Web hosting providers with poor security

From SusoSight

I'm sick of it. I'm sick of seeing web hosting providers that have no clue as to what they are doing. Some are big providers with thousands of accounts and very visible advertising. It is my goal here to expose their negligence so that people will avoid them.

To qualify for this page, a provider has to meet one of the following criteria, without my needing to gain administrator/root/superuser privileges or use any kind of hacking/cracking technique:

  • Customers' data is readable or writable by other users when the provider claims that it is not.
  • Log files exposing customers' data are readable by other users.
  • Passwords or other similar information are exposed and trivially accessible.
  • Anything else that shows severe negligence on the part of the system administrators, if they really have any.

Recently I've found some hosting providers that only allow ssh access if you email or fax a copy of your driver's license. You can read my thoughts on this and why I think it's not a good idea.

2007

Joyent/textdrive

Pretty much the same problems as Dreamhost. If you know someone's username (which you can get from /etc/passwd), then you can easily cd into their home directory and the predictable structure underneath. And since they put their users' domain names into /etc/passwd, you can figure out where to go for their websites. Also, their log files are world readable and in a predictable directory.

Dreamhost.com

Where do I begin? These are the guys who say "Our servers are protected by ninjas" (see questions 41 and 94) and swear up and down that they are really secure. Almost all aspects of user data are breachable and a significant amount of it is easily removable. And all of my research was done with commonly available commands. I did not use any "hacker tools". So it is trivial for anyone to do this.

  • Home directories are world executable, meaning you can pass through them and view users' web content by simply knowing what subdirectory to cd into. The subdirectories are readable, so you can see the contents there.
  • Users' website log directories could be entered and logs are world readable.
  • Some websites seemed to have a lot of world writable files created by their one-click installs or user error. You could theoretically go into a user's web directory and run rm -fr * and erase most of their site. Or sites could be altered to process information differently.
  • Database passwords visible in website files. So someone could log in to someone else's database and delete/modify all data.
  • /var/log/xfer.log was world readable, meaning that you could figure out users' directory structure easily.
  • Load averaged 6 to 20 and was seen as high as 324.
  • On the first attempt I couldn't transfer to/from their server any faster than 2Mbit/sec; on a second attempt I transferred a 10MB file 5 times (1 minute apart each) with the following rates: 3.2Mbits/sec, 3.2Mbits/sec, 3.47Mbits/sec, 2.85Mbits/sec, 3.63Mbits/sec. The issue I have with this is that this information contradicts the general feel of these very large hosting providers having multiple T3s/OC12s/OC192s to the net, etc.
  • Able to run mailq and see the current mail queue for postfix. So I was able to see who was sending mail to whom and when.
  • Because of the way they NFS mount home directories to 240 of their other servers, which have a similar directory structure, it is essentially possible to see all their users overall from one single server.
  • Claim that they have 700 servers and host over 350,000 websites. Although given the varying, but low, bandwidth measurements, this is less likely. They do however have 240 NFS mounts on the server I used to do these checks. It's possible the bandwidth limit could be done on a per connection session basis. So it's possible that they have what they claim, but given that they are protected by ninjas, it seems that deceit is one of their core values.
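
A permission audit for the conditions listed above (world-traversable or world-readable home directories and world-writable site files), written as an added example for this page rather than anything from the original post or from either provider. It assumes a Bourne shell with `find` supporting `-maxdepth`, and it builds its own constructed sample tree; on a real host you would pass /home and the web-log root.

```shell
#!/bin/sh
# Added example, not from the original page: audit a shared host's home tree
# for "other" permission bits that let unrelated local users traverse (x),
# read (r) or write (w) a home directory, and for world-writable files inside
# sites. The sample tree is constructed for the demo.

# Paths of top-level entries under $1 whose "other" bits grant r, w or x.
audit_dir() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null | sort
}

# Number of exposed top-level entries (0 means the tree passes).
exposed_count() {
    audit_dir "$1" | wc -l | tr -d ' '
}

# Recursive count of world-writable files/dirs (symlinks skipped): the
# "one-click install left files world writable" case.
world_writable_count() {
    find "$1" -perm -002 ! -type l 2>/dev/null | wc -l | tr -d ' '
}

# Remediate: drop all "other" bits from each home directory and the write bit
# from anything world-writable beneath it. The web server should then reach
# sites through group membership or a per-site user, never via world bits.
harden_dir() {
    find "$1" -mindepth 1 -maxdepth 1 -exec chmod o-rwx {} \;
    find "$1" -perm -002 ! -type l -exec chmod o-w {} \;
}

# Constructed sample tree mirroring the findings above; prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob/site" "$d/carol"
    chmod 0711 "$d/alice"                 # world-executable: traversable
    chmod 0755 "$d/bob"                   # world-readable and traversable
    chmod 0750 "$d/carol"                 # correct: owner and group only
    touch "$d/bob/site/config.php"
    chmod 0666 "$d/bob/site/config.php"   # world-writable site file
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample)
    echo "exposed homes before: $(exposed_count "$root")"   # 2
    harden_dir "$root"
    echo "exposed homes after:  $(exposed_count "$root")"   # 0
    rm -rf "$root"
fi
```

Run with `--demo` to see the constructed tree audited and hardened; the same functions applied to a real /home report how many accounts are exposed to every other local user.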

2006

  • HPCinc.com (HoosierPC, Bedford, Indiana) - Running FreeBSD, but all home directories were world readable and writable. I could have done major damage to many other accounts by simply running rm -fr /home.