-
04-09-2004, 08:38 PM #26 Junior Guru Wannabe
- Join Date
- Apr 2004
- Location
- Chicago, IL
- Posts
- 83
Originally posted by Watcher_TVI
So they accessed and altered your database so you wouldn't know they had been in there. While in your database they obtained some User's login information for the purpose of logging in undetected and reviewing private directories for a TOS violation?
"Now I can understand why you assume that the 'tracks would
be covered', in that you believe the information of the
added account was falsified. In essence, the row directly
above the user that was inserted was copied, and then
modified with random information. The IP was simply not
changed from what it was copied from. This was not to throw
anyone off, or mislead anyone in any way. To put it simply,
the user information that was used to create a test account
was simply pulled out of the air, with the exception of the
ip address.
As for the Apache logs, to the best of my knowledge they
have not been tampered with in the least bit. Stats are run,
and apache logs are compressed and rotated on a nightly
basis. This is most likely the reason you are missing a
"chunk" of records for your site. They aren't lost, they were
simply compressed and rotated just like the logs for every
other domain on the server. You can find your rotated and
compressed log files under [etc..]
[...]
I hope this clears up any misunderstanding between yourself
and HostRocket. Once again, I apologize for any concern this
may have caused. Please let us know if we can do anything
else for you and good luck with the site."
Keep in mind much of my site is secured behind a mandatory membership system, and I'm under the impression that they accessed the admin functions to verify that I do indeed actively screen photographs as opposed to just allowing photos to go public with no approval process at all.
I can understand why they'd check just as they can understand why I'd freak out about them checking without warning me first.
-
04-09-2004, 08:45 PM #27 Build It Better!
- Join Date
- Dec 2002
- Posts
- 5,448
I think it's quite clear what they did, thank you for posting this thread and following things up with the facts you obtained during your inquiry...
-
04-09-2004, 08:50 PM #28 Junior Guru Wannabe
- Join Date
- Oct 2002
- Posts
- 45
You are letting them off way too easy.
I would be raging mad if a host violated my privacy like that.
That's the same thing if a building owner uses his copy of the key to enter his tenants' apartments in the middle of the night to snoop around.
It's wrong.
-
04-09-2004, 08:55 PM #29 New Member
- Join Date
- Apr 2004
- Posts
- 1
You're leasing a server from a hosting company; it's not your hardware or your network. What makes you think you have a right to privacy?
The owners have the legal right to monitor and investigate activity for legal reasons and technical reasons. What if a user takes down a whole server -- one that you also happen to be on? What if the Feds confiscate a hard drive -- that you had data on?
-
04-09-2004, 08:57 PM #30 Newbie
- Join Date
- Mar 2004
- Posts
- 19
How many times do I have to tell you people to keep the data in the database encrypted, nothing is safe on the web!
(especially the email address)
Don't even trust your own brother if he uses the internet :-)
-
04-09-2004, 09:14 PM #31 Junior Guru Wannabe
- Join Date
- Oct 2002
- Posts
- 45
monitor server - ok
alter client's DB to gain access to his site? - no
If you have root, why do you need to create a user? Just look at the source of the files.
Sounds like this guy just wanted to view site's photos.
-
04-09-2004, 11:09 PM #32 Web Hosting Master
- Join Date
- Nov 2000
- Location
- Newport Beach CA
- Posts
- 609
Squeak - I'm glad that you feel this matter was resolved to your satisfaction. HostRocket has a responsibility to quickly investigate material and conduct the mentioned compliance checks throughout our network.
If you or anyone else on that board have any additional questions at all regarding this matter or HostRocket operations/practices, please feel free to contact me directly off the board at timothy@hostrocket.com or 518-371-3421 x116. I apologize for any and all confusion, and thank you for your continued confidence in HostRocket.
VOIPO - VoIP Telephone Service
-
04-09-2004, 11:26 PM #33 Build It Better!
- Join Date
- Dec 2002
- Posts
- 5,448
Originally Posted by HRTimothy
-
04-09-2004, 11:54 PM #34 New Member
- Join Date
- Apr 2004
- Posts
- 1
Well
Everything on your server is actually the property of the company you're hosted by. They have every right to do as they see fit to maintain their service.
Sad but true
-
04-09-2004, 11:57 PM #35 Build It Better!
- Join Date
- Dec 2002
- Posts
- 5,448
Originally posted by tonyBBB
Well
Everything on your server is actually the property of the company you're hosted by. They have every right to do as they see fit to maintain their service.
Sad but true
-
04-10-2004, 12:29 AM #36 Aspiring Evangelist
- Join Date
- Mar 2001
- Posts
- 397
Actually that is not true at all. If I create an image and have it stored on a server, the datacenter certainly doesn't own the image, its copyright or anything else connected with the image...
-
04-10-2004, 12:54 AM #37 Newbie
- Join Date
- May 2003
- Posts
- 17
Hey,
WoW.. Great details and a great job keeping up on the info. I'm sure a lot of users will find this post very useful.
hmmmm HRTim.... i know you.. LOL
John
100Megswebhosting INC
-
04-10-2004, 01:02 AM #38 Web Hosting Master
- Join Date
- Dec 2000
- Location
- The Woodlands, Tx
- Posts
- 5,974
Originally posted by Watcher_TVI
Actually that is not true at all. If I create an image and have it stored on a server, the datacenter certainly doesn't own the image, its copyright or anything else connected with the image...
