Hosting Discussion
 

  Post #1 (permalink)   08-23-2015, 05:56 PM
HD Newbie
 
Join Date: Feb 2014
Location: Montréal, Canada
Posts: 46

Status: webalternative is offline
Hello,

How did you deal with a compromised account? Like an outdated WordPress installation that has been compromised?

Did you charge your customer to solve the problem? If yes, how much?

If no, what do you do?



Regards,
__________________
- Web Alternative
- [CA / US / NL / FR ] Shared Hosting - Offshore Hosting - Reseller - VPS
- https://webalternative.net
 
 
The Following User Says Thank You to webalternative For This Useful Post:
Licensecart (08-26-2015)


  Post #2 (permalink)   08-23-2015, 06:06 PM
HD Addict
 
Join Date: Apr 2015
Posts: 164

Status: Harv45 is offline
Quote:
Originally Posted by webalternative View Post
Hello,

How did you deal with a compromised account? Like an outdated WordPress installation that has been compromised?

Did you charge your customer to solve the problem? If yes, how much?

If no, what do you do?

Regards,

I would personally inform them and see if they take action within, say, 24 hours. If they do, then try to work with them; if not, I would just suspend their account until they demonstrate that they will cooperate with you on the issue, or until the end of the billing cycle, and then just deactivate their account.
 
 
 


  Post #3 (permalink)   08-24-2015, 04:03 PM
HD Guru
 
Join Date: Mar 2013
Posts: 811

Status: Alex HubRocket is offline
I think it would really depend on the severity of the case. If they've been compromised and spam is starting to come from the account then that is obviously a higher priority as potentially it could cause issues for other clients.

In any case, any provider should try working with the client to a reasonable extent.
 
 
 


Post #4 (permalink)   08-24-2015, 04:40 PM
HD Wizard
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,007

Status: easyhostmedia is offline
WordPress is known for not being secure, so you must make sure you are running the latest version at all times.

We sent this to clients on 24/10/2014:
Quote:
Once again one of our servers (Venus) was offline 2 hrs today due to a compromised WordPress installation. The client had an outdated version 3.5 while the current version is 4.0.

This has led to the below announcement being issued and published on our website. If you have WordPress installed then make sure you are running the latest version 4.0 and have this updated in Softaculous, as it is whichever sites Softaculous shows as outdated that will be disabled.

Due to a recent rash of web hosting accounts being compromised and exploited, and a lot of these being traced back to outdated WordPress scripts, we have made the decision to sunset all WordPress 3.5, 3.6, 3.7, 3.8 and WordPress 3.9 scripts that are installed on our servers.
Sunsetting, in this context, means that we will be disabling these web hosting accounts or directories that currently have a WordPress 3.5, 3.6, 3.7, 3.8 and WordPress 3.9 script installed.
Current WordPress version is 4.0

Then on 24/11/2014 we sent this:

Quote:
We have noticed that our mailout on 25/10/2014 about WordPress 3.x sunsetting has gone ignored by WordPress users, as Softaculous still shows many outdated installations, with some still using version 3.5 when the current version is 4.0.

Today at 2am I was informed of yet another WordPress installation being compromised due to not having the recent version/security updates. (These are only affecting WP installations, so no one is actually getting into the server in general.)

Each time this is costing us time and effort to sort these issues out.

So this is what is going to happen at some point today:

1) ALL accounts with outdated scripts will be suspended (not just outdated WordPress scripts)
2) To reactivate the suspended accounts you will have to pay a £10 reactivation fee
3) Once reactivated you will have 12 hours to update the outdated installation and if it is updated within the 12 hrs we will refund the fee

We will give you until 12 noon today, Friday 14th Nov., to check your installations and update them before these accounts will start to get terminated.

You can do this by going into your account's cPanel and then looking under Software >> Softaculous, then searching for the script you use. This will tell you the script and current version, and next to that you should see 2 small blue arrows which will allow you to upgrade in a simple 1 click step.

We can do this for you but would have to charge our min. hourly fee of £25.

At the time, out of 300 sites with outdated scripts that got suspended, 250 paid the £10; only 7 upgraded within the 12 hrs, so got refunded; 10 asked me to update their scripts. 220 updated within 72 hrs. The remaining 63 were never upgraded or I never heard back from the clients, so were terminated.
__________________
Terry Robertson - CEO The Easyhost Media Group
Niceday Hosting - Affordable Hosting
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Licensecart (08-26-2015)


Post #5 (permalink)   08-25-2015, 12:29 PM
HD Community Advisor
Join Date: Jan 2011
Location: London
Posts: 608

Status: ughosting is offline
We have fewer compromises now than a year ago, but more attempts at attacks, we've just got better defenses now.

If we find an account compromised, or spamming, we suspend it and wait for the customer to make contact.
We rarely terminate the account, if the customer is paying, but just leave it suspended.

Again like easyhostmedia, if the domain/account is found to be compromised again, we suspend it again and so it goes on.
__________________
DDoS Protected, LiteSpeed + LiteMage on CloudLinux with SSD Disks, R1Soft, Softaculous, SIteBuilder, BitNinja, LetsEncypt & Patchman
UnixGuru: Accounts with 1-16 CPU Cores, 2-32GB RAM. Why use a VPS?
█ Choose from Shared, Reseller and Elastic-Sites Hosting
 
 
 


Post #6 (permalink)   08-26-2015, 02:52 AM
HD Wizard
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,007

Status: easyhostmedia is offline
Quote:
Originally Posted by ughosting View Post
We have fewer compromises now than a year ago, but more attempts at attacks, we've just got better defenses now.

If we find an account compromised, or spamming, we suspend it and wait for the customer to make contact.
We rarely terminate the account, if the customer is paying, but just leave it suspended.

Again like easyhostmedia, if the domain/account is found to be compromised again, we suspend it again and so it goes on.

Yes, but script compromises are not attacks against your servers; these are attacks and even hacks into individual scripts. Some server security systems will pick these up and some won't.
In some cases it's just a matter of looking in the mail queues and seeing a very large amount of queued mail from specific accounts, so leading you to investigate that account.

If you have cPanel or DirectAdmin on your server then it is a good idea to go to http://configserver.com/ and install these on your server (ALL FREE):

ConfigServer Security & Firewall (csf)
ConfigServer ModSecurity Control (cmc)
ConfigServer Explorer (cse)
ConfigServer Mail Queues (cmq)
ConfigServer Mail Manage (cmm)

through SSH using this:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Use the same commands for all the above by just changing the 3 letter code for the script.

And if you can afford $60 then also install ConfigServer eXploit Scanner (cXs) http://configserver.com/cp/cxs.html
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Hostrica (08-26-2015)
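
The mail-queue check described in the post above, as an added example that is not part of the thread: it counts queued messages per sender and flags senders over a threshold. It assumes Exim (the MTA used by cPanel and DirectAdmin) and the listing format printed by `exim -bp`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-sender counts from an Exim queue
# listing. Grouping by envelope sender is an approximation of "account".

# queue_counts: read `exim -bp` output on stdin, print "count sender",
# highest count first. Only header lines carry a message ID in field 3;
# recipient lines are skipped. The null sender "<>" is reported as (bounce).
queue_counts() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
             s = $4; gsub(/[<>]/, "", s)
             if (s == "") s = "(bounce)"
             n[s]++
         }
         END { for (s in n) print n[s], s }' | LC_ALL=C sort -k1,1nr -k2,2
}

# flag_senders LIMIT: print senders with more than LIMIT queued messages.
flag_senders() {
    queue_counts | awk -v limit="$1" '$1 > limit { print $2 }'
}

# sample_queue: constructed listing in `exim -bp` format (not real data).
sample_queue() {
cat <<'EOF'
 3h   1.2K 1ZUsK3-0003Xb-7k <alice@example.com>
          someone@example.net

 2h   1.1K 1ZUsK9-0003Yc-2A <alice@example.com>
          other@example.org

 2h   1.3K 1ZUsLb-0003Zd-Qx <alice@example.com>
          third@example.net

45m   2.0K 1ZUtA1-0004Ab-1C <>  *** frozen ***
          bob@example.com

10m   0.9K 1ZUtB7-0004Bc-9Z <bob@example.com>
          friend@example.org
EOF
}

if [ "${1:-}" = "-" ]; then
    queue_counts                      # live use: exim -bp | sh thisfile -
else
    sample_queue | queue_counts       # offline demo on the constructed listing
fi
```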


Post #7 (permalink)   08-26-2015, 01:08 PM
HD Newbie
Join Date: Dec 2014
Posts: 31

Status: Hostrica is offline
Quote:
Originally Posted by easyhostmedia View Post
Yes, but script compromises are not attacks against your servers; these are attacks and even hacks into individual scripts. Some server security systems will pick these up and some won't.
In some cases it's just a matter of looking in the mail queues and seeing a very large amount of queued mail from specific accounts, so leading you to investigate that account.

If you have cPanel or DirectAdmin on your server then it is a good idea to go to http://configserver.com/ and install these on your server (ALL FREE):

ConfigServer Security & Firewall (csf)
ConfigServer ModSecurity Control (cmc)
ConfigServer Explorer (cse)
ConfigServer Mail Queues (cmq)
ConfigServer Mail Manage (cmm)

through SSH using this:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Use the same commands for all the above by just changing the 3 letter code for the script.

And if you can afford $60 then also install ConfigServer eXploit Scanner (cXs) http://configserver.com/cp/cxs.html

Good info, thanks. I'll be using this. Follow up question, if I may ...

I'm most familiar with maldet ... how does cXs compare to maldet, which is free? Is cXs worth the cost to you, personally?
__________________
HOSTRICA.com cPanel | Unlimited Domain | VPS | Windows & Linux | Instant Setup
 
 
 


Post #8 (permalink)   08-26-2015, 01:28 PM
HD Wizard
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,007

Status: easyhostmedia is offline
Quote:
Originally Posted by Hostrica View Post
Good info, thanks. I'll be using this. Follow up question, if I may ...

I'm most familiar with maldet ... how does cXs compare to maldet, which is free? Is cXs worth the cost to you, personally?

I use both.

Maldet is basic. I installed this through WHXtra along with RHK Rootkill.

cXs was only $50 when I purchased it, but it's been well worth it.
 
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Hostrica (08-26-2015)


Post #9 (permalink)   08-26-2015, 02:26 PM
HD Amateur
Join Date: Sep 2013
Posts: 72

Status: Licensecart is offline
Quote:
Originally Posted by webalternative View Post
Hello,

How did you deal with a compromised account? Like an outdated WordPress installation that has been compromised?

Did you charge your customer to solve the problem? If yes, how much?

If no, what do you do?

Regards,

When I was in hosting, we used to offer to restore a backup and then upgrade them for free; otherwise they can upgrade for free. If they didn't, we'd tell them we would have to let them go to another provider.
 
 
 


Post #10 (permalink)   08-26-2015, 02:58 PM
HD Wizard
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,007

Status: easyhostmedia is offline
Quote:
Originally Posted by Licensecart View Post
When I was in hosting, we used to offer to restore a backup and then upgrade them for free; otherwise they can upgrade for free. If they didn't, we'd tell them we would have to let them go to another provider.

Not so much restoring backups, but this is about how to deal with outdated scripts.

I know we all want to be pleasant to clients and bend over backwards to help them, but it should go both ways. If they won't or are unwilling to upgrade outdated scripts, then it can cause problems for other users on the server if someone through their outdated script gets into other sites on the server. Software houses update scripts for a reason, and clients need to know this and how important it is to update scripts.
A provider has really 3 options:

1) help the client or get the client to upgrade the outdated script
2) if they won't upgrade then terminate them
3) as a last resort ban the script on your servers.

This is what we did with E107: it is banned from any of our servers because when it had a security issue they were not releasing any patch for it, and a client that was using it managed to get our server IP blacklisted using this.
 
 
 


Post #11 (permalink)   08-27-2015, 09:44 AM
HD Amateur
Join Date: Sep 2013
Posts: 72

Status: Licensecart is offline
Quote:
Originally Posted by easyhostmedia View Post
Not so much restoring backups, but this is about how to deal with outdated scripts.

I know we all want to be pleasant to clients and bend over backwards to help them, but it should go both ways. If they won't or are unwilling to upgrade outdated scripts, then it can cause problems for other users on the server if someone through their outdated script gets into other sites on the server. Software houses update scripts for a reason, and clients need to know this and how important it is to update scripts.
A provider has really 3 options:

1) help the client or get the client to upgrade the outdated script
2) if they won't upgrade then terminate them
3) as a last resort ban the script on your servers.

This is what we did with E107: it is banned from any of our servers because when it had a security issue they were not releasing any patch for it, and a client that was using it managed to get our server IP blacklisted using this.

Yeah, but if the account is "hacked" you want to go back to the old version before it was hacked and then upgrade.
 
 
 


Post #12 (permalink)   08-27-2015, 09:54 AM
HD Wizard
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,007

Status: easyhostmedia is offline
Quote:
Originally Posted by Licensecart View Post
Yeah, but if the account is "hacked" you want to go back to the old version before it was hacked and then upgrade.

No, as that won't help; you need to look at how they got in. 9/10 they will get in as you use a weak password and then FTP a PHP file into your site that you are not aware of until your host gets notices. Downgrading will not help if you still use weak passwords.

You need to:

1) change all passwords to strong passwords.
2) go through the file structure to find the hacker's files/folders and remove them.
3) upgrade the script

In that order.
 
 
 


Post #13 (permalink)   08-27-2015, 11:38 AM
HD Newbie
Join Date: Dec 2014
Posts: 31

Status: Hostrica is offline
Quote:
Originally Posted by easyhostmedia View Post
No, as that won't help; you need to look at how they got in. 9/10 they will get in as you use a weak password and then FTP a PHP file into your site that you are not aware of until your host gets notices. Downgrading will not help if you still use weak passwords.

You need to:

1) change all passwords to strong passwords.
2) go through the file structure to find the hacker's files/folders and remove them.
3) upgrade the script

In that order.

Yep. Done this more times than I would care to admit. Overlook a single FTP account or CMS user ... and you have to start all over again.
 
 
 


Post #14 (permalink)   08-27-2015, 12:04 PM
HD Wizard
Join Date: Mar 2011
Location: Northumberland, UK
Posts: 5,007

Status: easyhostmedia is offline
Quote:
Originally Posted by Hostrica View Post
Yep. Done this more times than I would care to admit. Overlook a single FTP account or CMS user ... and you have to start all over again.

Yup, and it's fine when a client cooperates with you.
I had 1 client who had a typical WP hack due to weak passwords, so I instructed them to clean their account and change passwords. They agreed, but the same thing happened again. Fine, this time I told them to clean their account and I would change their passwords. I changed the passwords and gave them the passwords. I told them that the next time this happens I will have to charge them for my time at our rates as per our TOS, £25 per hr.
Within a week the same thing happened and I noticed they had changed the passwords back to their old weak ones, so, as I told them, I would clean their site and charge them.
In all I spent 30+ hrs, but only invoiced them £300. They refused to pay and even threatened to report me for trying to scam them. Strange, as I had all the evidence of them not cooperating and changing the passwords back and accepting that I would charge if it happened again. So they never paid, so the WHMCS system suspended them and then terminated them, but leaving the invoice active. Since then (12 months) they have gone through 4 hosts, so I assume all for the same reason.
 
 
 


  Post #15 (permalink)   08-28-2015, 12:01 PM
HD Guru
 
Join Date: Mar 2013
Posts: 811

Status: Alex HubRocket is offline
@Easyhostmedia: Your emails sound a little harsh on the client but I won't go into that.

Are you only using Softaculous to determine outdated WordPress installations on your server? If so, you probably have some more outdated installs on your network.

There are a few more ways you could look which would catch every outdated install.
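
One way to find outdated installs without relying on an installer's inventory, as an added example (not from the thread, and not necessarily the method the poster had in mind): walk the account directories and read the version each WordPress copy records in `wp-includes/version.php`. It assumes sites live under one base directory such as `/home`; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list WordPress installs below a minimum
# version by reading wp-includes/version.php, independent of any installer.
# Assumption: sites live under one base directory such as /home (cPanel layout).

# norm VERSION: turn "3.9.2" into a comparable integer (3009002).
norm() { printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'; }

# ver_lt A B: true when version A is older than version B.
ver_lt() { [ "$(norm "$1")" -lt "$(norm "$2")" ]; }

# wp_version_of FILE: print the value assigned to $wp_version in version.php.
wp_version_of() {
    sed -n "s/^[[:space:]]*[\$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# scan_outdated_wp BASE MIN: print "version<TAB>install path" for old installs.
scan_outdated_wp() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r f; do
        v=$(wp_version_of "$f")
        [ -n "$v" ] || continue
        if ver_lt "$v" "$2"; then
            printf '%s\t%s\n' "$v" "${f%/wp-includes/version.php}"
        fi
    done | sort
}

# make_demo_tree DIR: constructed sample accounts (not real data).
make_demo_tree() {
    for spec in "alice/public_html:3.5" "bob/public_html/blog:4.0" \
                "carol/public_html/old/site:3.9.2"; do
        d="$1/${spec%%:*}/wp-includes"
        mkdir -p "$d"
        printf "<?php\n\$wp_version = '%s';\n" "${spec##*:}" > "$d/version.php"
    done
}

if [ "$#" -eq 2 ]; then
    scan_outdated_wp "$1" "$2"        # e.g. sh thisfile /home 4.0
else
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    scan_outdated_wp "$tmp" 4.0       # lists alice (3.5) and carol (3.9.2)
    rm -rf "$tmp"
fi
```

The scan also reports copies in subdirectories and forgotten test folders, since it keys on the file rather than on how the site was installed.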
 
 
 