As you guys no doubt saw, i havnt posted in a bit and then the blog got stuck on the default. Well essentially i have shifted hosts. Below is a copy from a post that i wrote on a forum regarding this. But it belongs here aswell. Do note that the website that i had issues with below, is not this one. And the webhost in question is lacehost.com So anyway here we go :
——-
Yesterday i awoke to find that one of my largest Whitehat sites was in a disarray. Alot of content was missing or atleast not where it should be. As it turned out, from what i could see, that somehow an old backup of my database had been pushed onto my account. However no files were touched. Just the database.
I got in touch with the support desk immediately. And it took about 3 hours of back and forth of the technician doing nothing. Eventually Ishan (Owner of Lacehost), came online and started doing stuff immediately. Which tbh is typical of lacehost. I think the service desk guys are just there to waste your time until you can get ahold of the owner. Anyway Ishan advised me he was going to push the backup they had and then we should be sweet. Cool.
Well not so cool. It turns out (Or this is what he told me), that my site got messed up the night before, and then AFTER it got messed BOTH the daily AND weekly backups got taken. So essentially the backups he had were of my messed site. Bugger.
So anyway he flies off again and says he has to go, but the service desk guy will give me an update when he can. Well no shit, 10-11 hours after the original ticket Ishan came back online. And still nothing had been done. The service desk guy said he was waiting for the onsite technician to see if he had backups or something along those lines. But like i say, i think he was just wasting my time till Ishan came back online. Because 5 minutes before Ishan came online, the service desk guy said we were still waiting to head back from the onsite technician. Then as soon as Ishan comes online (5 Minutes later), he says the technician replied. Its just too much of a coincidence in my mind, that ive waited 11+ hours now for this onsite technician, and when the owner gets online suddently he has replied. (And no Ishan is not the onsite technician). Anyway, he told me on MSN to check the ticket as he had replied.
His reply was :
I am extremely sorry about the delay. From what our on-site technician is telling us, it looks like there has been some malicious activity in your account.
The IP address has been found & it leads to Sao Paulo in brazil. 189.15.54.238
The technician says that the hacker started removing entries from your posts table starting from the newest. This was done before yesterday’s backups & thus the backup also got compromised. As I told you earlier, weekly backup & daily backup will be the same if they happen on the same day, & yes they did happen yesterday.
The only way now is too see if any old backup of your database is left which is newer than May 26th . That is what the technician is currently working on, manually.
Please bear with us till we try to resolve this.
The hack/compromise was not server-wide, as you see that no other account of yours on this server is affected. I would suggest changing passwords immediately & upgrading any script that you use in the account.
Now. This is where it gets really weird. There is no way this happened. I checked my raw logs for my site. Now they wont show the MYSQL logins etc, but they will show if that person even came onto the site (I would think so if they were going to delete shit, they want to see what they deleted etc).
Also there is another problem. The script i am running is completely custom , but when i had it developed. It was developed by a friend of mine. And he put an out of this world password on the admin panel for the CMS he made. Well anyway i had changed the password since then. But with the database changes reverted back, the password had been changed back to what it was originally. So you see there is no way that a “hacker” deleted rows, because he would have also had to known my old password, and just for the lulz hashed it and entered it into the database.
Not only that, but content we had since taken OFF the site, was back on. So the hacker would have had to also ADD content. So yeah complete BS.
So i replied to the ticket with this, and told Ishan to read it. Then he started to go on like a broken record, he said to me “Well you tell me how this happened”. I mean i dont know how it happened but it happened, and it is a database import of an old database i was running at the end of may. There is NO other way this could have happened other then someone pushing an old backup.
I certainly didnt do it, i was asleep. My developer didnt do it either, and i find it unlikely he had a backup of the database AFTER he made the site for me. I have had him busy on other projects.
