Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Account Suspensions and how to deal with them

  1. #1
    Gold Member twinscythe12332's Avatar
    Join Date
    Jan 2007
    Location
    durban
    Posts
    769
    Thanks
    12
    Thanked 110 Times in 84 Posts

    Account Suspensions and how to deal with them

    Hey All,

    I've been trying to help out someone. Their website got hacked, a particularly nasty page was uploaded as the prominent display, and he told the hosting company to restore everything back to how it was. They have done so... but within a few hours, his site was taken down and replaced by an account suspended notification. Other than the obvious fact that he wouldn't want to tell the world he had hacked his own site, as well as the confirmation of the hosting company that they had put his site back to normal, I'd like to know what sort of leg he has to stand on with regards to taking the matter further.
    I'd especially like some advice on how to resolve it as quickly as possible. I've been in discussions with their 24 hour support team, and they've pretty much acknowledged that there is a major problem. Further feedback should have been supplied by this morning, but it seems they aren't quite ready to give out any details.
    I don't want to go name dropping yet, because I feel I'd like to give them 24 hours and the benefit of the doubt before raging.
    I'm looking for any similar experiences and how you interacted with the hosting company to get your site back up and running.

    Thanks

  2. #2
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    20,979
    Thanks
    3,055
    Thanked 2,462 Times in 2,067 Posts
    Blog Entries
    12
    It's not enough just to restore a backup - you should also change all the usernames and passwords with admin, ftp or database access privileges. Wouldn't hurt to force a change of password on any hosted email accounts while you're about it.

    If it's a script flaw that's enabling the hacking, taking the site down until the flaw is resolved probably is a good idea.

    I would expect the hosting company would take a close look at the log files to identify the source of the problem (provided you're on supported hosting, of course).
    The trouble with opportunity is it normally comes dressed up as work.

  3. #3
    Gold Member twinscythe12332's Avatar
    Join Date
    Jan 2007
    Location
    durban
    Posts
    769
    Thanks
    12
    Thanked 110 Times in 84 Posts
    The support guy we spoke to pointed towards a possible security flaw, but he wasn't entirely certain. The support team has said they will be emailing him stuff from the technical support team, but he still hasn't received anything. He has been dealing with this group for years, and this is the first time they've ever been slow to respond. This makes me think it's a little more than simply an outdated version of joomla!
    I'll hopefully be able to get something going this evening or tomorrow, especially the password changes like you have said.

  4. #4
    Site Caretaker Dave A's Avatar
    Join Date
    May 2006
    Location
    Durban, South Africa
    Posts
    20,979
    Thanks
    3,055
    Thanked 2,462 Times in 2,067 Posts
    Blog Entries
    12
    Quote Originally Posted by twinscythe12332 View Post
    This makes me think it's a little more than simply an outdated version of joomla!
    Just how outdated?
    The trouble with opportunity is it normally comes dressed up as work.

  5. #5
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,172
    Thanks
    11
    Thanked 188 Times in 136 Posts
    Quote Originally Posted by twinscythe12332 View Post
    Hey All,

    I've been trying to help out someone. Their website got hacked, a particularly nasty page was uploaded as the prominent display, and he told the hosting company to restore everything back to how it was. They have done so... but within a few hours, his site was taken down and replaced by an account suspended notification. Other than the obvious fact that he wouldn't want to tell the world he had hacked his own site, as well as the confirmation of the hosting company that they had put his site back to normal, I'd like to know what sort of leg he has to stand on with regards to taking the matter further.
    I'd especially like some advice on how to resolve it as quickly as possible. I've been in discussions with their 24 hour support team, and they've pretty much acknowledged that there is a major problem. Further feedback should have been supplied by this morning, but it seems they aren't quite ready to give out any details.
    I don't want to go name dropping yet, because I feel I'd like to give them 24 hours and the benefit of the doubt before raging.
    I'm looking for any similar experiences and how you interacted with the hosting company to get your site back up and running.

    Thanks

    Website security is your, or your client's responsibility - it's like a credit card. The bank has vaults, keycard access to their premises, security guards, armed patrol & response, etc. They give you a credit card with a PIN and signature - this is your responsibility, and no amount of security they apply on their side can actually keep your card safe if you type your PIN in full view of other people.


    The same goes with website hosting. The ISP / hosting company will have firewalls and many other security measures in place to protect their network, servers, data on the servers, etc. But, if you have an insecure password, or use the same username & password all over the internet, or have outdated & insecure scripts on your website then it's your own fault if it gets hacked. This may sound harsh, but you need to take responsibility for your own property.


    You should ask for a backup of the website, and any related logs and scan thoroughly through them.
    Change ALL passwords.
    don't use the same username & password as being used on forums / blogs / twitter / facebook / etc.
    don't use a recognizable username, i.e. something that could tie to the owner or company.
    user strong passwords. Check this out: http://howsecureismypassword.net/
    Follow the developer's recommended security measures.
    google and see if other people has recommendations for additional security measures to take.
    Make a backup of your website, at least once a week and keep 2 or 3 different copies (i.e. 3 weeks in a row) in-case you need to go back to a previous version, after making changes which could have led to the hacking attempt.

    Just cause our neighborhood has armed partol, security booms, CCTV on the major corners and even neighbor watch doesn't mean I can leave my gate & doors wide open. When someone decides to walk in and rob us, it's my own fault.
    Get superfast South African Hosting at WebHostingZone

  6. #6
    Gold Member twinscythe12332's Avatar
    Join Date
    Jan 2007
    Location
    durban
    Posts
    769
    Thanks
    12
    Thanked 110 Times in 84 Posts
    I'm with you on the reasons for the site being hacked SoftDux, 100%, as well as where the blame lies.
    Imagine that the Neighbourhood patrol has boarded up the house, lost the spare key, denies access to the CCTV footage and has arrested you as the criminal. That's the situation he now faces. If we manage to get the site back up and running, I'm locking it down tighter than a nun. I'm also in the process of training up the poor oke. His dev uploaded the site, explained nothing and just left him to the wolves. By the end of this, I hope to have him a little more tech and web savvy.

