Results 1 to 25 of 47
-
04-09-2004, 03:02 PM #1 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Hacked by a HostRocket NOC employee????
This happened to me just this morning, I still have yet to hear back from HostRocket about it but I'm curious to see what the result will be; this has seriously soured my experience with their company and makes me quite nervous about hosting companies in general (considering that this one is such a large, reputable company and that something like this could happen).
While auditing my system logs (I have scripted my site so that anytime a user performs administrative tasks, an entry is recorded into a table in my MySQL database), I noticed a userid I didn't recognize was performing photo approval.
Upon looking up the user's account, I found that the user had been given access to several different areas of the site that I had *not* authorized. At first I thought someone had simply managed to acquire my password (perhaps a keylogger or something) and gone into my database and changed things directly (since I've been rather lazy programming in administrative functions like that, the only way for a person to get admin access is to change it directly in the database).
So after changing all my passwords and then editing all the scripts accordingly, I set out investigating who the heck this person was.
In addition to changing the areas of the site the user account had access to, the IP address the user appeared to have registered from was changed to be identical to the IP address of the user in the row directly below it.
Fortunately, the person must have missed the fact that I have a table for system logs in my database, because it recorded the IP address where these actions were coming from.
Upon doing a reverse-IP lookup, the IP address was part of a block *owned* by hostrocket. I then sent in a trouble ticket asking "WTF", basically, and am still awaiting a response.
This sort of thing would be understandable for testing (as I was being informed that my site was using too many apache threads).. but, why not call the account "hostrocket support" and *ask* my permission first, and additionally why masquerade as a normal user and then try to cover your tracks?
Additionally, when I looked at the raw access logs (which I don't even have edit access on, I can only download them through CPanel), entries from midnight through 4am were removed, and according to my script's logging capabilities the intrusion occurred at about 3:10am.
Additionally, when I did a reverse DNS on the IP address it came up as dave.hrnoc.net.
I've spent some time hardening my site against external intruders, programming in brute-force prevention and everything but.. never *once* did I think I'd ever have to worry about a NOC employee invading both my and my users' privacy like that.
I think this is ridiculous. I just moved to hostrocket not two months ago and have been happy with the performance of their servers thus far. In addition to the $30 I spent on a setup fee, I'd rather *not* have to move again, but if I can't get assurance from hostrocket that this won't happen again (i.e., the guy's been FIRED) or if they try to deny it I'll have no choice. I know what my logs said and it said that it came from their offices.
Anyone else *ever* had a problem like this from HR?
I'm seriously considering moving over to a VPS at vpscolo per good reviews on this site.
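The post above describes three things the poster checked by hand: an admin-action audit table that records the acting user id and source IP, an unknown account performing an admin-only action, and a registration IP that had been overwritten to match the row below it. The script below is an added example (not the poster's code and not anything from the host) that automates those same checks over a constructed CSV export of such tables. Every table layout, user id, IP address and netblock in it is constructed for illustration; the netblock label stands in for the whois/reverse lookup the poster did manually.

```python
"""Audit-table review for unexpected administrative activity.

Added example, not code from the original thread.  It assumes a simple
audit table like the one the poster describes: one row per admin action
with a timestamp, the acting user id, the action name and the source IP,
plus a users table with each account's registration IP.  All column
names, ids, IPs and netblocks below are constructed for illustration.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample of an admin-action audit table, exported as CSV.
AUDIT_CSV = """ts,userid,action,ip
2004-04-09 02:58:41,todd,edit_profile,203.0.113.7
2004-04-09 03:10:02,user4471,approve_photo,198.51.100.23
2004-04-09 03:10:19,user4471,approve_photo,198.51.100.23
2004-04-09 03:12:44,user4471,grant_access,198.51.100.23
2004-04-09 09:15:03,todd,approve_photo,203.0.113.7
"""

# Constructed sample of the users table (id, registration IP), in row order.
USERS_CSV = """userid,reg_ip
user4470,192.0.2.88
user4471,192.0.2.88
user4472,192.0.2.91
"""

# Actions that only an administrator should be able to perform (assumed names).
ADMIN_ACTIONS = {"approve_photo", "grant_access", "ban_user"}
# The accounts that are actually allowed to do those things (assumed).
AUTHORIZED_ADMINS = {"todd"}
# Constructed netblock labelled as belonging to the hosting provider's NOC.
PROVIDER_NETBLOCKS = {"hosting provider NOC (constructed)": "198.51.100.0/24"}


def load_rows(text):
    """Parse a CSV export into a list of dicts, one per table row."""
    return list(csv.DictReader(io.StringIO(text)))


def unauthorized_admin_actions(rows, admin_actions=ADMIN_ACTIONS,
                               authorized=AUTHORIZED_ADMINS):
    """Audit rows where an admin-only action came from an account that is
    not on the authorized list.  This is the check that surfaced the
    unknown user approving photos in the post above."""
    return [r for r in rows
            if r["action"] in admin_actions and r["userid"] not in authorized]


def label_source_network(ip, netblocks=PROVIDER_NETBLOCKS):
    """Map a source IP to a named netblock, or None if it matches none.
    Stands in for the whois / reverse lookup the poster did by hand."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in netblocks.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def adjacent_duplicate_reg_ips(user_rows):
    """(userid_a, userid_b, ip) for consecutive users whose registration
    IPs are identical.  The post describes an account whose IP had been
    overwritten with the value from the row directly below it, so
    adjacent duplicates deserve a second look."""
    dups = []
    for a, b in zip(user_rows, user_rows[1:]):
        if a["reg_ip"] == b["reg_ip"]:
            dups.append((a["userid"], b["userid"], a["reg_ip"]))
    return dups


def review(audit_csv=AUDIT_CSV, users_csv=USERS_CSV):
    """Run all three checks and return the findings as strings."""
    findings = []
    for r in unauthorized_admin_actions(load_rows(audit_csv)):
        net = label_source_network(r["ip"]) or "unknown network"
        when = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        findings.append(f"{when:%H:%M} {r['userid']} did {r['action']} "
                        f"from {r['ip']} ({net})")
    for a, b, ip in adjacent_duplicate_reg_ips(load_rows(users_csv)):
        findings.append(f"{a} and {b} share registration IP {ip}")
    return findings


if __name__ == "__main__":
    for line in review():
        print(line)
```

Run against the constructed data, the review flags the three admin actions by the unknown account and attributes them to the labelled netblock, and separately flags the two accounts sharing a registration IP. On a real site the audit table should be written by the application on every privileged action, as the poster did, and kept somewhere the web-facing database user cannot update or delete.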
-
04-09-2004, 03:08 PM #2 (Retired Moderator)
Join Date: Nov 2002; Location: WebHostingTalk; Posts: 8,901
Re: Hacked by a HostRocket NOC employee????
Originally posted by squeak
This happened to me just this morning, I still have yet to hear back from HostRocket about it but I'm curious to see what the result will be; this has seriously soured my experience with their company and makes me quite nervous about hosting companies in general (considering that this one is such a large, reputable company and that something like this could happen).
<<snip >>
Anyone else *ever* had a problem like this from HR?
I'm seriously considering moving over to a VPS at vpscolo per good reviews on this site.
Sirius
I support the Human Rights Campaign!
Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.
-
04-09-2004, 03:10 PM #3 (Web Hosting Master)
Join Date: Oct 2001; Location: Ohio; Posts: 8,535
It's possible there may be some sort of Open Proxy on their network.
-
04-09-2004, 03:11 PM #4 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Re: Re: Hacked by a HostRocket NOC employee????
Originally posted by sirius
These are pretty serious accusations... do you have any proof? This is your first post here, so you don't have any credibility with most of the folks here.
Sirius
So beyond that, no. You can take my words at face value or dismiss them, I was just communicating what I know so far. The IP address could very well have been spoofed. But somebody *was* in my database futzin' around with things.
I was also looking for recommendations on actions to take in the event it *is* true as well as possible hosting alternatives.
-
04-09-2004, 03:21 PM #5 (WHT Addict)
Join Date: Feb 2004; Location: Asia; Posts: 161
Hi Squeak,
What kind of information does your database contain? If it is valuable and confidential info within your working or web users' environment, what temptation might people have to copy your data?
Are there people working with you as well who are accessing the database? Check thoroughly and give yourself at least 5 days to gain more traces to work out the traces.
Yes, VPS is quite popular nowadays, but please research more reviews of a certain VPS to avoid disappointing hosting services.
Cristiano
-
04-09-2004, 03:22 PM #6 (Junior Guru)
Join Date: Jan 2004; Posts: 241
It wouldn't surprise me, though I don't know that it's a mark against Host Rocket. Shady employees slip through sometimes; I would judge them on what they do from here on. It could be some night shift employee who knows enough to be dangerous thinking he's outsmarting the system and passing time by looking at the customers' stuff.
-
04-09-2004, 03:25 PM #7 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Originally posted by 25hosts
Hi Squeak,
What kind of information does your database contain? If it is valuable and confidential info within your working or web users' environment, what temptation might people have to copy your data?
Are there people working with you as well who are accessing the database? Check thoroughly and give yourself at least 5 days to gain more traces to work out the traces.
Yes, VPS is quite popular nowadays, but please research more reviews of a certain VPS to avoid disappointing hosting services.
Cristiano
And it is exactly because of my paranoid attitude that I'm the only one with access to the database directly.. any tasks I want to delegate to others I take the time to code in through a web-based interface. But this did make it easier to recognize that someone had been changing things directly in the database.
-
04-09-2004, 03:31 PM #8 (WHT Addict)
Join Date: Feb 2004; Location: Asia; Posts: 161
Squeak,
If you are very sure that the IP address comes from HostRocket, contact the person you know at HostRocket. Ask him or her if the IP addresses stated in the log references to the database access come from HostRocket's IP range.
Avoid sending out general emails to HostRocket. Contact the person you know at HostRocket. Usually, the person you know would be the first contact when you first purchase HostRocket's service.
Hope this helps
Cristiano
-
04-09-2004, 03:47 PM #9 (Web Hosting Master)
Join Date: Oct 2002; Posts: 1,611
Definitely be careful with accusations - a server running one of my shared hosting plans was once badly hacked. I managed to retrieve something of the logs, and found a suspicious entry that had been trying to access an admin part of the site.
A lookup of the IP showed it came from a US naval base - so I nearly had a story about the US Navy hacking my site.
It actually turned out that just after I mentioned the story here, one of the webhosts - Protollix - had then done a quick search for security vulnerabilities.
Point is, be careful about jumping to conclusions - keep an open mind and do ensure you speak to the person involved, preferably without overtly insinuating anything.
-
04-09-2004, 03:49 PM #10 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Originally posted by 25hosts
Squeak,
If you are very sure that the IP address comes from HostRocket, contact the person you know at HostRocket. Ask him or her if the IP addresses stated in the log references to the database access come from HostRocket's IP range.
Avoid sending out general emails to HostRocket. Contact the person you know at HostRocket. Usually, the person you know would be the first contact when you first purchase HostRocket's service.
Hope this helps
Cristiano
I didn't even deal with a salesman. It was all automated. Typically their tech support is pretty good but they're dragging their feet on this one. I'm about to call and raise some hell.
-
04-09-2004, 05:30 PM #11 (Newbie)
Join Date: Apr 2004; Posts: 8
It probably was a Hostrocket employee. I hosted with them many months ago and was unexpectedly kicked off of their servers because I was "running malicious scripts". This was conveniently right after their server was hacked to pieces because of a "security hole in the server", which is the default response for a server down for more than 4 hours.
Anyway, to get to the point. I couldn't write a malicious script if I tried... After repeated emails to them about reactivating my account, nothing. After repeated emails about getting my DB, forget it. I would run and run fast. My site was down for about a week because of those pricks.
-
04-09-2004, 05:41 PM #12 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Originally posted by ncognito
It probably was a Hostrocket employee. I hosted with them many months ago and was unexpectedly kicked off of their servers because I was "running malicious scripts". This was conveniently right after their server was hacked to pieces because of a "security hole in the server", which is the default response for a server down for more than 4 hours.
Anyway, to get to the point. I couldn't write a malicious script if I tried... After repeated emails to them about reactivating my account, nothing. After repeated emails about getting my DB, forget it. I would run and run fast. My site was down for about a week because of those pricks.
The thing that bugs me the most is them trying to *mask* the fact that they did this and are now ignoring my request to look into it. I can't believe this is common practice for such a large company.
-
04-09-2004, 05:43 PM #13 (Genuine Impact™)
Join Date: Aug 2002; Location: Charleston, SC; Posts: 668
Greetings,
It's nice to hear the other side of story as well. Brandon of HR posts here. I'm sure this thread will get his attention and he'll investigate further.
Bests,
Amir Golestan
Executive Director | Micfo
datacenter facilities in 39 cities across the world | AS53889
www.micfo.com/datacenter
-
04-09-2004, 05:52 PM #14 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Originally posted by Amir
Greetings,
It's nice to hear the other side of story as well. Brandon of HR posts here. I'm sure this thread will get his attention and he'll investigate further.
Bests,
Amir Golestan
I do, however, get a feeling that they're going to find "no record of this occurring" and call my system logs BS.
It just makes me *very* nervous when people are rooting around in places they're not supposed to be, and I'm probably not the only webmaster who feels that way.
Oh, and it's trouble ticket 134554, Brandon.
-
04-09-2004, 06:03 PM #15 (Genuine Impact™)
Join Date: Aug 2002; Location: Charleston, SC; Posts: 668
Greetings,
I truly understand your feelings and totally agree with you. I'm pretty much interested as well to know how exactly this has happened. Could be some sort of misunderstanding, or they might have an open proxy server available to public and someone else outside of HR team has done it.
Good luck!
Bests,
Amir Golestan
Executive Director | Micfo
datacenter facilities in 39 cities across the world | AS53889
www.micfo.com/datacenter
-
04-09-2004, 06:26 PM #16 (Web Hosting Guru)
Join Date: Apr 2003; Location: Austin, TX; Posts: 304
I'm a little bit confused, are you saying the intruder actually damaged or altered some of the data in your database? Or did they just access it to look around the site?
You mentioned they had already warned you that your web site was causing issues with Apache on the server; therefore, is it not possible that the host logged in and accessed your account to resolve that issue? Assuming that your account is on a shared hosting environment, if the issue the site was causing was serious enough and merited immediate attention, I could understand why a technician might log in and review the origin of the problem. I can't say whether it would be necessary/appropriate to look in the database to resolve that issue - but maybe it was?
-
04-09-2004, 06:43 PM #17 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Originally posted by jcwebii
I'm a little bit confused, are you saying the intruder actually damaged or altered some of the data in your database? Or did they just access it to look around the site?
You mentioned they had already warned you that your web site was causing issues with Apache on the server; therefore, is it not possible that the host logged in and accessed your account to resolve that issue? Assuming that your account is on a shared hosting environment, if the issue the site was causing was serious enough and merited immediate attention, I could understand why a technician might log in and review the origin of the problem. I can't say whether it would be necessary/appropriate to look in the database to resolve that issue - but maybe it was?
Additionally, they gave themselves admin privileges. As my site is a dating site, users are allowed to post photos on their profiles, but those photos must be approved by an admin first. I did add a photo approval section so I could delegate this responsibility, and whoever went in approved 9-10 photos. I have no idea why a hostrocket employee would do this and that's why I'm asking them to look into it.
Like I said, perhaps the IP address was spoofed, perhaps my password was keylogged somewhere. But the one thing that doesn't add up is the first 4 hours having disappeared out of my apache logs. The only people who can change those logs are the HR employees. Even *I* don't have access to do anything but download those logs.
At the very least, if it was a technician, they should have notified me they were going to do it, and labelled the user account they made "HR technician". Even the e-mail address they listed on the fake account was some random AOL address and was probably changed after the fact anyways.
-
04-09-2004, 07:05 PM #18 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Okay I got the final word from their tech support.
"Hello Todd,

From time to time, we will periodically perform routine security and TOS compliance checks across our entire network so as to provide the best, as well as secure, web services. There is no need to worry, as we were simply making sure that your site was not in violation of our Terms of Service. There were some reports that you had questionable material under your account, and we were simply investigating.

We acted in this manner so as to prevent your account from actually being suspended, so that we could investigate further and determine whether or not you were in fact in violation of our TOS. Upon further investigation, there was indeed some border-line content that blurs the line between what is allowed on our servers and what is NOT allowed on our servers. We apologize for any worry or concern this may have caused."
So, looks like it was not a rogue employee. I'm still quite baffled as to why they'd "cover their tracks", so to speak.
To be honest I just felt kind of.. violated, when I first saw the access logs. That is all. Crisis averted, thankfully! Now I won't have to change hosts!
-
04-09-2004, 07:27 PM #19 (Build It Better!)
Join Date: Dec 2002; Posts: 5,448
Originally Posted by squeak
-
04-09-2004, 07:32 PM #20 (Web Hosting Master)
Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540
To be honest, I don't find that acceptable. They don't need to look at/modify a db to view the content of the site; the database is for holding personal information.
You should ask them why the db was checked/changed and why it was returned to normal.
Or maybe they're saying that to cover their tracks.
BTi-Hosting.co.uk High quality hosting, low low prices.
One step ahead of the competition - Today IS tomorrow.
FraudWise.Net - Fight the fraud!
-
04-09-2004, 07:32 PM #21 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Originally posted by Watcher_TVI
Originally Posted by squeak
All I really wanted to make sure was that my site was secure. I don't want to accuse their techs of anything because, really, I *was* being checked out for questionable content--I don't want to throw gasoline onto the fire.
-
04-09-2004, 07:46 PM #22 (Aspiring Evangelist)
Join Date: Jul 2001; Location: Northern VA; Posts: 400
If I understand this right, these guys 'hacked' your private DB, to get a username/pw to gain access to your material to "check if it was ok with their TOS"?
Surely I cannot be the only one who finds these actions quite shocking?
/me shakes his head...what is this industry coming to!
Tom
-
04-09-2004, 07:54 PM #23 (Web Hosting Master)
Join Date: Nov 2002; Location: Canada; Posts: 1,545
Greetings,
It's nice to hear the other side of story as well. Brandon of HR posts here. I'm sure this thread will get his attention and he'll investigate further.
Bests,
Amir Golestan
Heh heh, just yankin' yer chain Brendan, no malicious intent!
-
04-09-2004, 08:19 PM #24 (Junior Guru Wannabe)
Join Date: Apr 2004; Location: Chicago, IL; Posts: 83
Okay--
Apparently the chunk missing from the front of my apache logs is explained away by nightly rotation, and the "fraudulent" information was the result of simply copying a previous line from the database so that they could log in under a user's account without modifying said user's account.
I am very pleased with their handling of this since my initial complaint and will return my review of them to "thumbs up."
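The resolution above turns on one distinction: a log that begins some hours into the day is what nightly rotation produces, whereas a silence between two entries inside the same file is what deletion would produce. The script below is an added example (not the poster's code and not the host's) that makes that distinction mechanically over Apache combined-format access logs. The log lines, IPs and the one-hour "normal traffic" threshold are all constructed or assumed for illustration.

```python
"""Distinguish a rotated access log from one with a hole in it.

Added example, not code from the thread or from the hosting company.
The missing midnight-to-4am entries in the thread turned out to be
nightly rotation.  A log that merely *begins* some hours into the day is
consistent with rotation; a silence between two entries inside the same
file is not, and is the case worth raising with the host.  All log lines
below are constructed in Apache combined format using documentation IPs.
"""
import re
from datetime import datetime, timedelta

# Matches the bracketed timestamp of a combined-format entry.
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed: the day's log after a 04:00 rotation; traffic is continuous.
ROTATED_LOG = """\
203.0.113.7 - - [09/Apr/2004:04:00:12 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [09/Apr/2004:04:20:31 -0500] "GET /photos HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.23 - - [09/Apr/2004:04:45:07 -0500] "GET /admin HTTP/1.1" 200 900 "-" "Mozilla/4.0"
203.0.113.9 - - [09/Apr/2004:05:10:55 -0500] "GET /profile/4471 HTTP/1.1" 200 700 "-" "Mozilla/4.0"
"""

# Constructed: a log with a four-hour silence between two entries.
HOLED_LOG = """\
203.0.113.7 - - [09/Apr/2004:00:30:00 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [09/Apr/2004:00:58:10 -0500] "GET /photos HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.9 - - [09/Apr/2004:05:02:33 -0500] "GET /profile/4471 HTTP/1.1" 200 700 "-" "Mozilla/4.0"
203.0.113.9 - - [09/Apr/2004:05:04:01 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""


def parse_timestamps(log_text):
    """Extract each entry's timestamp, in file order, as aware datetimes."""
    stamps = []
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"))
    return stamps


def internal_gaps(stamps, max_gap=timedelta(hours=1)):
    """Pairs of consecutive entries separated by more than max_gap.
    The threshold should match the site's normal traffic; one hour is an
    assumed value for a modest site."""
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def leading_offset(stamps):
    """How far into its calendar day the first entry sits.  A large value
    right after rotation is expected and is not evidence of deletion."""
    first = stamps[0]
    return first - first.replace(hour=0, minute=0, second=0, microsecond=0)


def classify(log_text, max_gap=timedelta(hours=1)):
    """'internal gap' if the file has a silence inside it; otherwise
    'starts late (rotation?)' when the first entry is more than max_gap
    into the day; otherwise 'continuous'."""
    stamps = parse_timestamps(log_text)
    if not stamps:
        return "empty"
    if internal_gaps(stamps, max_gap):
        return "internal gap"
    if leading_offset(stamps) > max_gap:
        return "starts late (rotation?)"
    return "continuous"


if __name__ == "__main__":
    for name, text in (("rotated", ROTATED_LOG), ("holed", HOLED_LOG)):
        print(name, classify(text), internal_gaps(parse_timestamps(text)))
```

On the constructed data the rotated file is classified as "starts late (rotation?)" with no internal gaps, while the second file reports one gap of just over four hours. Before treating a leading gap as suspicious, compare the first entry's time with the host's rotation schedule, which is exactly what settled the question in the thread.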
-
04-09-2004, 08:31 PM #25 (Build It Better!)
Join Date: Dec 2002; Posts: 5,448
So they accessed and altered your database so you wouldn't know they had been in there. While in your database they obtained some user's login information for the purpose of logging in undetected and reviewing private directories for a TOS violation?