Here is the chatlog portion :
(11:17 p.m.) Lace Host:
& our php guy can check for any security loopholes
in the script
(11:18 p.m.) Wade ~:
No there is no loopholes
As far as i know
Even with my limited php knowledge
That there is no php loophole
(11:18 p.m.) Wade ~:
That a hacker can install a database backup from 2 months ago
Correct me if i am wrong
Could be here
But at a stretch
I would think thats impossible
(11:18 p.m.) Lace Host:
yes, there is no way he can do that
(11:18 p.m.) Lace Host:
unless he has a copy of the backup
(11:19 p.m.) Wade ~:
Haha man. I am seriously laughing at the stupidity of this whole thing
Look man
No hacker has a copy of my database
Anyway, this incident was only a long string of incidents. They have issues with DDoS attacks because they also host content that i guess people dont like all too much. So i told him enough was enough, and i was going to salvage what i could and move hosts because i couldnt live like this. And could if he could get back to me HOW this happened that would be awesome.
No shit, he said to me, That he will NOT get back to me, unless i buy another months worth of hosting. I was like… what.. the…hell. I still have several days left on this months hosting. So i told him that that was bullshit as i pay a month in advance and something happened on HIS end. Just to clear some of this up, here is a chatlog portion :
(12:26 a.m.) Wade ~: And you are basically saying
That if i stay with you
You will look into it
But if i cancel at the end of this month
You wont
(12:27 a.m.) Lace Host: yes, that is correct, if you are going to help us investigate, then yes we will look into it, if you are just going to threaten with bad reviews & abuse us, then no, we are not
(12:27 a.m.) Wade ~: I will help you look into it
(12:27 a.m.) Wade ~: But i am not staying with you guys
And thats it
Ive got nothing to lose at the moment
(12:28 a.m.) Lace Host: then we cant really help you,
Anyway, what i THINK happened is this. The day BEFORE, i cancelled a request on another one of my hosting accounts there. Not this one. I suspected they had deleted this account by accident then tried to fix up their mess. I didnt say ANYTHING about this to him, but out of the blue he came out and said this.
(11:22 p.m.) Lace Host: & what should I say ? I went & removed your account & then restored your old account ?
When it was all said and done. He acted like a 12 year old kid. After i said i was leaving regardless. He said he was going to “ToS” me out anyway for swearing at support staff. Which i did use Sh** and F*** with them (With the stars), because i was so pissed at waiting a whole day for something so simple. (Since this original posting he has come back to me with examples of where i used the “f word”. But to be frank, the support staff were being absolutely useless, and i didnt insult them in anyway, I said, and i quote “FOR FUCKS SAKE”, not to mention that isnt really the issue here).
And then AFTER that, he started saying giving me more offers about guranteed uptime. It was like talking to a mad man. One minute he is telling me he is going to boot me anyway, next he is like “No stay, i will gurantee you 99.9% uptime”.
Conclusion :
- Lacehost has had terrible uptime for me. Not so much in the frequency, but when it goes down you have to deal with absolute morons on the helpdesk that just bide their time. As you can see i waited almost 11+ hours for a response.
- Somehow an old version of my database got pushed onto my account, and he wont tell me why.
- They made up some story about a brazilian hacker deleting rows. Which is 100% false and made up.
- They refuse to tell me what happened to my database unless i sign up with them for another month.
I’m with Lacehost coz they’re well cheap, but ya u get what u pay for. So what host are you with now? I’m thinking of changing too, but can’t find any that are as cheap as Lacehost.
Im actually now with hostgator. I used to be against joining any large hosting company because your just another number. But to be honest, i wish i had switched sooner. The fact that i now have 24/7 LIVE support is amazing. I had a few issues switching some of my other websites over, and i got an answer and a fix immediately. It is a little more expensive, but if you have quite a few websites, get their medium package and you can pile a few domains onto one account.
Im now also with Lacehost,sometimes there is a problem about subdomain accessing.OMG,offen.for example: sub.domain.com couldnt access!!!
Yer Hostgator rly is as good as everyone says it is, I used to be with them. But for me, with only two websites, it’s not worth switching back to them just yet. I don’t mind paying $1 a month for a service that just about works. Glad u got it all sorted.
@ rexsky: search around m8, you probably won’t find a host as cheap as lacehost, but you will find a ton with better support and reliability.