FTP Site Hackers

@ Andy King

Is that the same chinese chap we have knocking on all of our FTP servers every weekend as well?

If your Chinese hacker uses the same list of 2300 passwords. Tries obvious usernames like "Administrator" and English First Names. Turns up most of the weekend, every weekend, with the same list... Sounds like the same guy. :)

Obviously these are my logs from the FTP site run on the end of the ADSL line supplied by Fasthosts. Gawd only knows what is going on on the Fasthost hosted website.

I just find these hackers funny... and means I earn my wage. For reading a log file. :)

Are We Being Compensated??

I got the very email off them telling me to change my passwords, what I want to know is I pay for a service am i gonna be compensated for this inconvienience and the fact my info was and could be put in the wrong hands!

Possibly the dumbest comment ever posted here {and that saying summit}

i quote

"By Dom

Posted Thursday 18th October 2007 16:37 GMT

I've yet to see anybody come up with any good reason why passwords need changing on a regular basis. They're either secure or not. The more often people change them the more likely they are to write it down somewhere or pick a weak one."

err. obviously you change your passwords to offset the possibility of brute force trial and error succeeding.

simply put if your password never changes a brute force attack will succeed regardless of the time it takes between each attempt.

if you change it regularilly trying every possible combination sequentially will likely fail as by the time they get near the correct passowrd the current one may be one they tried x amount of time ago thus will never try again.

obviously the time between changing passwords depends on the time allowed between successive attempts, for most of my systems 3 unsucssessfull events allows no more to be attempted for an hour then 2 then 4 etc. with an e-mail dispached to user with details of who to contact for recovery and the ip involved in the attempt {so they can just add it to the blocked/remove it from the allowed} list if its not themselves

thus brute force would take a long time to get through any reasonable number of attempts

for web based logins 3 failed {no time limit between} attempts causes a capcha to be involved for all subsequent attempts {with the same e-mail to user} for the same reason to help foil brute force.

BTW reg folks how about like most of these fora, allowing openid instead of us now having another id/password to have to keep track of as its so much easier than having to keep track of all these id's passwords for sites still using older methods to track users, or is it because using older methods allows you to compile our e-mails to a list for later spamming^H^H^H^H^H marketing purposes

Credit card info safe? No assurances of this being the case.... Cancelled all cards...

Not a big customer with Fasthosts by any means but the complete lack of assurances that the credit card details were not accessed and so on really worries me.

So much I've cancelled my current card and getting a new one sent right out. Also cancelling with Fasthosts, it's too amateur feeling now and I've got a couple of clients to keep happy. Nothing is risk free but not everyone one is as stupid as fasthosts...

Farcehost

"... gained access to some of our internal systems via network connections. This security breach was only possible because of a security vulnerability which was forced illegally."

So Fasthosts were only protected themselves against the legal security vulnerability I presume?

Anyone out there still using Fasthost I suggest you move quickly. This isn't the first time as we all know, and it won't be the last time that they shoot themselves in the foot. Best to part company and let it be their problem and not yours.

Farcehosts

Any company that runs its entire web hosting platform on Windows is obviously staffed by people so muppetty that they will also store passwords on the system unencrypted.

Farcehosts have a long history of lying to their customers and in the face of a major security breach they are acting true to form.

@Smell My Finger - yes, web hosts oversell their capacity, and hundreds of sites on a box is not unusual. Depends on how much traffic each site is getting as to whether it's a problem. The problem with Fasthosts is that they offer 'unlimited' reseller accounts with 'unlimited' bandwidth and disk space. Therefore they are basically not in control of the load on their platform.

Lack of confidence

Fasthosts are not inspiring me with any confidence in their security practices at the moment.

Their login page boasts "Secure Login" yet sends login details in plain text (no HTTPS).

And the password reminder page says... "Quick tip: Once you have logged in, why not update your password to a more memorable word?"

Nice to see them encouraging people to choose nice easy to remember passwords and don't worry about them being dictionary cracked because somebody's probably already read it in plain text out of our database!

Brilliant.

Ecrypting Passwords

Somewhere I worked was, for a while before they became lucicrously uncompetitive, a Tiscali reseller.

