
10-31-2009, 01:17 PM
Newbie
Join Date: Oct 2006
Location: New Westminster, BC
Posts: 27
A bad experience with Dreamhost
I spent an afternoon completely away from computers, and when I got back, I received this email from the Dreamhost Security Bot:
-----
We have noticed your myacct user causing a large amount of load on the webserver. We also noticed that domains under this user are running outdated web software that may be hackable. Often times when domains get hacked the hackers will launch malicious processes that use a great deal of CPU time and thus increase the load on the machine caused by your user. This does not necessarily mean that your sites are hacked, but they could be. To ensure that your user is not compromised and contributing to server load unnecessarily (and, also not engaging in illegal activity typically associated with these types of hacks) we ask that you review the following and act accordingly.
Comment: so far, so good
Most commonly hacking exploits of this nature occur through known vulnerabilities in outdated copies of web software (blogs, galleries, carts, wikis, forums, CMS scripts, etc.) running under your domains. To secure your sites you should:
1) Update all pre-packaged web software to the most recent versions available from the vendor. The following site can help you determine if you're running a vulnerable version:
http://secunia.com/advisories/search/
Joomla (v1.5.8) : /home/myacct/disabled site.net/ (OUTDATED!)
I disabled this site six months ago.
Joomla (v1.5.12) : /home/myacct/joomla1512site.com/ (OUTDATED!)
There were three of these
WordPress (v2.8.4) : /home/myacct/wp284site.org/ (OUTDATED!)
There were six of these
- WordPress installations need to be updated to the current release of 2.8.5.
- Joomla installations need to be updated to the respective current secure release: 1.0.15 or 1.5.14.
- Any old/outdated/archive installations that you do not intend to maintain need to be deleted from the server.
The (OUTDATED!) domains above have been disabled by renaming the domain directory to end in "_DISABLED_FOR_POSSIBLE_EXPLOIT__CONTACT_DREAMHOST". Please do not reinstate them until you are ready to immediately upgrade them, or until you have already upgraded them.
-----
So, nine of my sites were disabled, for a period of four hours, with NO ADVANCE WARNING from Dreamhost.
I sent them a response, pointing out that:
1. I run a tripwire program, integrit, on a daily basis. It showed no evidence that any of these sites had been hacked.
2. My access logs showed no increase in activity on this date.
They wrote, "We have noticed your myacct user causing a large amount of load on the webserver." Well, I certainly would like some details on this, but I haven't received any.
Here's part of the response I got:
-----
In the case of some of the domains that were disabled your softwares were
years out-of-date.
------
Uh, no. Wordpress 2.8.4 was released August 12, 2009. Joomla 1.5.12 was released July 1, 2009. The only software that was "years" out of date was on two sites that had been disabled by me six months ago.
It's clear that these people are making things up as they go along. All they really had to do was send me a note saying, "Hey, Bob, could you update these Wordpress and Joomla sites sometime in the next few days?"
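How a version-string inventory like the listing in the quoted email can be run by an account owner over their own home directory, as an added example that is not part of the original thread and is not Dreamhost's tooling. The version-file paths for WordPress and Joomla are assumptions about stock installs, the function names are illustrative, and the sample tree is constructed; the minimum versions are the ones the email names.

```python
import re
import tempfile
from pathlib import Path

# Minimum releases named in the quoted email; the keys are this example's labels.
MINIMUM = {"wordpress": (2, 8, 5), "joomla-1.0": (1, 0, 15), "joomla-1.5": (1, 5, 14)}
WP_RE = re.compile(r"\$wp_version\s*=\s*'(\d+(?:\.\d+)*)'")
RELEASE_RE = re.compile(r"\$RELEASE\s*=\s*'(\d+\.\d+)'")
LEVEL_RE = re.compile(r"\$DEV_LEVEL\s*=\s*'(\d+)'")
# Assumed version-file locations for stock Joomla 1.5 and Joomla 1.0 installs.
JOOMLA_FILES = ("libraries/joomla/version.php", "includes/version.php")

def to_tuple(version):
    return tuple(int(part) for part in version.split("."))

def identify(site):
    """Return (product, version tuple) read from a site's version file, or None."""
    wp = site / "wp-includes" / "version.php"
    if wp.is_file():
        m = WP_RE.search(wp.read_text(errors="replace"))
        if m:
            return "wordpress", to_tuple(m.group(1))
    for rel in JOOMLA_FILES:
        if (site / rel).is_file():
            text = (site / rel).read_text(errors="replace")
            release, level = RELEASE_RE.search(text), LEVEL_RE.search(text)
            if release and level:
                return "joomla-" + release.group(1), to_tuple(release.group(1)) + (int(level.group(1)),)
    return None

def scan(home):
    """Map each directory under home to (product, version, outdated)."""
    findings = {}
    for site in sorted(Path(home).iterdir()):
        found = identify(site) if site.is_dir() else None
        if found:
            product, version = found
            findings[site.name] = (product, version, version < MINIMUM.get(product, version))
    return findings

def demo():
    """Scan a constructed tree; directory names echo the email's listing."""
    files = {
        "wp284site.org/wp-includes/version.php": "<?php $wp_version = '2.8.4';",
        "joomla1512site.com/libraries/joomla/version.php": "<?php var $RELEASE = '1.5'; var $DEV_LEVEL = '12';",
        "current.example/wp-includes/version.php": "<?php $wp_version = '2.8.5';",
    }
    with tempfile.TemporaryDirectory() as home:
        for rel, body in files.items():
            path = Path(home, rel)
            path.parent.mkdir(parents=True)
            path.write_text(body)
        return scan(home)
```

A check like this reads only the version string, so it flags a directory whether or not the site is still linked to a live domain, and it cannot see fixes that were backported by hand, a limitation a later reply in this thread raises.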

10-31-2009, 01:52 PM
Web Host Extraordinaire!!!
Join Date: Dec 2007
Location: Indianapolis, Indiana USA
Posts: 14,319
It's very strange that they've chosen to police your scripts and to force you to keep them up to date. 99.999% of the time this is the responsibility of the customer and even if it's not I would think they would simply inform you and give you time to update (and not automatically suspend).
__________________
█ Michael Denney - MDDHosting, LLC - Professional Hosting Solutions
█ LiteSpeed Powered - Shared, Reseller, Semi-Dedicated, and VPS
█ For high-end shared accounts ideal for business, check out our Semi-Dedicated offerings!
█ http://www.mddhosting.com/ - Providing Quality Services since 2007

10-31-2009, 02:10 PM
Premium Member
Join Date: Apr 2007
Location: United Kingdom
Posts: 1,559
Have they not told you exactly what was causing the load? Normal practice is to provide a snippet from the logs showing exactly what is consuming resources.
__________________
EZPZ Hosting - Dependable and Affordable UK and US Web Hosting
LiteSpeed Powered cPanel Shared with R1Soft and Softaculous | Budget VPS, Managed VPS and Dedicated | Shoutcast
Reseller Hosting Specialists | WHMCS-Based End User Support | Unlimited SSLs | CloudFlare
99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee |

10-31-2009, 02:10 PM
Stairway To Hosting
Join Date: Mar 2003
Location: Canada
Posts: 7,959
Quote:
Originally Posted by MikeDVB
It's very strange that they've chosen to police your scripts and to force you to keep them up to date.
|
Yeah, that's very strange that a provider doesn't want a single user causing a high load, possibly due to a compromised script... very strange indeed. 

10-31-2009, 02:21 PM
Junior Guru Wannabe
Join Date: Sep 2009
Location: Kuala Lumpur
Posts: 86
They should have provided proof showing which account caused the high load. As Dan_EZPZ said, normally they will provide evidence to prove that it comes from your account.
In this case, I'm not too sure what Dreamhost are trying to pull.
__________________
█• • Providing Quality Litespeed Web Hosting
█• Data Centre - USA - UK - Malaysia
█• 24/7 Fast Support / 99.9% Uptime Guarantee
█• 30 Day Money Back Guarantee

10-31-2009, 02:54 PM
Retired Moderator
Join Date: Oct 2002
Location: EU - east side
Posts: 21,920
Quote:
|
In this case, I'm not too sure what Dreamhost are trying to pull.
|
Well, it may be that in some cases the simple upgrade from very old software versions led to decreased resource usage, hence this strong suggestion to do so for customers who have reached the limits of DH's shared hosting.
Old software is a serious risk, and it is unfair in a way that hosts are expected to put up with the laziness of customers using a shared hosting environment.

10-31-2009, 03:02 PM
Newbie
Join Date: Oct 2006
Location: New Westminster, BC
Posts: 27
Quote:
Originally Posted by Dan_EZPZ
Have they not told you exactly what was causing the load?
|
No, and that's one of the things I'm not happy about. It's also evidence that they are just guessing.

10-31-2009, 03:17 PM
Web Hosting Master
Join Date: Feb 2006
Location: Buffalo NY
Posts: 1,146
Quote:
Originally Posted by ldcdc
Well, it may be that in some cases the simple upgrade from very old software versions led to decreased resource usage, hence this strong suggestion to do so for customers who have reached the limits of DH's shared hosting.
Old software is a serious risk, and it is unfair in a way that hosts are expected to put up with the laziness of customers using a shared hosting environment.
|
I tend to concur, but the issue is automated suspensions of accounts. For instance, I run numerous software where I manually patch / backport the security fixes for certain reasons - this usually makes it so the version number is off / not updated. Granted, I understand this isn't that common - it's still something to think about.
The better route would be to simply notify the customer / auto submit a ticket on their behalf and give them at least some chance to reply / acknowledge it.
__________________
█ Cody R. - Chief Technical Officer
█ Quality Shared and VPS Hosting
█ Hawk Host Inc. Proudly serving websites since 2004
█ PHP 5.3 & PHP 5.4 Support!

10-31-2009, 08:47 PM
The Geek is coming
Join Date: Aug 2004
Location: Toronto
Posts: 7,103
Quote:
|
Uh, no. Wordpress 2.8.4 was released August 12, 2009. Joomla 1.5.12 was released July 1, 2009. The only software that was "years" out of date was on two sites that had been disabled by me six months ago.
|
By disabling the sites, did you delete the scripts/files from the server? If the files were still hosted on the account, that still presents a vulnerability.
In my opinion, a 12/24 hour notice would've been nice but if you think about doing this for millions of web sites and waiting for a response then disabling the scripts, you would understand why they did what they did.
In regards to the high cpu usage, it seems like you have plenty of scripts hosted on the account which could certainly cause high cpu/memory consumption.
__________________
■█► WireNine.com ► 8+ years in business!
■█► Shared Hosting, Reseller Hosting and VPS Hosting ► 24/7 Support ► 99.9% Uptime ► 60 Day Money Back Guarantee
■█► cPanel, Litespeed, CloudFlare, Softaculous, Attracta SEO, Site Builder
■█► Find us on Facebook and follow us @wirenine

10-31-2009, 09:04 PM
Newbie
Join Date: Oct 2006
Location: New Westminster, BC
Posts: 27
Quote:
Originally Posted by WN-Ali
By disabling the sites, did you delete the scripts/files from the server? If the files were still hosted on the account, that still presents a vulnerability.
|
No, they renamed the directory.
Quote:
|
In my opinion, a 12/24 hour notice would've been nice but if you think about doing this for millions of web sites and waiting for a response then disabling the scripts, you would understand why they did what they did.
|
No, what they did was totally inappropriate. They shut down my sites without any evidence (that I've seen) that there was actually a problem.
Quote:
|
In regards to the high cpu usage, it seems like you have plenty of scripts hosted on the account which could certainly cause high cpu/memory consumption.
|
Well, yes. That's the way database-driven sites work. What do you think would happen if a web hosting company told potential customers, "We'll give you hosting for $100 a year, but you can't run Wordpress, Joomla, or Drupal?"

10-31-2009, 10:57 PM
The Geek is coming
Join Date: Aug 2004
Location: Toronto
Posts: 7,103
Quote:
|
Well, yes. That's the way database-driven sites work. What do you think would happen if a web hosting company told potential customers, "We'll give you hosting for $100 a year, but you can't run Wordpress, Joomla, or Drupal?"
|
Not all Wordpress, Joomla or Drupal web sites consume high cpu/memory. You have more than the usual amounts of scripts installed, thus the high cpu/memory consumption. It also depends on how you optimize your scripts, and the number of unique visitors to your web site. Perhaps you can share with us the daily/monthly unique visitors to all your web sites; that would be helpful in determining how/why your cpu/memory consumption is high according to DreamHost.
Unfortunately if your website is potentially harmful to other customers on the server, they have to think about the entire server and what's good for everyone on it not just you alone.
__________________
■█► WireNine.com ► 8+ years in business!
■█► Shared Hosting, Reseller Hosting and VPS Hosting ► 24/7 Support ► 99.9% Uptime ► 60 Day Money Back Guarantee
■█► cPanel, Litespeed, CloudFlare, Softaculous, Attracta SEO, Site Builder
■█► Find us on Facebook and follow us @wirenine

11-01-2009, 08:41 AM
Aspiring Evangelist
Join Date: Sep 2009
Posts: 375
Well, sorry to hear about your bad experience with them. You might want to consider moving and look around for another one.

11-01-2009, 05:53 PM
Community Liaison 2.0
Join Date: Feb 2005
Location: Australia
Posts: 5,117
Judging by your own earlier thread your Wordpress and Joomla sites were hacked repeatedly between July and September this year. If DH says they've been hacked again I don't see why you'd doubt their word. Perhaps you missed a backdoor left by the hackers last time.
Quote:
Originally Posted by roberb7
It's clear that these people are making things up as they go along. All they really had to do was send me a note saying, "Hey, Bob, could you update these Wordpress and Joomla sites sometime in the next few days?"
|
And let your unfortunate neighbours on the shared server suffer for a few days while you get around to sorting it out? No. DH did the right thing. Any other responsible host would do the same.
__________________
Chris
"Learn from the mistakes of others. You can never live long enough to make them all yourself." - Groucho Marx

11-01-2009, 07:55 PM
Radiofreak for life
Join Date: Aug 2005
Location: The Netherlands
Posts: 3,198
I don't see anything wrong with this. The hoster is not responsible for updating your scripts, you are. And if you left disabled sites' files in place on the server, you're creating a big security risk for all other clients on the server.
If you don't mind about that, you should get a dedicated server and not share your hosting space with other paying customers.
Dreamhost gave you a warning, and if your sites got hacked before, they are probably just extra careful.
__________________
██ Co-owner EclecticRadio | Electronic Music Radio
██ WE MAKE YOU DANCE!
██ Visit us @ www.eclecticradio.nl

11-01-2009, 11:07 PM
Newbie
Join Date: Oct 2006
Location: New Westminster, BC
Posts: 27
Quote:
Originally Posted by foobic
Judging by your own earlier thread your Wordpress and Joomla sites were hacked repeatedly between July and September this year. If DH says they've been hacked again I don't see why you'd doubt their word. Perhaps you missed a backdoor left by the hackers last time.
|
If you read the initial posting in this thread,
1. DH DID NOT say that any of my sites were hacked again.
2. I said that I had checked my sites with a tripwire program, and saw no evidence of any hacking.
3. "Perhaps you missed a backdoor..." and perhaps not. If DH knew that such a thing had happened, I would have appreciated some details.
In the absence of any hard information from DH (and yes, I asked them for it), I would have every reason to doubt their word, if they had actually said that my sites had been hacked.