This Looks Like It Might Be Another Instance of SiteLock Partnered EIG’s Apparent Security Issue

A week and half ago we discussed a situation where there looked to be at least a hacker specifically targeting websites hosted with web hosting company EIG, which does business under the brands including A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. The more concerning possibility is that the hacker wasn’t just targeting websites hosted with EIG but taking advantage of some security issue within their systems to breach the websites. Due to their relationship with a web security company, SiteLock, they don’t seem to have an interested in investigating this type of situation (and neither does SiteLock).

That wasn’t the first time we had run across the possibility of such a situation occurring with EIG, back in July of last year we discussed another instance, but in that case we were not brought in to clean up any websites targeted, so we had a very limited ability to assess what was going on.

We have now run across yet another instance that lines up with the others.

We were contacted about a hacked website after the person handling a replacement of that website was in contact with SiteLock (due to the website being hosted with HostGator) and then they found our blog posts about SiteLock.

What they had been told by SiteLock was the same kind of stuff we hear a lot. That included that they were told that if the website was cleaned up of the “malware”, but not protected by SiteLock going forward, it would just get infected again. Because the website was for a church, the SiteLock representative said they could provide a discounted rate of $400-600 a year (which doesn’t seem to actually be a discounted rate). Instead they hired us to clean it up for a lot less than that.

What we knew before we started working on the cleanup was that the main website in the account was serving up Japanese language spam when crawled by Google and other search engines, which lead to the search results for the website to also show that. That website was running Joomla 1.5, which was EOL’d in September 2012. There was a recently set up WordPress installation, which was being prepared to replace that website, and that website was not serving that spam content to search engines.

What would seem to be the obvious security concern there would be the Joomla installation, since it is using software that hasn’t been supported in 5 and half years. We haven’t seen evidence that Joomla installations of that vintage are currently exploitable in some mass fashion, so that seemed less likely to us. There was also the possibility of an extension installed in the Joomla installation being a security concern since those would be equally out of date.

The code causing the Japanese language spam wasn’t hard to find, it was obfuscated code added to the top of the index.php file in the root directory of the Joomla installation, which is also the root directory of the website. The last modified date for that file was years ago, which probably meant the hacker had changed it to hide that they had modified the file (which is very common).

As we started more thoroughly reviewing the files to look for any other malicious code on the website, the only place we found them was in multiple files that were located in a directory for a plugin, /wp-content/plugins/html404/, in another WordPress installation on the website. That additional WordPress installation hadn’t been mentioned to us.

That plugin contained files from version 2.5.6 of the plugin Akismet as well as files with malicious code in them. Those files were named:

  • 404.php
  • idx.php
  • jembud.php
  • wso25.php
  • xccc.php

That WordPress installation was running WordPress 4.7.9, which is an outdated major version, but should be secure due to WordPress releasing security updates for older major versions. The website was using a customized version of a popular theme and only one other plugin installed, neither of those things look like a likely source of a security issue.

In looking over the WordPress accounts for that website we found that the first account, which normally be the one created when WordPress was installed was named “html404”, which considering it matched the name of plugin’s directory, seemed like it was probably changed by a hacker (likely with the password also being changed).

In the looking at the session_tokens for that user in the wp_usermeta table of the database for that WordPress installation we could see that at nearly the same time that plugin’s files were listed as last being modified on January 25 someone had logged in to that account from an IP address in Indonesia (which isn’t where the website is located).

A non malicious file in the root directory of the website connected with the code added to the index.php file was also listed as last being modified at the same time, so it looks like the breach of the WordPress installation lead to the Joomla website being modified.

Because the web host for the website, HostGator, did not have any log archiving enabled we could only see the HTTP logging from the day we were cleaning up the hack limiting what we could gleam from that. The FTP logging didn’t show any access that shouldn’t have happened.

Looking around for any other mentions of this that might allow us to give the client better information on what could allowed what had occurred to happen, we came across a thread on the website for WordPress with other people that had been impacted. That provided further confirmation of what we had been piecing together, but nothing that shed any light on the cause.

At that point the possibility that this could be another example of whatever security issue might be going on at EIG was at top of mind. Since a hacker with either direct access to the databases on the server or access to files on it, which would give access to the configuration files with database credentials in them need to access the databases, could change a WordPress username/password like this. There was no direct mention of what web hosts the websites mentioned in that thread were using, but one of the participants username pointed to the website impacted and the website was hosted with Bluehost, another EIG brand.

In the previous instances where we found an EIG connection there was a defacement involved that had showed up on the website Zone-H. That allowed us to easily check over numerous websites to see what the host were. That isn’t the case with this hack, but we did check over a number of websites we could find that were involved and what we found was they all were hosted with EIG brands. Here are the IP addresses along with the EIG brands of websites we found reference to being impacted:

While the sample set we have is smaller in the previous instances the chances that all of the website we checked would all happen to be at one hosting company is not what you would expect if the hacking was caused by something unrelated to the web host. At best it looks like we have now run across multiple hackers that look like they are only targeting this one company, but what seems to be a reasonable possibility is that there is a security issue in EIG systems that is allow hackers to exploit them.

Several of those are from the same IP address, which would likely mean they are on the same server.

SiteLock’s Idea of Protection Doesn’t Seem to Involve Real Protection

Considering that EIG brands heavily push people to hire SiteLock to clean up websites, it seem incredibly hard to believe that SiteLock could have missed what we have picked by just dealing with a couple of websites, if they were properly dealing with hacked websites. But from what we know they don’t usually properly clean up hacked websites. Instead of doing proper cleanups they sell people on services that claim to protect websites, as what was attempted to be sold in this instance, that don’t even attempt to do that.

