Page 1 of 2
Results 1 to 25 of 47
  1. #1
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83

    Hacked by a HostRocket NOC employee????

    This happened to me just this morning, I still have yet to hear back from HostRocket about it but I'm curious to see what the result will be; this has seriously soured my experience with their company and makes me quite nervous about hosting companies in general (considering that this one is such a large, reputable company and that something like this could happen).

    While auditing my system logs (I have scripted my site so that anytime a user performs administrative tasks, an entry is recorded into a table in my MySQL database), I noticed a userid I didn't recognize was performing photo approval.

    Upon looking up the user's account, I found that the user had been given access to several different areas of the site that I had *not* authorized. At first I thought someone had simply managed to acquire my password (perhaps a keylogger or something) and gone into my database and changed things directly (since I've been rather lazy programming in administrative functions like that, the only way for a person to get admin access is to change it directly in the database).

    So after changing all my passwords and then editing all the scripts accordingly, I set out investigating who the heck this person was.

    In addition to changing the areas of the site the user account had access to, the IP address the user appeared to have registered from was changed to be identical to the IP address of the user in the row directly below it.

    Fortunately, the person must have missed the fact that I have a table for system logs in my database, because it recorded the IP address where these actions were coming from.

    Upon doing a reverse-IP lookup, the IP address was part of a block *owned* by hostrocket. I then sent in a trouble ticket asking "WTF", basically, and am still awaiting a response.

    This sort of thing would be understandable for testing (as I was being informed that my site was using too many apache threads).. but, why not call the account "hostrocket support" and *ask* my permission first, and additionally why masquerade as a normal user and then try to cover your tracks?

    Additionally, when I looked at the raw access logs (which I don't even have edit access on, I can only download them through CPanel), entries from midnight through 4am were removed, and according to my script's logging capabilities the intrusion occurred at about 3:10am.

    Additionally, when I did a reverse DNS on the IP address it came up as dave.hrnoc.net.

    I've spent some time hardening my site against external intruders, programming in brute-force prevention and everything, but never *once* did I think I'd ever have to worry about a NOC employee invading both my and my users' privacy like that.

    I think this is ridiculous. I just moved to hostrocket not two months ago and have been happy with the performance of their servers thus far. In addition to the $30 I spent on a setup fee, I'd rather *not* have to move again, but if I can't get assurance from hostrocket that this won't happen again (ie., the guy's been FIRED) or if they try to deny it I'll have no choice. I know what my logs said and it said that it came from their offices.

    Anyone else *ever* had a problem like this from HR?

    I'm seriously considering moving over to a VPS at vpscolo per good reviews on this site.
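The post above describes the two things that made this detectable: an application-side log of admin actions (which the intruder missed), and the fact that the privilege change was made directly in the database, where nothing logged it. The example below is added here and is not the poster's code; it is a small sqlite3 model (the poster's site used MySQL, whose trigger syntax differs slightly) with a database-level trigger that records privilege and registration-IP changes whether or not they came through the web interface, a check that flags audit rows no application log entry explains, a check for application actions originating outside a trusted network, and the "two accounts now share a registration IP" tell the poster noticed. All users, IPs and networks are constructed sample data.

```python
"""Added example, not from the thread: catching privilege changes made
straight in the database, which application-level logging never sees."""
import sqlite3
import ipaddress

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    is_admin INTEGER NOT NULL DEFAULT 0,
    reg_ip TEXT NOT NULL
);
-- Written by the web application for every admin action it performs.
CREATE TABLE app_log (
    ts TEXT NOT NULL,
    actor_id INTEGER NOT NULL,
    src_ip TEXT NOT NULL,
    action TEXT NOT NULL
);
-- Written by the database itself whenever a privilege column changes,
-- regardless of whether the change came through the application.
CREATE TABLE priv_audit (
    ts TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    user_id INTEGER NOT NULL,
    old_admin INTEGER, new_admin INTEGER,
    old_ip TEXT, new_ip TEXT
);
CREATE TRIGGER users_priv_audit
AFTER UPDATE OF is_admin, reg_ip ON users
BEGIN
    INSERT INTO priv_audit(user_id, old_admin, new_admin, old_ip, new_ip)
    VALUES (OLD.id, OLD.is_admin, NEW.is_admin, OLD.reg_ip, NEW.reg_ip);
END;
"""


def open_db():
    """In-memory database seeded with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users(id, name, is_admin, reg_ip) VALUES (?, ?, ?, ?)",
        [(1, "owner", 1, "192.0.2.10"),      # constructed: site owner
         (2, "alice", 0, "203.0.113.5"),     # constructed: ordinary member
         (3, "bob", 0, "203.0.113.77")],     # constructed: ordinary member
    )
    conn.commit()
    return conn


def set_admin_via_app(conn, actor_id, src_ip, target_id, value):
    """The path the web interface takes: log the action, then change the row."""
    conn.execute(
        "INSERT INTO app_log(ts, actor_id, src_ip, action) "
        "VALUES (datetime('now'), ?, ?, ?)",
        (actor_id, src_ip, f"set_admin:{target_id}:{value}"),
    )
    conn.execute("UPDATE users SET is_admin = ? WHERE id = ?", (value, target_id))
    conn.commit()


def direct_edit(conn, target_id, is_admin, reg_ip):
    """A change made straight in the database, bypassing the application
    entirely. The trigger still records it in priv_audit."""
    conn.execute("UPDATE users SET is_admin = ?, reg_ip = ? WHERE id = ?",
                 (is_admin, reg_ip, target_id))
    conn.commit()


def unexplained_privilege_changes(conn):
    """priv_audit rows that no application log entry accounts for."""
    return conn.execute("""
        SELECT a.user_id, a.old_admin, a.new_admin, a.old_ip, a.new_ip
        FROM priv_audit a
        WHERE NOT EXISTS (
            SELECT 1 FROM app_log l
            WHERE l.action = 'set_admin:' || a.user_id || ':' || a.new_admin
        )
        ORDER BY a.rowid""").fetchall()


def actions_from_outside(conn, trusted_cidrs):
    """Application admin actions whose source IP is outside the given networks."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = []
    for actor_id, src_ip, action in conn.execute(
            "SELECT actor_id, src_ip, action FROM app_log ORDER BY rowid"):
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in n for n in nets):
            out.append((actor_id, src_ip, action))
    return out


def shared_registration_ips(conn):
    """Registration IPs now used by more than one account."""
    return conn.execute(
        "SELECT reg_ip, COUNT(*) FROM users GROUP BY reg_ip HAVING COUNT(*) > 1"
    ).fetchall()
```

The point of the trigger is that it runs inside the database engine, so a direct UPDATE through a SQL client is recorded exactly like one issued by the site; correlating priv_audit against app_log then separates changes the application made from changes something else made. The network check is the same step as the poster's reverse lookup of the IP block, just done against a list of ranges you expect admin actions to come from.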

  2. #2
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,901

    Re: Hacked by a HostRocket NOC employee????

    Originally posted by squeak
    This happened to me just this morning, I still have yet to hear back from HostRocket about it but I'm curious to see what the result will be; this has seriously soured my experience with their company and makes me quite nervous about hosting companies in general (considering that this one is such a large, reputable company and that something like this could happen).
    <<snip >>

    Anyone else *ever* had a problem like this from HR?

    I'm seriously considering moving over to a VPS at vpscolo per good reviews on this site.
    These are pretty serious accusations... do you have any proof? This is your first post here, so you don't have any credibility with most of the folks here.

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  3. #3
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,535
    It's possible there may be some sort of Open Proxy on their network.

  4. #4
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83

    Re: Re: Hacked by a HostRocket NOC employee????

    Originally posted by sirius
    These are pretty serious accusations... do you have any proof? This is your first post here, so you don't have any credibility with most of the folks here.

    Sirius
    Just the info in my logs. And as well you know, anybody can type fraudulent rows into a log.

    So beyond that, no. You can take my words at face value or dismiss them, I was just communicating what I know so far. The IP address could very well have been spoofed. But somebody *was* in my database futzin' around with things.

    I was also looking for recommendations on actions to take in the event it *is* true as well as possible hosting alternatives.

  5. #5
    Join Date
    Feb 2004
    Location
    Asia
    Posts
    161
    Hi Squeak,

    What kind of information does your database contain? If it holds valuable and confidential information within your working or web users' environment, what temptation might people have to copy your data?

    Are there people working with you as well who are accessing the database? Check thoroughly and give yourself at least 5 days to gather more traces and work them out.

    Yes, VPS is quite popular nowadays, but please research more reviews of a certain VPS to avoid disappointing hosting services.

    Cristiano
    HostPulse.com - Hosting Directory & Tips
    Cheap Web Hosting
    ASP Hosting
    Domain Hosting

  6. #6
    It wouldn't surprise me, though I don't know that it's a mark against Host Rocket. Shady employees slip through sometimes; I would judge them on what they do from here on. It could be some night shift employee who knows enough to be dangerous, thinking he's outsmarting the system and passing time by looking at the customers' stuff.

  7. #7
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by 25hosts
    Hi Squeak,

    What kind of information does your database contain? If it holds valuable and confidential information within your working or web users' environment, what temptation might people have to copy your data?

    Are there people working with you as well who are accessing the database? Check thoroughly and give yourself at least 5 days to gather more traces and work them out.

    Yes, VPS is quite popular nowadays, but please research more reviews of a certain VPS to avoid disappointing hosting services.

    Cristiano
    This is another reason I was confused. There is absolutely *nothing* of value in the database beyond the user's passwords and e-mail addresses. It's just a community site.

    And it is exactly because of my paranoid attitude that I'm the only one with access to the database directly.. any tasks I want to delegate to others I take the time to code in through a web-based interface. But this did make it easier to recognize that someone had been changing things directly in the database.

  8. #8
    Join Date
    Feb 2004
    Location
    Asia
    Posts
    161
    Squeak,

    If you are very sure that the IP address comes from HostRocket, contact the person you know at HostRocket. Ask him or her if the IP addresses stated in the log references to the database access come from HostRocket's IP range.

    Avoid sending out general emails to HostRocket. Contact the person you know at HostRocket. Usually, the person you know would be the first contact when you first purchase HostRocket's service.

    Hope this helps

    Cristiano
    HostPulse.com - Hosting Directory & Tips
    Cheap Web Hosting
    ASP Hosting
    Domain Hosting

  9. #9
    Definitely be careful with accusations - a server running one of my shared hosting plans was once badly hacked. I managed to retrieve something of the logs, and found a suspicious entry that had been trying to access an admin part of the site.

    A lookup of the IP showed it came from a US naval base - so I nearly had a story about the US Navy hacking my site.

    It actually turned out that just after I mentioned the story here, one of the webhosts - Protollix - had then done a quick search for security vulnerabilities.

    Point is, be careful about jumping to conclusions. Keep an open mind and do ensure you speak to the person involved, preferably without overtly insinuating anything.

  10. #10
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by 25hosts
    Squeak,

    If you are very sure that the IP address comes from HostRocket, contact the person you know at HostRocket. Ask him or her if the IP addresses stated in the log references to the database access come from HostRocket's IP range.

    Avoid sending out general emails to HostRocket. Contact the person you know at HostRocket. Usually, the person you know would be the first contact when you first purchase HostRocket's service.

    Hope this helps

    Cristiano
    A large hosting company with a single point-of-contact? You must be joking.

    I didn't even deal with a salesman. It was all automated. Typically their tech support is pretty good but they're dragging their feet on this one. I'm about to call and raise some hell.

  11. #11
    It probably was a Hostrocket employee. I hosted with them many months ago and was unexpectedly kicked off of their servers because I was "running malicious scripts". This was conveniently right after their server was hacked to pieces because of a "security hole in the server", which is the default response for a server down for more than 4 hours.

    Anyway, to get to the point. I couldn't write a malicious script if I tried... After repeated emails to them about reactivating my account, nothing. After repeated emails about getting my DB, forget it. I would run and run fast. My site was down for about a week because of those pricks.

  12. #12
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by ncognito
    It probably was a Hostrocket employee. I hosted with them many months ago and was unexpectedly kicked off of their servers because I was "running malicious scripts". This was conveniently right after their server was hacked to pieces because of a "security hole in the server", which is the default response for a server down for more than 4 hours.

    Anyway, to get to the point. I couldn't write a malicious script if I tried... After repeated emails to them about reactivating my account, nothing. After repeated emails about getting my DB, forget it. I would run and run fast. My site was down for about a week because of those pricks.
    Well, after having my database and data hijacked on two separate occasions with other hosts, I run a nightly event on my home system that runs curl to download my data and database dump. I'm never more than 24 hours behind. I learned my lesson on that one right quick.

    The thing that bugs me the most is them trying to *mask* the fact that they did this and are now ignoring my request to look into it. I can't believe this is common practice for such a large company.

  13. #13
    Join Date
    Aug 2002
    Location
    Charleston, SC
    Posts
    668
    Greetings,

    It's nice to hear the other side of story as well. Brandon of HR posts here. I'm sure this thread will get his attention and he'll investigate further.

    Bests,
    Amir Golestan
    Amir Golestan
    Executive Director | Micfo
    datacenter facilities in 39 cities across the world | AS53889
    www.micfo.com/datacenter

  14. #14
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by Amir
    Greetings,

    It's nice to hear the other side of story as well. Brandon of HR posts here. I'm sure this thread will get his attention and he'll investigate further.

    Bests,
    Amir Golestan
    I would be *very* interested to get the HR perspective on this. Maybe it is a rogue employee--in that case I'd like him to be dealt with. If it's company policy, that disappoints me. All they would have had to do was *ask* me for a user account and permission to go through everything and then my panic would have been avoided. I'm not trying to screw their servers so I'd have no problem letting them look through to make sure this was the case.

    I do however get a feeling that they're going to find "no record of this occuring" and call my system logs BS.

    It just makes me *very* nervous when people are rooting around in places they're not supposed to be, and I'm probably not the only webmaster who feels that way.

    Oh, and it's trouble ticket 134554, Brandon.

  15. #15
    Join Date
    Aug 2002
    Location
    Charleston, SC
    Posts
    668
    Greetings,

    I truly understand your feelings and totally agree with you. I'm pretty much interested as well to know how exactly this has happened. Could be some sort of misunderstanding, or they might have an open proxy server available to public and someone else outside of HR team has done it.

    Good luck!

    Bests,
    Amir Golestan
    Amir Golestan
    Executive Director | Micfo
    datacenter facilities in 39 cities across the world | AS53889
    www.micfo.com/datacenter

  16. #16
    Join Date
    Apr 2003
    Location
    Austin, TX
    Posts
    304
    I'm a little bit confused, are you saying the intruder actually damaged or altered some of the data in your database? Or did they just access it to look around the site?

    You mentioned they had already warned you that your web site was causing issues with Apache on the server; therefore, is it not possible that the host logged in and accessed your account to resolve that issue? Assuming that your account is on a shared hosting environment, if the issue the site was causing was serious enough and merited immediate attention, I could understand why a technician might log in and review the origin of the problem. I can't say whether it would be necessary/appropriate to look in the database to resolve that issue, but maybe it was?
    JC, www.webii.net
    Premium Hosting Services Since 1996
    Custom Development- www.webxess.net

  17. #17
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by jcwebii
    I'm a little bit confused, are you saying the intruder actually damaged or altered some of the data in your database? Or did they just access it to look around the site?

    You mentioned they had already warned you that your web site was causing issues with Apache on the server; therefore, is it not possible that the host logged in and accessed your account to resolve that issue? Assuming that your account is on a shared hosting environment, if the issue the site was causing was serious enough and merited immediate attention, I could understand why a technician might log in and review the origin of the problem. I can't say whether it would be necessary/appropriate to look in the database to resolve that issue, but maybe it was?
    Well, they didn't damage anything, but they did alter data. As I said, a user account had its "registered-from" IP address changed, "date registered" changed, and "account-type" changed (there is a normal and an "enhanced" subscription option).

    Additionally they gave themselves admin privileges. As my site is a dating site, users are allowed to post photos on their profiles, but those photos must be approved by an admin first. I did add a photo approval section so I could delegate this responsibility, and whoever went in approved 9-10 photos. I have no idea why a hostrocket employee would do this and that's why I'm asking them to look into it.

    Like I said, perhaps the IP address was spoofed, perhaps my password was keylogged somewhere. But the one thing that doesn't add up is the first 4 hours having disappeared out of my apache logs. The only people who can change those logs are the HR employees. Even *I* don't have access to do anything but download those logs.

    At the very least, if it was a technician, they should have notified me they were going to do it, and labelled the user account they made "HR technician". Even the e-mail address they listed on the fake account was some random AOL address and was probably changed after the fact anyways.

  18. #18
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Okay I got the final word from their tech support.

    "Hello Todd,

    From time to time, we will periodically perform routine
    security and TOS compliance checks across our entire
    network so as to provide the best, as well as secure, web
    services. There is no need to worry, as we were simply
    making sure that your site was not in violation of our Terms
    of Service. There were some reports that you had
    questionable material under your account, and we were simply
    investigating.

    We acted in this manner so as to prevent your account from
    actually being suspended, so that we could investigate
    further and determine whether or not you were in
    fact in violation of our TOS. Upon further investigation,
    there was indeed some border-line content that blurs the
    line between what is allowed on our servers and what is NOT
    allowed on our servers. We apologize for any worry or
    concern this may have caused."

    So, looks like it was not a rogue employee. I'm still quite baffled as to why they'd "cover their tracks", so to speak.

    To be honest I just felt kind of.. violated, when I first saw the access logs. That is all. Crisis averted, thankfully! Now I won't have to change hosts!

  19. #19
    Quote Originally Posted by squeak
    I'm still quite baffled as to why they'd "cover their tracks", so to speak.
    Did you ask them about this specifically?

  20. #20
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    To be honest, I don't find that acceptable. They don't need to look at/modify a db to view the content of the site; the database is for holding personal information.

    You should ask them why the db was checked/changed and why it was returned to normal.

    Or maybe they're saying that to cover their tracks.
    BTi-Hosting.co.uk High quality hosting, low low prices.
    One step ahead of the competition - Today IS tomorrow.
    FraudWise.Net - Fight the fraud!

  21. #21
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Originally posted by Watcher_TVI
    Quote Originally Posted by squeak
    I'm still quite baffled as to why they'd "cover their tracks", so to speak.
    Did you ask them about this specifically?
    I alluded to being confused about it in a response, but I didn't directly say "Why are you acting like hax0rs!?!"

    All I really wanted to make sure was that my site was secure. I don't want to accuse their techs of anything because, really, I *was* being checked out for questionable content--I don't want to throw gasoline onto the fire.

  22. #22
    Join Date
    Jul 2001
    Location
    Northern VA
    Posts
    400
    If I understand this right, these guys 'hacked' your private DB, to get a username/pw to gain access to your material to "check if it was ok with their TOS"?

    Surely I cannot be the only one who finds these actions quite shocking?

    /me shakes his head...what is this industry coming to!

    Tom

  23. #23
    Join Date
    Nov 2002
    Location
    Canada
    Posts
    1,545
    Originally posted by Amir
    Greetings,

    It's nice to hear the other side of story as well. Brandon of HR posts here. I'm sure this thread will get his attention and he'll investigate further.

    Bests,
    Amir Golestan
    If Brendan posts on this thread it will be something to the effect of "None of you know how Host Rocket is run! Mind your own business!"

    Heh heh, just yankin' yer chain Brendan, no malicious intent!

  24. #24
    Join Date
    Apr 2004
    Location
    Chicago, IL
    Posts
    83
    Okay--

    Apparently the chunk missing from the front of my apache logs is explained away by nightly rotation, and the "fraudulent" information was the result of simply copying a previous line from the database so that they could log in under a user's account without modifying said user's account.

    I am very pleased with their handling of this since my initial complaint and will return my review of them to "thumbs up."
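The resolution above (the "missing" midnight-to-4am entries were simply in the previous rotation generation, and the poster's own log placed the activity at about 3:10am) is a common source of confusion when reading downloaded access logs. The example below is added here and is not the poster's code or HostRocket's tooling: it parses Apache common/combined-format lines, merges the current log with a rotated generation, and pulls out the requests in a given time window, optionally restricted to a path prefix such as the admin area. The log lines are constructed for the example, as is the assumption that rotation happened at 04:00; the IP addresses are documentation ranges, not anyone's real address.

```python
"""Added example, not from the thread: searching current plus rotated
Apache access logs for requests in a time window. Log lines are constructed."""
import re
from datetime import datetime

# Common/combined log format prefix; referer and user-agent, if present,
# are left unparsed.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the "current" log begins after a 04:00 rotation, so
# the 03:10 admin requests exist only in the rotated generation.
ACCESS_LOG = [
    '198.51.100.23 - - [14/Apr/2004:04:02:11 -0500] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.23 - - [14/Apr/2004:04:02:15 -0500] "GET /photos/123.jpg HTTP/1.1" 200 83211',
]
ACCESS_LOG_ROTATED = [
    '203.0.113.40 - - [14/Apr/2004:03:09:58 -0500] "POST /login.php HTTP/1.1" 302 0',
    '203.0.113.40 - - [14/Apr/2004:03:10:21 -0500] "GET /admin/approve_photos.php HTTP/1.1" 200 2231',
    '203.0.113.40 - - [14/Apr/2004:03:10:44 -0500] "POST /admin/approve_photos.php HTTP/1.1" 302 0',
    '198.51.100.23 - - [14/Apr/2004:03:30:02 -0500] "GET /index.php HTTP/1.1" 200 5123',
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), APACHE_TS),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def requests_in_window(log_files, start, end, path_prefix=None):
    """Merge every rotation generation given, then keep requests whose
    timestamp lies in [start, end] (Apache-format strings) and, if
    path_prefix is set, whose path starts with it. Result is time-ordered."""
    t0 = datetime.strptime(start, APACHE_TS)
    t1 = datetime.strptime(end, APACHE_TS)
    hits = []
    for lines in log_files:
        for line in lines:
            rec = parse_line(line)
            if rec is None or not (t0 <= rec["ts"] <= t1):
                continue
            if path_prefix and not rec["path"].startswith(path_prefix):
                continue
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def source_ips(hits):
    """Distinct client addresses behind a set of matched requests."""
    return sorted({h["ip"] for h in hits})
```

Searching only the current file for the 00:00-04:00 window returns nothing, which is what the poster first saw; including the rotated generation turns up the 03:10 admin requests and their source address, which is what to cross-check against the application's own log entry before concluding that lines were removed.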

  25. #25
    So they accessed and altered your database so you wouldn't know they had been in there. While in your database they obtained some User's login information for the purpose of logging in undetected and reviewing private directories for a TOS violation?

