Micfo.com, LLC. - Official Forums  

Security Breaches and Holes: Security breaches and holes will be announced here. You may also discuss anything related to this topic here.

#16, 05-14-2007, 01:00 PM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
GhostRider2110,

This was exactly what I had in mind. I was speaking of a professional application, not software from a recently graduated university student...

If I do it myself it would be a three-part process: display of the suspected files with recovery information, selection of the desired depth of recovery, and recovery with a report.

I have hundreds of those files in each domain; it won't be practical to do it manually, mainly because I know that 95% of those files could be cleaned and/or recovered easily.

From what I read on the zone-h.org website, there must be hundreds of Micfo customers with the same hacked files on their servers...

But even if only 10 customers were hacked, Micfo would have to post a message to warn the others, just in case! That's the professional way to go...
#17, 05-14-2007, 11:05 PM
Technical Director
Greetings,

Not quite true. /tmp is secured and always has been. The issue is that if someone can get in through any of the websites that has an insecure PHP application, they will hack through that site by uploading their scripts into it.

PHPSuexec prevents that, since everything runs as the user, so they cannot access any other sites no matter how they try; but it is not an issue of /tmp. It is their PHP applications that are targeted.

Quote:
Originally Posted by drachma
I too was a victim of hack on & before 4/11/07 (both version 1 and 2). This was before phpsuexec...

As far as I know... phpsuexec prevents this from happening. Previously this hack occurred because of an insecure /tmp directory. Now since everyone is moved to phpsuexec, this shouldn't be a problem.

Now -- that's only if all dirs are CHMOD 755.
Remember -- for regular php apps, at times you need CHMOD 777, but for PHPSUEXEC, you should only use CHMOD 755.

Unfortunately the only way to eliminate this is to delete the files manually. Both *.php and modify the .htaccess per directory.

A full restore will not eliminate already existing files ~~ I tried this method and still had to manually delete everything.
__________________
Russell Rademacher

CTO - Datacenter Supervisor
Micfo International LLC.
www.micfo.com
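As an added example (not code from the thread, from Micfo or from cPanel), here is the 755/644 check the post above describes: a POSIX shell audit that lists world-writable directories and files under a web root, resets them to the PHPSuexec-safe modes, and inventories the per-directory .htaccess files the quoted post says must be reviewed by hand. The web root is whatever path you pass in; nothing about any real server layout is assumed.

```sh
#!/bin/sh
# Added example, not from the thread: permission audit for a PHPSuexec web root.
# Under PHPSuexec scripts run as the account user, so directories should be 755
# and files 644; a 777 directory or 666 file is writable by every other account
# on the box and is the first thing to look for after a defacement.

# List every world-writable directory or regular file under the web root $1,
# one path per line. Symlinks are not matched, so a link pointing outside the
# tree is never reported or re-chmodded. Nothing is changed by this function.
audit_world_writable() {
    root=$1
    # -perm -002 matches any entry whose "other write" bit is set
    # (777 directories, 666 files, and so on).
    find "$root" \( -type d -o -type f \) -perm -002 -print
}

# Number of world-writable entries; 0 means the tree is clean.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate in place: directories to 755, regular files to 644.
# Run audit_world_writable first and keep its output as the change record.
fix_world_writable() {
    root=$1
    find "$root" -type d -perm -002 -exec chmod 755 {} +
    find "$root" -type f -perm -002 -exec chmod 644 {} +
}

# Inventory every .htaccess under the web root. The quoted post notes that the
# defacement left a modified .htaccess per directory, so each file listed here
# should be diffed against a known-good copy or read line by line.
list_htaccess() {
    find "$1" -type f -name .htaccess -print
}

# Stand-alone usage (constructed): ./audit.sh /path/to/public_html
# Prints the report only; fix_world_writable is deliberately not called here.
if [ "${1:-}" != "" ]; then
    echo "World-writable entries under $1:"
    audit_world_writable "$1"
    echo "Total: $(count_world_writable "$1")"
    echo ".htaccess files to review:"
    list_htaccess "$1"
fi
```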
#18, 05-15-2007, 07:47 AM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
Russell (Elik),

Do you intend to do something to help the Micfo customers who were victims of those defacements to clean up their PHP files?
#19, 05-15-2007, 08:06 AM
GhostRider2110, Moderator :: Micfo Forums (Indiana)
Another question I have: how much is the fault of Micfo and how much is just bad PHP deployment by customers? Is there a way to tell? My defacement was due to my not setting proper file perms...

I don't think Micfo has the responsibility to do anything except maybe send a notice out with the info known.... unless it is something they explicitly did. There are holes in every OS, and most every app out there has some sort of hole in it. You can only keep things updated as best as possible, but in a responsible way... and hope the users are doing the same thing... Maybe another forum strictly for Micfo admins to post the latest security warnings (boy would that be a busy thread!!!!!)

Not sure what the best way to handle things like this is...

Yes, it would be better customer service to come up with something like you said.... but is it bad customer service not to? I don't think so, depending on the basis behind the defacements... And yes, I have not read up on all the details of that last round... still doing that in my abundant free time (cough cough).
__________________
Mitchell Baker
Forum Moderator | Questions? PM me
#20, 05-15-2007, 08:34 AM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
GhostRider2110,

Nice reflection; now think about this one:

Suppose a web hosting company advertises a feature like Fantastico to get new customers, and a customer with no knowledge at all about programming pays for a hosting plan. If the customer then does a "simple click installation" of the "Soholaunch" or "Zencart" application with Fantastico and gets defaced with a "plain vanilla" installation, who is responsible for the cleanup process?

I won't get into arguing the percentage of responsibility between the application's designer, the Fantastico application and the final promoter of the whole product who makes money with his hosting plans, but suffice it to say that the customer who did not play a real "active" part in the software installation cannot have 100% of the responsibility and cannot be asked to do the technical cleanup himself.

First of all, the server owner has a responsibility to ensure security against external attackers and must be sure not to offer unsafe applications to its customers. And that's my point!

I have a neutral opinion here, like a lawyer who would advise against abuse from either side, customer or company owner.

The situation would be different if the PHP defacement was caused by a proprietary PHP script of a customer, or by a customer who voluntarily modified the directory permissions; this is not the case here.
#21, 05-15-2007, 08:51 AM
GhostRider2110, Moderator :: Micfo Forums (Indiana)
exdiogene,

My problem is I am of the school of thought "don't run something you know nothing about"... and that is one of the biggest problems of the web today. Too many people can buy a web site without knowing what they are doing, relying on things to be set and safe by default. When they are not...

Some of the reading I was doing on this had to do with the last kernel bug, if I was reading the right threads... That is beyond the control of Micfo and the customer.

Micfo, being a "customer" of cPanel, is caught in the same link as Micfo customers.

I can't fully subscribe to your thought that since Micfo provided it, they are responsible for the use on install. By default, the install of most apps like that requires the user to remove the install dir before starting... and many require file permission changes by the user to finish off the protection. In a way that is like saying a gun manufacturer is responsible for someone shooting someone else... or the tire manufacturer being blamed for someone not properly inflating the tire...

I think this is a point we will have to agree to disagree on...
__________________
Mitchell Baker
Forum Moderator | Questions? PM me
#22, 05-15-2007, 09:17 AM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
GhostRider2110, your comparison is flawed!

You should compare the situation with a gun manufacturer who does not know they made a gun that fires backward due to a careless employee on their assembly line.

Or to a company manufacturing tires with a rubber coating that detaches from the inner steel belt because of a new design error.

In an American court the manufacturer would be blamed for the customers' injuries 100% of the time. A company must ensure the safety of its products. Same thing for a reseller.

So at least choose good examples to sustain your way of thinking.

The only part where I agree with you is that someone should have at least a basic knowledge of the product he is buying or selling. But doesn't this kind of thinking apply to Micfo as well? If you do not know enough about server security, administration and programming, don't get into the business of web hosting.
#23, 05-15-2007, 09:57 AM
Technical Director

Responsibility

Greetings,

Unfortunately, Exdiogene, Micfo does not take responsibility for what customers install in their accounts. What they install in their accounts is their responsibility, as is maintaining their account and making sure it is up to date.

It is next to impossible to track what they install, since some of it is their own programming and some is their own installation of 3rd-party software for their sites. Micfo does take care of security, but what they install is their responsibility. We deal with the basic ends like the versions of software such as PHP, Perl and so on, and we secure the server in general from general hacks. Pretty much all hacks that happen occur in individual accounts, not from root or from server security, but due to the account itself: insecure applications, improper directory permissions and poor password management.
__________________
Russell Rademacher

CTO - Datacenter Supervisor
Micfo International LLC.
www.micfo.com
#24, 05-15-2007, 05:39 PM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
Russell,

I understand what you write and you are right about third-party and private software. But if you follow the discussion from the start you will notice that I only talk about the "plain vanilla" Fantastico "one click install" applications that Micfo makes available to its customers.

Can you comment only on this, please! I saw websites defaced with only a "zencart", "picture manager" or "soholaunch" installation. No other software or personal scripts.

Nowhere in your messages do you say whether Micfo should be at least partly responsible or not for an insecure application available through its own Fantastico interface.

This discussion could be oriented on three levels: morality, legality, business.

At least, don't you agree that a warning message on the forum would have been appropriate?
#25, 05-15-2007, 06:55 PM
GhostRider2110, Moderator :: Micfo Forums (Indiana)
exdiogene,

First, what I agree with... Yes, I think that anyone, Micfo or customer, should post in the forums if they find out there is a problem with an application or the underlying OS and support programs.

Now, I don't believe Micfo is responsible for what is distributed by Fantastico or cPanel. They are commercial applications as well, just wrappers around the base install of the program like Zencart or phpBB. Now if THEY (cPanel or Fantastico) are distributing versions of an application that has a major security issue, then Micfo could possibly disable future installs and give a general notice to its users until cPanel and/or Fantastico updates the applications. Maybe I am totally wrong about how they work, but I don't think Micfo controls the scripts used or the app version installed.

So, going back to what you said, Micfo is not the manufacturer of these products, just a reseller/distributor, and would only be the gun dealer who ordered the gun from the manufacturer to be delivered to the client, which the manufacturer messed up so that it backfires..... In all probability the gun dealer did not test fire the weapon....

Take the Zencart exploit as an example: was it only the ones installed via Fantastico, or was it also ones installed by downloading from Zencart directly? My Zencart install was not done via Fantastico because at the time it was a version or two behind the current release, so I downloaded and installed it. Then I scoured the Zen support web site for security issues to make sure I had installed everything right.

This subject has been and will be debated for a long time. Who is responsible for a security issue? Can you sue Microsoft for leaving an exploit open for 3 weeks until they come out with the monthly patch? Can you sue Zencart for a variable's bounds not being checked, causing a loss of customer data? Is the ISP liable for allowing the ports used to transport the exploit?

Now, to agree again, from a business standpoint Micfo should do what it can to notify its customers when it finds out about a security issue with software that could be installed from those "click and become a webmaster" programs.

I personally feel that even if it is provided by Micfo via a 3rd-party installer like cPanel, Fantastico or any of the other click-and-install front ends, it is the responsibility of the customer to make sure what they are doing is installed properly, configured properly, secured and used in a legal manner...

See-ya
__________________
Mitchell Baker
Forum Moderator | Questions? PM me

Last edited by GhostRider2110; 05-15-2007 at 07:03 PM.
#26, 05-15-2007, 08:24 PM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
I mostly agree with what you say except the conclusion.

If a customer buys a car, it is assumed that he knows how to drive it as well as maintain it in a safe way by following the manufacturer's directives. That's all.

At no point is it assumed that the owner of a car will have the engineering expertise to know whether the manufacturer's glue for the brake lining is strong enough to allow emergency braking, or to know that the tires are not safe over 100 km/h. In the same way you cannot shift responsibility for the damage to the owner of that car, because he is no expert!

We can say the same for the end user of "commercial" software that came with a "commercial" selling package like a hosting plan. He has the right to be advised of the known problems of the product, and if nothing is said then he has the right to ask for a refund or compensation for the defective software that came with the package, even if it is stated that the designer takes no responsibility for the consequences of the use of the software.

I would do it if it happened to one of my customers and I had been negligent in intervening within a reasonable time period...

If the car manufacturer learns about a defective part on a car, he has the obligation to recall all cars to fix the defective part. If he does not do it he can be sued for negligence.

And for your own knowledge, the "zencart", "picture manager" and "soholaunch" were the original ones that came with the Micfo hosting plan; no modifications were made and no directory permissions were changed...

The conclusion: it is always a question of goodwill from all...
#27, 05-16-2007, 03:04 AM
Amir, Executive Director (New York, NY)
exdiogene,

In future, if I were you, before jumping in with your guns and attacking Micfo, I would go and read the terms of service, which are available on our corporate web site. Perhaps you couldn't find them, so I'm pointing you to those terms:

Terms of Service
URL: http://www.micfo.com/web-site-hostin...f-service.html

Quote:
11. Additional Service Installation: Micfo.com offers its customers many scripts for free by offering its customers Fantastico hosting and cPanel hosting. These free scripts are provided on an 'as-is' basis. Customer agrees to be fully responsible for any damage resulting from installation and usage of such scripts within their web hosting account. Should a customer request to have any additional scripts or software installed onto Micfo.com servers that are not included already in the control panel or Fantastico, there will be a technical administrative charge of $25 for this service.

Quote:
Additional Services Warranty: Additional web hosting services include but are not limited to, upgrades, additional disk space or bandwidth, dedicated IP address, SSL Certificates and Promotions. These additional services are not covered under our “30-Day Money Back Guarantee or 30-day money back guarantee” and will therefore be deducted from the prorated refund amount. They are provided on an “as is” and “as available” basis. Micfo.com disclaims any implied warranties from Micfo.com, its employees or affiliates and therefore cannot be held responsible or liable for any possible damages resulting from the use or misuse of any information, content or services provided by Micfo.com, including direct or indirect, punitive and incidental damages resulting from any failure to provide services, suspension or termination of services.

Quote:
Limited Liability: Customer agrees that no Micfo.com member of staff, at any time shall be held responsible or liable for any but not limited to the following: i) where Micfo.com services are accessed by any third parties through illegal or illicit means. This includes any situations where data is accessed through exploiting of security gaps, flaws or weaknesses which may exist in the Micfo.com services or any of Micfo.com equipment. ii) for any damages or losses (including those of third parties) that could result from the use of or inability to use Micfo.com products or services, or that could result from but are not limited to; any omissions, loss of data, interruptions, mistakes, deletion of files, errors, viruses, defects, delays in operations or transmissions or any failure of performance, whether or not limited to acts of god, communications failure, theft, destruction or unauthorized access to Micfo.com records, programs, equipment, products or services. iii) for consequential, indirect, incidental, punitive or special damages, any loss of profits or revenue earned, or data lost that is used by the customer or any third party; this stands whether the action is in contract, tort, strict liability or other legal theory. iv) when Micfo.com has to take corrective action under this agreement, due to an action resulting from a Micfo.com customer, one of their customers or a reseller customer that as a result may adversely affect all their other customers. Should any of the above occur, Micfo's maximum liability under this agreement from any and all claims (whether in contract, tort, including negligence, quasi-contract, statutory or otherwise) will not exceed the actual dollar amount paid by the customer for the services that gave rise to such damages, losses and causes of action during the quarter period (three months) prior to the date that the damage or loss occurred or the cause of action arose.
Please note that this limitation of liability reflects an informed and voluntary allocation between the parties involved of the potential risks that may exist in connection with this agreement. In addition it is stated that the terms of this section shall also survive any termination of this agreement.

The examples you've provided are not relevant or even close to this industry. I was told to compare oranges with oranges and not oranges with apples.

Sincerely,
Amir.
__________________
Founder & Executive Director
Micfo.com, LLC.
www.micfo.com
#28, 05-16-2007, 04:17 AM
Technical Director

Responsibility

Greetings,

What Amir pointed out, he could not have made any clearer than he did. Thanks for saving me 10 minutes of writing out a response.
__________________
Russell Rademacher

CTO - Datacenter Supervisor
Micfo International LLC.
www.micfo.com
#29, 05-16-2007, 05:28 AM
GhostRider2110, Moderator :: Micfo Forums (Indiana)
Quote:
Originally Posted by exdiogene
I mostly agree with what you say except the conclusion.

If a customer buys a car, it is assumed that he knows how to drive it as well as maintain it in a safe way by following the manufacturer's directives. That's all.

At no point is it assumed that the owner of a car will have the engineering expertise to know whether the manufacturer's glue for the brake lining is strong enough to allow emergency braking, or to know that the tires are not safe over 100 km/h. In the same way you cannot shift responsibility for the damage to the owner of that car, because he is no expert!
Or the dealer who sold the car... which is where I would place Micfo in this picture... Also, as Amir pointed out, it is a totally different industry with different expectations.

Quote:
We can say the same for the end user of "commercial" software that came with a "commercial" selling package like a hosting plan. He has the right to be advised of the known problems of the product, and if nothing is said then he has the right to ask for a refund or compensation for the defective software that came with the package, even if it is stated that the designer takes no responsibility for the consequences of the use of the software.
I can't agree there.... The hosting plan is just that, a hosting plan; no applications are included. Tools to build your own site are there and they are just that, tools, and if used wrong they can get you into trouble. And also, as Amir points out, the terms of service are clear and they are the same as those of most hosting providers I have seen.

Quote:
I would do it if it happened to one of my customers and I had been negligent in intervening within a reasonable time period...
Ahhh, but someone did... it didn't have to be Micfo... This thread was started and a warning was given. With the other hosting provider I use, I didn't even get any type of warning, and there are no forums like this.

Quote:
If the car manufacturer learns about a defective part on a car, he has the obligation to recall all cars to fix the defective part. If he does not do it he can be sued for negligence.
Again, Micfo is not the manufacturer of any of the applications provided....

Quote:
And for your own knowledge, the "zencart", "picture manager" and "soholaunch" were the original ones that came with the Micfo hosting plan; no modifications were made and no directory permissions were changed...

The conclusion: it is always a question of goodwill from all...
That is true, and the goodwill was started when this thread was started.
And as has been pointed out, my use of car and gun manufacturers was probably not correct without putting the dealer in the middle, and even then it is still not apples to apples. Many things are different in the digital industry. I am glad that you would step up and take responsibility for one of your customers like that, and I hope it does not backfire on you. And if 99.9% of the people in the world were honest and didn't have the "let's sue at the drop of a hat" mentality, Amir would not need a terms of service agreement that said more than 2 lines. But that gets me on a soap box and way off topic for here...

See-ya
__________________
Mitchell Baker
Forum Moderator | Questions? PM me
#30, 05-16-2007, 06:08 AM
exdiogene, Software/Hardware Designer/Consultant (Montreal, Quebec, Canada)
Ok,

My first basic question was: "Will Micfo do something to help their customers who were victims of the defacement?"

From what was written up to now I can only deduce that the response is "no", because they do not feel any responsibility in it.

So there is no point continuing this discussion.

I will manage to repair the damage on my side by myself; I just hope your other customers can do it as well!

P.S. But remember that the spying PHP code has been migrated to the new servers and that many customers do not know about it...
Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0
Copyright © 2002-2009 Micfo.com, LLC. - All Rights Reserved.