Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting?

An anonymous reader writes "A few months ago I stumbled across an interesting security hole with my webhost. I was able to access any file on the server, including those of other users. When I called the company, they immediately contacted the server team and said they would fix the problem that day. Since all you need when calling them is your username, and I was able to list out all 500 usernames on the server, this was rather a large security breach. To their credit, they did patch the server. It wasn't a perfect fix, but close enough that moving to a new web host was moved down on my list of priorities. Jump ahead to this week: they experienced server issues, and I asked to be moved to a different server. Once it was done, the first thing I did was run my test script, and I was able to list out everyone's files again. The hosting company only applied the patch to the old server. I'm now moving off this web host altogether. However, I do fear for the thousands of customers that have no clue about this security issue. With about 10 minutes of coding, someone could search for the SQL connection string and grab the username/password required to access their hosting account. What's the best way to handle this type of situation?"
  • by Anonymous Coward on Saturday October 27, 2012 @03:54PM (#41791185)

    and try to find the mail addresses of the users and alert them of the security problems. If many of them leave, maybe the hoster feels it's time to act.

  • Inform the users (Score:4, Interesting)

    by mkraft ( 200694 ) on Saturday October 27, 2012 @04:09PM (#41791309)

    Back in the days of dial-up, I used a dial-up ISP that offered free scripting (CGI, ASP, you name it) on a Windows server. While teaching myself scripting, I discovered that files I wrote as part of scripts ended up in the c:\windows\system32 directory of the server instead of my user folder. Worse still, CGI scripts allowed running executables. Needless to say, that is bad, as it allowed me to get remote shell access to the box. Finally, to complete the incompetence, I found that the ISP was storing the customer records on the server as an Access database. When I say records, I mean everything: names, addresses, credit cards, etc.

    I informed the ISP of the problem. They responded, but said it was a "Windows" problem and couldn't be fixed, so I posted on a message board for customers about the problem (but not the details on how to do it), wiped my own customer records from their database (yes, I could read and write) and canceled service. I don't know whatever happened to them, but I'm assuming they went out of business like most other dial-up ISPs.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Saturday October 27, 2012 @04:09PM (#41791313)
    Comment removed based on user account deletion
  • by Anonymous Coward on Saturday October 27, 2012 @04:22PM (#41791401)

    I've been using Linode for the last 8 months or so, and have been pretty happy with it.

    $20 per month gets you 1 static ip address, 512 MB of ram, 20 GB of disk space, 200 GB of upload bandwidth, unlimited download bandwidth, and up to 4 cpu cores.

  • by hawguy ( 1600213 ) on Saturday October 27, 2012 @04:53PM (#41791611)

    I've been using Linode for the last 8 months or so, and have been pretty happy with it.

    $20 per month gets you 1 static ip address, 512 MB of ram, 20 GB of disk space, 200 GB of upload bandwidth, unlimited download bandwidth, and up to 4 cpu cores.

    If you don't need much bandwidth or CPU, check out Amazon Micro instances. If you buy a reserved instance, a Micro instance ends up costing around $7/month plus $0.10/GB for disk and $0.10/GB for outbound bandwidth.

    They are cheap enough to run multiple instances - I have my public website on one instance and use the other one for my mail server, and other things I don't want on the public server giving me complete separation between the two. If the webserver ever gets hacked, I can just restore it from an S3 snapshot. I had started looking at chroot'ing Apache or running it in a VM for better isolation, but spinning up a second micro instance was much easier.

    If you need to use significant CPU, a micro instance is probably not going to be a good choice, as I've heard that Amazon throttles back CPU to Micro instances that use a lot of sustained CPU. But it runs my PHP based photo gallery software pretty well (shared only to family/friends, so it's not super busy).

    The bandwidth costs could get expensive quickly at 10 cents/GB if you have a busy website. I run a script that checks my bandwidth utilization, and if I hit more than 10GB in one day it shuts down Apache and notifies me, so I don't end up with a huge bandwidth bill if my site ever gets slashdotted.

    Even with multiple S3 snapshots, my total hosting bill is always less than $20/month, less than I was paying for a single VPS server (that was having performance issues due to being oversubscribed so heavily by the ISP).

  • by Anonymous Coward on Saturday October 27, 2012 @04:58PM (#41791641)

    Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

    If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report, listing you as the offender, with possible criminal charges, for you hacking their service.

    Their lawyers may also send you a cease-and-desist letter, warning that you will be sued if you publish the information.

    I keep seeing these shills on this thread telling people to "do nothing, or ELSE!"... WTF? Why tell people this? (hint: citations needed) Is there some huge list of all the security experts rotting in prison for disclosing Windows/Flash/Android exploits that I'm not aware of?

    Why not call the police yourself as a CYA preemptive strike to go along with your "full disclosure notice?"

    Police non-emergency operator: "How can I help you?"
    You: "I'm calling to report a security breach with my ISP/host/whatever."
    Police non-emergency operator: "What do you mean?"
    You: "Well I've discovered an exploit that would allow hackers to compromise my computer servers."
    Police non-emergency operator: "What would you like us to do about it?"
    You: "I just needed to file a report, because I want to notify the service provider as well as make a public disclosure."
    Police non-emergency operator: "Ok, but why did you need to let us know?"
    You: "Because a bunch of assholes on /. told me if I exposed the flaw you would arrest me for hacking."
    Police non-emergency operator: "ROFLCOPTER"

  • Re:Do nothing (Score:5, Interesting)

    by JMJimmy ( 2036122 ) on Saturday October 27, 2012 @05:04PM (#41791685)

    I always wondered why no one has tried a 2nd amendment challenge to those laws. The US officially recognizes 'cyberwarfare' so these "hacking tools" can now be classified as arms in digital warfare.

  • by raymorris ( 2726007 ) on Saturday October 27, 2012 @05:29PM (#41791893) Journal
    The host isn't doing anything wrong. That configuration is actually the most secure of any common configuration. If your script can read other people's files, that probably means it's running as the unprivileged user "nobody" or "apache". All scripts can read all files, but can only WRITE files that are chmod 666. The only commonly used alternative is suexec, where your scripts run as your user. That means they can only read your files, but it also means all scripts can WRITE to any file, delete any file, or create files anywhere. Given that most all PHP scripts have security holes, running them using suexec is super dangerous - FAR more risky than running them as nobody and letting them read files. So the configuration they are using is definitely the safest, in the opinion of a poster who has fifteen years of server security experience. It used to be, you could run suexec as a different user, bob_scripts, and that was much safer. Recent versions don't allow that due to some poorly thought-out rules about file ownership. The ultimate would be to set up custom SELinux rules such that your scripts could only read your files AND could only write 666 files, but NOBODY does that. I don't think there is a single shared host in the world who offers that, and I've worked with hundreds of hosts.
  • Re:Do nothing (Score:5, Interesting)

    by Anonymous Coward on Saturday October 27, 2012 @05:42PM (#41791971)

    OK I'll post his "test script":
    ls -al /home/*

    Huge surprise: most shared hosts run suPHP with 755 on all directories inside of ~/public_html/.

    COME AT ME HOSTGATOR
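
The exposure the two comments above describe, from the account owner's side, as an added example that is not code from any poster: a POSIX sh audit that lists world-readable credential-like files under a directory you own (what a neighbour's script running as "nobody"/"apache" could read) and, where your own scripts run under suexec/suPHP as your uid, strips the group/other bits. Under the mod_php-as-nobody configuration raymorris describes, the lock-down step would cut your own site off from its config, so only the listing applies there. The file-name patterns and the demo tree are constructed.

```shell
#!/bin/sh
# Added example (not from any poster): audit a directory you own on a shared
# host for world-readable files that look like they hold credentials, i.e.
# files a neighbour's script running as "nobody"/"apache" could read.

# audit_world_readable DIR -> one path per line, sorted
audit_world_readable() {
    # -perm -004: "other" read bit set (POSIX octal form, portable across finds)
    find "$1" -type f -perm -004 \
        \( -name '*.php' -o -name '*.ini' -o -name '*.conf' \
           -o -name '*.cfg' -o -name '.env' \) 2>/dev/null | sort
}

# count_world_readable DIR -> number of files audit_world_readable reports
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# lock_down DIR -> strip group/other bits from the reported files.
# Only safe where your PHP runs as your own uid (suexec/suPHP); under
# mod_php running as "nobody" your own site would lose access too.
lock_down() {
    audit_world_readable "$1" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

# Demo on a constructed tree: two credential-like files and one harmless one,
# all created with the typical shared-host default mode of 644.
demo=$(mktemp -d)
mkdir -p "$demo/public_html/inc"
printf '<?php $db_pass = "constructed-secret";\n' > "$demo/public_html/inc/config.php"
printf 'DB_PASSWORD=constructed\n' > "$demo/public_html/.env"
printf '<html>hello</html>\n' > "$demo/public_html/index.html"
chmod 644 "$demo/public_html/inc/config.php" "$demo/public_html/.env" \
          "$demo/public_html/index.html"

echo "world-readable credential-like files: $(count_world_readable "$demo")"   # 2
audit_world_readable "$demo"
lock_down "$demo"
echo "after lock_down: $(count_world_readable "$demo")"                         # 0
rm -rf "$demo"
```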

  • by golodh ( 893453 ) on Saturday October 27, 2012 @06:16PM (#41792193)
    Today's lecture is on dealing with accidental vulnerabilities you accidentally stumbled into while accidentally probing a system that accidentally happens to have a lot of potential interest. You know what I mean.

    I read a lot of indignant posts and a few moany warning ones on the subject. The authors of either kind of post have obviously lost touch with the American Way.

    When you find a vulnerability, the first thing to do is to disassociate yourself from it. Wipe your data and close down your account (many posts correctly advised this). Then get two sets of some cheap one-off hardware (second-hand paid-in-cash stuff is best). Use one of those to assess the economic potential of your find as best as you can (or you'll get fleeced later on).

    Then you Monetize your find. Quickly, before someone else beats you to it. That's the American Way right there.

    Use the second piece of old kit you bought to surf the web. There are certain websites, often in Eastern Europe, on which you will find people who'll use a peculiar form of English but who will be prepared to pay smallish but reasonable amounts for such information. Depending on e.g. whether the flaw leads to credit card data (that's why you ascertained the economic potential of your find first) or advanced military technology (in which case you may be able to get better quotes from buyers in the Middle East or the Far East).

    Be aware that there is a certain protocol to be followed when conducting this sort of transaction. Contacting them from home, work, or any other place that can easily be traced to you is a beginner's mistake. Secondly, don't *ever* give out information like your real name, physical address, bank account or credit card to them. They won't do that either, and besides, you'll *really* value your privacy when dealing with them.

    Use e.g. an old second-hand laptop and work from an Internet cafe or use a prepaid smart phone with Internet browsing facilities. Don't ever use that hardware for *anything* but completing this one transaction. Wipe, disassemble, smash, and ditch said hardware component-wise as soon as the transaction is completed.

    The trick is of course to get the money to where you can spend it. Having it wired into your account will show up and may be a bit difficult to explain. Even when done from a US account (you can negotiate for this but it costs extra). They will pay you in bitcoin or E-gold if you insist, but that too is tricky. Asking for cash in the mail is asking to be fleeced, and likewise a bit conspicuous should they actually do it (amateurs).

    I'm leaving the question of arranging secure and discreet transfer as homework. Additional points will be awarded (optionally off the record or against a discreet little cash bonus) for really good solutions. Remember: should government officials come calling at your doorstep you'll automatically fail the course and all traces of your enrollment will mysteriously have vanished. No refunds.

  • by Anonymous Coward on Saturday October 27, 2012 @07:00PM (#41792481)

    I worked at an ISP that had an extremely similar (but different enough that I know it's not the same ISP) issue. The customer could access our RADIUS UN/PW files and browse other unsecured NT machines... This all prompted us to firewall up, but not before the customer decided we weren't moving fast enough and decided to call the local ABC affiliate and put the passwords for various local agencies/companies/users on the TV screen. What else... Front page on the newspaper and the local computing magazine, had a nice big "COMPANY X DROPS THE BALL" on the cover. All this was in '99. Well before big corporations started suing the messengers.
    Fun times!
