Web Hosting Talk

READ THIS - What should I do?


Mondeo
02-27-2002, 04:36 PM
Last year I signed up with a hosting company that turned out to be crap, so I moved. However, I had prepaid for a year so I still have an FTP account etc.

Tonight I decided to FTP in to upload some personal pics of holidays etc (boring I know). Imagine my surprise when I logged in and was given FULL ACCESS to the whole server when I had only entered my FTP username and password.

YES, THE WHOLE BLOODY BOX. I can go into all dirs including ROOT, SBIN, SYS etc as well as access all 600 odd accounts (rough count) in the USR/HOME directory and browse them etc.

Now the question is what should I do? These guys are the most incompetent and dishonest host I have ever known but this is a new low. I think it is only fair that I let others on the box know but how?

Give me advice guys - I have no intention of doing anything malicious to anything on the server but this has really pissed me off. Guys like these give the industry a really bad name so I would love to see them out of business.

How can I prove the access level I have achieved (I am not Unix savvy) and can I notify all the users hosted there so they can move to someone else?

BTW: I am NOT a hacker, I wouldn't have a clue where to even start.

tks

Jason

Lats
02-27-2002, 04:54 PM
Ummm, I can certainly understand your position and I believe your old crooked host should thank themselves you're not a real bad person.

The only 'bad' thing that comes to mind is to modify their forum heading, if they have one, with something like "YOU HAVE BEEN INFILTRATED".

I was originally going to say nothing, but if you can get in, what about those 600 odd clients who are currently sitting on the edge if someone less ethical than yourself gains access.


Lats...

Mondeo
02-27-2002, 04:57 PM
Firstly, I don't know what you mean by modifying their forum header (I really am stupid...).

Also, I don't want to do anything to their system which could get me prosecuted as a hacker.

Are there unique files I can download and send to them and their users on this box to prove what I have been able to do with no Unix ability whatsoever?

That's all I want to do - embarrass these guys....

~Karen~
02-27-2002, 04:58 PM
Would it be possible to drop them a note and tell them what you discovered? But that would open you up for them accusing you of hacking or something.

They do need to be notified, in case this was a mistake somehow.

I would want to know, if this was me that this was happening to.

Karen

cheesysticks
02-27-2002, 05:03 PM
Get onto their machine and send them an email from their machine to root@localhost stating "YOUR SERVER HAS BEEN COMPROMISED!" Then set it to mail this every 15 mins by cron.

If they read the mail it will work.

Mondeo
02-27-2002, 05:06 PM
cheesy - I don't know how to do what you say AND that would imply that I have hacked in and they would then try and prosecute me (especially bearing in mind my parting comments when I left them). I really don't want to be investigated for hacking.....

allan
02-27-2002, 05:06 PM
FTP in, switch to several different directories (multiple users, and root directories) and do file listings. Cut and paste the file listings into an e-mail and send them to them. This way they get the idea, and you don't have to be accused of hacking.

Although if you are really concerned, open a throwaway Hotmail account or something and send it to them through that.

cheesysticks
02-27-2002, 05:11 PM
Originally posted by Mondeo
would imply that I have hacked

Yes, oops, of course you're right.

:o

cyansmoker
02-27-2002, 05:15 PM
Jason,
don't do anything that could look suspicious when taken out of context. You don't want to end up the bad guy, here.

Simply send them an email mentioning what you wrote here, and if they're the least competent they'll do something about it.
I don't think that forcing it on them ("You've been compromised!") will do any good and it may even do you some wrong.

OMC
02-27-2002, 06:47 PM
=I don't think that forcing it on them ("You've been compromised!") will do any good and it may even do you some wrong.=

Absolutely. Seems to be another case of the WHT sharks circling. Didn't anyone learn anything last week?

Lats
02-27-2002, 07:09 PM
Originally posted by OMC
Seems to be another case of the WHT sharks circling.

Not at all!

What about the other clients on that server? I certainly wouldn't want to be hosted there.

I'd like to know that an incompetent host has left a gaping hole.

What about an email to all the other clients?


Lats...

OMC
02-27-2002, 07:18 PM
How about just letting the owner know there is a problem and give them the opportunity to solve it? Wouldn't you appreciate the same from one of your clients who discovered this? Of course you would!!! This may be a great host, average host or poor host. All we have is the =opinion= with no verification in the original post to go by. Most jumped right on this person's unverified =opinion= (at least an opinion as presented) and decided it would be a good idea to just destroy this host.

I call it business ethics......

Chicken
02-27-2002, 07:25 PM
Originally posted by Mondeo
Tonight I decided to FTP in to upload some personal pics of holidays etc (boring I know). Imagine my surprise when I logged in and was given FULL ACCESS to the whole server when I had only entered my FTP username and password.

YES, THE WHOLE BLOODY BOX. I can go into all dirs including ROOT, SBIN, SYS etc as well as access all 600 odd accounts (rough count) in the USR/HOME directory and browse them etc.
Jason, while you can get into any dir, can you actually download from/upload to those or read any of the files? My guess is no, though even allowing users to browse via FTP isn't exactly what I'd call a wonderful set up.

I'd simply email them letting them know. No big deal.

Mondeo
02-27-2002, 07:29 PM
If I was to publish the name of the host here (which I won't) I think most people would agree with my sentiment that they are crap. However, my opinions on the company are not really relevant. What is relevant is that there are over 600 users / companies hosting with a company which is obviously grossly incompetent.

As for letting them know, I will do. I have a golden opportunity to screw these guys big time but I am not going to. Why? Because it is not only them who would suffer but also all their innocent and unassuming clients paying money each month to a firm of monkeys.

All I was asking for was a method of making the users aware just how incompetent these guys are - they have 600 clients on this box @ $30 per month which is $200,000 + per year and what do they provide in return? Shoddy service (never responded to any of my emails), dishonest actions (still charging me $60 a month 7 months on for 2 other accounts which I have cancelled with them) and to top it all off they now show they don't know what they are doing.

If you were hosting your business with this company, would you like to know or would you prefer to continue with your head buried in the sand?

As someone said earlier these guys have no idea how lucky they are that I am not a malicious person with bad intentions.

Jason

priyadi
02-27-2002, 07:29 PM
Try uploading a file to the /etc directory. If it is possible, then notify your host: "Hey, I can upload my files to your /etc!".

If you can't do that but are still able to download files off other users' home directories, then it is a permission problem. But most of the time, the root of the problem still persists even if they have the permission problem fixed.

cheesysticks
02-27-2002, 07:31 PM
Sharks?

If I was a sysadmin of a compromised server I would much rather hear about it ASAP, rather than realise afterwards that a "time" had passed where people were debating on how to go about not hacking the box. The method of message delivery would not matter to me; if it came by localhost I would know then that I have a BIG problem, and that the problem is a sysadmin problem, and I would be happy in the knowing that nobody had emailed the details to a company address alerting other company members of the flaw, extending the reaction time and possibly endangering my job.

Is it hacking if you get an FTP account given to you that can see more than what you should? I don't think so, it's the company's fault I reckon.

Also, on many hosts the email can be sent from a normal email script in your designated email space directly to root@localhost so you are not actually breaking and entering in this case.

And also again, if I had an account on a server with hundreds of domains that was open like so and it was handling lots of transactions for multiple sites then I would consider a command line "shutdown now" right there and then using any means, because a bit of downtime does not compare to hundreds of damaged accounts and pissed people.

It's a troublesome area but that's what I would do if I had money involved in the situ and I found out that the server was not running properly, after all your host has a duty not to allow your site to be compromised by their fault.

Overkill?
Well I am new to this stuff.... and rather tired.
I guess no one will ever let me host with them now:)
ho hum!

Mondeo
02-27-2002, 07:35 PM
I have been able to upload a text file into the /etc directory and download the whole root directory to my local machine, as well as download a few users' home directories.

madmatty
02-27-2002, 07:36 PM
Bugga, someone beat me to it. It's a shame to see that you can actually read the files that are not in your directory. Shoddy sysadminning on their part.

Mondeo
02-27-2002, 07:55 PM
Just sent them an email and attached text files with dumps from /, root and a random user's home dir.

If they are as slow at responding to this as they were to my support emails then it might be fixed by Xmas!!

Let's see what they do....

Get-Hosted.com
02-27-2002, 08:43 PM
Can you actually read/write to files in these directories?

jstanden
02-27-2002, 09:03 PM
Unfortunately it's not surprising to find hosts that don't sandbox/jail their users' FTP access. It's not uncommon.

These are the same people who don't run PHP in safe-mode, etc.

The worst thing you could do, in my opinion, is mention the name of the host on any related boards and public support mediums.

If anything, you know a little more about system administration now -- and what to look out for in your next host. ;)

Incognito
02-27-2002, 11:11 PM
Notify the host, but do not disclose details of your exploits.

You could easily find yourself prosecuted if you disclose what you have done. With the current laws, the end does not justify the means; people have been prosecuted for exactly what you describe yourself as having done, just like the people prosecuted for sending child porn to AOL to let them know it was being passed around on AOL.

So, please exercise care.

21inchguns
02-27-2002, 11:37 PM
If I were you I would just send these clowns an email stating the problem........they may be a pathetic company, but by informing them you are helping out their 600 users.........and what goes around comes around.......

RDX1
02-28-2002, 02:00 AM
Do you have shell access as well? If you do they screwed up majorly and you could control the whole machine via SSH or telnet...

I don't know the law, but I don't think you would be in trouble if they gave you full access through FTP. FTP can't do as much damage as shell can, but you can still delete many files and whatever.


If you prepaid for a year, you should be able to get your money back for the time you didn't use, unless their TOS says otherwise.

Mondeo
02-28-2002, 01:46 PM
Just got a reply which states:

"You are showing us world-readable files which are supposed to be world readable."

That's it - forgive me if I am being stupid but should the root directory on a server be world readable, and should I be able to upload and download from directories other than my own, including root, / and other users' directories?

I don't think so......

I think this just proves how incompetent these guys are.

bitserve
02-28-2002, 05:59 PM
If they're not jailing you to your home directory, it is normal to be able to read a few files, and browse up to the root directory.

You definitely should not be allowed to write to the /etc directory.

And you should not be able to browse the other users' home directories.

Obviously, like everyone has said, they need to hire a real system administrator, or be shot, take your pick.

There is an anonymous emailer set up to notify sysadmins of security breaches at http://www.rawlogic.com/inform.html

Of course, you could probably find other anonymous means of contacting them.
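
The three things bitserve lists (nobody should be able to write into /etc, /etc/shadow and friends must not be world-readable, and other users' home directories should not be browsable) are all plain permission bits that the host could have checked in seconds on the box itself. The audit below is an added example written for this thread, not code from the original posts or from any host: it walks a directory tree and flags exactly those three conditions. The sample tree it builds is a constructed fixture reproducing the symptoms Mondeo describes; the paths "etc" and "home" and the set of sensitive file names are assumptions for a typical Linux layout (the thread's box used USR/HOME, so pass the right home_dir).

```python
import os
import stat
import tempfile

# Files that must never be readable by "other". Assumption for a typical
# Linux layout; extend it for the box you are auditing.
SENSITIVE_FILES = {"shadow", "gshadow", "sudoers"}


def _write(path, mode, data=b"x\n"):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def audit_tree(root, home_dir="home"):
    """Return sorted (category, relative_path) findings for the three
    problems the thread describes: a system directory anyone can create
    files in, a secret anyone can read, and per-user home directories
    that other local users can list."""
    findings = []
    home_root = os.path.join(root, home_dir)
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        mode = os.lstat(dirpath).st_mode
        if rel != ".":
            # World-writable without the sticky bit: anyone can drop files here
            # (this is what let Mondeo upload a text file into /etc).
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(("world-writable-dir", rel))
            # Direct child of the home root with "other" read or execute set:
            # neighbours can list it, or traverse it to reach world-readable files.
            if os.path.dirname(dirpath) == home_root and mode & (stat.S_IROTH | stat.S_IXOTH):
                findings.append(("browsable-home", rel))
        for name in filenames:
            fpath = os.path.join(dirpath, name)
            fmode = os.lstat(fpath).st_mode
            # /etc/passwd is supposed to be world-readable; shadow is not.
            if name in SENSITIVE_FILES and fmode & stat.S_IROTH:
                findings.append(("world-readable-secret", os.path.relpath(fpath, root)))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture (not a real server) mirroring the thread's box:
    a writable etc/, a readable shadow, one browsable and one locked home."""
    root = tempfile.mkdtemp(prefix="ftpaudit-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    _write(os.path.join(etc, "passwd"), 0o644)   # correct: world-readable by design
    _write(os.path.join(etc, "shadow"), 0o644)   # wrong: should be 0600 or 0640
    os.chmod(etc, 0o777)                          # wrong: anyone can create files
    for user, mode in (("alice", 0o755), ("bob", 0o700)):
        home = os.path.join(root, "home", user)
        os.makedirs(home)
        _write(os.path.join(home, "index.html"), 0o644)
        os.chmod(home, mode)
    return root


if __name__ == "__main__":
    for category, path in audit_tree(build_sample_tree()):
        print(f"{category:24s} {path}")
```

Run it against a real host as `audit_tree("/")` (as root, so every directory is readable by the walker); on the fixture it reports etc as world-writable, etc/shadow as a world-readable secret and home/alice as browsable, and says nothing about etc/passwd or home/bob.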

bert
02-28-2002, 06:54 PM
I agree with OMC, and with all due respect Mondeo, why don't you just let them know? I mean, it's not that I don't believe that they are not competent, but incompetence is not really measured by these things. Who knows what could have caused this? Perhaps they have already been compromised?

If you don't like the host because they have poor support, customer service or what have you, then fine, but I don't really think that finding a security hole is an excuse to go and tell the whole world. Again, something must have happened to that box that caused it and they probably don't even know it.

Just my modest opinion :)

bert
02-28-2002, 06:59 PM
Geez, it took me so long to write that a whole new page came up :D

Mondeo, can you read the /etc/shadow file ? If you can't then some level of poor security is still in place.
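
Taken together, priyadi's test (can you upload into /etc?), bert's test (can you read /etc/shadow?) and the host's reply ("world-readable files which are supposed to be world readable") give a short checklist that separates a merely unjailed account from a genuinely broken one. The script below is an added example written for this thread, not code from the original posts or from any hosting company: it runs those checks through an ftplib.FTP-compatible session. A jailed account also sees a "/", but that "/" holds the user's own files, so the escape test looks for an etc entry at the top level; /etc/passwd being fetchable is normal on an unjailed box and is recorded separately from /etc/shadow, which must never be. The write test is off by default and, when enabled, stores a uniquely named marker and deletes it again; only run any of this against a server you are authorised to test, for the reasons Incognito gives above. The FakeFTP class and SAMPLE_FILES are a constructed in-memory stand-in modelling the thread's box so the example runs offline; the path /home is an assumption (the thread's box used USR/HOME, hence the home_root parameter).

```python
import io
import posixpath
import uuid
from ftplib import all_errors, error_perm


def probe_ftp(ftp, home_root="/home", write_check=False):
    """Run the thread's checks over an ftplib.FTP-like object and return a dict.
    Read-only unless write_check=True. Authorised testing only."""
    result = {"home": ftp.pwd(), "escaped_root": False, "etc_listable": False,
              "passwd_readable": False, "shadow_readable": False,
              "other_homes": [], "etc_writable": None}
    try:
        ftp.cwd("/")
        # A jailed account's "/" is its own home; a real "/" has etc in it.
        result["escaped_root"] = "etc" in ftp.nlst("/")
    except all_errors:
        pass
    try:
        result["etc_listable"] = bool(ftp.nlst("/etc"))
    except all_errors:
        pass
    # Fetch, count the bytes and discard them: we record readability, not contents.
    for key, path in (("passwd_readable", "/etc/passwd"), ("shadow_readable", "/etc/shadow")):
        sizes = []
        try:
            ftp.retrbinary("RETR " + path, lambda chunk: sizes.append(len(chunk)))
            result[key] = sum(sizes) > 0
        except all_errors:
            pass
    own = posixpath.basename(result["home"].rstrip("/"))
    try:
        result["other_homes"] = sorted(n for n in ftp.nlst(home_root) if n != own)
    except all_errors:
        pass
    if write_check:
        marker = "/etc/.ftp-jail-probe-" + uuid.uuid4().hex  # unique name, removed again below
        try:
            ftp.storbinary("STOR " + marker, io.BytesIO(b"probe\n"))
            result["etc_writable"] = True
            ftp.delete(marker)
        except all_errors:
            result["etc_writable"] = False
    return result


# Constructed fixture: the unjailed box from the thread, as seen over FTP.
SAMPLE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/shadow": b"root:$1$fakehash$notarealhash:11745:0:99999:7:::\n",
    "/home/mondeo/index.html": b"<html>holiday pics</html>\n",
    "/home/alice/index.html": b"<html>alice</html>\n",
    "/home/bob/index.html": b"<html>bob</html>\n",
}


class FakeFTP:
    """In-memory stand-in for ftplib.FTP (pwd/cwd/nlst/retrbinary/storbinary/delete)."""

    def __init__(self, files, writable_dirs, home):
        self.files, self.writable, self.cwd_path = dict(files), set(writable_dirs), home

    def _abs(self, path):
        return posixpath.normpath(posixpath.join(self.cwd_path, path))

    def _prefix(self, path):
        target = self._abs(path)
        return target if target.endswith("/") else target + "/"

    def pwd(self):
        return self.cwd_path

    def cwd(self, path):
        prefix = self._prefix(path)
        if prefix != "/" and not any(p.startswith(prefix) for p in self.files):
            raise error_perm("550 No such directory")
        self.cwd_path = self._abs(path)

    def nlst(self, path="."):
        prefix = self._prefix(path)
        names = {p[len(prefix):].split("/", 1)[0] for p in self.files if p.startswith(prefix)}
        if not names:
            raise error_perm("550 No such directory")
        return sorted(names)

    def retrbinary(self, cmd, callback):
        path = self._abs(cmd.split(" ", 1)[1])
        if path not in self.files:
            raise error_perm("550 Permission denied")
        callback(self.files[path])
        return "226 Transfer complete"

    def storbinary(self, cmd, fp):
        path = self._abs(cmd.split(" ", 1)[1])
        if posixpath.dirname(path) not in self.writable:
            raise error_perm("553 Permission denied")
        self.files[path] = fp.read()
        return "226 Transfer complete"

    def delete(self, path):
        self.files.pop(self._abs(path), None)


if __name__ == "__main__":
    box = FakeFTP(SAMPLE_FILES, {"/etc", "/home/mondeo"}, "/home/mondeo")
    print(probe_ftp(box, write_check=True))
    # Real host (authorised only): probe_ftp(ftplib.FTP(host, user, password))
```

On the fixture the probe reports escaped_root, etc_listable, passwd_readable and shadow_readable all true, other_homes as alice and bob, and etc_writable true with the marker gone afterwards; the same code run against a properly jailed account (a fixture whose "/" holds only the user's files) reports every flag false and an empty other_homes list, which is what a host should be able to show you when they claim the files are "supposed to be world readable".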

Choppy
02-28-2002, 07:29 PM
Last place I was reselling for was :puke: .com

At the beginning I could only see my own home directory...

Then I could access everyone's dir... but I could not get on to root!

The more freedom I got, the more I wanted to explore, but don't forget you're BEING LOGGED VIA IP address!

I backed up a file from another user's dir, deleted it, then re-uploaded it! This is shocking, what you describe is happening, but just letting you know that I have seen it before...

Maybe it's the same company anyway!

I did message the sysadmin right away because they never answered my emails (just like you), but they were always up most of the time, and had no email for 6 months :(

The point is, when you're hosting your files, your customers, or whoever... if others can see these files it must be a breach of some practice or law...

If I were a customer I would take them to court; keep the logs and witnesses...

But be careful, as other board members have said: "They can put you away for nearly anything these days, even suspecting you to have written a virus!" So play it smart... or even consult an internet lawyer!

regards, stay safe!

jstanden
03-02-2002, 12:04 AM
Originally posted by Mondeo
just got a reply which states:

"You are showing us world-readable files which are supposed to be world readable."

Thats it - forgive me if I am being stupid but should the root directory on a server be world readable and should I be able to upload and download from directories other than my own including root, / and other users directories?

I dont think so......

I think this just proves how incompetent these guys are.

Exactly. I'd leave it at that (and pack up your site and move on).

RAQs, many hosting appliances and several server management solutions do not provide home directory jailing. This really isn't hard to implement with tcsh shell or something similar -- even custom.

It's a sure sign your host needs to pick up a copy of Unix Security for Dummies. :homer:

bert
03-02-2002, 01:27 AM
Originally posted by jstanden
RAQs, many hosting applicances and several server management solutions do not provide home directory jailing

You are correct, but they don't show all the files in /etc via FTP.

bhalsted
03-02-2002, 01:39 AM
Originally posted by bert
You are correct, but they don't show all the files in /etc via FTP.

He was actually referring to our shell access. It is also chrooted/jailed to the user's home directory on our boxes.

Akash
03-02-2002, 10:29 AM
After reading through this thread I thought 2 things:

1) I do not condone any type of modification to the server/accounts. Do NOT modify any file in any way, don't even download them. There is no NEED for you to download them, and if somehow, someway the host finds out it was you that got in (very possible, actually) then you could be prosecuted under cybercrime laws for hacking. I also feel that the host made a mistake of giving you the access you have, and should be severely punished for it. It seems as if you've already notified them and got a poor response. That, IMO, is unacceptable. If they haven't fixed it, you should.......
If I was a customer on the server, I would want to know who has/had access to my files and when, and if some unauthorized person had access, then I want out.

I say that you post the name of the host here, describing exactly how you got access and what type of access you have, and at SitePoint, and also on the host's own forums. You have said already that many of us may not like this host, so it could be that they are the type of host that wouldn't tell their clients if someone had the access you do. It has also already been proven that the host does not care about their server's security.

2) I think that this is the proper time for all hosts to review their security procedures. Check:
Who has access to customer information?
Who has access to the server?
Who has access to internal operations? etc.

Summary: 1) Publicly name the host. 2)Everyone should check their security procedures.

bhalsted
03-02-2002, 11:52 AM
akashd you are completely right. 100% :beer:

Mondeo
03-02-2002, 12:37 PM
I don't believe it is right to post the name of the host.

All I will say is that if you are with a hosting company based in New York who offers 100MB space, unlimited bandwidth and unlimited email accounts and charges you $16 per month - BEWARE.

Jason

Akash
03-02-2002, 07:25 PM
Originally posted by Mondeo
I dont believe it is right to post the name of the host.

All I will say is that if you are with a hosting company based in New York who offers 100MB space, unlimited bandwidth and unlimited email accounts and charges you $16 per month - BEWARE.

Jason

I don't see any reason why you shouldn't name it now...

You've already told the hosting company about it, and they haven't adequately responded. Don't you feel you have a right to warn the public and any existing customers that surf these boards. Although I did say that the host should be punished for this in my previous post, I don't condone the punishment. However, I still feel that the customers shouldn't have to suffer the consequences. If the host is as irresponsible as they seem to be, then they should be made aware of their mistake.

Put it this way: Let's say you work at a bank as a teller with safe deposit boxes. You notice that the door of the room that holds the safe deposit boxes is closed, but unlocked because the locking mechanism is broken. You tell management that the door is unlocked and they reply, "No it's not. It has an auto-locking mechanism." Now that room has well over 600 clients (customers) with their personal valuables in it; don't you feel that you have the responsibility to tell someone else (like the police) that it's unlocked and management isn't doing anything about it?

If I were you, I would have named the host and let them-not the customers- suffer the consequences.

Now you shouldn't say to the customers/public "X Host has given me access to all your accounts, don't use them or get a refund." Rather, you should say "I have access to the root accounts on X Host's servers, because [explain everything here]. I have e-mailed them, and they didn't do anything about it."

That can do many things: 1) Make the host change their ways because they were publicly humiliated for not listening to you in the first place. 2) Force current customers to e-mail the host and ask them what's going on, thereby invoking number 1. 3) Force new customers to e-mail the host and ask them what's going on, thereby invoking number 1.

My point: Name the host.