Wednesday, August 29, 2007

1&1 - Customer service and customer responsibility that lowers the bar to new depths

Sites get hacked all the time. When it happens it's a disaster. You need to do two things quickly: 1. Get the site back up and running. 2. Determine how the hacker got in and block the entry point.

If you need files to be restored you need the assistance of the server admin and fast. If you need to determine access points you need the assistance of the server admin.

Ok, with 1 & 1 you can forget that. The technical support is in India. They work off a screen. You could teach a 6 year old to prattle what they read. The server admin is in Germany. Not quite sure what he is doing.

To cut a long story short in July we had a hack attack. I reviewed the log files and I could see that the FTP ID used came from a former coder based in Eastern Europe. Thing is the moment we cut him loose we changed all passwords, deleted his FTP ID and made sure there were no loose ends.

Ok, according to the log files (and they are plain enough to see) he got in through his old and deleted FTP ID on the 1&1 servers.

The fact that it took more than a week to restore the deleted files is a subject we shall address later, mainly because the very memory of the tense and extremely angry hours (yep hours!) I spent on the phone listening to the Indian Tech support team read off a screen brings back the kind of ire that starts small wars, so for now I am cooling off.

The more interesting question is how the hack attack happened in the first place. 1&1 like to cover their ass. The first thing they ask you to do is forward the log files which chart who logged on your server and how, to their legal department. They do nothing that you can see to speed anything up.

Then their Tech team waits and waits and eventually you get back a canned reply (yep, they are HUGE on them) about how server security is your responsibility and you have a security breach in your company because someone used the master account to log in.

That in itself would be a serious allegation and one a worried, stressed out customer is not likely to appreciate even if it were true. You notice here I said the coder was based in Eastern Europe (which I let them know about) which means remote access only, therefore no access to any paperwork or physical contact with our PCs, no way to compromise our security and no Trojans either as we scan our PCs daily.

It went back and forth a few times, each time with me detailing what I just said in no uncertain terms (I have stopped trying to be professional with this outfit).

The reply comes back just yesterday (quality work takes time!):

I do not believe that your account was compromised through a security
flaw in our systems. I have already escalated a case to the
administrators in Germany and they replied that this user attempted to
login and failed. Maintaining your security is your responsibility, it
is our company policy that if you get hacked by something you did you
have to deal with it. I monitor the log files of the shared hosting
accounts on occasion, but dealing with this is your responsibility.


--
Sincerely,
Michael Lazin
Customer Compliance Operative
1&1 Internet Inc.

Yep! Exactly. Obviously Michael also decided to not bother being professional with me - no 'Dear Customer', no niceties and no canned reply, which is probably why he could not be professional.

So you see he says that his counterpart in Germany tells him the FTP ID in question attempted to login and failed. I have to deal with the hacker. Ok, that's what I am doing but the point is on our end we did everything humanly possible to make sure that nothing like this happened. We changed master account passwords (the coder never had them in the first place), we changed FTP details, we deleted his FTP ID; we did everything, in short, except what we should have done, and did after we got hacked, which was change hosting provider.

If the 'hole' in our defences had been through scripts we were implementing in our dynamic websites those holes would still remain in the new hosting service. We are monitoring it and they are not there.

It was Sherlock Holmes who said that after you discount the impossible whatever remains however improbable must be true. Ok, incredibly enough using this deduction we reach the conclusion that one and one are crap!

No, seriously now, the only thing that was required to guarantee the security of our site was a change in hosting providers. We have been dealing with sites and site security for about seven years so we know a few things so Michael's assurance that he occasionally checks the log files is good enough for us to speed up our efforts in transferring the few remaining sites we have with 1&1 off them!

2 comments:

Anonymous said...

I was very pleased to find this great site. I want to thank you for one's time just for this wonderful read!!

I definitely loved every part of it and I also have you saved to fav to look at new things on your blog.

Anonymous said...

The information was very helpful for me. I've bookmarked this post. Please share more information about this. Thanks