I could log in (and I bet I still could) and view every username/password combo for every DSL line we sold. Tiscali (at least as a reseller) doesn't encrypt.

I've spent enough time talking to support on innumerable customer sites to know that for damn near any DSL line you can ring up, do a DPA check, and get the password - it's not reset to a known value as it might be for a website.

Do FH present to much risk to your customers?

The commodity service that is delivered vs. the costs and risks presented to our customers appears to suggest that there is space for a hosting company providing service, support and flexibility. My experience is that FH are failing in all these respects and I suspect it won't get much better. Has the balance of power shifted to the accountants an do you want to subsisdise them sorting this mess out. More research on the alternative OR split your hosting and aggregate the risk....

Not only but also

Since many people use the same username and password for many sites, there's a good chance that the perps now have thousands of PayPal and eBay username/passwords too.

Passwords..I'd worry more about your creditcards

Ok this was about 2 years ago but Fasthosts also stored at this point the CC details all in plain text which all the staff could see.

Data protection act?

Well I had a fast hosts dedicated server for about a month in 2002. I quickly got rid of it as it was there own version of linux, quite old and would not run standard software. I've not done any business with them since.

To my surprise I got an email about this problem today.

I'm sure the data protection act has something to say about keeping account details for that long. I'm also sure I've asked them to remove me in response to past mailings.

Transferring to easyspace - must be mad - from my experience there is regular down time and they charge you for transferring domains away - which is always the first thing I check these days as its a sign of a host who wants it make it difficult for you to leave.

based on stats from ippatrol.com my friends web site (few pages, basic html) had 157 outages in 2006 (42.5 hours) and 261 so far this year (48.5 hours).

Be worried about card details, i am and 'might' have been stung!

Only two weeks ago someone fraudulently used my debit card to the sum of just over £1.5k. Until yesterday i had been trying to think how they got my details as i still have the card, don't use online, don't use in the shops, don't use it anywhere. Then it clicked, the only time i've used this card (this is a transfer account for me!) is to renew my domains with ukreg and the card details are stored within my control panel. I cannot prove it yet, but this is my only possible answer to the fraud and would urge everyone to consider speaking to your bank. I've spoken to fasthosts/ukreg about this, but they refuse to comment as its an 'ongoing police investigate' and all they said was they 'dont think' credit card details are at risk, but working on the basis that they use to (may still do) hold cc details in plain text format i have my doubts and will be considering legal action, as i'm still out of pocket for £1.5k!!!

Non Secure

Interestingly the ukreg login is on a secure site unlike the fasthosts one.

Any site that shows a padlock on the page should be avoided anyway. Always make me double check the security since I got caught out by a site that claimed to be secure but wasn't.

It sent me and the hotel an plain text email booking confirmation with all my visa card details displayed in full.

The site made all sorts of excuses, which were clearly lies as they still haven't secured it despite saying it would be done and they were just waiting an ssl certificate. I did manage to get Commodo to jump on them for displaying their logo but Visa were not interested.

Funny that...

...how there's suddenly a "Remember to change your passwords regularly!" box on the Fasthosts control panel, yet still no mention on the Fasthosts site regarding this. The Fasthosts blog url now also redirects you to the main page.

Between the control panel that doesn't work half the time and the crap customer service, well the crap service full stop, I'm pretty fed up with them. There is nothing quite like showing off your wonderful new website to a client and it constantly hanging halfway through a simple script to make you look like a cowboy.

I would love to be able to say that I shall be taking my business elsewhere, I really would, but that is sadly not the case. I think I'm going to be very stiff come billing time, thanks to the massive shafting I'll be getting.

Credit card details!

They "don't think" credit card details are at risk... I think there should have been a full stop after "don't think" - what a load of tossers!

if you move from fasthosts...

do not under any circumstances go to 123-reg - they have totally lost it ...was great once upon a time...you COULD speak to someone (at a silly call rate but you could get a human) now its email support only and DNS outages are getting silly... where to go now with my 200 + domains though? was gonna go to fasthosts! any recommendations? need control panel and advanced A TXT and CNAME DNS control...

