

HostNine Server Hacked... Won't Respond to Restoration Requests




Posted by signature16, 08-29-2009, 10:16 PM
I have a reseller account on Host Nine and the server where my sites are hosted was recently hacked by "iSKORPiTX". All of my index pages have been replaced by "hacked by iSKORPiTX".

Apparently this was caused by a security breach in WHM/cPanel.

This was four days ago. I've called support, emailed support, emailed managers and they absolutely will not give me an estimated time on when my stuff will be back up. If there isn't a backup, then I need to know, but they won't tell me. My sites still all say "hacked by iSKORPiTX" and the people who are hosted under me are obviously really pissed off. HostNine continually refers me to their forums which say nothing of importance or they simply ignore me.


Is this a normal response for a hosting company?




http://www.hostnine.com/hosting-foru...rn-issues.html

Posted by net, 08-29-2009, 10:35 PM
Security breach in WHM/cPanel? Or do you mean someone was able to guess the password of your cPanel account? Or probably their server is not secured properly?

Posted by signature16, 08-29-2009, 11:05 PM
Does anybody know if they would be financially liable for this mess? I have to deal with this crap and they won't get back to me, so I don't know what to tell my customers hosted under me. It's not like I'm losing the world, but it could be very costly if I have to rebuild sites.

Posted by Nick H, 08-30-2009, 12:21 AM
Hello,

The last update I've had was that we were having issues with our R1Soft backups but were investigating that.

The only thing affected was the index.php file on your website. If you have your own backups (which we always recommend all our customers keep) you can just restore that 1 file and you'd be all set.

If you're using common software like vBulletin, Joomla, etc., you can just reupload your index.php file from those products.

Otherwise we ask that you please continue to wait patiently until we can investigate the issue with our backup system.

Posted by Ben_G, 08-30-2009, 01:26 PM
What is the ticket id related to your restore request?

Posted by signature16, 08-30-2009, 01:47 PM
My ticket ID is irrelevant. After FIVE DAYS you can't tell me if my stuff will be restored or not. I'm not asking for a miracle, I'm asking for an update on what's going on. If there is no backup, then I need to figure **** out on my own. If there is a backup, fantastic, restore it.

I just CAN'T understand why there is such a lack of communication. It makes everything 10 times more stressful for me.

Not to mention your 1-877-251-HOST number puts your customers on hold for hours and then nobody answers.

Again... Is this too much to ask?

Posted by Ben_G, 08-30-2009, 02:13 PM
I can understand your frustration. If you're having issues with the phones I will gladly look into that as we do not leave customers on hold for hours. As for the ticket number it is completely relevant as I need to know which account is yours in order for me to try and assist you with this.

Most of the index.php files were replicated over to the R1Soft backups, meaning our restores are the infected files. We're either having customers upload their copies or assisting them with reuploading an index.php for their software such as WordPress, Joomla, etc.

Posted by signature16, 08-30-2009, 02:26 PM
If the backup is infected and my site can't be restored, that's an entirely different problem that I will go ahead and deal with on my own.

What sucks is that you guys undoubtedly knew about this on day one and then pussyfooted around the problem. You couldn't straight up say that the files won't be restored and I need to deal with the problem on my own. I then spent 5 days beating around the bush with the 10 or so people hosted under me.

I can understand the server being hacked and all my stuff being screwed up. Stuff happens. The absolute failure of communication sucks on another level.

Update your forum post so your other customers don't have to stress out over a problem that won't be resolved.

Posted by jpetersen, 08-31-2009, 09:04 AM
hostnine,

In the thread on your forums about this incident titled "saturn issues" from 08-25-2009, 02:57 PM, the following is stated:

Quote:
"This appears to be a whm exploit causing this"

Having reported security issues to cPanel in the past myself, I am very familiar with the speed at which they work to address security issues. According to layer1.cpanel.net and changelog.cpanel.net, I'm not seeing an update of all the production trees (STABLE, RELEASE, CURRENT, and EDGE) for any security issues as of today, 6 days later.

My question to you is this: have you or have you not confirmed, with proof, the existence of a "whm exploit" and verified it with the vendor?

Thanks.


