Site hacked

[SilverNodashi]

Great idea - yes


For sure - I pay a lot more than what you deridingly assume I do, and if all I am getting is some space on a server and no other service as you are suggesting then its damn expensive.



Lets see - 200 staff X R5000 salary = R1mill
25000 clients (WA's claim) X (your) R50 subscription = R1.25mill
But on this basis - seeing as I make a change every three to six months on the odd page - thats say 8000 clients changing stuff over the year for the 25,000 clients divided by 200 staff = each staff member must monitor and worry about 3,3 changes a month. So 200 staff is way too much. So if each staff member looks after one client change a day - thats about 25 staff needed. They will be in business a long time and have happy clients.

Fair enough, with R250K profit they have no excuse not to hold their client's hands, even when they surf. But, how much profit do they make from the R50pm subscription? They still need to pay rent, purchase new equipment (you want better technology in the future, right?), phones, water & lights, insurance, etc.

The point though as we can see in your answer is that the client is always in the wrong. Take the pin code for example - I did not give it away. I say the isp let it out of the bag - but you automatically gave them the benefit of that doubt.

Marq, I didn't say that, but instead I'm trying to imply that it's a 2-way street. The client needs to take responsibility as well.

IF your website is really that important (let's take a bank's website, for example), then surely you (as owner) should do your part to make sure everything on your side is fine. The banks, in this example, spend a few million a month on security (staff / their own servers / own data centre space / developers who code very well / etc) IF their site get's hacked, who's fault is it? Theirs, or the ISP's? - this is an example, but I don't know if it came through properly.

let's bring it to our level. If one of our reseller's accounts gets hacked, who's fault is it? Ours? Our client (as reseller), or his client? Let's say the 3rd party developer (so we're 4 levels down now, us -> reseller - his client -> 3rd party developer) doesn't follow secure coding standards, and a hacker discover an XSS flaw, and then get's the client's control panel password and hacks into the control panel. This hacker is then a bit more patient in leaving his marks. He then leaves some "worms" on the client's account to get other info from the client. Any username & password combination can be used to possibly hack other accounts the client has. BUT, since he has access to the client's account, he has access to the client's email as well, and could silently capture all emails the client get (like new password request from this forum, or even the bank, or whatever). This goes on for a month or 2, if he's really clever, he'll lay low for about 6 months (long enough for his "stealth worm" to have infiltrated the backups and the logs in such a way that an admin won't see it as abnormal activity), and then he strikes and causes havoc. IF, this account was a forum, then he would have thousands of email addresses & password combinations - even if the passwords are MD5 encrypted, he could probably have enough PC power to decrypt those passwords. My guess is, about 70% of those passwords are easy to pronounce, and could thus be cracked against a dictionary - which is quick on a multi-Core XEON.

A restore was eventually offered by WA for an additional R300 - I had to suck them for the answers - it then turned out they only keep backup for 7days and did not have a clean version as the hack had happened prior to that. So they expected me to buy my site back from them after they lost it.

I could not find how the hackers got in and the isp sure is not going to admit to having holes - so one will never know the answer to this.

This IMO leads me to believe they either don't know, or don't want to dig deeper to find the problem. OR, they screwed up somewhere like you suspected.

Do they not have an option where you could restore your website yourself?
And do you have access to any raw logs on the server? This could sometimes indicate where / how the hacker got it.
Can you pronounce your password? Is so, then you need to change it ASAP.

If google can assume a malware hack and stop the site loading then I do not believe that the isp is unable to run software against their clients pages to look for the same, so I do not believe this is mission impossible. Similarly they could run software against the dates of files and scripts that may indicate old and vunerable software. This could then be offered as a service to the client to update the site for the client...at a cost of course. If that was offered and then refused and an attack occurred, well now theres a reason to say I told you so.

It's not as simple as running a script against the date of the script. The main problem is, there's probably 50 billion scripts on the internet, and a date check alone won't be accurate enough.

For example, a client uploads a static web page in 2003, with some basic HTML content and nothing more. The monitor script will then go berserk on this account due to the date. There's no need to update the site as the static content is invulnerable. Do you think this client would enjoy being spammed by the server every day / week / month - whenever the script runs to say his 7 year old HTML page is a hazard? I can see how this is going to peev off some clients already.

Similarly, if you decide to upload a script, like say Joomla, which has 7,968 scripts (new install - no mods or anything yet) , and there's say 100 client's (there's normally more) on this particular server - that would be 796,800 script for a single Joomla installation per account alone. What if every client has a forum & blog installed as well. Now, this figure goes up to say 2,788,800 scripts.

So, a simple date checker script will need to loop through 2,788,800 scripts, every day to see if the date is older than say 6 months (to be a realistic number)?



In theory, your suggest is a valid one, but not practical, by a million miles. Is it really so hard to take responsibility of your own website? Does your website mean so little to you that you refuse to take care of it and insist that the ISP do it? And if they absolutely need to take care of it, are you prepared to pay extra for it?
I'm asking this, as a matter of research

From what I can feel, there is this thought that because the service is so cheap it does not include anything beyond storage and there is no responsibility out there in isp land.

How much of the R50 (this is purely the example) you pay do you think the ISP's actually pocket as mark-up? Sure, I would love to assign a dedicated tech to every client I have, but my business will go down in flames on day1.

And while the thought it probably very true, I can assure you that it's not 100% so. That R50 (with your calculations on 20,000 clients is R1.25mil) needs to pay for servers, switches, firewalls, server room (either rent or maintenance on own equipment) software licenses, staff, office, water & light, insurance, bandwidth (chances are R30 is for bandwidth only, so they don't even see that money), and the list goes on. The responsibility is in fact far greater than you think. If, for example, they didn't pend R25K on a new server recently, they couldn't accommodate your website. OR, that new R400K firewall makes a huge difference on DDOS, QOS, VLAN, etc control making everyone's life easier. And, the new software licenses probably cost them in the region of say R700K this year, but they need to pay it to keep up with the demand.

i.e they provide you with all the tools you need to make sure you website is up and running, 24/7/365, with security (physical & electronical), with all the software that you need ( server OS, control panel, mail server, database server, site builders, etc, etc). You just need to maintain your own website. Is this not responsible enough?

Do you want them to run your website as well? And take care of the CEO while their at it? And how about managing your company?
All of these are possible (whether WA offers it or not,I don't know), but will cost you extra money. Did you pay the extra money? Then you get the service. If not, then you can't expect it.

Like I said - all we want is some service, good advice and accountability, which we assume is in the monthly hosting fee. Denial of that service and hiding behind technical issues, when things go wrong, is no different to the insurance guys who let you believe you are covered and then run and hide when the claim happens.

agreed. but again, I can't vouch for any other ISP. I just get a bit worked up when the ISP industry is always to blame for everything, even though 70%+ of the problems are user-related.