How to create strong, MEMORABLE, passwords

Bl**dy fasthosts! I've got hundreds of passwords to change now! Off the back of this I've made a little tool which automates creating strong memorable passwords. Some of you might find it useful - if you don't, sorry, I didn't mean to spam.

60k download - http://www.davenicoll.com/downloads/ptolemy.zip (requires .net framework)

Reseller Support Forums

"The Forums are unavailable at this time."

WTF !?!?

I've had enough of this. I can still remember they were down for 3 days or so with some hard drive f**k up and the previous credit card fraud problems.

BYE BYE Fasthosts

Not just fasthosts

(Posted anon for obvious reasons)

I have an Egg Card - and you manage that account on-line.

Those account passwords are not hashed - I had forgotton my password and on phoning up, and after answering some security questions they just told me my password.

This, I feel is much more an issue.

Jeeeeeeeez....

"Any company that runs its entire web hosting platform on Windows is obviously staffed by people so muppetty that they will also store passwords on the system unencrypted."

Doesn't take long for the 'freetards' to creep out of the woodwork. I work for a shared hoster, we run hundreds of windows and loonix boxes and there's certainly not a skills problem in either area. The problem tends to be with the personal hygene and interpersonal skills of the spotty lunix know-it-alls who turn up to interviews, diss windows and then blabber pish when asked what actual experience they've had in managing and securing large scale hosting environments, be it windows or unix. I've met just as many idiot loonix know-it-all's as I have incompetent windows admins and IT staff in general, so get back to yer bedroom in mummys house and install another pointless distro.

Peace and Love.

The Fake Anonymous Coward

@"Possibly the dumbest comment ever posted here", which is dumb

"obviously you change your passwords to offset the possibility of brute force trial and error succeeding. (...) simply put if your password never changes a brute force attack will succeed regardless of the time it takes between each attempt."

You are dead wrong, but I'm too bored to explain why and it's 0700 on Saturday, too. Just consider that "brute force attack" will rarely be done at the "front door" but on a stolen file of N hashed passwords. A brute-force guessing run over that file will take less time than the average interval between changing passwords. Also look up "Rainbow Attack". The one problematic situation that "changing passwords frequently" mitigates is the case where your password is sniffed on the wire (not unlikely), then put into a database but left unused for significant amounts of time.

As "Daniel" says:

"The old advice on changing your password is mostly due to old circumstances. In the good (bad) old days, hundreds if not thousands of users would share access on a system, and frequently, those users were not trusted users (i.e., university systems)."

Thank you kind Sir for finally providing an explanation of the persistent "must change password regularly". One Free Internet for you.

Damn it...

Small-scale web developer seeks recommendations on new linux hosting provider for small projects. Must provide php5 and mySQL. Must not charge for data overusage.Must not store passwords in plaintext.

Central authentication does NOT require plaintext!!!!!!!

Centrally stored password systems do NOT need to be unencrypted. I have implemented NIS, NIS+, kerberos, and LDAP (line encrypted with SSL) authentication systems. I have authenticated RADIUS servers against LDAP. I have ran POP, IMAP, HTTP auth, etc. authenticated against NIS+ and LDAP. Not ONCE did I store unencrypted user passwords.

If you store plaintext user passwords just because you need central authentication services, you don't know what you're doing. If you're passing yourself off as a Sr. level admin, you should be hauled in for fraud.

-daniel

FTP and email standards

FTP passwords are always sent in the clear. It's in the standard. Most large ISPs use FTP by default and few have secure alternatives. Most consumers tend to use and rely on passwords being sent in the clear. There is nothing wrong with passwords being in the clear if you trust the networks between the two endpoints.

Fasthosts mentioned a network intrusion so someone was probably sniffing packets and collecting passwords. You can see how easy this is by loading up something like Etherreal on your own computer and having a look at the packets going in and out of your computer. I am sure that around 95% of the readers here (if they look hard enough) will see their passwords coming and going in the clear.

At Keen Computers we don't allow our hosting customers to have FTP accounts. Customers have to use secure FTP instead. This involves the use of certificates and software like WinSCP. We have been using this technology for more than three years now. It adds to our support costs, but it increases security. We also force the use of HTTPS for the control panels - more certificates.

