

Attention To All Current And Future Clients Of Dathorn




Posted by rouho, 06-23-2005, 09:18 AM
Dear friends, I have been hosting with Dathorn for quite some time, and I had only nice comments about them (I have also taken time to post them in this forum). HOWEVER, this is my last experience with them: Three weeks ago one of the “off the shelf” scripts (phpbb) which I installed at the touch of a button from my account’s control panel was hacked. The reason being a security hole in the old version of the script I was using. Following this incident Andrew suspended my domain. After I posted a trouble ticket he unsuspended it, instructing me to uninstall the script. I tried to do so from the cpanel, where there is an option to uninstall scripts that are in the library, but it was not there! Andrew then suggested that I should FTP and delete the folder. And I did. At the same time I checked if any other scripts were installed by checking the scripts library. Sometimes I was installing scripts from the library (given on cpanel) to test them. From there it seemed that nothing was installed, so I thought that the domain was safe. A couple of days ago Mr. Andrew Thornton – Dathorn, once again suspended my domain, PERMANENTLY this time, because another script, 2bgal, which I was using was hacked. The bottom line is that should you or your clients have one or more accounts for personal use and fail to keep up with the updates of all the scripts provided by Dathorn's cpanel, they risk permanent suspension of their accounts!! From one point they give you the ability to install scripts at the touch of a button from the cpanel WHICH OTHERWISE I WOULD HAVE NOT INSTALLED, SINCE I WOULD HAVE MOST PROBABLY CHOSEN OTHER ONES THAT I COULD FOLLOW (updates etc) and from the other side none of them take some time to inform their clients about the security holes of the script THEY host and THEY HAVE CONFIGURED to work on their servers. I have to point out that when installing scripts from the cpanel it is not necessary to make ANY changes; ALL scripts are configured to WORK on their servers.
Sorry for posting such a long topic but I had to. I am sure that there are several people out there (with various hosts) that are unaware of the security holes of each script they install from their cpanel. Do you risk the permanent suspension of their accounts?

Posted by ChrisTech, 06-23-2005, 03:30 PM
So, again, why is it Dathorn's fault that YOU didn't keep YOUR scripts updated? Best way to install a script, is to do it by hand. If you do install something from the script library in Cpanel, then, you yourself, need to check up on that script, and make sure it's up to date. Looks like you got warned once, and you then again had a hackable script on the server, which did get hacked, and your account was suspended perm as per Dathorn's policies. If your un-secure scripts were on the same server I'm hosting on, then I hope Dathorn did the right thing to protect ALL their customers on that server. If I have a script that's out of date, or has a security flaw in it, I HOPE Dathorn lets me know, so I can fix it, or if one of my sites, or users is causing a problem, perm. suspend the domain. Yes, I host @ Dathorn. Over 27 months now. It's stable, Andrew keeps his servers in check, and takes care of problems quickly.

Posted by Duport, 06-23-2005, 03:39 PM
Certainly phpbb is the most insecure bulletin software out there; well the older versions, Dathorn was right in suspending. These hacks can do some nasty things to servers, you only need to look at phpbb's community to see there are hundreds that have been hacked. Keep your scripts updated. 

Posted by tke71709, 06-23-2005, 03:53 PM
If someone is installing something from fantastico or Cpanel it's a fairly safe bet that they aren't very technical. So it's unlikely that they will know how to keep it up to date. Is there no script out there that will check what is running on their servers so that they can disable it or warn the customer without the customer having to guess what is secure and what is not?

Posted by ChrisTech, 06-23-2005, 04:35 PM
You are missing the point. It's NOT up to the provider to check everyone's scripts to make sure everyone is up to date. If providers did that, they would have to hire extra personnel, then costs would go up, etc. If you are installing a script, you need to know what it does, and you, yourself need to keep it updated. Most scripts keep an updated website, with info there, as well as their own support staff. If you aren't technical, and don't understand something, ASK! Dathorn maintains some very friendly forums, where plenty of "how to's" are posted. If you have a question, ask, many people there are more than happy to help out. Also, there is an area in Dathorn's forums, just for script updates. Just subscribe to it, and you will get an email when someone posts there.

Posted by 2Grumpy, 06-23-2005, 05:10 PM
This is why I don't have Installatron (the Fantastico equivalent for Directadmin) on my servers. If the version of phpbb installed BY YOUR CONTROL PANEL is insecure it is not the customer's "fault" when it's hacked. Hence I supply NO scripts so I can use the big stick when one of them gets hacked on my servers. Dathorn, by providing the phpbb that was installed, should fix it on THEIR end and not take it out on the client, this is my take on this subject and why I myself supply no "insta install" scripts. I've been asked before why and I said "if I supply it, I am expected to support it, and I ain't got time to keep up with that".

Posted by BigBison, 06-23-2005, 05:33 PM
Aside from the helpful advice, Chris, I think you're missing the point. Hosts assume the client already knows about these things. However, I think it's reasonable for a customer (unless clearly informed otherwise) to assume that the host is providing the specific version they approve of. Often, hosts run downlevel software due to stability and even security. Apache 2, anyone? So why should the same customer you've explained your reasons for running Apache 1.3 to, assume the latest version of a script to be run on Apache is the safest one? Isn't it reasonable, then, for a customer to assume that the version they can install at the press of a button is the version their host approves of, latest version or not? Heck, what version of vB is WHT running? If a host doesn't specifically tell customers which version of the supplied software they ought to be using, the host shouldn't assume the customer can infer this. In many cases, downlevel scripts are still running without problems while the new version takes a year to stabilize, so IMHO, it's never wise to assume the latest version of any code is the safest. Perhaps Fantastico should be modified to include a 'check for updates' feature, allowing updates to automatically install on top of the Fantastico-installed version. The only way I know Fantastico installs flawed versions of phpBB is due to the frequency of this very problem being mentioned at WHT by customers unhappy with a variety of hosts. Or maybe, Fantastico could integrate a list of the latest version for each installable script. If they don't match, it's then obvious to the customer that they'll have to upgrade the script after the initial installation, just like patching software installed from a CD-ROM. Would it be so tough for Cpanel to provide this list for all its customers? 
To sum up, from the customer standpoint, why would a host allow any customer to install seriously compromised software at the touch of a button, without warning that the installed version still needs patching? It's a valid question for a beginner to have. Exactly. I find it most surprising that Dathorn even offers Fantastico.

Posted by Dathorn-Andrew, 06-23-2005, 10:05 PM
Some of you are misunderstanding the situation. At the time of installation via the auto-installer, these scripts were assumed to be secure, as they were the latest versions available. BUT not continuing to update scripts as necessary when new versions are released is where the problem comes in. These can even be upgraded via cPanel, but YOU (as a customer) still have to do it. We do not modify our customers' data in any way.

Posted by 2Grumpy, 06-23-2005, 10:09 PM
Did you let customers know when a new version was released that they SHOULD upgrade? This is my problem with things like fantastico/installatron/etc when you hand something like that to a customer and then an exploit is found it's kinda hard to bitch at the customer unless you can show "hey we told everyone there's a new version of ..... and to please upgrade". My take on it is, don't give them the scripts then you can bitch all you want when they don't upgrade the scripts they themselves downloaded and installed

Posted by cartika-andrew, 06-23-2005, 10:46 PM
Although it is unfortunate this happened - you cannot blame the customer for installing an insecure script provided by the hosting company... I completely agree with dixiesys - do not offer an auto-installer - they cause nothing but issues - moreover - whose responsibility is it to update the scripts in the autoinstallers - certainly not the clients! Why is everyone jumping on the customer here - they used an automated installer, provided by the hosting company - who never bothered to keep their scripts updated... This is why we only support specific scripts - install the latest versions for our clients and post application announcements on our forum for the scripts we support and recommend (re updates, patches, etc) so that they can easily keep them up to date... Marketing autoinstallers for 100's of applications in order to attract non-technical clients - while not taking the appropriate care to keep the scripts in the autoinstallers updated - and then blaming the client when the vulnerable application you provided in an autoinstaller was compromised is sheer ridiculousness... Update the script for the client and apologize profusely for not keeping your autoinstaller up to date and allowing your client the ability to install applications with known security holes...

Posted by Dathorn-Andrew, 06-23-2005, 11:13 PM
As Chris pointed out above, we have a forum dedicated to script security where we along with other customers post issues regarding scripts that need to be upgraded. phpBB notices have been posted there for quite some time. I mean a lot of these accounts end up running phpBB 2.0.5 from a long time ago which has more security holes than you can shake a stick at. The Advanced Guestbook script was another big one that went around for a while which was announced there as well. But we cannot possibly keep up with every single script that exists, it is much easier for customers (and it is their responsibility) to maintain the scripts that they have on their accounts. Edit: CartikaHosting, perhaps you should read the rest of the thread. The auto-installer scripts were "secure" at the time they were installed. It is the fact that the user never updated them that caused the problem. I made that clear in my previous post.

Posted by cartika-andrew, 06-23-2005, 11:32 PM
Fair enough - however, I have yet to meet a host that has all scripts in fantastico updated with the latest patches and upgrades- Good on you if you have figured out how to do this...

Posted by BigBison, 06-24-2005, 12:12 AM
Yes, I also make the assumption that there is a particular amount of lag time between the latest patches, and Fantastico. I stand by my earlier point, that unless notified of the need to upgrade, it's fair for a customer to assume no upgrade is necessary because the host knows better than they do which version to run. How plainly and clearly are customers informed that if they install a script, it is their responsibility to check the 'script security forum' on a regular basis and perform updates when necessary? Is there a link on the CP to that forum?

Posted by rouho, 06-24-2005, 12:43 AM
If you let your customers install a script which is ALREADY CUSTOMISED for the server and NO technical background is required then I believe that it is the host's responsibility to inform clients about the security holes. As far as the ability to upgrade or uninstall a script from the cpanel, when I tried to uninstall or upgrade phpbb ... it was not there!

Posted by ChrisTech, 06-24-2005, 12:47 AM
From the Terms Page. The Script Security Forum. Just loaded my scripts library (attached image), shows current phpbb, as well as a button to upgrade it.

Posted by ChrisTech, 06-24-2005, 12:51 AM
Check my attachment above, it's from cpanel08 (server name) using the x2 skin. Shows me upgrade button. I don't use auto installer scripts though, and scripts do need to be updated from time to time.

Posted by rouho, 06-24-2005, 04:59 AM
I still have the email where Andrew suggests that I should FTP and delete the folder MANUALLY. If you do not believe it that's fine. I am not here to argue. I believe that since a script is already on the server and customised for the server and can be installed at the touch of a button then the user who has no technical background CANNOT support it. That's my opinion. If you think something different that's fine and GOOD LUCK. But make sure that all your clients upgrade their script often otherwise you will end up with suspended accounts.

Posted by rouho, 06-24-2005, 05:01 AM
By the way I did not say that the button was not there at all. It was, however, in the drop down box it seemed that nothing was installed!!!!!!!!!!!!

Posted by Website Rob, 06-24-2005, 05:25 AM
Sounds like Dathorn does not properly secure their Servers, or at least one of them. It doesn't take too much to properly do some basic security so that the Server is protected against the majority of hack attempts. After all, many people have used the most up-to-date version of phpBB in the past only to be hacked and then a patch is released. So those using the most current version at the time whilst still getting hacked are somehow in the wrong? I don't think so. We have Clients using various versions of phpBB from 2.06 and up. Not a one has been hacked. Not to say many have not tried but they've been script kiddies -- which are easy to block. And regardless of security in place, if a serious hacker ever wanted to get into a Server they probably would but I seriously doubt they would bother trying to use a phpBB script to get in. I have to agree with others who posted along the lines of; "If a Hoster is going to provide a script installer then regardless of what scripts or versions are offered, basic security should be good enough to at least stop the script kiddies." Last edited by Website Rob; 06-24-2005 at 05:28 AM.

Posted by Dathorn-Andrew, 06-24-2005, 07:53 AM
How does securing servers have anything to do with security holes in a PHP script that a customer is running? Unless you severely cripple your PHP installation (among other things) the insecure PHP scripts will always be exploitable, and at the very least able to destroy the customer's account. There is no magical end all setup as far as this is concerned. Mind you, that very few of these exploits are actually used to do anything productive with system restrictions that we have in place (which I'm obviously not going to discuss here) - but our monitoring still picks them up and it only takes one successful attempt to become a problem.

Posted by Website Rob, 06-24-2005, 10:18 AM
"How does securing servers have anything to do with security holes in a PHP script that a customer is running?" I guess that answers the obvious, at least in the TS situation. "Unless you severely cripple your PHP installation (among other things) the insecure PHP scripts will always be exploitable" I guess locks on doors (basic security) severely cripples how a door functions? Server is as Server does and experience tells the story. Can we be more descriptive and have someone (either Andrew or the TS) determine if the phpBB "hack" was a Forum or Site Index page defacement?

Posted by rouho, 06-24-2005, 10:35 AM
I am afraid that I do not have this kind of information (or at least I cannot figure it out). Below is what I got with the suspension email:

    root@cpanel25 [~]# ps aux | grep rou
    rouho 8950 0.0 0.0 1936 112 ? S Jun14 0:09 /usr/local/apache/bin/httpd -DSSL ? livezo
    rouho 10871 0.0 0.0 1460 4 ? S Jun18 0:00 "/usr/local/apache/bin/httpd"
    rouho 5564 0.0 0.1 12092 1200 ? S 14:35 0:00 /usr/bin/php inc.php
    rouho 5566 0.0 0.0 0 0 ? Z 14:35 0:00 [perl ]
    rouho 5567 97.2 0.1 4336 1932 ? R 14:35 68:17 /usr/local/apache/bin/httpd -DSSL
    rouho 6657 0.0 0.0 12096 432 ? S 14:37 0:00 /usr/bin/php inc.php
    rouho 6659 0.0 0.0 0 0 ? Z 14:37 0:00 [perl ]
    rouho 6660 89.8 0.0 4340 772 ? R 14:37 61:09 /usr/local/apache/bin/httpd -DSSL
    root 729 0.0 0.0 3576 632 pts/0 S 15:45 0:00 grep rou

    root@cpanel25 [/proc/8950]# ls -la
    total 0
    dr-xr-xr-x 3 rouho rouho 0 Jun 21 15:46 ./
    dr-xr-xr-x 171 root root 0 Jun 14 11:34 ../
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 cmdline
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 cpu
    lrwxrwxrwx 1 rouho rouho 0 Jun 21 15:46 cwd -> /home/rouho/public_html/.access.log/
    -r-------- 1 rouho rouho 0 Jun 21 15:46 environ
    lrwxrwxrwx 1 rouho rouho 0 Jun 21 15:46 exe -> /home/rouho/public_html/.access.log/httpd*
    dr-x------ 2 rouho rouho 0 Jun 21 15:46 fd/
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 maps
    -rw------- 1 rouho rouho 0 Jun 21 15:46 mem
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 mounts
    lrwxrwxrwx 1 rouho rouho 0 Jun 21 15:46 root -> //
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 stat
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 statm
    -r--r--r-- 1 rouho rouho 0 Jun 21 15:46 status

    root@cpanel25 [/tmp]# ls -la | grep rou
    -rw-r--r-- 1 roundup roundup 0 Jun 18 13:23 .emo
    -rw-r--r-- 1 roundup roundup 3913 Jun 18 08:56 .marimoon
    -rw-r--r-- 1 roundup roundup 19367 Jun 17 22:35 .marimoon2
    drwx------ 2 rouho rouho 4096 Jun 7 18:59 muhstik11814/
    drwx------ 2 rouho rouho 4096 Jun 7 18:48 muhstik7335/
    drwx------ 2 rouho rouho 4096 Jun 7 18:54 muhstik9816/
    -rw-r--r-- 1 rouho rouho 6040 Jun 16 23:47 qwe.pl
    -rw-r--r-- 1 rouho rouho 6040 Nov 22 2004 r57phpbb2010.txt
    -rwxr-xr-x 1 rouho rouho 14484 Jun 10 12:09 rzr*
    drwxr-xr-x 2 rouho rouho 4096 Jun 21 15:31 .sec/
    -rw------- 1 groupeci groupeci 1904 Jun 17 04:19 sess_5bb0c94e3822a3457eedcf52b8dcbc82
    -rw------- 1 groupeci groupeci 87181 Jun 16 12:23 sess_d66e6ada9428dec3a28ad587f3b57a34
    drwxr-xr-x 2 rouho rouho 4096 Jun 13 03:23 st/

    root@cpanel25 [/home/rouho/www/.access.log]# ls -la
    total 464
    drwxr-xr-x 8 rouho rouho 4096 Jun 13 05:50 ./
    drwxr-x--- 27 rouho nobody 4096 Jun 21 03:11 ../
    -rwxr-xr-x 1 rouho rouho 320 May 31 2004 config*
    -rw------- 1 rouho rouho 1002 Mar 9 2004 config.h
    -rw-r--r-- 1 rouho rouho 72 Jun 7 18:44 cron.d
    -rwxr-xr-x 1 rouho rouho 347 May 31 2004 *****
    drwxr-xr-x 2 rouho rouho 8192 May 31 2002 help/
    -rwxr-xr-x 1 rouho rouho 202544 Mar 10 2004 httpd*
    drwxr-xr-x 2 rouho rouho 4096 Jul 26 2004 lang/
    -rw------- 1 rouho rouho 137 Jun 13 05:50 livezone
    -rw-r--r-- 1 rouho rouho 36 Jun 7 18:44 livezone.dir
    -rw------- 1 rouho rouho 137 Jun 13 05:50 livezone.old
    drwxr-xr-x 2 rouho rouho 4096 Jun 14 16:37 log/
    drwxr-xr-x 2 rouho rouho 4096 Jun 4 2004 motd/
    drwxr-xr-x 4 rouho rouho 4096 Jun 7 18:48 muh/
    -rw-r--r-- 1 rouho rouho 103063 Jun 7 18:47 muh.tar.gz
    -rwxr-xr-x 1 rouho rouho 14306 Nov 13 2003 proc*
    -rw------- 1 rouho rouho 5 Jun 14 16:37 psybnc.pid
    -rw-r--r-- 1 rouho rouho 33557 Mar 9 2004 README
    -rwxr-xr-x 1 rouho rouho 68 Jun 4 2004 run*
    drwxr-xr-x 2 rouho rouho 4096 Mar 10 2004 scripts/
    -rwxr--r-- 1 rouho rouho 21516 Sep 25 2002 xh*
    -rwxr--r-- 1 rouho rouho 245 Jun 7 18:44 y2kupdate*
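
Added example (not part of any post in this thread): the listing above shows PID 8950 presenting itself in `ps` as `/usr/local/apache/bin/httpd` while `/proc/8950/exe` points into a hidden directory under the account's web root. The script below automates that comparison; `scan_proc` and `build_sample_proc` are names made up for this example, the path prefixes are a heuristic, and the sample tree is constructed (only PID 8950's paths come from the listing).

```shell
#!/bin/sh
# Flag processes whose real binary (/proc/PID/exe) lives in a user-writable
# or hidden path, and report the name they claim in argv[0].

# scan_proc ROOT
# Prints one line per suspicious process: pid<TAB>exe<TAB>argv0<TAB>reasons
scan_proc() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        # Kernel threads, and processes we are not allowed to inspect,
        # have no readable exe link: skip them.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue

        # cmdline is NUL-separated; its first field is argv[0], which the
        # process controls and which ps displays.
        argv0=
        if [ -r "$d/cmdline" ]; then
            argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        fi

        reasons=
        case "$exe" in
            /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
                reasons="user-writable path" ;;
        esac
        case "$exe" in
            */.*) reasons="${reasons:+$reasons, }hidden directory" ;;
        esac
        case "$exe" in
            *" (deleted)") reasons="${reasons:+$reasons, }binary deleted from disk" ;;
        esac
        [ -n "$reasons" ] || continue

        # Only reported alongside a location finding: on its own an
        # argv[0]/exe mismatch is common (symlinked interpreters, renamed
        # daemons) and would be too noisy.
        case "$argv0" in
            /*)
                if [ "$argv0" != "$exe" ]; then
                    reasons="$reasons, argv[0] names a different binary"
                fi ;;
        esac

        printf '%s\t%s\t%s\t%s\n' "${d##*/}" "$exe" "$argv0" "$reasons"
    done
    return 0
}

# build_sample_proc
# Creates a constructed /proc-like tree in a temp dir and prints its path.
build_sample_proc() {
    s=$(mktemp -d) || return 1
    mkdir "$s/8950" "$s/5564" "$s/729" "$s/2"
    # PID 8950: paths as shown in the listing above.
    ln -s /home/rouho/public_html/.access.log/httpd "$s/8950/exe"
    printf '/usr/local/apache/bin/httpd\0-DSSL\0' > "$s/8950/cmdline"
    # Constructed ordinary entries (exe targets are assumptions).
    ln -s /usr/bin/php "$s/5564/exe"
    printf '/usr/bin/php\0inc.php\0' > "$s/5564/cmdline"
    ln -s /bin/grep "$s/729/exe"
    printf 'grep\0rou\0' > "$s/729/cmdline"
    # Constructed kernel-thread-like entry: empty cmdline, no exe link.
    : > "$s/2/cmdline"
    printf '%s\n' "$s"
}

# Demo run against the constructed tree.
sample=$(build_sample_proc)
scan_proc "$sample"
rm -rf "$sample"
```

To check a live host, call `scan_proc /proc` as root; unprivileged users can only read the `exe` links of their own processes.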

Posted by Website Rob, 06-24-2005, 11:02 AM
Ok, can you tell us, rouho, if your Forum or Web Site index page was changed/defaced? This you would notice when you visited your Forum or Web site using a Browser. The 'psybnc.pid' file is a dead give-away that someone did 'hack' your account, but I must admit, as a Hosting Client you were probably scratching your head and wondering what you were supposed to understand, from the information eMailed to you as shown above.

Posted by ChrisTech, 06-24-2005, 11:03 AM
Check here **edit - forgot to close my tag

Posted by rouho, 06-24-2005, 12:05 PM
The last time I checked the web site everything was ok. However, I am on GMT +2 time zone and I must admit that I do not have that site as my home page. So I cannot tell whether the index page was defaced. Nor can I see now since the account is suspended and I cannot FTP.

Posted by Dathorn-Andrew, 06-24-2005, 01:51 PM
It was not defaced, that was not the point of the exploit, and it would be stupid for them to do so. Then it would be extremely obvious that something is wrong and it would be corrected. But if they leave it as is, a lot of hosts and domain owners won't ever find it and they will be able to continue to run software from the account.

Posted by Website Rob, 06-24-2005, 02:07 PM
On the contrary, many script kiddies prefer to deface a Forum or Web site index page, substituting one of their own. A) because that is all most can do and B) they take a screenshot and post it for bragging rights. In this case it seems like someone wanted to run an IRC channel. rouho, hopefully you have found a new Hoster that is more suited to your needs and provides Server protection against common script hacks.

Posted by Dathorn-Andrew, 06-24-2005, 02:26 PM
That has not been our experience at all. 90% of the scripts that have been exploited have been done to run other kinds of software, not to deface websites. Sure, that has been done, but only very rarely. There is A LOT more there than an IRC bot, some of it isn't even listed. Including a PHP shell that was uploaded via the gallery and run repeatedly. Alternatively, you could just install the latest (secure) version of the scripts that you are running - especially after already receiving a warning for it once. That is where our opinion differs and this thread is not going anywhere. We offer advanced cPanel/WHM reseller accounts. We expect customers to have a reasonable knowledge of our types of systems. Even following the phpBB upgrade instructions is not by any means difficult. We offer many avenues that help with this (our forums are very good at this), it's not like the help and notifications aren't there - because they certainly are.

Posted by rouho, 06-24-2005, 02:58 PM
I appreciate your input in this thread, it was very helpful indeed. I am doing my research, and to be honest I would like your advice on this. When I first signed up with Dathorn I thought I had found THE HOST but I believe that currently they have secured a large number of clients and they don't really care about keeping their existing clients. If it was for security and what Andrew claims then instead of spending time emailing about their offers they should email about the security holes of the scripts THEY have configured for their servers! Thanks once again Website Rob, I am looking forward to your advice.

Posted by BigBison, 06-24-2005, 03:30 PM
I thought ChrisTech's posts were very enlightening, and Andrew addressed my concerns professionally. I was giving you the benefit of the doubt, but there is the issue of the warning, which is when you should have asked some questions or worked with the host to improve their service. If any hosts are listening, I ask how difficult would it be to implement e-mail notification of critical patches? This would require some wording on the page with the 'install this script' button stating that by installing this software the customer agrees to subscribe to the pertinent thread in the script security forum. Pain in the butt to automate this, unfortunately. I checked out the script security forum. There's a new thread for each patch of each script. How about making one thread just for announcements of phpBB upgrades, perhaps only allow mods to post to it, and leave discussion of it (installation problems, etc.) for other threads? When a customer installs phpBB, they agree to subscribe to that thread... Voilà! Problem solved?

Posted by NexDog, 06-25-2005, 01:10 AM
On phpBB hacks like this, the hacker (ahem, script kiddie), finds a hole and uploads simple code that connects to a remote phpshell script and proceeds to wget binaries on the server. There are various defences against this including safe_mode and phpsuexec which are amongst the most crippling. However, there are other solutions you can employ to defend against such behaviour. We've had successes with suPHP and firewalling outbound php (with whitelists). Now we are working on a new php class that strips out particular requests in php that wouldn't affect anything "normal".

Posted by rouho, 06-26-2005, 02:24 PM
I am sure that this would interest hosts that CARE ABOUT THEIR CLIENTS and their security.

Posted by rouho, 07-02-2005, 05:44 PM
I was almost at the point of realising how difficult it was to keep hackers away from your servers when I realised how even more difficult it is to process and keep track of your clients' payments!!! Yesterday and today I received two emails from Dathorn saying that the last payment had not gone through! I immediately contacted my bank to check my cc, and I did everything I could in order to verify that the credit card was ok. Then I submitted a trouble ticket to Dathorn only to find out that they had troubles processing credit cards. BUT NO ONE TOOK TIME TO LET ME KNOW. They only had their automated system emailing me about unsuccessful payments!!!!

Posted by rouho, 07-09-2005, 05:02 AM
According to the latest Alerta reports the server I am on (with Dathorn) is down for 2hrs 37mins 58secs and still counting! I contacted them and they said that there has been a problem with the planet network center they are using. The bottom line is: 1. Accidents like router failure surely happen and obviously Andrew knows that. 2. Script hacking is also another reality which I am sure Andrew knows as well. HOWEVER, Andrew has permanently suspended my account because of being hacked.... I will leave the rest of the comments to you.

Posted by Website Rob, 07-09-2005, 05:15 AM
rouho, I had thought you went ahead with hosting your Domain(s) somewhere else? Surprised you'd still be with Dathorn if they were not the kind of Hoster you wanted to be with -- as you've pointed out in this thread.

Posted by rouho, 07-09-2005, 07:39 AM
After so long and after the initial "nice" experience with Dathorn I have concluded that you have to do thorough research before choosing THE reseller! Actually I have not yet found one.

Posted by Bofu2U, 07-09-2005, 09:00 AM
I'm not exactly sure what you're saying here... You said they didn't let you know, but then you said that the automated system notified you about unsuccessful payments? Am I missing something here? As for the situation in general, I (personally) fail to see where Dathorn is in the wrong about this. They can't spend time going through every single client's files looking for out of date installations of scripts. The job of the customer is to keep their own scripts in check. They have a security forum about the latest exploits, they have an “upgrade button” for it through cPanel, but I guess neither of these were used? I don't know if it's still me, but I still don't see where Dathorn is in the wrong here.

Posted by net-trend, 07-09-2005, 10:07 AM
Actually mod_security can do all that without all the extra work.

Posted by gilmourrules, 07-09-2005, 10:12 AM
Having been with Dathorn for over two years now, I will comment on the issues that rouho seems to be having issue with. I too had the credit card issue, however I knew my credit card was good so I sent them a trouble ticket and asked what the issue was, got a response from Andrew, no big deal. I certainly didn't call the bank. Rouho, have you never been in a retail store and had trouble with their machines??? It's electronics run by humans, not a good combination. Yes there were problems at the Planet last night, guess what ....it happens with Dathorn and all hosts at one point or another. Andrew posted right away there were issues, when he gets answers from the folks at the DC he will let us know. I had one of the sites I hosted with Dathorn hacked, I did up a trouble ticket and asked what happened and they advised to update or change the script so I did, end of story. Another domain I have I was developing and was going to use a couple of the scripts in Cpanel, before I did I sent a trouble ticket and asked the questions, got replies right away no problems.. It's been my experience with Dathorn they will help to the best of their ability. Even as a newbie to them two years ago they helped me many times and even today if I have a problem, or a question I ask. I actually looked back at the trouble tickets I have sent them and it averages maybe one every month to 6 weeks and those are not all service issues, more like general questions etc. Rouho you will not like this and so be it, I can not find fault in Dathorn's service for the past two years can I. There have been problems, albeit minor, and they get resolved. I have found Andrew and his staff always look after any questions and or problems. All you have to do is ask they are there to help. From the sounds of things you should look for a host that offers telephone support or special services that are to your liking you should move on and I wish you luck finding your perfect host.
For people following this post check out the forums at Dathorn and you will see Andrew runs a tight ship Overall my experience with Dathorn the past two years has been on a scale out of 10...... a 9.9 Last edited by gilmourrules; 07-09-2005 at 10:27 AM.

Posted by rouho, 07-09-2005, 11:35 AM
Wow I am extremely surprised that you realised that your domains were hacked!!!!!! Whenever a domain is hacked you only realise it after Andrew suspends it!! It is obvious you have some other kind of information from Andrew. I am glad that you said so, because that is what I have been asking in this post. Had Andrew let me know about the attack then I would have been able to take all the necessary steps. If you have read the post there has been no change in the appearance of the page! Last edited by rouho; 07-09-2005 at 11:42 AM.

Posted by rouho, 07-09-2005, 11:39 AM
You are actually missing the fact that I got INCORRECT information and none of them let me know about THEIR PROBLEMS in processing the payment.

Posted by Bofu2U, 07-09-2005, 11:40 AM
Keep in mind that suspension depends on the severity of the hack. If they only got into your files, that's one thing. However, if they are attacking the rest of the server, that's quite another. But they contacted you (automatically) and told you it didn't go through, right? Edit: Revised

Posted by rouho, 07-09-2005, 11:43 AM
??

Posted by gilmourrules, 07-09-2005, 11:45 AM
No Rouho, I got no information from Andrew, I went to the site and it was hacked on the index page all messed up and some entries in one of the scripts. I submitted a ticket to Dathorn, I think it was Andrew that replied to the ticket. He told me I should upgrade to the latest version and I did. End of story, I had no other information from Andrew.

Posted by Bofu2U, 07-09-2005, 11:45 AM
You were notified of unsuccessful payments, right?

Posted by ChrisTech, 07-09-2005, 03:57 PM
Face the facts rouho, You were running an old version of phpbb. It was exploited. Even by your own post, you show your directory listing, which clearly shows:
-rw------- 1 rouho rouho 5 Jun 14 16:37 psybnc.pid
psybnc is a Bouncer program used for irc. irc bouncers aren't allowed on Dathorn. Read more about PSYBNC here. Read more on rouho's post here. You were exploited due to running an outdated script. Updates were available, and you didn't do them. As posted previously, you might want to change to a different host that will provide you with more hand holding than Dathorn provides. If you continue to use phpbb, you need to check out phpbb's website and subscribe to some sort of an update list, so you can be informed of new updates or exploits when they happen & update accordingly. **edited grammar & spelling (it's been a long day) Last edited by ChrisTech; 07-09-2005 at 04:01 PM.

Posted by Rollmops, 07-15-2005, 11:06 AM
The way a security breach was handled by Dathorn prompted me to move my sites elsewhere. There were two deciding factors: First, Dathorn's communication skills leave a lot to be desired. Arguably, they talked themselves out of a customer. Second, the disclosure of applied policies not reflected in the terms of service or acceptable use policy and that would have dissuaded me from signing up with Dathorn in the first place had they been documented in a visible place (or anywhere at all). It was this issue in certain that left me with no choice but to leave. Whether the actions taken (or the actions not taken) were within Dathorn's contractual rights is not a question that factored into my decision. At the end of the day, I retracted the recommendation of Dathorn that I extended to third parties, because now knowing what was communicated to me, Dathorn is not a possible hosting choice for them either.

Posted by idologicJeff, 07-15-2005, 11:25 AM
Dathorn clients are mostly aware that Andrew does not hide his - shall we say "no tolerance" policy towards support issues like this, or for that fact his abrupt method of communicating. Non-patched versions of phpBB are a problem, and his responsibility is to ALL of his clients, not just a few. I guess his abrupt policy is designed to minimize issues in the long run. I don't understand, however, how every now and again this results in a circumstance that is raised in these forums almost like it seems to surprise a few Dathorn clients. Perhaps one solution might be to have people read the "riot act" once they sign up, and then Andrew's communication skills won't continue to take a beating in these forums. Cheers Jeff

Posted by Rollmops, 07-15-2005, 07:01 PM
I suspect that Dathorn's lack of communication skills will continue to "take a beating" until such time as they improve. However, in case I did not explain myself clearly, neither the communication issues nor the "no tolerance" policy as such were decisive; the latter did not even figure into the equation. What triggered my decision was an explanation of how Dathorn interprets a particular aspect of their published policy; I cannot and will not commit to meeting it in each and every case, which left me with no choice but move on. Jeff, your idea of reading customers the "riot act" right after signing up is a bad one. If there is a time for this, it would be right before signing up.

Posted by Hamtramck Rick, 07-15-2005, 07:33 PM
Hosting on the internet is like living in a high crime area. Having Andrew as your hosting provider is like having a tough cop on the beat, walking around your house, rattling the door knobs. He's a little brusque and his rules are rather strict, but most of his clients are grateful for the dedicated service.

Posted by rouho, 07-16-2005, 03:04 AM
They are grateful for his service as I was BUT what I did not understand so far is that with Andrew's attitude (rather than policy) they are risking having suspended domains because script hacking can happen at ANY time EVEN TO NEW VERSIONS of scripts, besides security holes are only discovered after scripts have been breached! So it is like playing Russian roulette, since you do not know when the latest version of the script you have installed will be breached.

Posted by Shazan, 07-16-2005, 06:08 AM
My feelings are that the server was not properly secured... I suggest Dathorn to take a look at:
- background process killer in WHM (for "automagically" prevent PSYBNC from running)
- mod_security for Apache
- a firewall with egress port filtering....
- removing access to wget, ftp, etc. to the users giving a chmod 700
In a secure environment the damages that an exploitable script can do are very limited, IMHO
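An added example, not part of Shazan's post or of Dathorn's setup: a shell audit for two of the points above, download tools that non-owner accounts can still execute and leftover psybnc.pid files like the one in the directory listing quoted earlier in the thread. The function names, the tool list and the sandbox paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and paths are assumptions.
# Tool list follows the post's "wget, ftp, etc."; extend it for your host.
DOWNLOAD_TOOLS="wget ftp"

# Print each download tool in directory $1 that group or other can still
# read, write or execute, i.e. anything looser than mode 700.
audit_tool_modes() {
    dir=$1
    for tool in $DOWNLOAD_TOOLS; do
        path="$dir/$tool"
        [ -f "$path" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        go_bits=$(ls -ldL "$path" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "$path"
        fi
    done
}

# Print every psybnc.pid below $1, sorted for stable output.
find_bouncer_pids() {
    find "$1" -type f -name 'psybnc.pid' 2>/dev/null | sort
}

# Run both checks; return 0 when nothing is flagged, 1 otherwise.
audit_host() {
    bin_dir=$1
    home_root=$2
    loose=$(audit_tool_modes "$bin_dir")
    pids=$(find_bouncer_pids "$home_root")
    rc=0
    if [ -n "$loose" ]; then
        echo "download tools usable by non-owner accounts:"
        echo "$loose" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$pids" ]; then
        echo "psybnc pid files found (a bouncer ran or is running):"
        echo "$pids" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sandbox standing in for /usr/bin and /home, so the demo runs offline.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/bin" "$sandbox/home/user1/.tmp"
    : > "$sandbox/bin/wget"; chmod 755 "$sandbox/bin/wget"   # still world-executable
    : > "$sandbox/bin/ftp";  chmod 700 "$sandbox/bin/ftp"    # already restricted
    echo 5 > "$sandbox/home/user1/.tmp/psybnc.pid"           # constructed leftover
    audit_host "$sandbox/bin" "$sandbox/home" || echo "review the findings above"
    rm -rf "$sandbox"
}
demo
```

On a real host the two arguments to audit_host would be the system binary directory and the root of the customer home directories.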

Posted by Rollmops, 07-16-2005, 11:08 AM
This is one of many responses that does not address the substance of the criticism raised against Dathorn. The technical competence of Dathorn is undisputed. What I and others perceive as a lack of communication skills is largely an issue of personal tolerance and quite frankly, I am unforgiving in that respect. It is the tough cop comparison, though, where opinions start to diverge. I have no reason to believe that Dathorn expends a significant effort in patrolling a beat, but instead reacts severely to infractions brought to Dathorn's attention by third parties. And to repeat myself, it is not even the severity of the reaction that I objected to. A more apt comparison, perhaps, is to say that Dathorn publishes a book of state laws, but citizens only learn of overriding local ordinances well after moving in. To move from the abstract to the concrete, I was at a point with my conversation with Andrew where I would have settled for increased vigilance and a few pro-active measures when I received the parting shot that the actual house rule is that not only security flaws must be fixed as expeditiously as possible, but the fix must be deployed within "a day" of being published by the package maintainer. I cannot commit to meeting such a deadline in each and every case, even if I voluntarily take my sites offline when I know I will be out of touch for a day or when merging custom code with an upstream version will push me past the deadline. It was at this point that I did a bit of research on WHT, came away with the conclusion that Andrew meant exactly what he said, that any attempt to reach an amicable solution was a waste of our mutual time, and that I had no choice but to take my custom elsewhere. In a shared hosting environment, security breaches are inevitable.
It is entirely reasonable to ask customers to do their part and stay on top of known problems, but the webhost as the server maintainer has a number of options to mitigate the damage potential of a breach of customer code. To state the obvious, these measures place a significant burden on the hosting provider and would ultimately drive the costs up. In my personal opinion, Dathorn resolves the associated risk management process by minimizing their own expenditures and the ultimate removal of offending customers. I'm sure that most other hosts use a similar modus operandi, it's just that Dathorn is more blunt about it. Be that as it may, Andrew talked himself out of a previously very satisfied customer. Anyway, I've said what I wanted to say more than once and I will bow out now.

Posted by 2Grumpy, 07-16-2005, 01:05 PM
Every vulnerable script that gets used to run a bindshell or abused for some nefarious purpose was at one time, the newest version of that script, often itself having been released to fix previously discovered security holes and bugs. Today's "security update" for phpBB (etc) is tomorrow's exploited script.

Posted by CrazyTech, 07-18-2005, 12:36 AM
I don't want to come into this thread on a sour note but I have an observation or two to make because I see both sides of the story. On the client side of things you have got to keep your scripts updated. This is something that protects you in the long run from situations like the one described in this thread. However, I do understand your frustration in the matter since it was an install provided by your host. I fully understand the host's desire to protect themselves and other clients from exploits. However, I also think that it's slightly unfair to permanently suspend an account because a script you offered is not updated by a client who one would assume might not know everything or keep track of updates. I should think that the user was offered a fair refund for the situation because it's not exactly his fault. However, the host ultimately has control over their policies and that's what counts in the end. If you don't agree with them then the best thing to do is just to move away.

Posted by rouho, 07-18-2005, 04:08 PM
CrazyTech you are right. However, I should point out that it is not only a matter of the host's policy and the fine print but also a matter of customer relations.

Posted by tracphil, 07-18-2005, 09:55 PM
Word to the wise for hosters... you should have scripts that auto install for your clients. If they have to use that to install the script in the first place, then they are not going to know how to do an upgrade. If you provide the scripts for the "newbie" clients, then you should ensure the scripts being installed are up to date. Since you are promoting this service to "newbie" clients, you should also keep up with security updates and tell them when their script needs updating and then if need be, update it for them. It's that simple.

Posted by Shorshor, 08-02-2005, 07:29 PM
I just checked it in Dathorn's CPanel (yes, I have an account with your company ) and found out that the information you provided is not correct. Right at this moment (August 02, 2005) the version of phpBB available for installation at Dathorn's Cpanel is 2.0.15, see the attachment. However, the current version of phpBB is 2.0.17 and it was released July 19th (more than 2 weeks ago!). 2.0.16 was released June 27th which makes the real delay 5 weeks! Nonetheless I agree that installing anything from CPanel is not in general a good idea.

Posted by Shorshor, 08-02-2005, 07:31 PM
Sorry, forgot to attach.

Posted by ChrisTech, 08-02-2005, 09:21 PM
Care to share what box you are on? Just fine on Cpanel08

Posted by Shorshor, 08-03-2005, 02:56 PM
It's Cpanel30. And 2 hours ago it was still phpbb 2.0.15 in the autoinstaller.

Posted by rouho, 08-06-2005, 04:52 AM
Shorshor it seems that you are VERY LUCKY that your domain with the "upgraded" version of phpbb 2.0.15 is still active since it that this version of the script has a bug based on the old bug "...which was improperly fixed in phpBB 2.0.11. ". please read the link below. http://seclists.org/lists/fulldisclo.../Jun/0358.html

Posted by rouho, 08-06-2005, 04:56 AM
One more thing: phpbb 2.0.17 was released on July 19 2005 and phpbb 2.0.16 was released on June 27 2005 !!!!

Posted by Shorshor, 08-06-2005, 09:13 AM
rouho, I never use CPanel autoinstall feature, as I already told here, so the version of phpbb in CPanel has nothing to do with the version I have on my web sites. I just showed that the following statement of Andrew was incorrect: Currently at least on one of his servers the version of phpbb for the autoinstaller is not the latest. rouho, what's the point of repeating what I already said? Seems like you didn't read my previous posts in this thread.

Posted by rouho, 08-06-2005, 09:33 AM
Actually I read your post. However, when some people hide behind the fine print and TOS of their company and "cannot tolerate" security breaches, of scripts they are suggesting on their cpanel, then some things like the one you mentioned have to be repeated again and again. Surely, there are people on cpanel30 who are using the "upgraded" version of phpbb 2.0.15.

Posted by ldcdc, 08-06-2005, 09:44 AM
I agree that a good company should keep an open perspective over things, but if a company rigorously sticks to its TOS, it isn't "hiding" in any way.

Posted by rouho, 08-06-2005, 11:25 AM
When the security of a server is under threat it is particular that immediate action should be taken. However, in cases like the present where a script, customised by the host to work with his server, was abused because of a security hole in it then it is not a matter of TOS but common sense that should come into play. Particularly when the host fails to keep the cpanel with the latest update of the script.

Posted by 2Grumpy, 08-06-2005, 01:08 PM
So should the web host now suspend themselves since they're the ones giving out the vulnerable script? They suspended a customer for doing that very thing, using an old script. It's more a case of hypocrisy than anything, "on one hand we suspend you without notice or remorse if you run an old script" then "we give you a vulnerable script to install on the other hand". To me it just stinks of hypocrisy. And this is why I don't supply any scripts to the end user. That way when I have to suspend someone without notice (because their phpbb is being ACTIVELY used to run processes) I don't have to worry "is that a phpbb install I gave them via installatron?" because I don't have installatron (or other) and no plans to supply any in the future.

Posted by sprint, 08-06-2005, 02:58 PM
hi all ok. this is a battle between the big techie guys and me newbie has only one question EVERY reseller hosting entices you with Fantastico et al but the 'riot act' reading by dathorn makes me very sceptical. What's the use in asking non-techs to use autoinstall scripts and removing them for THE MAIN HOST not securing servers properly? in this case there seems to be a warning but is this something to be very wary of? regards sprint.

Posted by Mall23, 10-08-2005, 03:28 AM
These "companies" who are offering this software ought to implement some sort of auto-update script. We did, and I've seen it in a couple other places like SugarCRM. It's not hard to do: http://www.aspfree.com/c/a/ASP/Getti...iles-With-ASP/ These guys developing this stuff are supposed to be the "Best of the Best". If they took a week to intelligently implement such a feature, it would help out quite a bit (it's not a cure-all of course).

Posted by Shorshor, 10-08-2005, 05:13 AM
If by "these guys" you refer to phpbb, then since v.2.0.14 I believe they have a "This version is out of date" notification feature in the phpbb admin panel. I think making the update process totally automatic may do a mess in case one uses a modded forum.

Posted by Mall23, 10-08-2005, 02:29 PM
I mean anyone. It is good to hear that PHPBB has a notification function! Kudos. I totally agree that an update function is bad for modded software, so they need to implement it with an on/off switch.

Posted by roro, 12-01-2005, 04:19 PM
One of my sites has been suspended in dathorn, they said someone use it to "target of flooding to PHP scripts", the only script I'm using is wordpress and phpnuke... Please recommend me another host, I need 50gb of bandwidth. 500 mb of space. Thanks.

Posted by Dathorn-Andrew, 12-01-2005, 04:30 PM
As I replied to your ticket, your modules.php script was essentially being DoS attacked by many different IPs which resulted in a very high load on the server. We operate a shared hosting environment and this obviously cannot be allowed. I'm still working with you on this via the ticket.

Posted by roro, 12-07-2005, 01:49 PM
Well my site has grown and I need a hosting that supports 20,000 pageviews a day. any advice?

Posted by roro, 01-08-2006, 02:09 PM
Well I just moved out of that hell! I'm really tired to argue as if he is doing me a great favor having me as a customer

Posted by Shaw Networks, 01-09-2006, 04:34 PM
What web host did you eventually find and has service improved?

Posted by Hamtramck Rick, 01-09-2006, 05:30 PM
The internet is growing into a harsh place in which to do business due to all the hacking and cracking going on. Due to this harshness, it may be the case that budget web hosts are only appropriate for technical people willing to patch their own software. If you want to focus on your business, and not on the software, then maybe you need to pay more money for a more full featured web host (or hire a tech person). Security may be an opportunity for web hosts to up their service and up their price. It's just not the case that once you upload your software and it works, that you are done. Maintenance is a big issue. What is confusing is that it is all a moving target. As web hosts are stung by this auto-install software being out of date problem, they will probably add clauses to their TOS to cover it. Everyone learns by experience. To talk about two hosts I am familiar with, Dathorn takes one track and weeds out people who don't update their scripts, and Dathorn servers have great up time. Gazzin is more lenient, but maybe their uptime suffers a bit for it. Everyone is looking for a formula that works in this ever changing business climate.

Posted by xhackr, 01-09-2006, 10:58 PM
Having conflicting positions regarding the OP and Dathorn, I have to say this post clearly puts into perspective the opposing philosophies here, and provides a well articulated portion of what a user should consider when choosing a host. Notwithstanding the foregoing, I think the host here (any host) should be clear on the expectation of its users. While Dathorn is free to dictate its policies, it is understandable how the OP or anyone not technical might assume because a script is available in Fantastico that is all there is to it. More advanced users (ones that would be quicker to stay on top of updates and patches) generally do not use Fantastico and install manually. Further, I might suggest that if a host is going to be very strict in their policing of patches and updates, it might be better not having Fantastico available.

Posted by rouho, 01-12-2006, 03:30 AM
It is a matter of common sense rather than the user's technical level. Updates are only released when a script has already been breached! The hosting provider has to be there to HELP HIS client, should the last one has not exploited any security vulnerabilities on purpose. When you choose a serious provider for your company one of your targets is to minimise the time you spent in maintaining and fixing things. If I wanted to have all the fuss of maintaining a server I would have used my own equipment in a NOC.

Posted by xhackr, 01-12-2006, 04:03 AM
That simply is not true. Updates are released for more reasons than security patches. Additionally, Fantastico has had its problems as a script installer. Personally I would not rely on it, and I would recommend users install and update manually. If you think that the amount of effort manually installing a few Fantastico provided scripts requires the same effort as managing your own server, you are in for a big surprise should you ever find yourself considering the latter. Hopefully you have found a host that is more suited to your expectations. Good luck with them.

Posted by rouho, 01-13-2006, 01:35 AM
In this case however we are discussing about scripts with security holes. The sequence is well known: 1. security hole is discovered 2. script security breached 3. security patch released. Between steps 2 and 3 you are risking having your dathorn account suspended!!!!! xhackr I hope that I made it clear this time! Managing my own server by means of securing my clients' accounts and scripts.

Posted by xhackr, 01-13-2006, 08:32 AM
When you refer to a patch being released, is that through the author or Fantastico? There can be quite some delay between the time a patch is released and the time it becomes available in Fantastico. My understanding is that you were relying on Fantastico being timely in the updates – it’s not always. Even in that case, I’m partly on your side here. If the host expects you to keep current beyond Fantastico (which they have chosen to provide) that expectation should be clearly set with the user base. Last edited by xhackr; 01-13-2006 at 08:43 AM.

Posted by hostmedic, 01-13-2006, 07:18 PM
This is perhaps one of the most intelligent statements I have heard on these forums for some time. Sadly - most of the bargain hunters don't have a clue how to update their own scripts, boxes, etc... nor do they want to learn. The issue with many of these guys is simple - they perhaps are great @ marketing - but stink @ the technical side of the web. Although Fantastico does not always update their script installer right away - any good administrator (not bashing Dathorn here - because it is obvious they do this) would look and make sure scripts like phpbb are up to date and/or secured... What one like Dathorn (and similar providers) might look into doing is identifying a person or company that is able to perform the updates - and tell the client they have 3 options - 1. don't update and get shutdown, 2. perform the update themselves, or 3. contact the software support provider the company knows - and/or one they can trust and have the script updated. We have suspended many an account - even a few resellers over similar issues - but it always looks bad when you have to suspend / kill an account over silliness... Now that we offer solutions such as Platinum Server Management to our colo clients, as well as a few great guys over on Guru.com and ScriptLance - we are able to bill the client for the upgrades vs. turning them off - they are happy, we are happy - and the person performing the work who we have come into a business partnership with is also happy ... it's rare seeing a win win win -- but it can happen. On the other hand - our TOS still state it is not our responsibility to find the solution for our client. I will happily sacrifice 1 for the sake of many. Only makes sense to do so.

Posted by hostingace, 01-14-2006, 08:17 PM
I agree, don't be mad at your host. Most all phpbb users suffer this fate.

Posted by Valorum, 01-15-2006, 01:33 PM
Terminating service is too harsh a punishment IMHO. Suspending an account because it got hacked and telling the customer to fix it before the account will be re-enabled, sure, no problem with that. In fact I encourage that. If the customer is willingly abusing the system and not working with the hosting provider to fix issues, then yes, boot 'm of course. Booting them because of ignorance or lack of technical savvy though is stupid. Imagine if Microsoft took away Windows from anybody who didn't keep their system fully up to date and protected at all times! Microsoft would be out of business real quick! I completely agree with Rollmops and Dixiesys on this. I was considering using Dathorn and they were near the top of my list, but reading this all has bumped them down on my list significantly.

Posted by ldcdc, 01-15-2006, 08:28 PM
IMO this comparison doesn't really work, but I agree that providing insecure scripts is a really unfortunate side effect of the popularity of products like Fantastico, and that hosts should give it a more serious thought before adding them to their offering. I think it would be fair if the policies would make customers who use Fantastico and have their scripts at the latest version provided via Fantastico, exempt from suspension based on the script version.

Posted by hostmedic, 01-15-2006, 08:38 PM
The key here is - even though cPanel and Fantastico sometimes will offer the ability to upgrade a script, some clients will scream when this is done - as their default settings etc... all go away. Bottom line is - the client (at least w/ us and most hosts) are held responsible to update their software, are given a warning if it has not been done, and then terminated (or in our case given the option to terminate or be billed for the update via a 3rd party company).