  7. #7
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,172
    Thanks
    11
    Thanked 188 Times in 136 Posts
    Quote Originally Posted by twinscythe12332 View Post
    I'm with you on the reasons for the site being hacked SoftDux, 100%, as well as where the blame lies.
    Imagine that the Neighbourhood patrol has boarded up the house, lost the spare key, denies access to the CCTV footage and has arrested you as the criminal.
    Surely you should be able to identify yourself as a resident?


    But, most hosting providers aren't very helpful in this case since they just presume clients know-it-all.

    He should still however get a backup of the game
    Get superfast South African Hosting at WebHostingZone

  8. #8
    Gold Member twinscythe12332's Avatar
    Join Date
    Jan 2007
    Location
    durban
    Posts
    769
    Thanks
    12
    Thanked 110 Times in 84 Posts
    We've identified ourselves as a resident (this metaphor gets more elaborate as it goes on, doesn't it =P), so much so that at least half of the support center know us by now. His backup was apparently "corrupted", even though it worked perfectly fine the last time. Ah, the fickleness of 1's and 0's...Anyway, it looks like the environment will need to be reset, emails lost and site files deleted. We're holding off on this until we can locate a pproper backup.

    Another analogy for this: I've been called to a train wreck. There are no spare coaches, and I have to put the train together again... or build a new one.

  9. #9
    Gold Member twinscythe12332's Avatar
    Join Date
    Jan 2007
    Location
    durban
    Posts
    769
    Thanks
    12
    Thanked 110 Times in 84 Posts
    The hosting company came to the party. They acknowledged that he wasn't the hacker, but the hacked. They cleaned up his site, removed any of the scripts that were causing issues and let the site run. All the necessary passwords have been changed (and even some that weren't entirely necessary), and the site is live again. The scariest thing were some of the passwords used by the developer... I'll leave that to your imagination. I've been teaching him how to make backups, what a safer password is, and to try not to use the same password everywhere. I think this was a bit of a scare, and that's often enough to get people on board with the security mindset.

  10. #10
    Platinum Member SilverNodashi's Avatar
    Join Date
    May 2007
    Location
    Johannesburg, South Africa
    Posts
    1,172
    Thanks
    11
    Thanked 188 Times in 136 Posts
    This thread has made me think about our own strategies and I would like some input to see if we can improve it to a point where both us and the client is happy about the outcome.


    As a side note: One of our datacenters in the USA will send out an email to me if they find anything suspicious on our servers (like reported spam of phishing sites, etc) and literally nullroute the offending IP address of the server withing 24hours of sending out the email Regardless of which day of the year they send the mail - public holiday or not. I haven't received anything over Christmas / New Years yet, so I don't know what would have happened...... Anyhow once the IP has been nullrouted (i.e. it's totally unaccessible on the network or internet they fine me $1000USD to have it de-listed and give me 2hours to fix the problem. The whole server then gets decommissioned 36hours later. No questions asked, no backups kept (they delete that as well).


    So, now we have the takedown notice, and 24hours to respond.

    We then immediately send out an email with a full report giving the client upto 1hour less than when they will nullroute the IP to get it fixed - just for some leeway. An automated script will suspend the account at that time, unless we hear back from the client at which point we disable the automated suspension.

    We kindly also tell the client what recommended security steps to take and most of the times the client resolves the issue right away. Just about every case which I can remember involved an out of date insecure web script or poor admin password.


    The most recent incident was were a client had an old Wordpress website, which was a demo for one of their clients but never used that somehow produced an email email everytime a certain page was visited, dumping 35MB's worth of data (at which point the server cuts it off) to themselves, and generated 113GB's worth of emails. It took us a few hours to find this one, purely cause it took us about 3hours to contain the sudden rush of mail. The script literally sent out an error email every second, but back to the local user. At first we thought the server was under DDOS attack but couldn't see anything on the routers or firewalls.

    I have chosen not to phone the clients, purely cause one client kept a tech on the line for 7 hours during that time forcing the tech to tell the client over the phone how to fix a coding error on his website. Oh, and off course blaming us for having insecure servers. The client in question had many websites, all of which were hacked and phishing sites uploaded to. Only his accounts were hacked. For this reason we don't phone clients for this kind of thing anymore.


    Internet Solutions actually told me over the phone one day I have 1hour to have a solution fixed



    So my question is: how much grace do you give a client, who's website(s) is directly affecting you server, network and other clients?
    How long do you allow his hacked account to deny service to other clients on the same server, affecting their productivity and business as well?
    Get superfast South African Hosting at WebHostingZone

Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 8
    Last Post: 18-Apr-12, 06:14 AM
  2. New cabinet - new deal for business?
    By Dave A in forum Business Finance Forum
    Replies: 0
    Last Post: 21-May-09, 02:21 PM
  3. The SASOL BEE deal
    By Dave A in forum BEE and Employment Equity Forum
    Replies: 9
    Last Post: 10-Nov-08, 07:01 PM
  4. The Naspers BEE deal
    By Dave A in forum BEE and Employment Equity Forum
    Replies: 1
    Last Post: 29-Nov-06, 08:10 AM

Did you like this article? Share it with your favourite social network.

Did you like this article? Share it with your favourite social network.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •