# Site hacked

## Marq

Went into my website to find a dreaded Google warning message that my site hosts malware and 'visiting this site may harm your computer'.

I discovered that a few files had been hacked and a bunch of javascript code had been added at the end of the files.

Seeing as it's just a static site with no SQL or other means to break in, I assume they came in through the front door. :EEK!:

So I queried this with webafrica, who are avoiding the issue and telling me I must change my website write permissions and then it will be safe. :Rant1: 

Can anyone tell me whether this is my fault, or should I not expect this ISP to safeguard our sites from basic scenarios like this?

Besides being elusive about the situation, this ISP continues to be obtuse and unhelpful whenever I have a problem. Is it normal to be treated as if one has a degree in this stuff, with them talking down to you like a turkey, or do you get helpful people out there in ISP land who would guide you through a situation like this?

Obviously I had a problem, but their initial response is: send us an email and we will respond sometime. Next came the message that it will cost me R300 for a restore from their side, then nothing. I reloaded the site and then had to figure out the Google resubmit and Webmaster Tools etc. to get back in action. No help from Webafrica. It's obviously time for a change... mmmmm... yes, I feel a new year's resolution coming on.

----------


## Dave A

You need to check the folder permissions for your public folder and subfolders. If it's straight HTML pages, set them to read only....

Change your password (and username if possible)!

Also check for unauthorised or non-password protected FTP user profiles.

----------



## tec0

Well, ISPs do think that God made them better. That is basically the problem with any tech in these times: "I am so good I love myself" types that think the normal people are stupid and not worthy of their time.

What Dave suggested is a good start. Also, I would recommend you have a long look at your contract and their policies on protecting your website. I am sure that they made some commitment... And then you contact them and tell them you are not getting the service you are paying for and you think that the consumer council must be involved. Also it would be a good time to get names and a contact number for a manager.

Make waves!!    :Yes:

----------



## tonyflanigan

One of my clients' sites was hacked a few weeks ago. Google informed my ISP, who let me know. I got the mail about ten minutes after Google sent it, and telephoned my ISP right away. He had already fixed what was broken, tossed what was not original, and I was able to mail Google to let them know the site was squeaky clean and wholesome again.

I pay a bit more than I would were I to use another vendor, but have been with my ISP for some years. I have never had reason to be even slightly disgruntled, as he is hands-on, and jacked up. The sorta ISP I need cos I am seriously tech challenged. :Smile:

----------



## Marq

Thanks, Tony - do not be shy, I am in serious need of a new ISP... which ISP are you talking about? If only I could get that type of service. You can make a list if you are not sure about promoting them and just make sure they are first on the list. :Smile:

----------


## tonyflanigan

lol! I'm not shy, far from it, I just don't want to be smacked around, thrown against the wall, and shot at dawn for furthering commercial interests on the forum! :Big Grin:

Speak to Collin, on his cell now, or e-mail him, as he is "on leave", at the moment. 
You can tell him I referred you, I don't get commission or kick-backs or anything, just a "noddy badge" and a "red smartie".

Tel Number : 041-3630535 (9:00am - 4:30pm)
Fax Number : 086-6762661
Email Address : support@bisnet.co.za
Cell : 083-9963068

----------



## AndyD

Of the various ISPs I have dealt with I can recommend eNetworks. They're a smallish business-oriented ISP in Cape Town, not the cheapest but good value for money and a pleasure to deal with. I have no vested interest in their business.

----------



## SilverNodashi

No offence, tec0, but if we (ISPs) have to keep tabs on every client's website that was hacked, then when exactly do you think our staff will find time to do their work?

Websites get hacked due to the following reasons:
1. Weak passwords - on control panels / FTP accounts / email accounts / etc.
2. Outdated scripts on websites, most commonly Joomla / Wordpress / phpBB / SMF / vBulletin / etc.
3. The client accesses his control panel / FTP account / email account from a public PC (internet cafe / "friend's house" / airport / library / etc.) and either left the account logged in, or there was a keylogger on that PC.

- In all the cases above, it's the client's responsibility to make sure his passwords are strong. "MyPass1234" isn't strong! Use something like "PN45%@na8!".
- If the client allows others to access his control panel, for example a 3rd party web designer, then that person can wreak havoc - which often happens when the client & the designer have a fight about the costs of the project.
- If you ABSOLUTELY have to access your control panel from a public PC, then make sure you clean out all cookies, passwords, temporary internet files, etc. from the PC, and change your password immediately afterwards.


I see these things happen a LOT. And while the client believes that it's our fault for not keeping the servers secure and allowing others to access their control panels, it's not. NO FIREWALL will ever keep a website secure, if the client's password is compromised. In fact, if the servers were insecure (for example, in WA's case), then the WHOLE SERVER would have been compromised, not just your website!

If the bank had to hold your hand while you walk down the street to draw cash, then there would be no people left in the bank to operate the bank. How then, do you expect your ISP to pay a staff member to keep an eye on your website 24/7/365 ?

----------


## tec0

Well, it is true that weak passwords are to blame, but again, no... If everything is our responsibility, and the ISP is only the host with no commitment to security whatsoever, then specify it in the contract. Also you can specify the length of the password and you can set up a rule that will force the user to use caps and whatnot for their passwords. But this is not being done because some ISPs found the system too difficult; others just don't worry about it.

At the end of the day, if you expect your client to be more educated than you, then yes, but some clients are new to this world and the ISP needs to make sure that the client is protected on a basic level. But if it is a sink or swim scenario you want, then chances are you will have a few people drowning and a negative image towards hosting in general.

----------


## Marq

Valid comments... if true:

Except, using your analogy - if the bank cannot hold the money properly in its vault, is it the customer's fault when someone breaks in and steals the cash?

Would they - not tell the customer that his cash has gone and wait for him to say 'hey where's my cash?'

Would they after being informed that the cash is missing - ignore the customer and not inform him how to rectify the situation, say for example through insurance.....(ok don't answer that one - they probably wouldn't either - lol)

And - these situations are controlled by the software-  there is no staff member anyway looking after your site 24/7/365.

And - yes - I expect, cause I know jack about these things, the experts to tell me and inform me that my site is at risk. That is why there is a monthly payment for hosting. Google sends the ISP a message that the site has been hacked - it's a simple procedure to pass that message on so that even if it is the client's fault, they can do something about it.

And - how do I know whether I was the only site hacked? The ISP is not going to tell me or the world that they have a problem with many sites being hacked - not good business practice.




> Our hosting service has successfully been migrated to our new network, immediately offering massive resource increases to our locally hosted offerings... As we will now be operating our own network and IPs, we will have full control over the performance and quality of the ADSL network.


That's the message received a few days before the site was compromised. What must I make out from that - that they have a problem and moved their service? Or did someone find a hole after they moved to their own network?

----------


## SilverNodashi

> Well, it is true that weak passwords are to blame, but again, no... If everything is our responsibility, and the ISP is only the host with no commitment to security whatsoever, then specify it in the contract. Also you can specify the length of the password and you can set up a rule that will force the user to use caps and whatnot for their passwords. But this is not being done because some ISPs found the system too difficult; others just don't worry about it.
> 
> At the end of the day, if you expect your client to be more educated than you, then yes, but some clients are new to this world and the ISP needs to make sure that the client is protected on a basic level. But if it is a sink or swim scenario you want, then chances are you will have a few people drowning and a negative image towards hosting in general.


So, how do you propose the ISPs keep tabs on what you do? Think about this for a moment.
How will a firewall help in this case? Your website is supposed to be "open on the internet", so the firewalls really only protect the servers / switches / routers / etc.
If you (not you personally, the client) install Joomla, and insist on using "Johny" as an admin password, then that's NOT the ISP's fault or responsibility. And if the client insists on using "Jonhy" as his email password, then again that's not the ISP's fault.

We, for example, have a minimum password strength of 65 - which is rather high: you need a capital letter, a lower case letter, a digit, and a non-numeric character. To get a score of 65 on most encryption algorithms, you also need a minimum of 6 characters. But this is only effective on our own servers, where we have control over it, for example with cPanel, FTP, email, etc. This doesn't help you if you have a weak admin password in your Joomla installation.


BUT, my point is still, if you access your control panel from the internet cafe in town, then NO SECURITY in the world will help you. 

Re: the comments on the bank: No matter how strong their vaults are, how secure their entire operation is, etc, if you go and withdraw R10,000 cash from an ATM in Hillbrow, then it's your own fault for being robbed. 


While we all like to blame someone else for problems that happen, we also need to be mature enough to take responsibility for our own actions. I can't vouch for another ISP, but I get a bit upset if it's always "the stupid ISP that is to blame".

----------


## Marq

I don't think this should be a blame game cause neither side can really prove their case.

What I do think is that there appears to be this unwillingness for ISPs in general to help out given the various scenarios that can go down.

When my site was hacked, the ISP closed ranks in an immediate 'it's not our fault - you will have to sort it out' mode. It would have gone a long way if they had firstly notified me, cause they knew the situation had gone down, and when I inquired, told me and guided me through resolving the situation. If they had gone into help mode, this thread probably would not be out there for discussion.

The tone of their emails was that I was bugging them as an irritating client.

I do think that ISPs, instead of telling me they have a brazillion clients, a gazillion gigs, a hoard of network wiring, a pentaflop of technical geeks and that they are the greatest thing since the external hard drive, should concentrate on ensuring that I am aware of these very things mentioned, like adequate passwords, surfing at the internet cafe and local hotel, poor and old software, and furthering my education so that I do not pose a threat to the whole system. And if I do ask them a question or have a concern, they take their time out to ensure that I understand the answer or have a warm feeling at the end of the call or email.

My son, who fixes PCs and does IT-type stuff, gleefully told me the other day that there are really stupid people in his town; they don't even know how to switch on their PC. When I pointed out that, firstly, a while back until he had been shown, he did not know how to switch the machine on either, and also that if it wasn't for these 'stupid' people that he also calls clients, he would be holed up in our spare room wondering if he was going to eat that day, his gleeful expression changed, as has his disposition towards his clients.

----------


## SilverNodashi

> Valid comments... if true:
> 
> Except, using your analogy - if the bank cannot hold the money properly in its vault, is it the customer's fault when someone breaks in and steals the cash?
> 
> Would they - not tell the customer that his cash has gone and wait for him to say 'hey where's my cash?'


Sure, but this isn't really the same thing. Is it the bank's fault if you wrote your PIN on your card, and lost your card, thereby giving the thieves the money? Is this the bank's fault?

OR, if your PIN is 12345 / 24680 / 13579 - which although they may look "secure" to you, can be guessed very easily. You need to "think out of the box". The average human being is not a genius, and tends to forget things very quickly, especially with numbers. SO, most people will have a PIN / password that they can remember & pronounce. And, surprisingly, cracker bots are written to look for passwords with easy-to-make-up and easy-to-remember combinations. Even something like Bob@123 is easy enough for a computer bot to find.




> Would they after being informed that the cash is missing - ignore the customer and not inform him how to rectify the situation, say for example through insurance.....(ok don't answer that one - they probably wouldn't either - lol)


You're right, the bank won't. But they could probably offer such a service at an extra premium, and ISPs more often than not have backups of data as well, which they may or may not charge for above your monthly hosting costs.

Could your website be restored from a backup?
And could you, or the ISP determine where & how the hackers got in? This is the question which should make you decide to look for a better ISP though. I agree, if they don't support you afterwards then you may need a better ISP. 




> And - these situations are controlled by the software-  there is no staff member anyway looking after your site 24/7/365.


Yes, and no. How will software know that a change on your website was a defacement, or a legit change? For example, how will a software program know that if there were changes made to this forum, they're actual forum posts, and not hackers? Someone still has to watch it, even if the software application sends them an email saying there were changes. Imagine how many emails Dave's ISP's staff will get today, saying "There was a possible hack attempt on http://www.theforumsa.co.za, please investigate."





> And - Yes - I expect, cause I know jack about these things, for the experts to tell me and inform me that my site is at risk. That is why there is a monthly payment for hosting. Google send the isp a message that the site has been hacked - its a simple procedure to pass that message on so that even if it is the clients fault - they can do something about it.


Really? Do you really expect your ISP to know about EVERY change you make to your hosting account & website? So if you decide to try out a new PHP script, do you want them to automatically detect that you have installed it, and then tell you that it's insecure? OR to "advise" you to use something else, something better? Do you think this is worth the R50pm you pay them every month? How long do you expect they will be in business if they need to employ 200+ staff members at say R5000pm, to watch your R50pm website for any changes made by you, at all?

Think about it this way: you have a business which you need to protect from various elements - floods, lightning, fire, theft, robbery, bankruptcy, etc. Whose responsibility is it to make sure these things are all looked after? Even though I don't know much about most of these things, it's my responsibility to find out about it, and learn what to do. I need to employ a guard, pay for an alarm system & armed response company, employ a knowledgeable accountant, make provision for fire & floods (in our case make sure we have off-site data backups, redundant internet connections, etc.). Even if the shop I rent costs R20k/pm, it's still my own responsibility, not the landlord's (even though my shop is on his premises, and I think that he should keep the thieves out), or the municipality's (for not making this a safer town), or even (as an example) Los Angeles' fault cause they have earthquakes.




> And - how do I know whether I was the only site hacked - the isp is not going to tell me or the world that they have a problem with many sites being hacked - not good business practice.


True, but they may choose not to disclose this info, as it could lead to thousands of other hackers trying their hand at taking this ISP down. Bear in mind that this, and every other ISP, is in competition with all other ISPs, and another ISP could very well have employed the hacker(s) to take down WA. IF they were to disclose this info, then the hackers / competition won, and there would be chaos.




> That's the message received a few days before the site was compromised. What must I make out from that - that they have a problem and moved their service? Or did someone find a hole after they moved to their own network?


Well, what do they say? Is there any link with this? I don't know what they did, or how they operate. 

But, if it was my business, and I would have made this move, then I would either have moved the same servers that your website was running on to a new location, i.e. nothing on the servers would have changed except for the IP addresses and there would be no coincidence with the 2 matters. 

If, on the other hand, the servers can't be moved like this, to avoid downtime, then the new server(s) would be set up at the new data centre, with all security measures in place already, and the migration would happen in real time.

----------


## Dave A

> That's the message received a few days before the site was compromised. What must I make out from that - that they have a problem and moved their service? Or did someone find a hole after they moved to their own network?


:Hmmm: That *is* an interesting coincidence.

It had me thinking when I moved TFSA onto a VPS. Here's a few thoughts that flitted through my mind reading that and Softdux - you'll probably know the answers. 

If you're on a reseller account and you transferred your accounts onto a shiny new VPS or dedi on another service, what are the chances that *all* the security and permission settings will remain the same?

What if that shiny new VPS or dedi is not on a managed package with experienced server techs tweaking the "default" security settings?

What if the old files were left on the old server and someone from the old firm was p'd off or bored?

Of course if they were *really* setting up their own server from scratch and weren't techs, I'd be truly sh*tting myself.

----------


## Marq

> Really? Do you really expect your ISP to know about EVERY change you make to your hosting account & website? So if you decide to try out a new PHP script, do you want them to automatically detect that you have installed it, and then tell you that it's insecure? OR to "advise" you to use something else, something better?


Great idea - yes




> Do you think this is worth the R50pm you pay them every month?


For sure - I pay a lot more than what you deridingly assume I do, and if all I am getting is some space on a server and no other service, as you are suggesting, then it's damn expensive.




> How long do you expect they will be in business if they need to employ 200+ staff members @ say R5000pm, to watch your R50pm website for any changes made by you, at all.


Let's see - 200 staff X R5000 salary = R1mill
25000 clients (WA's claim) X (your) R50 subscription = R1.25mill
But on this basis - seeing as I make a change every three to six months on the odd page - that's say 8000 clients changing stuff over the year for the 25,000 clients, divided by 200 staff = each staff member must monitor and worry about 3,3 changes a month. So 200 staff is way too much. So if each staff member looks after one client change a day, that's about 25 staff needed. They will be in business a long time and have happy clients.

The point though, as we can see in your answer, is that the client is always in the wrong. Take the PIN code for example - I did not give it away. I say the ISP let it out of the bag - but you automatically gave them the benefit of that doubt.

A restore was eventually offered by WA for an additional R300 - I had to suck them for the answers - it then turned out they only keep backups for 7 days and did not have a clean version as the hack had happened prior to that. So they expected me to buy my site back from them after they lost it.

I could not find how the hackers got in and the ISP sure is not going to admit to having holes - so one will never know the answer to this.

If Google can assume a malware hack and stop the site loading, then I do not believe that the ISP is unable to run software against their clients' pages to look for the same, so I do not believe this is mission impossible. Similarly they could run software against the dates of files and scripts that may indicate old and vulnerable software. This could then be offered as a service to the client to update the site for the client... at a cost of course. If that was offered and then refused and an attack occurred, well now there's a reason to say I told you so.

From what I can feel, there is this thought that because the service is so cheap it does not include anything beyond storage, and there is no responsibility out there in ISP land.

Like I said - all we want is some service, good advice and accountability, which we assume is in the monthly hosting fee. Denial of that service and hiding behind technical issues, when things go wrong, is no different to the insurance guys who let you believe you are covered and then run and hide when the claim happens.

----------
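A defender's version of the monitoring Marq argues for, as an added example that is not code from the thread or from any ISP named in it: it keeps a SHA-256 baseline of the public folder (hash-based rather than date-based, since a file's age says nothing about whether it was altered) and flags changed pages that now carry a script after their closing tag, the pattern Marq found on his static site. The file names, the sample pages and the placeholder script are all constructed for the demo.

```python
"""Hash-based integrity check for a static site's public folder.
Hypothetical helper written for this thread; not any ISP's tooling."""
import hashlib
import json
import tempfile
from pathlib import Path

PAGE_SUFFIXES = {".html", ".htm"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes; unlike the mtime, this cannot be kept
    looking untouched by an upload tool that preserves timestamps."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (path relative to root) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def trailing_script(data: bytes) -> bool:
    """True when a <script tag appears after the last </body> or </html>.
    Code tacked onto the end of a finished page lands there; hand-written
    markup normally does not, so it is a cheap, high-signal heuristic."""
    text = data.decode("utf-8", errors="replace").lower()
    end = max(text.rfind("</html>"), text.rfind("</body>"))
    return end != -1 and "<script" in text[end:]


def check_site(root: Path, baseline: dict) -> dict:
    """Diff the current tree against a saved baseline and flag pages that
    changed AND now carry a script after their closing tag."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": [], "injected": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for rel in report["added"] + report["modified"]:
        page = root / rel
        if page.suffix.lower() in PAGE_SUFFIXES and trailing_script(page.read_bytes()):
            report["injected"].append(rel)
    return report


def demo() -> dict:
    """Constructed walk-through: baseline a three-file site, make one
    legitimate edit, append a placeholder script to another page, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        site.mkdir()
        (site / "index.html").write_text("<html><body><h1>Hi</h1></body></html>\n")
        (site / "about.html").write_text("<html><body><p>About</p></body></html>\n")
        (site / "style.css").write_text("body { color: black; }\n")
        # Keep the manifest outside the web root so a web-only compromise
        # cannot rewrite it; constructed path for the demo.
        manifest = Path(tmp) / "baseline.json"
        manifest.write_text(json.dumps(build_baseline(site)))

        # Owner edits a page: expected to show up as modified, not injected.
        (site / "about.html").write_text("<html><body><p>About us</p></body></html>\n")
        # Stand-in for the appended code the thread describes (constructed,
        # inert placeholder, not real malware).
        with (site / "index.html").open("a") as fh:
            fh.write("<script>/* placeholder */</script>\n")

        return check_site(site, json.loads(manifest.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be rebuilt after each deliberate upload and the check run from cron, with the manifest stored where the web server's account cannot write.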


## AndyD

Just from what I've read here, the customer doesn't trust the ISP, the ISP and customer aren't communicating on any meaningful level, and neither the customer nor the ISP feel that security is their responsibility or have a common understanding as to what is whose responsibility; it's no wonder the script kiddies are working in such a target-rich environment and you're getting pwned by the haxors.

----------


## Dave A

> Let's see - 200 staff
> 25000 clients.


OK. Scrap the palukas theory  :Embarrassment:

----------


## tec0

Let us start. Firstly, I would love to see a sixty digit pass-code when you withdraw money. Typing it might take a few minutes but it will be secure. Is it the bank's fault if I lose my cash-card? Oh HELL YES it IS the bank's fault! Why are we using outdated technology? Do you know how easy it is to duplicate a cash card "the one without the chip!" and how long did it take banks to implement the smart card?

There are some nifty new technologies that are able to identify you in a few seconds no matter if you had facial reconstruction because it takes a picture of your internal genetics like blood-vessels and if I recall it is only second to DNA identification. So this technology is available and can be implemented so that I can use my face and a pin-code. And if I am dead then the Camera will see it and it will not work.

Now let's continue with what is possible. It is possible to specify a 31 character password to be used in the contract so there is no negotiation. Then in your password rules you specify that it must have X amount of whatever you feel is necessary: 999AaC@#%$YIOT77895)(&^%((***^%. I think cracking that will take a few seconds more than normal. So as an added extra you set up a second rule that the password must be renewed every 10 working days.

Now you give the user a nice document that specifies the dos and don'ts and everyone is happy.

----------


## Dave A

> There are some nifty new technologies


At what cost? Just remember, ultimately the client foots the bill.



> It is possible to specify a 31 character password to be used ... So as an added extra you set up a second rule that the password must be renewed every 10 working days.


Erm... We're talking about *people* doing this, right?

I think we should bear in mind that in most instances hacking doesn't occur due to a lucky guess or brute force attack. It's shoulder surfing, fooling a person into giving up their password, finding scraps of info that contain the password...

----------


## SilverNodashi

> That *is* an interesting coincidence.
> 
> If you're on a reseller account and you transfered your accounts onto a shiny new VPS or dedi on another service, what are the chances that *all* the security and permission settings will remain the same?


Very slim. 

When it comes to websites, there are 2 (visible) levels of security, that of the server and that of the website. Moving your website to a new server means you'll lose all the current server's security protection. The only security settings you retain are those which you have control over. For example, on a cPanel server, your cPanel username & password will stay the same. If you set up extra security measures on your website, for example .htaccess files / CAPTCHA protection / "smart PHP script that could do firewalling" / etc., then that goes with you.

But, if the previous server had, for example, phpsuexec installed, or a brute-force detection script, then it stays behind. And it is the server admin's (whether it's the ISP in question, or, if you prefer / have an un-managed server, yours) responsibility to set up the security measures on the new server again. The internet has changed a LOT in the last 2-3 years, and security measures have taken a leap over what they used to be 2 years ago. For example, on our servers, we deploy about 50 different security measures before we even consider setting up a client's account on it.




> What if that shiny new VPS or dedi is not on a managed package with experienced server techs tweaking the "default" security settings?


Then you have a problem  :Smile:  There's generally 2 ways of running a server, if you want to run your own server. It's either managed by the ISP - with different levels & pricing involved, or self-managed, where you take care of it yourself. 

If you don't know how to manage a server, or VPS, then you either need to employ a tech who does, or pay the ISP to manage it for you.




> What if the old files were left on the old server and someone from the old firm was p'd off or bored?

As in, someone from the old ISP took revenge on you? Sure, it's possible, BUT probably only really if your website hosting brought in say R20k/pm, and they suddenly lost that R29k/pm. OR, maybe if you did something which directly influenced them and their business. But, for the average joe-soap site, I don't see why another ISP would go through that effort. But even then, it's still your responsibility to change your password on the new ISP's server for this exact reason.

> Of course if they were *really* setting up their own server from scratch and weren't techs, I'd be truly sh*tting myself.


WA has some good techs, but I have seen a lot of cases where they have messed up big time, with similar results as the OP experienced. 


I'm not taking WA's, or any other ISP's, side in this; I'm purely trying to show you that ISPs are not always to blame, even though South Africans enjoy playing the blame game.

----------


## SilverNodashi

> Great idea - yes
> 
> 
> For sure - I pay a lot more than what you deridingly assume I do, and if all I am getting is some space on a server and no other service as you are suggesting then its damn expensive.
> 
> 
> 
> Let's see - 200 staff X R5000 salary = R1mill
> 25000 clients (WA's claim) X (your) R50 subscription = R1.25mill
> But on this basis - seeing as I make a change every three to six months on the odd page - that's say 8000 clients changing stuff over the year for the 25,000 clients, divided by 200 staff = each staff member must monitor and worry about 3,3 changes a month. So 200 staff is way too much. So if each staff member looks after one client change a day, that's about 25 staff needed. They will be in business a long time and have happy clients.


Fair enough, with R250K profit they have no excuse not to hold their client's hands, even when they surf. But, how much profit do they make from the R50pm subscription? They still need to pay rent, purchase new equipment (you want better technology in the future, right?), phones, water & lights, insurance, etc. 




> The point though as we can see in your answer is that the client is always in the wrong. Take the pin code for example - I did not give it away. I say the isp let it out of the bag - but you automatically gave them the benefit of that doubt.



Marq, I didn't say that, but instead I'm trying to imply that it's a 2-way street. The client needs to take responsibility as well. 

IF your website is really that important (let's take a bank's website, for example), then surely you (as owner) should do your part to make sure everything on your side is fine. The banks, in this example, spend a few million a month on security (staff / their own servers / own data centre space / developers who code very well / etc.). IF their site gets hacked, whose fault is it? Theirs, or the ISP's? - this is an example, but I don't know if it came through properly.

Let's bring it to our level. If one of our resellers' accounts gets hacked, whose fault is it? Ours? Our client's (as reseller), or his client's? Let's say the 3rd party developer (so we're 4 levels down now, us -> reseller -> his client -> 3rd party developer) doesn't follow secure coding standards, and a hacker discovers an XSS flaw, and then gets the client's control panel password and hacks into the control panel. This hacker is then a bit more patient in leaving his marks. He then leaves some "worms" on the client's account to get other info from the client. Any username & password combination can be used to possibly hack other accounts the client has. BUT, since he has access to the client's account, he has access to the client's email as well, and could silently capture all emails the client gets (like new password requests from this forum, or even the bank, or whatever). This goes on for a month or 2; if he's really clever, he'll lay low for about 6 months (long enough for his "stealth worm" to have infiltrated the backups and the logs in such a way that an admin won't see it as abnormal activity), and then he strikes and causes havoc. IF this account was a forum, then he would have thousands of email address & password combinations - even if the passwords are MD5 encrypted, he could probably have enough PC power to decrypt those passwords. My guess is, about 70% of those passwords are easy to pronounce, and could thus be cracked against a dictionary - which is quick on a multi-core XEON.




> A restore was eventually offered by WA for an additional R300 - I had to suck them for the answers - it then turned out they only keep backup for 7days and did not have a clean version as the hack had happened prior to that. So they expected me to buy my site back from them after they lost it.
> 
> I could not find how the hackers got in and the isp sure is not going to admit to having holes - so one will never know the answer to this.


This IMO leads me to believe they either don't know, or don't want to dig deeper to find the problem. OR, they screwed up somewhere like you suspected. 

Do they not have an option where you could restore your website yourself?
And do you have access to any raw logs on the server? This could sometimes indicate where / how the hacker got in. 
Can you pronounce your password? If so, then you need to change it ASAP.




> If google can assume a malware hack and stop the site loading then I do not believe that the isp is unable to run software against their clients pages to look for the same, so I do not believe this is mission impossible. Similarly they could run software against the dates of files and scripts that may indicate old and vulnerable software. This could then be offered as a service to the client to update the site for the client...at a cost of course. If that was offered and then refused and an attack occurred, well now there's a reason to say I told you so.


It's not as simple as running a script against the date of the script. The main problem is, there's probably 50 billion scripts on the internet, and a date check alone won't be accurate enough.

For example, a client uploads a static web page in 2003, with some basic HTML content and nothing more. The monitor script will then go berserk on this account due to the date. There's no need to update the site as the static content is invulnerable. Do you think this client would enjoy being spammed by the server every day / week / month - whenever the script runs to say his 7 year old HTML page is a hazard? I can see how this is going to peeve off some clients already. 

Similarly, if you decide to upload a script, like say Joomla, which has 7,968 scripts (new install - no mods or anything yet), and there's say 100 clients (there's normally more) on this particular server - that would be 796,800 scripts for a single Joomla installation per account alone. What if every client has a forum & blog installed as well? Now, this figure goes up to say 2,788,800 scripts. 

So, a simple date checker script will need to loop through 2,788,800 scripts, every day to see if the date is older than say 6 months (to be a realistic number)?



In theory, your suggestion is a valid one, but not practical, by a million miles. Is it really so hard to take responsibility for your own website? Does your website mean so little to you that you refuse to take care of it and insist that the ISP do it? And if they absolutely need to take care of it, are you prepared to pay extra for it?
I'm asking this, as a matter of research  :Smile: 




> From what I can feel, there is this thought that because the service is so cheap it does not include anything beyond storage and there is no responsibility out there in isp land.


How much of the R50 (this is purely the example) you pay do you think the ISP's actually pocket as mark-up? Sure, I would love to assign a dedicated tech to every client I have, but my business will go down in flames on day1. 

And while the thought is probably very true, I can assure you that it's not 100% so. That R50 (with your calculations on 20,000 clients is R1.25mil) needs to pay for servers, switches, firewalls, server room (either rent or maintenance on own equipment), software licenses, staff, office, water & light, insurance, bandwidth (chances are R30 is for bandwidth only, so they don't even see that money), and the list goes on. The responsibility is in fact far greater than you think. If, for example, they didn't spend R25K on a new server recently, they couldn't accommodate your website. OR, that new R400K firewall makes a huge difference on DDOS, QOS, VLAN, etc control making everyone's life easier. And, the new software licenses probably cost them in the region of say R700K this year, but they need to pay it to keep up with the demand. 

i.e. they provide you with all the tools you need to make sure your website is up and running, 24/7/365, with security (physical & electronic), with all the software that you need (server OS, control panel, mail server, database server, site builders, etc, etc). You just need to maintain your own website. Is this not responsible enough?

Do you want them to run your website as well? And take care of the CEO while they're at it? And how about managing your company? 
All of these  are possible (whether WA offers it or not,I don't know), but will cost you extra money. Did you pay the extra money? Then you get the service. If not, then you can't expect it. 




> Like I said - all we want is some service, good advice and accountability, which we assume is in the monthly hosting fee. Denial of that service and hiding behind technical issues, when things go wrong, is no different to the insurance guys who let you believe you are covered and then run and hide when the claim happens.


Agreed. But again, I can't vouch for any other ISP. I just get a bit worked up when the ISP industry is always to blame for everything, even though 70%+ of the problems are user-related.
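Marq's request was for something that scans client pages for the kind of tampering Google flagged, and the objection above is that judging files by their dates does not scale. A content-hash baseline is the check a static-site owner can run themselves; this is an added example for the thread, not code from the OP or the hosting company, and the site files, file names and the "appended script" tampering are all constructed for the demo.

```python
"""Content-hash baseline for a static site.

Added example for this thread, not code from the OP or the hosting
company. Instead of judging files by date, it records a SHA-256 per
file once, later reports which files changed, and flags the symptom
the OP described: script appended after the closing </html> tag.
"""
import hashlib
import json
import os
import re
import tempfile

# <script> appearing anywhere after </html> is never legitimate markup.
TRAILING_SCRIPT_RE = re.compile(r"</html>.*?<script", re.IGNORECASE | re.DOTALL)

def file_sha256(path):
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest

def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def trailing_script(path):
    """True if an HTML file contains <script> after its closing </html> tag."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="replace")
    return TRAILING_SCRIPT_RE.search(text) is not None

def check_site(root, baseline):
    """Compare the current tree against the baseline manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    suspicious = sorted(p for p in modified + added
                        if p.lower().endswith((".html", ".htm"))
                        and trailing_script(os.path.join(root, p)))
    return {"modified": modified, "added": added, "removed": removed,
            "trailing_script": suspicious}

def demo():
    """Build a tiny constructed site, baseline it, tamper with it, and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "about"))
    pages = {  # constructed site content
        "index.html": "<html><body><h1>Home</h1></body></html>\n",
        "about/index.html": "<html><body><p>About us</p></body></html>\n",
        "style.css": "body { color: #333; }\n",
    }
    for rel, body in pages.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    # Keep the baseline outside the web root so a defaced site can't rewrite it.
    manifest_path = os.path.join(tempfile.mkdtemp(), "manifest.json")
    save_manifest(build_manifest(root), manifest_path)
    # Simulated tampering (constructed, inert placeholders): script appended
    # after </html>, plus a new file dropped into the tree.
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<script>/* injected placeholder */</script>\n")
    with open(os.path.join(root, "x.php"), "w") as f:
        f.write("<?php /* dropped file placeholder */ ?>\n")
    return check_site(root, load_manifest(manifest_path))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the baseline from a cron job and mailing the report only when something is in `modified`, `added` or `trailing_script` keeps it quiet for the 2003 static page and loud for the OP's incident.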

----------


## SilverNodashi

> Let us start, firstly I would love to see a sixty digit pass-code when you withdraw money. Typing it might take a few minutes but it will be secure. Is it the bank's fault if I lose my cash-card? Oh HELL YES it IS the bank's fault! Why are we using outdated technology! Do you know how easy it is to duplicate a cash card "the one without the chip!" and how long did it take banks to implement the smart card???????


How can you hold the bank / ISP / whomever responsible for your own foolishness / negligence ?




> There are some nifty new technologies that are able to identify you in a few seconds no matter if you had facial reconstruction because it takes a picture of your internal genetics like blood-vessels and if I recall it is only second to DNA identification. So this technology is available and can be implemented so that I can use my face and a pin-code. And if I am dead then the Camera will see it and it will not work.


Even if it is available, people don't want to use it. It's a simple known fact that the more difficult it is to do something, the less willingness there is from a human to perform it. If my bank made me jump through 5 hoops just to get my money, then I'll definitely move to an easier bank. I keep an eye on all my cards, my PINs are super random, on every single card I own, and I don't carry all cards on me at any given moment. I take responsibility, 'cause the banks don't give me my own bodyguard just 'cause I pay them R150 per year, regardless of the fact that I have R1, or R1million in their vault. And, if I go and take out that R1million, their security still only stops at their door. What happens outside their door is my problem. Do I hold them responsible for being robbed? 




> Now letâs continue with what is possible. It is possible to specify a 31 character password to be used on the contract so there is no negotiation. Then on your password rules you specify that it must have X amount of whatever you feel is necessary 999AaC@#%$YIOT77895)(&^%((***^%  I think cracking that will take a few seconds more than normal. So as an added extra you set up a second rule that the password must be renewed every 10 working days. 
> 
> Now you give the user a nice document that specifies the does and donâts and everyone is happy.


This is very possible, but how many people do you actually know, who will remember that password? And how many people do you actually know, apart from yourself who would change their password every 10 days. 

Even then, if whatever you have online is THAT important to you, then a shared hosting account is most definitely not the right solution for you. And then you also can't rely on a 3rd party for security, you need to employ your own staff who are sworn in by your rules, and whom you can sue if something goes wrong. In this case, is it the ISP's fault if you decided to make use of their shared hosting environment to store every human being's DNA code information?

----------


## SilverNodashi

> I think we should bear in mind that in most instances hacking doesn't occur due to a lucky guess or brute force attack. It's shoulder surfing, fooling a person into giving up their password, finding scraps of info that contain the password...


Dave, you'd be surprised to know that is not entirely true. Do you know how many people have passwords like "Pass123", "Pass1234", "a1b2c3d4", "qwerty12345", etc? Although they all look safe, they're not. A lot of hacking attempts involve brute force since the average human has a limited brain span, i.e. only "think as far as their noses reach". Many people also stick to the default "root", "admin" or "administrator" usernames - which is as bad an idea. Joomla / Wordpress / vBulletin / etc check to see if a given password matches a given username, so if one of the default usernames is already used, then brute force attempts are much easier. 

We sometimes get a few hundred emails a day from our servers notifying us that a brute force attempt was made and the IP address blocked. Normally these emails go unread, but we have some software which looks for similarities, like a brute force on a certain service (for example POP3 / SMTP / SSH / FTP / SQL / etc), and then escalates a ticket to take action, at which point we contact the ISP(s) where the hacking attempts come from and get them to take action where needed. 

Yet, even with the most sophisticated firewalls in the world, nothing will stop a hacker if the password was written down & obtained that way (i.e. an employee writes the password in notepad & saves it on his PC, or on a piece of paper), or if the website has very poor security measures. Normally a website won't detect brute force attempts, and the hacker can get in. And then, more often than not the owner uses the same username & password for his control panel as well, so the hacker doesn't need to try brute force, and the firewall won't pick it up, and the hacker gets in. - Is the ISP to blame in this case? Most definitely! It is their responsibility to monitor every guest, user & IP address on the website, trace the IP address to the hacker's home, and do a security check on them. The ISP is also supposed to contact the person on the other end of Russia and ask him 50 security questions before he can access your website.

----------


## Marq

When it comes to non technical types employing/hiring/subscribing to a technical situation/company/person then unless the ground rules are specifically documented and laid out and agreed to upfront, the technical guy is always going to take the flak when a technical type issue comes about. This is the unwritten rule of technical guy blaming perfected by us non technical guys. :Smile: 

I think to resolve these issues in the future, the first thing that has to change is the communication of these elements we have talked about so that both parties know what is expected of them.

ISP's generally have a couple of packages that they offer - for the cheap package you can have 5 emails, a static type site, x megs of this and that etc. For the more advanced site with database and more stuff the package costs that much more. So we have a list of what is provided and catered for but that's it. There is a lot that is assumed, one of those being that the new client knows what this is all about and should just get on with the job of getting their site up and active. When I have signed on in the past, I have received very little afterwards besides an email saying here's the link to get to your domain via cpanel or whatever and your ftp password and user is as follows. Thereafter I do not recall receiving anything like - welcome to our isp, do you have any questions or thoughts on how this all hangs together.

Nobody has sent me an email or picked up the phone and said 'welcome', can we establish a few principles of how we operate and what we do, and did you know that there are a few things you are responsible for and things we suggest you do, for example it is your responsibility to keep the password safe and did you know it should be at least 8 characters long (sleepygrumpyhewey,dewey.... :Big Grin: ) etc and that we can do additional stuff like backing up your site and restoring your site but this will cost you an additional fee every month and if you want we can run some analytical software and advise of your site's content etc. for a few dollars more. Ok all set, tick this box here and it's all systems go. I looked around at a few isp sites and cannot see these simple rules of engagement.  

The isp could identify their clients and place them into levels of competency: these guys seem to know stuff and we can leave them to get on with it, these guys do stuff and might need hand holding, and these guys know absolutely nothing and it will be easier to do things for them, rather than try to explain to them why the world goes round. The idea here being that the technical guys can learn that everybody is not as bright as them and that they should try and communicate at the right levels. 

The clients can then get emails and communication in their own language and everybody feels a lot happier. 

I think that the basics and the problems experienced such as hacking and spamming are few enough that a set of thoughts and rules can be drafted to indicate who is responsible for what. If I had a set of rules that said...If your site gets hacked - it is probably your fault. You must check that your scripts and passwords and method of operating are correct. If it does happen - we will notify you and we will help you get your site back up and running by doing the following....it would be great and most of the problems would go away.
If you need to restore your files for some reason, it will cost you an additional R300 per incident.
If you want a dedicated staff member to help you through and advise you what you should be doing, we will provide this with pleasure - absolutely free.

I think if this side of customer relations came into being by isp's and the various options of what can be done on the net for the client as added extras and suggestions then the isp would be able to make a few extra bucks, create some client loyalty and a scenario where they would not be seen as the bad guys and can be trusted. Right now, my isp is the last company I contact for any advice on internet related issues - if one thinks about it.....they should actually be the first, but I hate being spoken to in that arrogant manner where I end up not getting an answer or wondering what it is that I am supposed to do.

----------


## AndyD

I think passwords as security is not a good system. The average person might have a credit card, a debit card, online banking, 3 or 4 online login accounts, cellphone pincode, 2 x home pc logon, 1 x work pc logon, website admin login and so on. With this number of passwords it's not surprising people duplicate or use birthdays etc to make passwords. If you don't have an extraordinary memory you can't win, either your passwords are weak or duplicated or you write them down.

----------


## Dave A

This is one fascinating discussion - as much as it deals very honestly with our expectations of each other as all the technical issues raised.



> If you're on a reseller account and you transferred your accounts onto a shiny new VPS or dedi on another service, what are the chances that all the security and permission settings will remain the same?





> Very slim. 
> 
> When it comes to websites, there's 2 (visible) levels of security, that of the server and that of the website.


That's pretty much what I thought. When I upgraded to a VPS I was staggered at the options. Happily I'm on a managed account so tweaking them is not my problem. 




> I think we should bear in mind that in most instances hacking doesn't occur due to a lucky guess or brute force attack. It's shoulder surfing, fooling a person into giving up their password, finding scraps of info that contain the password...





> Dave, you'd be surprised to know that is not entirely true. Do you know how many people have passwords like "Pass123", "Pass1234", "a1b2c3d4", "qwerty12345", etc? Although they all look safe, they're not. A lot of hacking attempts involve brute force...


And if we just look at *successful* hacking attempts?

I hear you about weak passwords, but wouldn't timing out an IP range for a series of unsuccessful login attempts give a heck of a lot more bang for your (password strength) buck?




> I think passwords as security is not a good system. The average person might have a credit card, a debit card, online banking, 3 or 4 online login accounts, cellphone pincode, 2 x home pc logon, 1 x work pc logon, website admin login and so on. With this number of passwords it's not surprising people duplicate or use birthdays etc to make passwords. If you don't have an extraordinary memory you can't win, either your passwords are weak or duplicated or you write them down.


A way to deal with this is to have a key password which is pretty secure in itself and then insert a context specific fragment to make sure each one is different. Personally I've got 4 keys with 3 different fragment rules for different segments of my (password) life.

----------


## SilverNodashi

> And if we just look at *successful* hacking attempts?


I'm busy fixing a hacked account for a client right now. He was running Joomla 1.0.8 and the website wasn't updated in 3 years. The hacker brute forced his Joomla installation, so the firewalls didn't pick it up. From there the hacker found a weakness in the Joomla installation, and installed a rootkit on the client's account. Our server security prevented the rootkit from doing any harm to the server itself, so the damage isn't too bad. 




> I hear you about weak passwords, but wouldn't timing out an IP range for a series of unsuccessful login attempts give a heck of a lot more bang for your (password strength) buck?


Not really. Bob is on a Telkom ADSL account and attempts to hack the server, our server then blocks the whole Telkom IP range, and 40 of our actual clients suddenly can't get email, or into their websites. This causes more problems, since "the ISP is down again" - I often get threatening emails from angry clients who can't get into their websites, and 97% of the time John has received a dynamic IP from Telkom / Vodacom / iBurst / etc which was previously blocked by our firewall for hacking attempts. And then we're the ones who have poor uptime and "email is always down". Simply put, we can't win. 


I also, from time to time, get other smaller ISPs blocking access to our mailservers, so the client who hosts their website on our server, and uses them for internet access, can't get his email. Who is to blame? We are, since our systems are down again. 

Who remembers, a few years ago, Mweb blocked access to their clients' websites for internet users who dialed up with other ISPs. Who was to blame? The other ISPs. What ended up happening, a lot of those angry clients ended up signing up with Mweb, since "Mweb's systems always work".
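The two positions above (time out the source of a run of failed logins, but don't take a whole ISP's range down with it) can be shown side by side. This is an added example, not the hosting company's tooling: it replays constructed auth-log lines through a per-address lockout and then counts how many other paying clients a range-wide block around the same offender would have cut off; the log format, timestamps and addresses are all made up for the demo.

```python
"""Per-source lockout vs. range blocking over constructed auth-log lines.

Added example for this thread, not the hosting provider's own tooling.
Log format, timestamps and addresses are all constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log lines in a syslog-like shape (not real data).
SAMPLE_LOG = [
    "2009-12-27 08:00:01 auth: FAILED user=admin ip=196.25.1.10 svc=pop3",
    "2009-12-27 08:00:02 auth: FAILED user=admin ip=196.25.1.10 svc=pop3",
    "2009-12-27 08:00:03 auth: FAILED user=root ip=196.25.1.10 svc=pop3",
    "2009-12-27 08:00:04 auth: FAILED user=administrator ip=196.25.1.10 svc=pop3",
    "2009-12-27 08:00:05 auth: FAILED user=test ip=196.25.1.10 svc=pop3",  # 5th failure
    "2009-12-27 08:00:06 auth: FAILED user=guest ip=196.25.1.10 svc=pop3",  # already locked
    "2009-12-27 08:00:30 auth: OK user=bob ip=196.25.7.200 svc=pop3",  # real client, same /16
    "2009-12-27 08:01:00 auth: FAILED user=alice ip=41.0.0.5 svc=ftp",  # one typo
    "2009-12-27 08:01:05 auth: OK user=alice ip=41.0.0.5 svc=ftp",
    "2009-12-27 09:00:00 auth: FAILED user=admin ip=196.25.1.10 svc=pop3",  # lockout expired
]
# Constructed addresses of paying clients on the same server.
CLIENT_IPS = ["196.25.7.200", "196.25.33.4", "41.0.0.5", "41.208.9.9"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) auth: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) svc=(?P<svc>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, ip, service), or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"], m["svc"]

class LockoutPolicy:
    """Lock out ONE source address after max_failures within window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires

    def observe(self, ts, result, ip):
        """Return 'denied' (already locked), 'locked' (this event tripped it) or 'allow'."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "denied"
        if result == "OK":
            self.failures.pop(ip, None)      # a successful login clears the counter
            return "allow"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
            return "locked"
        return "allow"

def run_sample(lines=SAMPLE_LOG, policy=None):
    """Replay the log through the policy; return locked IPs, denied count and per-line decisions."""
    policy = policy or LockoutPolicy()
    decisions, denied = [], 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip, _svc = parsed
        decision = policy.observe(ts, result, ip)
        decisions.append(decision)
        if decision == "denied":
            denied += 1
    return {"locked": set(policy.locked_until), "denied": denied, "decisions": decisions}

def range_collateral(locked_ips, client_ips, prefixlen=16):
    """Clients that a /prefixlen block around each locked address would also cut off."""
    nets = [ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in locked_ips]
    return {c for c in client_ips
            if c not in locked_ips and any(ipaddress.ip_address(c) in n for n in nets)}

if __name__ == "__main__":
    summary = run_sample()
    print(summary["decisions"])
    print("locked:", summary["locked"],
          "clients a /16 block would also cut off:",
          range_collateral(summary["locked"], CLIENT_IPS))
```

With the sample, only 196.25.1.10 is locked and Bob at 196.25.7.200 keeps working; a /16 block around the same offender would have cut off two of the four constructed clients.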

----------


## tec0

Look, all I am saying is you get "online inscription host keys". You get server to user inscription hardware. And in most cases it is the packet header that gets "heavy" and inscription keys are a good piece of technology to start with. See net hosting was designed to have a "control panel" and basically if you know how to log on it will only take time before you are in. 

Fact is networks are not as secure as they used to be. A 10 year old can do data capture and getting the data decrypted is just a matter of time because most keys can be found on "script-kiddie" websites all over the net.

Secondly is "social hacking": getting your target's e-mail, keyboard loggers and all that bad stuff can be done easily and is being done by people that do this kind of thing for fun. 

Let me ask a question: Do you or don't you send out newsletters regarding security? If so what new developments are there available? Was this technology tested? 

See homework needs to be done from the user's side and homework needs to be done from the ISP's side. Can the "control panel" be a small program that you install and with that program you get a special activation key and this key will run with the inscription key and your username and password. What about random passwords. "Like what is your dog's name" stuff like that... Random passwords can be effective and are more difficult to attack. 

The point I was hoping to make was "innovation!"

----------


## SilverNodashi

tec0, your points don't go unnoticed. 

From experience though, I find that a lot of users either don't read those emails, or they forgot the info already. 

Why do they ignore, or not read, the emails? 
- Is the info too technical - most probably, but how do you speak about a technical issue, in a non-technical way?
- Are they too busy to bother? Probably as well.
- Is the info in the emails relevant? I don't know.

I work with the servers every day, so technical emails like this are good for me. But I don't think they mean much to a shop owner who sells roses, for example. 


When a client signs up, they automatically get a welcome email with a lot of info, including on how to login to their control panel, how to setup email addresses, upload a website, etc. Yet, we still get a lot of support calls on, "how do I setup an email address", or "how do I upload my website". 

Then, 45 days later we send out another email asking them if they need any help with anything, or if they found everything they need. All emails have links to our: billing portal, support desk, knowledge base, order form, etc. 

This tells me that those emails are either not read, or not understood well enough.

We have a fairly large knowledge base with everything the clients need to manage their hosting account, but we still get the support calls & tickets. 

Bottom line, I think, is that people don't like reading emails or website content. They want to be spoon fed, and then they insist you help them chow the food as well.

----------


## tec0

Well you may be surprised at what it is I can do and what it is that I know when it comes to computer security. It used to be my job. But more importantly I also got sick with all the support questions and people just phoning all the time.

This is how I got through to the customers. I started with the questions asked. I then identified the important questions and made a "lot" of 7 minute to 10 minute video clips and converted it to DVD format so that anybody that can operate a DVD player would be able to watch the clips. 

I got a CD/DVD Duplicator and in about 3 months our calls went down by about 30% more or less. Also I wrote a topic list so that if the people that called asked about something that was on the DVD they would be told by support team that this is number so and so on the DVD. And then helped them with their problem. 

Still after a while things did get better. Every six months there would be a new DVD that was delivered to them via "registered post" and I could say it was a success especially with our wireless products. I got the call volume down to about 50% and that is a lot! Especially when it comes to wireless products and setup support! It was really a successful strategy. 

See "innovation" - the technology exists so use it.    :Smile:

----------


## daveob

I see your point and agree with a lot of what you say, BUT ....




> We have a fairly large knowledge base with everything the clients need to manage their hosting account, but we still get the support calls & tickets.


I run a business, and when my web site or server or mail server or apache or mySQL or FTP or PHP code goes wrong, I am not interested in spending 30 to 60 frustrating minutes searching a knowledgebase with a minute hope of finding the correct solution - when my day goes pear shaped, I pick up the phone and call technical support -- PRONTO -- that's human nature.

The only thing I have found that helps my clients ( some quite PC illiterate ) is I direct them to my web site, click on a link and use RemoteView to connect to their screen - then I can take them through the steps one-by-one and they can see what I'm doing - often a lot faster than trying to talk them through it on the phone. 

Yes sir - Click on the button - Yes, with the right button - the one on the mouse, no, a single click. Click on the Start button - no, on the screen - yes, with the mouse - the right mouse button. It's at the bottom left corner of the screen ...... and just pray you don't have to ask them to use ctrl-alt-del ...... and my wife wonders why I'm almost bald !!

----------


## SilverNodashi

> I see your point and agree with a lot of what you say, BUT ....
> 
> 
> 
> I run a business, and when my web site or server or mail server or apache or mySQL or FTP or PHP code goes wrong, I am not interested in spending 30 to 60 frustrating minutes searching a knowledgebase with a minute hope of finding the correct solution - when my day goes pear shaped, I pick up the phone and call technical support -- PRONTO -- that's human nature.
> 
> The only thing I have found that helps my clients ( some quite PC illiterate ) is I direct them to my web site, click on a link and use RemoteView to connect to their screen - then I can take them through the steps one-by-one and they can see what I'm doing - often a lot faster than trying to talk them through it on the phone. 
> 
> Yes sir - Click on the button - Yes, with the right button - the one on the mouse, no, a single click. Click on the Start button - no, on the screen - yes, with the mouse - the right mouse button. It's at the bottom left corner of the screen ...... and just pray you don't have to ask them to use ctrl-alt-del ...... and my wife wonders why I'm almost bald !!



Dave, I'm not sure what your setup is, but on a shared hosting server (like in the OP's case) you shouldn't have to worry about the web, FTP, SQL, or mailserver. You should be worried about, and focusing on, your website. Your ISP (normally) takes care of issues directly related to the server software. I know our techs sort out technical things like this before the client even knows about it. 

If the case is a serious one, which may take longer, then we email our clients about it. 

Your own PHP code, however, is still your own responsibility as client. If you're not a PHP developer then you normally hire / employ one. If the ISP happens to offer this as a service and you make use of them, then it's still your responsibility. Almost always, the development team is a different department from the server admins team, and treated as 2 different business entities. Think of your car dealer. Although VW / BMW / Mazda / Mercedes / etc sell you the car, they also have a garage to repair it. When, say, the radiator breaks, you need to take it in (or in this case get towed in), and deal with the service / parts department in this regard. The sales team has nothing to do with it. The same with an ISP that has web developers as well. When you have an issue with your website, you contact your web developer. The web developer will then (normally) contact the ISP (whether it's the same ISP or not doesn't make a difference) and sort out any technical issues they may have with the server admins. 


The knowledge base that I was referring to is not intended for this use. It's more aimed at the end user to equip him with the tools he needs, free of charge, to run his website / hosting account. We, or anyone else for that matter, are not forced / obliged to have these resources available, but it helps to teach the end-user something and lighten the help desk's load. 

But from your response, and past experience, it's clear that some people simply don't want to learn new things. They want to be, and insist on being, spoon fed. Now, I ask you this, as research: do you feel it's your ISP's responsibility to "spoon feed" you? Do you feel they have to do everything for you?
Or, do you feel it's their responsibility to teach you, free of charge, everything there is to know about the internet?



On a side note, here's an interesting article: http://mybroadband.co.za/news/Internet/11242.html

----------


## tec0

Is there a possibility that VPN along with an Intranet and host to user inscription be implemented so that the control panel is only accessible on the intranet? See you have a lot more control.

----------


## SilverNodashi

> Is there a possibility that VPN along with an Intranet and host to user inscription be implemented so that the control panel is only accessible on the intranet? See you have a lot more control.


Sure, why not? But I doubt if you're going to find a host who will setup a VPN for every client on a shared hosting server. The amount of additional resources (RAM / CPU & labor) needed to do this is simply too expensive for a R15pm / R50pm account. 

Another way of doing it is to allow SSH access (then the client can use SFTP / FTP-over-SSH) but then they open up the servers to possible hacking and other unwanted problems.

We setup all our cPanel servers to only use the SSL ports for cPanel & webmail access, and each one has a commercial SSL certificate as well, so the clients don't get warnings about untrusted SSL certificates - which in itself is very confusing for most people.

So, at least when a client connects to his control panel, it will be on an encrypted channel. But that still won't stop a brute force attack, or keyloggers.

----------


## SilverNodashi

Here's something you could use to warn you in future:  http://binarycanary.com/en/feature-t...monitoring.cfm

----------

