Compromised account

webalternative

New member
Hello,

how did you deal with a compromised account? Like an outdated WordPress installation that has been compromised?

Did you charge your customer to solve the problem? If yes, how much?

If not, what do you do?



Regards,
 
I would personally inform them and see if they take action within, say, 24 hours. If they do, then try to work with them; if not, I would just suspend their account until they demonstrate that they will cooperate with you on the issue, or until the end of the billing cycle, and then just deactivate their account.
 
I think it would really depend on the severity of the case. If they've been compromised and spam is starting to come from the account, then that is obviously a higher priority, as it could potentially cause issues for other clients.

In any case, any provider should try working with the client to a reasonable extent.
 
WordPress is known for not being secure, so you must make sure you are running the latest version at all times.

We sent this to clients on 24/10/2014:
Once again one of our servers (Venus) was offline for 2 hrs today due to a compromised WordPress installation. The client had an outdated version 3.5 while the current version is 4.0.

This has led to the below announcement being issued and published on our website. If you have WordPress installed then make sure you are running the latest version 4.0 and have this updated in Softaculous, as it is whichever sites Softaculous shows as outdated that will be disabled.

Due to a recent rash of web hosting accounts being compromised and exploited, and a lot of these being traced back to outdated WordPress scripts, we have made the decision to sunset all WordPress 3.5, 3.6, 3.7, 3.8 and WordPress 3.9 scripts that are installed on our servers.
Sunsetting, in this context, means that we will be disabling those web hosting accounts or directories that currently have a WordPress 3.5, 3.6, 3.7, 3.8 or WordPress 3.9 script installed.
The current WordPress version is 4.0.

Then on 24/11/2014 we sent this:

We have noticed that our mailout on 25/10/2014 about WordPress 3.x sunsetting has gone ignored by WordPress users, as Softaculous still shows many outdated installations, some still using version 3.5 when the current version is 4.0.

Today at 2am I was informed of yet another WordPress installation being compromised due to not having the recent version/security updates. (These are only affecting WP installations, so no one is actually getting into the server in general.)

Each time this is costing us time and effort to sort these issues out.

So this is what is going to happen at some point today:

1) ALL accounts with outdated scripts will be suspended (not just outdated WordPress scripts).
2) To reactivate the suspended accounts you will have to pay a £10 reactivation fee.
3) Once reactivated you will have 12 hours to update the outdated installation, and if it is updated within the 12 hrs we will refund the fee.

We will give you until 12 noon today, Friday 14th Nov., to check your installations and update them before these accounts will start to get terminated.

You can do this by going into your account's cPanel and then looking under Software >> Softaculous; then search for the script you use and this will tell you the script and current version, and next to that you should see 2 small blue arrows which will allow you to upgrade in a simple 1-click step.

We can do this for you but would have to charge our min. hourly fee of £25.

At the time, out of 300 sites with outdated scripts that got suspended, 250 paid the £10; only 7 upgraded within the 12 hrs, so got refunded; 10 asked me to update their scripts; 220 updated within 72 hrs; the remaining 63 were never upgraded or I never heard back from the clients, so were terminated.
 
We have fewer compromises now than a year ago, but more attempted attacks; we've just got better defenses now.

If we find an account compromised, or spamming, we suspend it and wait for the customer to make contact.
We rarely terminate the account if the customer is paying, but just leave it suspended.

Again, like easyhostmedia, if the domain/account is found to be compromised again, we suspend it again, and so it goes on.
 
Yes, but script compromises are not attacks against your servers; these are attacks on, and even hacks into, individual scripts. Some server security systems will pick these up and some won't.
In some cases it's just a matter of looking in the mail queues and seeing a very large amount of queued mail from specific accounts, leading you to investigate that account.

If you have cPanel or DirectAdmin on your server then it is a good idea to go to http://configserver.com/ and install these on your server (ALL FREE):

ConfigServer Security & Firewall (csf)
ConfigServer ModSecurity Control (cmc)
ConfigServer Explorer (cse)
ConfigServer Mail Queues (cmq)
ConfigServer Mail Manage (cmm)

through SSH using this:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Use the same commands for all the above by just changing the three-letter code for the script.

And if you can afford $60 then also install ConfigServer eXploit Scanner (cXs): http://configserver.com/cp/cxs.html
 
Good info, thanks. I'll be using this. Follow-up question, if I may ...

I'm most familiar with maldet ... how does cXs compare to maldet, which is free? Is cXs worth the cost to you, personally?
 
I use both.

Maldet is basic. I installed this through WHXtra along with RHK Rootkill.

cXs was only $50 when I purchased it, but it's been well worth it.
 
When I was in hosting, we used to offer to restore a backup and then upgrade them for free; otherwise they could upgrade for free themselves. If they didn't, we'd tell them we would have to let them go to another provider.
 
Not so much restoring backups, but this is about how to deal with outdated scripts.

I know we all want to be pleasant to clients and bend over backwards to help them, but it should go both ways. If they won't or are unwilling to upgrade outdated scripts, then it can cause problems for other users on the server if someone gets into other sites on the server through their outdated script. Software houses update scripts for a reason, and clients need to know this and how important it is to update scripts.
A provider really has 3 options:

1) help the client, or get the client to upgrade the outdated script;
2) if they won't upgrade, then terminate them;
3) as a last resort, ban the script on your servers.

This is what we did with E107: it is banned from any of our servers because, when it had a security issue, they were not releasing any patch for it, and a client that was using it managed to get our server IP blacklisted through this.
 
Yeah, but if the account is "hacked" you want to go back to the old version before it was hacked and then upgrade :).
 
No, as that won't help; you need to look at how they got in. 9/10 they will get in because you use a weak password, and then FTP a PHP file into your site that you are not aware of until your host gets notices. Downgrading will not help if you still use weak passwords.

You need to:

1) change all passwords to strong passwords;
2) go through the file structure to find the hacker's files/folders and remove them;
3) upgrade the script;

in that order.
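A first pass over the files step above, as an added example that is not from any poster in this thread: it shortlists PHP files where WordPress never places any (wp-content/uploads) and PHP files changed after the install's own wp-includes/version.php, which every upgrade rewrites. The sample docroot is constructed inline; the planted file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: shortlist suspicious PHP files in a
# WordPress docroot. Output is a list to review by hand, not a verdict.

# PHP files under wp-content/uploads: that tree should hold media only.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# PHP files modified more recently than the reference file $2
# (wp-includes/version.php is a good reference: upgrades rewrite it).
php_newer_than() {
    find "$1" -type f -name '*.php' -newer "$2" 2>/dev/null
}

# Constructed sample docroot: old core files, one real upload, two planted
# PHP files (names are made up for the example).
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2014/11"
    printf "<?php\n\$wp_version = '4.0';\n" > "$root/wp-includes/version.php"
    printf '<?php echo 1;\n' > "$root/index.php"
    # Backdate the core so anything dropped later shows up as newer.
    touch -t 201401010000 "$root/wp-includes/version.php" "$root/index.php"
    printf 'not a real image\n' > "$root/wp-content/uploads/2014/11/photo.jpg"
    printf '<?php /* constructed */\n' > "$root/wp-content/uploads/2014/11/cache.php"
    printf '<?php /* constructed */\n' > "$root/wp-content/dropped.php"
    printf '%s\n' "$root"
}

root=$(make_sample_docroot)
echo "PHP files in uploads:";       php_in_uploads "$root"
echo "PHP files newer than core:";  php_newer_than "$root" "$root/wp-includes/version.php"
rm -rf "$root"
```

On a real account, run the two functions against the account's public_html and compare the list with what the site owner actually installed.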
 
Yep. Done this more times than I would care to admit. Overlook a single FTP account or CMS user ... and you have to start all over again.
 
Yup, and it's fine when a client cooperates with you.
I had 1 client who had a typical WP hack due to weak passwords, so I instructed them to clean their account and change passwords. They agreed, but the same thing happened again. Fine; this time I told them to clean their account and I would change their passwords. I changed the passwords and gave them the passwords. I told them that the next time this happened I would have to charge them for my time at our rates as per our TOS, £25 per hr.
Within a week the same thing happened, and I noticed they had changed the passwords back to their old weak ones, so, as I had told them I would, I cleaned their site and charged them.
In all I spent 30+ hrs, but only invoiced them £300. They refused to pay and even threatened to report me for trying to scam them. Strange, as I had all the evidence of them not cooperating and changing the passwords back, and they had accepted that I would charge if it happened again. So they never paid, so the WHMCS system suspended them and then terminated them, leaving the invoice active. Since then (12 months) they have gone through 4 hosts, so I assume all for the same reason.
 
@Easyhostmedia: Your emails sound a little harsh on the client but I won't go into that.

Are you only using Softaculous to determine outdated WordPress installations on your server? If so, you probably have some more outdated installs on your network.

There are a few more ways you could look which would catch every outdated install.
 
It's not harsh when they get plenty of notices and just ignore them. How many times can you tell them to use strong passwords and clean their account before you need to take direct action?
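One way to catch outdated installs that Softaculous does not list, as an added example that is not from any poster in this thread: walk the hosting root and read $wp_version from each install's wp-includes/version.php, the file WordPress itself ships, then report anything older than the release you consider current. The sample home tree is constructed inline; CURRENT_WP is an assumed setting.

```shell
#!/bin/sh
# Added example, not from the thread: find WordPress installs under a hosting
# root by their own version.php, independent of how they were installed.
# CURRENT_WP is an assumption: set it to the release you consider current.
CURRENT_WP="${CURRENT_WP:-4.0}"

# Print the version string from one wp-includes/version.php.
wp_version_of() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1"
}

# Exit 0 when version $1 sorts before version $2 (dotted numeric comparison).
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# Print "docroot<TAB>version" for every install under $1 older than $2.
outdated_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while read -r vfile; do
        v=$(wp_version_of "$vfile")
        [ -n "$v" ] || continue
        if version_lt "$v" "$2"; then
            printf '%s\t%s\n' "${vfile%/wp-includes/version.php}" "$v"
        fi
    done
}

# Constructed sample tree standing in for /home/*/public_html.
make_sample_tree() {
    root=$(mktemp -d)
    for entry in alice:3.5 bob:4.0 carol:3.9.2; do
        user=${entry%%:*}; ver=${entry#*:}
        mkdir -p "$root/$user/public_html/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "$ver" \
            > "$root/$user/public_html/wp-includes/version.php"
    done
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
outdated_wp_installs "$root" "$CURRENT_WP"
rm -rf "$root"
```

Against a real server, call outdated_wp_installs with /home (or wherever your control panel keeps docroots) and the version you publish as current.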
 
Well, whilst I understand recommending it, I don't think it's a hosting provider's place to force them to use strong passwords.

But if they are constantly getting hacked due to weak passwords and not doing anything to prevent this from happening, then yes, you can force them to use strong passwords, as constantly having their sites hacked places the server at risk.

Some sites won't even let you register if you use common or weak passwords.
 
I can see both parties point of view.

But if a customer paying me £5/month for hosting repeatedly gets hacked and we knew it was because they couldn't be bothered to take our advice, we would ask them to leave.

We may even refund their last month's hosting, because our time repeatedly sorting this out would have to be worth more than £5/month.

We wouldn't perform the task and retrospectively bill them. They have choices:

1) They pay us, we do the work.
2) They do the work quickly themselves.
3) They get suspended/terminated for "harming the network".

Obviously you wouldn't do this immediately, but you would have to when the offence is repeated.
 