12. ###pre wording cut out for this post### By hosting your material on our servers, you agree to 'fair use' distribution by WORLDZONE. When a visitor comes to your site hosted by us, your material viewed by them is cached within their computer. This is a form of DISTRIBUTION. This 'FAIR USE DISTRIBUTION' permission is given to WORLDZONE by you upon uploading your content to our servers.
-
04-10-2004, 01:17 AM #39 Build It Better!
- Join Date
- Dec 2002
- Posts
- 5,448
You're right in that there are protections for Fair Use in some cases, not all. I am quite certain that if you gained access without my knowledge to my database to steal a User's password so that you could access otherwise restricted content, you would not be entitled to Fair Use for that content...
What happened here in this thread is just not right by any stretch of the imagination...
-
04-10-2004, 03:21 AM #40 Web Hosting Master
- Join Date
- Mar 2003
- Location
- Duluth MN
- Posts
- 3,863
What HR did makes sense, and I agree that they did it in a proper fashion. They received a tip that someone was breaking their TOS, rather than confront the user and risk them trying to "cover their tracks" in cleaning up the issue before HR can find the truth, they did some investigating "under cover".
Yes they would have root access to the DB and server, but just because you are root doesn't mean it is easy to see what is going on by looking at database tables and files. They need to be able to see the system in use. So they copied some random row to create a user (rather than announce their actions by using the normal create user/registration feature, I am assuming). They gave themselves the permission that they needed to do their investigation, and they completed it.
-
04-10-2004, 03:32 AM #41 Junior Guru Wannabe
- Join Date
- Oct 2002
- Posts
- 45
to each his own.
IMO, the method in which HR used to check the data was wrong, but I am not a client of theirs so it does not concern me.
-
04-10-2004, 07:01 AM #42 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 70
Squeak: The way I see it, your attitude and handling of this issue have given you a lot of credibility. Thanks for all the follow-up information - it's refreshing to see something like this resolved, rather than leaving everyone wondering who was right...who was wrong...whether HostRocket was good after all, etc. Kudos.
-
04-10-2004, 10:11 AM #43 Retired Moderator
- Join Date
- Oct 2002
- Location
- EU - east side
- Posts
- 21,920
Personally I don't like how things were handled. While they had to investigate, that doesn't mean they should use any methods available. I believe that one is innocent until proven guilty, not the other way around and thus should be treated accordingly. But that's just me it seems...
-
04-10-2004, 11:16 AM #44 Web Hosting Master
- Join Date
- Apr 2002
- Posts
- 631
Originally posted by jpayne
Squeak: The way I see it, your attitude and handling of this issue have given you a lot of credibility. Thanks for all the follow-up information - it's refreshing to see something like this resolved, rather than leaving everyone wondering who was right...who was wrong...whether HostRocket was good after all, etc. Kudos.
-
04-10-2004, 12:38 PM #45 Junior Guru Wannabe
- Join Date
- Apr 2004
- Location
- Chicago, IL
- Posts
- 83
The way I see it, we're all webmasters or hosting reps here; webmasters want to run their sites, hosting reps want to make money off of us--it serves the general interests of the web hosting community better when there's trust and understanding between host and webmaster alike.
Without this system there wouldn't be anything besides super-conglomerate sites up because nobody would be able to afford it. So kudos to all involved, and even though it was amicably resolved I still apologize for freaking out; you spend a lot of time securing your site so when you see something unexplained happening to your database you immediately fear a massive attack.
But, IMHO, paranoia keeps the web up because let's face it--there's still a lot of script kiddies out there and new ones are born every day. I've endured POST-floods, GET-floods, and brute force attacks and I must say having gone through those things has taught me a bit about what needs to be done to keep a site running despite the k-rad who get their kicks off of lame DoS attacks that take advantage of poor coding; it was when I saw something occurring to the DB directly that was *totally* beyond my control to secure that I got pretty nervous; you should have seen me fly through all the password changes that morning!
So thanks to all for your attention to this.
-
04-10-2004, 01:47 PM #46 Web Hosting Master
- Join Date
- Aug 2001
- Posts
- 1,210
Originally posted by Watcher_TVI
What happened here in this thread is just not right by any stretch of the imagination...
-B
iptables -I INPUT -s 64.88.128.0/19 -j DROP
iptables -I INPUT -s 66.111.192.0/18 -j DROP
iptables-save > /etc/sysconfig/iptables
-
04-13-2004, 02:16 AM #47 Newbie
- Join Date
- Sep 2002
- Location
- Boston, MA
- Posts
- 21
I feel exactly the same way as you TMX. If I were a client of a hosting company and that company actually went so far as to alter my database under the guise of "checking for inappropriate content" I would not let them off nearly as easy as you have.
While I do believe the host has every right to keep his property and network safe, they crossed the lines in this case. From their responses I believe that this is a standard operating procedure and so I would never feel safe with my sensitive information on their servers.