

Bluehost got hacked and responded pretty badly (by lying to their customers) - sucuri2
http://blog.sucuri.net/2010/06/bluehost-talks-down-malware-percentages.html

======
dotBen
Bluehost is a Mormon-owned and run web hosting operation, which I first
discovered when I tracerouted a site they host for a copyright issue and
noticed the servers were based in Salt Lake City (odd place for a colo, I
thought, so I did some digging).

Now, there's nothing wrong per se with a business owned by people of any
faith, creed or beliefs. But they are known to police and uphold their TOS
based on their beliefs - lax on some sites and harsh on others depending on
the constitution of the site - and to me that feels wrong and inappropriate in
a business environment.

It's long, but you can read more at
<http://news.lavenderliberal.com/2009/07/17/bluehost-vs-the-lesbians/> or just
google bluehost + mormon.

It's certainly fair to say that they don't operate from a neutral perspective
like I would expect all other web hosts to behave. I think they deserve to be
called out for it.

The point is, by hosting your stuff with a Mormon-operated outfit you have a
higher chance of being a target for hacking compared to a 'secular' (I want to
say 'normal' but that might be misconstrued as I'm not saying Mormons are not
normal) hosting company because there are many people out there who have
issues with the Mormon movement (like spending resource from their base in
Utah to push Prop 8 through here in California
<http://www.huffingtonpost.com/jonathan-kim/rethink-review-em8-the-mo_b_627147.html>).

Plus they host a lot of pro-mormon controversial stuff (see the first link)
which is going to upset a lot of people.

I would argue that most hackers who are not motivated by financial gain have
some bone or issue with the people they are attacking. I know, cos I used to
be one.

Back to hosting... if I was running a site, I think I'd just want to host with
a webhost that treated all of its clients normally and didn't bring
religion/politics/etc into its business practices and thus make myself a
target by association.

~~~
alttab
While you make an incredibly interesting point (especially considering _ALL_
of my freelanced clients are on Bluehost as it was cheap and fit their PHP
needs perfectly), I would be hesitant to pull the religion card on this one.

Not because it's not possible that a disgruntled anti-Mormon hacker targeted
them for an attack (you've made a good argument for that), but that once you
play that card, it's difficult to take it back.

_Ancillary Note: I doubt the one-off nature of the attack, and because of the
way Bluehost handled it I will no longer be using Bluehost, or its subsidiary
- Hostmonster.com, in the future.

If you guys are reading this - you just lost a lot of future customers._

~~~
dotBen
I think you raise a good point, and you are right one needs to be careful
about 'the religion card'.

However, when I perform analysis of a security incident I want to consider
both the technical means that were exploited and also an understanding of why
it took place in the first place.

Apart from worms/etc, most hack attacks involve human effort, time and skill
and so people don't do them without a strong motivation. It might be financial
but if it isn't then I want to get into the head of the attacker and
understand why.

In conclusion, all I'm saying is that if you are an innocent hostee on
Bluehost who is wondering why you got attacked, it might be because some anti-
mormon hackers decided to get into their shit. And if you didn't know Bluehost
was a super pro-Mormon outfit, you'd have never known or be armed with the
information to make an informed choice of where you put your website.

------
midnightmonster
Your conclusion that bluehost was hacked smells of confirmation bias.

Suppose I wrote a password-guessing bot to spread my malware on PHP-based
websites. To increase the effectiveness of my bot, I want to target websites
where I'm more likely to be able to guess passwords, and where I'll need only
a few methods of inserting my code, optimally just one. If I can figure out
the username generating scheme of a large host, that helps make my bot more
effective. If that host hosts only or primarily PHP sites (and not asp.net or
cf or whatever), then that makes my code insertion easier.

Your evidence so far afaict:

1) you found a number of Bluehost sites newly affected
2) you did not find comparable numbers of sites on other hosts affected around the same time
3) the affected sites all had similar code inserted in a similar way
4) there was no single application being run on all the compromised sites

Your evidence supports the hypothesis that bluehost was hacked reasonably
well, but it supports my supposition just as well. What kind of tests would
actually give you reasons for preferring the bluehost hacked hypothesis? Well,
if we found that a large percentage of domains hosted on a single physical
server were affected, or a large percentage of consecutive customer ids, then
it would look a lot more like bluehost data or systems having been
compromised. But if there are no bluehost boxes with a large percentage of
hacked sites (we probably can't check on customer ids), then it looks more
like bluehost customers were targeted one by one by a password guessing bot. I
wouldn't call that bluehost being hacked (if you do, I can see why bluehost
disagree), and from what I see you don't have enough evidence to claim that
bluehost has been hacked.
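The two tests proposed above (is a large share of the accounts on one physical server infected, and do the infected accounts form long runs of consecutive customer ids?) can be scripted over an inventory of affected sites. The following is an added worked example, not code from anyone in this thread and not derived from Sucuri's or Bluehost's data: the records, server names, customer ids and the thresholds (`factor`, `min_accounts`, `min_run`) are all constructed assumptions, chosen so that one server is clearly concentrated while the rest look like scattered per-account compromises.

```python
from collections import defaultdict


def build_sample():
    """Constructed inventory of (customer_id, server, infected) records.
    Not real hosting data: three made-up boxes, one of them heavily hit."""
    records = []
    for i in range(10):                       # box-a: 10 accounts, 8 infected
        records.append((1000 + i, "box-a", i < 8))
    for i in range(10):                       # box-b: 10 accounts, 1 infected
        records.append((2000 + i, "box-b", i == 3))
    for i in range(20):                       # box-c: 20 accounts, none infected
        records.append((3000 + i, "box-c", False))
    return records


def infection_rate(records):
    """Fraction of all accounts that are infected (the baseline rate)."""
    if not records:
        return 0.0
    return sum(1 for _, _, hit in records if hit) / len(records)


def per_server(records):
    """Map server -> (infected accounts, total accounts)."""
    totals = defaultdict(lambda: [0, 0])
    for _, server, hit in records:
        totals[server][0] += int(hit)
        totals[server][1] += 1
    return {s: (inf, tot) for s, (inf, tot) in totals.items()}


def concentrated_servers(records, factor=3.0, min_accounts=5):
    """Servers whose infection rate is at least `factor` times the baseline.
    Tiny servers are skipped so one hit out of two accounts does not trigger."""
    baseline = infection_rate(records)
    flagged = []
    for server, (inf, tot) in per_server(records).items():
        if tot >= min_accounts and baseline > 0 and inf / tot >= factor * baseline:
            flagged.append(server)
    return sorted(flagged)


def longest_infected_run(records):
    """Longest run of consecutive customer ids that are all infected."""
    best = run = 0
    prev_id = None
    for cid, _, hit in sorted(records):
        if hit and prev_id is not None and cid == prev_id + 1 and run > 0:
            run += 1
        else:
            run = 1 if hit else 0
        best = max(best, run)
        prev_id = cid
    return best


def assess(records, factor=3.0, min_run=5):
    """Apply both tests and return (verdict, flagged servers, longest id run).
    Either signal points at the host's own systems; neither signal is what a
    per-account password-guessing campaign would leave behind."""
    flagged = concentrated_servers(records, factor)
    run = longest_infected_run(records)
    if flagged or run >= min_run:
        return ("host-level compromise plausible", flagged, run)
    return ("consistent with per-account credential guessing", flagged, run)


if __name__ == "__main__":
    verdict, servers, run = assess(build_sample())
    print(verdict, servers, run)
```

On the constructed sample the first test flags `box-a` (8 of 10 accounts against a baseline of 9 of 40) and the second finds a run of 8 consecutive infected ids, so the verdict is "host-level compromise plausible"; a sample with the same number of infections spread evenly across boxes and ids gives the other verdict. The thresholds are deliberately crude: with a real inventory you would want the server assignment from the host's DNS or traceroute data rather than a guess, and a proper test of proportions rather than a fixed multiplier.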

~~~
midnightmonster
Seriously? Anyone have a counter argument to go with those downvotes? I'll
even take a "rtfa where they mentioned important evidence you ignored, jerk"

~~~
thaumaturgy
You're not wrong, but I would like to point out that I've had some
communication with Sucuri in the past, back when a number of Wordpress sites
got eaten. (I should probably narrow that down a bit more!)

They seem quite capable. Bluehost provides reasonable access logs by default
for their sites (I've had clients with sites hosted there), and if there was
password guessing going on through a web interface, I would expect that Sucuri
had noticed that.

It's possible that some sites were brute-forced via FTP or SFTP, but if
Bluehost isn't already monitoring for that and preemptively dealing with it,
I'd be very surprised.

So I think there's something else going on, and I'd really love to find out
what it is. Unfortunately, none of the hosts seem to be 'fessing up to what
compromised their sites. They keep pointing to WordPress, which is bullshit in
at least one recent case. (I was involved in that one, and it was a fully-up-
to-date-at-the-time 2.9.2 installation, and there was no evidence of a
compromise in the access logs, which I spent hours examining very, very
carefully.)

------
sucuri2
Yesterday, it was posted here on HN about a mass attack on Bluehost that even
affected their CEO blog.

Attacks like this happen (Bluehost is a victim too) and we tried to alert them
and help users fix their sites.

Well, today we found out that they were lying to their customers about this
breach saying that it was an isolated incident and that it was the users
fault. They even said that our article was a big lie.

As we tried to alert them about this issue, they banned us from their forum
and even accused us of lying, not being honest, etc.

Very bad way for Bluehost to deal with a security breach and a security
company trying to help.

------
pierrefar
The way they contacted Bluehost is very odd. They say they reached out via
LinkedIn, which is probably not the correct way to report a security breach.

Especially since the Bluehost contact page
(<http://www.bluehost.com/contact_us.html>) has multiple methods of contact,
including 24/7 tech support and an extended hours telephone line to report
"SPAM, fraud, or anything suspicious". Surely a security breach and malware
qualifies for one of these contact methods?

~~~
sucuri2
We did contact through that as well.

~~~
pierrefar
You should have said so in the post!

------
raimondious
I've been having the worst experience with this. First the client emailed us
because they couldn't reach their website due to a "This website may harm your
computer" warning. I isolated the script and got that warning removed (it
looked similar to the one referenced in this post:
<http://rayschamp.com/misc/spammer.html> - scroll down for the original
obfuscated version).

When I contacted Bluehost about it, they gave me a canned response about php
script security. I wanted to check my logs for any suspicious activity on any
scripts hosted on the site, but the logs for the relevant time period weren't
available. Strange, because the Webalizer stats do show information from this
period. The current log only has information since the 29th, and the June
archive only has information from June 1.

Then I tried to contact Bluehost several times through chat and email to
retrieve the missing June data, and each time they either told me it was gone
forever (despite the Webalizer stats) or they told me it was in one of the
files I explicitly noted it was missing from. Now I realize that ALL of the
monthly raw access log archives only have 2 days of logs stored. It appears
that their logging system is broken, and no amount of contacting them will
retrieve the June 1-29 data (the period in which the site was hacked).

From my perspective, if I can't determine it's one of the scripts on the site,
I have to assume the vulnerability is with Bluehost. Bluehost hasn't notified
anyone of a breach, so I don't know if they're handling it or not. If they
were clear about what was going on, I would probably stay with them because I
could tell the client what was being done to resolve the issue. The only
logical thing I can offer my client now is to move hosts, which is
inconvenient for everyone involved.

------
e1ven
I'm sorry to sound so down on your argument, but I just don't see the evidence
that this is anything specific to Bluehost.

You say that up to .03% of their customers may be affected, at the upper
bound.

You very well might be right, but .03% really isn't a big enough number that
I'd feel comfortable declaring that Bluehost "Got Hacked", and it looks
pitifully small to write a followup declaring that they're "Lying about it".

Those are very strong words, and so far, you don't have much to back it up.

You might very well be right, and there very well may be a problem endemic to
Bluehost customers, but so far, I'm just not seeing it.

Further, saying that you contacted them via Linked-in is particularly weak.
Seriously? That's akin to Gizmodo's telephone call to Apple HQ. A token effort
at best.

I hate to say it, since you've been a member of HN for over a year, and I want
to give you the benefit of the doubt, but it really does sound like you're
grandstanding here.

I've run hosting companies before - .03 percent of customers being infected
with something, while really unfortunate, doesn't necessarily indicate
anything by itself.

When you're dealing with that many customers, it's entirely possible that .03%
just had really bad passwords that worms could guess, or that they all used a
bad formmail script, or any number of other things.

I don't use Bluehost, and I've never heard of them before today. I have no
affiliation with them, or with you, and I do sincerely hope that things clear
up for the affected users... But you're really blowing this up out of
proportion. Right now, Bluehost's side looks a lot more reasonable than yours.

~~~
sucuri2
No, it wasn't an FTP-based attack because we analyzed the FTP logs and in all
the cases, there were no connections during the time of the attack.

In our first assessment, we checked around 1.5k sites and found 140 infected.
We also found their CEO blog hacked and some other big sites hosted in there
with the same malware. As we published the post and started to hear from
people, the number of affected sites grew to the hundreds (close to 1k).
Google says they have 240k sites, which means that we identified ~0.4% of
their sites with malware.

Those are only the ones WE identified, which is probably much less than the
actual number.

Also, we contacted them about this issue before posting (via their forms) and
also reached out to the CEO. However, since sites were already infected, we
posted explaining the issue and how to fix it. We didn't post about any
vulnerability that could help the attackers, only information to help the
affected users.

------
Aaronontheweb
I have trouble understanding why some companies have a hard time owning up to
a mistake. When you own up to a mistake, especially to your customers, it
humanizes your business and most of your customers usually won't hold the
initial mistake against you (obviously it depends on the severity of the
screw-up.)

What good can come from trying to pull a Jedi mind-trick on all of their
affected customers and anyone else who is paying attention?

~~~
sucuri2
I completely agree with that.

They were a victim of the attack as well and I think their clients would be
very happy with an explanation of what is going on.

Instead, they tried to minimize the issue and even mute anyone mentioning it
on their forums. Pretty sad.

There is no single perfectly secure company (and users know that) and especially
on shared-servers it is easy for a small mistake to spread to hundreds or
thousands of sites, but the way a company responds is what makes all the
difference.

------
alanh
I use Bluehost and have been shocked by how shoddy and insecure an operation
they run.

For example, anytime I contact support, they ask for "the last four characters
of my password." This implies that they are storing my password in plaintext
instead of hashed — even if it's just the last four characters, it's (a)
awkward and (b) severely cuts down the entropy of the actual password. It also
implies that, should you use the same or similar passwords for other sites,
the Bluehost team now essentially has, and looks at (!), that password.

They also have absolutely terrible support for running Ruby on Rails and their
control panel's Rails controls "don't work," to quote their help team.

Stay away.

~~~
danudey
Not that I think this is even remotely likely, but they could be storing an
MD5 hash of all but the last four characters of your password, and an MD5 hash
of your full password. Since MD5 works by processing data through the
algorithm bit by bit, with each operation producing a valid MD5 hash up until
that point, they could take the first hash and 'continue' hashing with the
rest of your password, and then compare it to the full hash.

TL;DR: You can take an MD5 hash of any data and generate a valid MD5 hash of
that data plus some data of your own, without knowing what the original data
was.

~~~
alanh
Yes, of course. But still, if I had an 8-character password, it's been
effectively reduced to the entropy of a 4-letter password.

