HACKED! Trials of self hosting


Okay folks, for the last two days (April-May 2012) my domain www.sumitmaitra.com was hacked and was showing a hackers’ page! As soon as I found out, I redirected my domain to this blog instead of the hacked name servers of dotnet-host.

Before I go into lessons learnt, if you are still having trouble with the hacked site content, try to log in to your panel at http://panel.dotnet-host.com/ (Update: August 3, 2013 this is not valid anymore, sorry). The forgot password was also working till yesterday.

Delete all the Index.php, Index.chm, Default.asp, Default.html, Index.html and Index.chm files. These were injected by the hacker. I tried it, but before I could see the results my name server change kicked in, so I can’t vouch that it works, but most people have been able to restore their sites by deleting these files recursively off every folder.
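
Before deleting anything, it helps to list what looks injected. The following is an added example, not part of the original post: it assumes you have a local copy of the site and that the planted page is byte-identical in every folder, and the function names and sample tree are hypothetical.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Default-document names listed in the post (matched case-insensitively).
SUSPECT_NAMES = {"index.php", "index.chm", "default.asp", "default.html", "index.html"}


def find_injected_candidates(root, min_dirs=2):
    """Group suspect-named files by SHA-256 and return {digest: [paths]} for
    content that appears in at least `min_dirs` different directories."""
    by_digest = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SUSPECT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            by_digest[digest].append(path)
    return {
        d: sorted(paths)
        for d, paths in by_digest.items()
        if len({os.path.dirname(p) for p in paths}) >= min_dirs
    }


def build_sample_site(root):
    """Constructed sample tree: one legitimate page plus the same planted page in three folders."""
    planted = b"<html>constructed placeholder for the injected page</html>"
    for sub in ("", "blog", os.path.join("blog", "img")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "Index.html"), "wb") as fh:
            fh.write(planted)
    with open(os.path.join(root, "Default.asp"), "wb") as fh:
        fh.write(b"<% Response.Redirect \"https://example.invalid/\" %>")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for digest, paths in find_injected_candidates(build_sample_site(tmp)).items():
            print(digest[:12], len(paths), "copies")
            for p in paths:
                print("   ", p)
```

The script only reports; review each group against a known-good backup before removing files.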

Multiple lessons learnt

1. For all my love for Scott Hanselman, I should set the default home page of my favorite browser to my site. Sorry Scott, nothing personal, you are still my fav tech blogger! Basically keep an eye on your site. I dropped the ball for two full days (facepalm).

2. When a hosting provider is giving a deal that’s too good to be true, it might just be so! I think I was paying $4 per month. It was an awesome deal and I paid for the whole year in advance! Doesn’t look like my provider will last till the end of the year! Next time on, I am trying out a provider for a month before I put more money into them. There were some feelers I got about the amateurish-ness of http://www.dotnet-host.com but hey it was a suggested site from www.asp.net so I just went with it. I think dotnet-host cancelled monthly subscriptions but I don’t think anyone heard of reversal of yearly subscriptions pro-rated!

3. Things to look out for

– Are they sending you passwords in plain text?

I cringed when they sent me the password in plain-text via email, but by then I had paid them for the year, so thought heck go with it. Didn’t work out well.

– Do they have a good admin console?

Their admin console was very amateurish, functional but amateurish. GoDaddy.com on the other hand is an overdone pile of junk! Need something in the middle, but better be on the overdone side than underdone and amateurish.

– SQL Server access

Their SQL Server access gave me access through Management Studio. Though an awesome feature, this is one less layer of security. So be warned. However, if you are able to see every other database on the server then your alarm bells should be ringing loud and jangling!!! I had a screen shot of this and I wanted to send it to them but never did! My bad, if you see something like that, raise hell!

4. If you are doing any serious hosting, don’t be cheap; look around and be safe. I wanted a place to host my .net code and play around. My home page was actually a pass-through to this blog. In other words it was non-critical hosting. I probably lost some SEO points and looked silly to people who visited my URL in the last two days (sorry folks from LinkedIn). My sample apps on a subdomain are still working. Now I gotta find a new provider and move them.

UPDATE:

5. Having domain registrars different from hosting providers helps! Make it a policy if you can.

In case of the dotnet-host fiasco, my domain registrar was different from dotnet-host so I was quickly able to change the name server and forward my domain to this blog through my domain registrar (took about an hour to propagate).

6. If the hosting provider is so thoroughly hacked rest assured your credit-card info and passwords are NOT safe anymore. Take precautions as required.

That was my first ‘getting hacked’ experience, not a nice feeling!

Stay alert and stay safe folks!

UPDATE (August 2, 2013):

Removed dead links from above.


8 thoughts on “HACKED! Trials of self hosting”

  1. I feel your pain, I am a customer of theirs too. I was able to delete the files that the hacker created and the rest of my files were fine, and my sites are back up. I had a couple sites that had a ton of sub folders so I created a script to delete the files the hackers made.

    You can create a file named deletehackedfiles.asp in your wwwroot folder and add the below code to the file and run it from your web browser.

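    <%
    ' The top of this script was stripped when the comment was posted. The lines
    ' down to the start of the "if" test are reconstructed from the description
    ' below and are an assumption, not the commenter's original text.
    set fso = Server.CreateObject("Scripting.FileSystemObject")
    call deleteLckFiles(fso.GetFolder(Server.MapPath(".")))

    sub deleteLckFiles(folder)
    ' Delete files with "default" or "index" in the name that are exactly 5606 bytes
    for each file in folder.Files
    if (instr(file.name,"default") > 0 or instr(file.name,"index") > 0) and file.size = 5606 then
    response.Write(file.path & " | " & file.size & " ")
    response.Flush()
    file.delete()
    end if
    Next

    ' Recurse into every subfolder
    set foldercollection = folder.SubFolders
    for each folder in foldercollection
    call deleteLckFiles(folder)
    next
    end sub
    %>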

    This loops through the folders and deletes files that have index or default in their name and are 5606 bytes long.

    I recommend backing up your files before and after you run this.

    Hope this helps.

    good luck

  2. For some reason it (wordpress) deleted the top part of my code. If you want it email me.

  3. Sumit says:

    Thanks Eric, you can send it to me at sumitkm(dot)dev(at)gmail(dot)com. I will update the blog.

    I managed to log in to their panel and take a backup of the database that was being used primarily in my site. As of now I don’t see a point in continuing to host anything there.

    Fortunately I can afford the downtime but quite a few cannot.

    It will be interesting to know if the people who got subscription cancellation notices got it before the hacking or after the hacking. I am more interested to know why was the service abandoned like this? Was the hacking incident so brutal? Or was it that soon after the service was abandoned, the hackers took over!!!

  4. Hi, we too were customers of dotnet-host. I have been following this thread in regards to the hack since it seems it is the only one http://www.webhostingtalk.com/showthread.php?t=1150820

    Apparently, dotnet-host is a reseller of Enom.com
    http://www.enom.com/help/reseller_lookup.asp

    If you try looking for your domain there it will show that dotnet-host is the reseller. I tried other domain names hosted on other places (1and1.com) and it did not find those domains in their system. So, this shows me that Enom is the parent seller for dotnet-host.

    I am going to contact Enom tomorrow and hopefully I can get the authorization code I need in order to have the domain transferred to 1and1.com

    Do you have any luck finding your authorization code? I did not see it in the control panel. It might have been my oversight.

    • Visu says:

      Hello Mr.David,

      Did you have any luck with getting the authorization code from enom? I am in the same situation as you.

      Thank you in advance
      Visu

  5. Jeff Lei says:

    My personal blog is hosted in dotnet-host too and my domain name won’t even show up the hacked pages… it shows a Server take too long to respond… I tried to (backup) delete the whole folder but same error shows up. I am still within the 60 days limitation period that I cannot transfer my domain name away….yet….. 😦