We have recently implemented secure email and are testing this with a small number of users. It has taken us hundreds of hours of testing to get to this point. This again requires yet more certificates and greater customer support and education which is expensive. So I am guessing that it will take a year or two for us to migrate all of our customers onto secure email.

Fasthosts is not necessarily the company to blame here. Some of the fault lies with Microsoft and the other developers of the software in use at Fasthosts. (With windows web server 2003 for instance, only basic FTP is available and additional software has to be purchased and/or installed into the servers to add the security.)

The hosting market is very competitive and profits are almost non-existent so customers get what they want. End users want to use FTP because almost all the relevant end user applications use or support FTP. This is why web companies are still using old fashioned protocols like FTP. If the large ISPs stopped using FTP they would loose 50% of their customers overnight and would have to spend millions on support - they cannot afford either of these options.

Fasthosts are correct to say that unencrypted passwords are standard / normal etc - they will be until everyone stops using FTP. Perhaps this incident will help move the industry towards secure FTP. (Microsoft have a good opportunity to change things because they have a new server operating system in beta.)

I am not naive enough to think we are totally secure at Keen Computers because at any time, I am aware of half a dozen or more weaknesses in the security of our systems (and hence the security of every other hosting company too.) Finding an ideal solution to them is not yet possible, too expensive or just not practicable. The security experts around the world are constantly working on the problems and discussing new ideas though. Eventually, new solutions are formulated, new applications are developed, new procedures are laid out and new standards agreed upon - and so every now and again we have the ability to raise our security to a higher level.

The number and types of threats against all of us are increasing all the time. Every single computer in existence at the moment is insecure - it's just that we don't always know how they are insecure or we don't want to pay the additional costs. The safest form of hosting would be a managed dedicated server - but they cost around £50 per month. Most people though will take the risk, save the planet and go for shared hosting instead.

A lot of the security problems today are all about trust - hence the certificates with everything to define who and what can we trust. Things get very political very quickly and anyone too paranoid ends up trusting nobody. We have to trust the suppliers, the developers, Microsoft, the network engineers, the sysadmins and even the users - but at the same time we have to keep up the pressure and encourage them to do better. In the past, there was too much trust, malware didn't exist and we all thought every program could be trusted to play by the rules - those days are long gone.

Anthony Knee

CTO, Keen Computers

Unreal!

We started transferring our 2000+ domains from Farcehosts to another host earlier this year but still have 1000+ left.

It's going to be a long, long week as we finally say GTF to FH.

Can't recommend http://www.site5.com/in.php?id=43896 enough for hosting.

New internal security procedures

They just asked me to tell them my password so they can help with a problem I'm having. That's always a bad sign. It makes more sense now that I hear passwords were being stored in plaintext before. How did you hear of this? I just got the email but they were not forthcoming with an explanation. What a joke. If they've just had a security audit how can they be sending out emails asking for your password?

Another security issue they have is that they only run an old version of PHP on shared hosts. PHP5 is needed for the latest version of most applications with the best security. For example, mediawiki (as used to run wikipedia) doesn't support turing testing of new registertrants unless you upgrade to version 1.6 which needs PHP5 to run. Its not like PHP5 is a new product. Still if they're having this kind of problem with internal security no wonder they don't care much for customer security.

A very good reason not to encrypt passwords...

Resetting a password is all fair and good.. except remember that they are hosting servers - maybe dedicated ones.

If a client forgets his root password, what to you do? Send an engineer out to the server room, find the server, reboot init=/bin/bash, remount the root filesystem RW and reset the root pw ? or just start by resending the PW used to setup the system in the first place (90% of users have not reset their default password anyway...).

If they have lost their PW after resetting it, you can order a system "remote rescue reboot" by some hosting companies that can get you up and running, but not all servers are run by a half-decent sysadmin.

The final solution is a re-image, losing all your databases, website (backup? What's a backup?)

In the interest of customer security, having a password accessible is good...

But why was the password list not secured itself (ie. an encrypted document or data, descrambled with a master password), thus needing not only access, but also knowledge of that password to view...