal" had hacked over 200 sites; there was nothing to connect them, really, except for maybe sloppy PHP and insecure servers...

[donecweb]

Sounds like you were in the results of an automated Internet search for PHP vulnerabilities.

[Queen Bee]

Sounds like you were in the results of an automated Internet search for PHP vulnerabilities.

I think so, too...

Last year an insecure version of SMF I had installed was exploited by a hacker that used my site to display fake Bankwest login pages (phishing). HostExcellence disallowed my access to those scripts, but they were still "available" on my website. When I requested they please remove the folders and the scripts they ignored my message. My mistake was leaving the issue in their hands; I assumed they knew what they were doing. With the exception of the afforementioned (which was out of my control), my website was clean of all PHP-related scripts and databases at the time of the last hacking.

[rickmeister]

Hi Rachel...

I noticed that you're running SMF 1.1.4.. time to update, LOL 

If you run into any more hosting issues, I'll host you for free, as a courtesy.

Richard D.

[Queen Bee]

I noticed that you're running SMF 1.1.4.. time to update, LOL

Hah, you're right... it's about time. I need to ask the owner of the forum (Sensovision) if he wants me to upgrade.

If you run into any more hosting issues, I'll host you for free, as a courtesy.

Wow, thanks for the generous offer! I will keep this in mind.

[rickmeister]

Upgrades are easy...takes a few minutes and can save hours of trouble
 
I've finished tweaking your red_classic template and now it's stylin' my user forum. (http://plentyofhosting.info)

It matches up with my Canadian logo very well...(I think...I'm not a designer) LOL

Thanks for a great design. I've been searching for quite a while for something like that, and had to put up with poor designs and broken forums.
This one fit...perfectly!!

-RLD

[Queen Bee]

Upgrades are easy...takes a few minutes and can save hours of trouble

I am all too aware of this one...

Thanks for a great design. I've been searching for quite a while for something like that, and had to put up with poor designs and broken forums.
This one fit...perfectly!!

You're welcome. I'm really happy to see you getting so much use out of it, and I appreciate you taking the time to tell me.

Also, your logo looks great.