For those using inexpensive hosting, the following notice was on the Internet Storm Center tonight. (http://isc.sans.org)


The dangers of shared web hosts (NEW)
Published: 2006-06-20,
Last Updated: 2006-06-20 01:05:26 UTC by Johannes Ullrich (Version: 1)

A reader alerted us today about yet another web server compromise, affecting a large number of domains. In this particular case, the server was hosted with iPowerWeb, a provider of low cost web space on shared servers.

Space on a shared server is ok for personal use. But you should think twice before using it for commercial, in particular business critical use. Your web sites security will depend on a few hundred other users on the same system doing the right thing. A bad php script on one virtual server could lead to a compromisse of all web sites hosted on the same system.

If you have to use a virtual host, try to follow these tips to make things "as secure as possible":

* Don't go with the lowest bidder. You still rely on the hosting company to maintain the server and there is not much maintenance that can be done for $1/month.
* Check references. Look at sites like zone-h.org for defacement history and netcraft.com for stats like uptime.
* Keep solid backups of your files on a local system!
* Avoid files and directories that are writeable by anybody but yourself. In particular, avoid files writable by the web server.
* Do not rely on any access control provided by php/perl/cgi scripts. Other users may bypass it with their own scripts.

If you are providing shared web space, try to follow these rules:

* know your customers. Avoid handing out accounts before billing details are validated. Try to verify credit card payments by phone.
* consider virtual systems (xen, vmware...). While not perfect, its a lot better then housing all users on the same system.
* chrooted user accounts can be almost as good as virtual hosts. But they can be hard to maintain, and they still use the same web server process which may cross over chrooted users.
* monitor user activity carefully.
* use a host based IDS to detect intrusions quickly.
* got backups?

I checked out this notice but couldn't find out what the compromise was or how the other domains were effected. CGIs and scripts etc should only have the privileges of that user, and a capped share of the CPU, so I would have thought the only risk would be having a domain on the same server being blasted with traffic. Am I being too optimistic?

I haven't had any problems with ipowerweb for the last couple of years, until about a month ago my site went down for about 2 days. mail, ftp, http - all dead. I scrambled to find out what had happened, but all I could get out of their customer service was canned responses and apologies.

For the last couple of days my site seems to be going down intermittently too - for about 2 hours at a time. In fact, it appears to be unreachable right now! (If anyone could try it, I would be grateful - http://www.lexaloffle.com). It's really bad timing, as I've just released new versions of my games and was getting some nice traffic.

<sigh>

In fact, it appears to be unreachable right now! (If anyone could try it, I would be grateful - http://www.lexaloffle.com). (http://www.lexaloffle.com).)


It opened very quickly for me without problems.

Regards,

Opened fine here. I posted this notice for educational & reference purposes. The cheapest isn't always the best, naturally. I've tried cheaper hosting (one was a very well known company) and found myself browsing around the server into everyone else's directories. Not a good thing at all and that was of my points for this post originally. (I was using my ftp client to transfer files to my site at the time I noticed everyone else's directories).
Hopefully, the post helps someone here. I know it reminded one developer to do his site backup.

I would be grateful - http://www.lexaloffle.com).


Opened fast! :)

Thanks for the sanity check. I checked my logs and couldn't see any noticeable dips, so I'll have to put it down to internet elves.

The cheapest isn't always the best, naturally. I've tried cheaper hosting (one was a very well known company) and found myself browsing around the server into everyone else's directories. Not a good thing at all and that was of my points for this post originally. (I was using my ftp client to transfer files to my site at the time I noticed everyone else's directories).

Wow, that's incredible. You're right - it doesn't pay to have so much faith in a host. The disappointing thing is that shared hosting should be efficient if it was just set up right. For $8/m I get way more bandwidth and diskspace than I need from ipowerweb (250Gb, 10Gb), but I would happily trade half of that just to know that the whole thing was administered properly.

I checked out this notice but couldn't find out what the compromise was or how the other domains were effected. CGIs and scripts etc should only have the privileges of that user, and a capped share of the CPU, so I would have thought the only risk would be having a domain on the same server being blasted with traffic. Am I being too optimistic?
Well, if there's a flaw in one script, a malicious user can use it to gain the ability to execute shell commands on the server. If the server has an unpatched vulnerability (in the OS, or some other running process), the cracker could use wget or somesuch to download an appropriate rootkit. If the rootkit works, they'd obviously have total control over all of the websites hosted on the machine.

Someone tried this on a server I was once using! Luckily the rootkit failed.