If you are not determining how websites are being hacked, it would be difficult to be able to protect them. If there is an issue with EIG’s system, it would unlikely that such a service could protect against it, so spotting that type of situation would be really important.

SiteLock’s lack of interest in true protection is even worse in the light of the fact that SiteLock has “partnered” with a web host that seems at best uninterested that hackers are specifically targeting their customers or worse, their customers are getting hacked due to a security issue in the web host’s systems. But it gets even worse, when you know that while the relationship between EIG and SiteLock is promoted as partnership, the reality is that the two companies are very closely connected then they let on publicly. The majority owners of SiteLock also are the CEO and board member of EIG, which neither side mentions publicly. So you have the owners of a security company that seems to be uninterested in security of websites it is supposed to be protecting also looking to be leaving websites they host insecure. On top of that both sides would profit from this insecurity as EIG disclosed that they get 55% of revenue for SiteLock services sold through their partnership, so both companies have a financial incentive to not find and fix something like this as long as their customers doesn’t become aware of what is going on and leave in mass. That seems like a good argument for keeping security companies and web hosts at arm’s length (maybe not surprisingly with the other instance of a security company closely tied with a web host the security company doesn’t seem to be interested in security either).

Wordfence Has Missed This As Well

SiteLock isn’t the only security company that seems to not be on the ball here. In the previously mentioned thread on the WordPress website one of the participants mentioned they were going to have the security company Wordfence “perform a comprehensive security review and if necessary, final clean-up” after being impacted by this. In the follow up there is no mention at all of Wordfence having made any attempt to determine how this occurred, just that “I am happy to report that the Wordfence security analyst found no evidence of malware on the website.”. Considering that trying to determine how a website was hacked is one of three basic parts of a cleanup, it seems a bit odd that there wouldn’t be a mention of Wordfence not figuring out the source if Wordfence had done things right and mentioned that they were unable to determine the source of the hack

The follow up response to that was from a Wordfence employee, who instead of being concerned about the source of hack being a mystery, just promotes a post on the Wordfence website that wouldn’t have any impact on resolving the underlying cause of these hacks. So it would seem they are unconcerned about this as well.

Hacker Behind Recent Hack of Numerous EIG Hosted Websites Claimed They Had Full Access to One of EIG’s Servers Last Year

Last Thursday we mentioned how we had come across a hacker that had recently hacked numerous websites hosted with various Endurance International Group (EIG) brands. EIG does business through brands A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. That the hacker was only hitting websites hosted with those brands stood out, since, if say, a hacker was exploiting a vulnerability in a WordPress plugin to gain access to them you would expect to see numerous different web hosts being represented.

At the least, that seems to indicate that the hacker is targeting website hosted with EIG brands, which is possible explanation of that situation. What would seem more likely though is that the hacker is gaining access to some part of EIG’s systems allowing them access to all of the websites on a server. Considering the hacker was hitting numerous website sharing the same IP address, which would likely indicate they are on the same server, that seemed like a reasonable possibility.

Proving that EIG systems are being exploited would be difficult without information they only have access to. Our past experience is that web hosts are rarely even willing to consider that they have been breached, much less admit that it has happened. As we mentioned in the previous post, things are worse with EIG, since they are run by the majority owners of a security company SiteLock and EIG gets a cut of security services sold by SiteLock to their customers. That creates an incentive not to provide their customers the best possible security and what we have heard is when contacted about a hacked websites that they just try to push their customers to SiteLock instead of doing any checking into the situation (that includes someone that contacted us last week that has the been hit as part of this hack).

While doing some more searching around on the message left in one of the files we found on a website hit by the hacker (that is also on the other websites being hit), “Hacked By Isal Dot ID”, we found that a year ago the hacker was claiming to have full access to a server that a website had hacked was on.

At the time of the hack that website was hosted on the IP address 192.185.142.185. The listed ISP of that IP address is Websitewelcome.com, which is HostGator.

(The website is now hosted on the IP address 74.220.219.116. The listed ISP of that IP address is Unified Layer, which is Bluehost.)

While the claim of a hacker isn’t necessarily reliable, it does raise further suspicion that there may be a security issue on EIG’s end. This seems like something they should be addressing. If you have been hit by this hacker and have gotten a response related to that instead of just being pushed to hire SiteLock please get in touch with us or leave a comment on this post.

Hacker Targeting Websites Hosted With SiteLock Partnered HostGator and Other Endurance International Group (EIG) Brands

Recently we have been thinking that a way to help people to better understand why security is in such bad shape despite the amount of money spent on it, is to say to think of the security industry not as that, but as the “insecurity industry”. As security companies are not focused on improving security, but instead of making people believe that insecurity is inevitable and that they can provide protection, but not to the extent that people actually expect those companies to keep them things secure. A prime example of a company that would fit that description is SiteLock, which is a company that comes up often on our blog when it comes to bad practices of the security industry. The other day we had someone forward several messages they had received recently from them and part of one of those stood out:

Malware is a real problem that affects a lot of websites. It’s as prevalent as the common cold and can do some real damage if you don’t catch and treat it early.

So how will you know if your website gets infected with malware?

To help protect your website, your hosting provider has partnered with SiteLock to provide your website with a complimentary malware scanner. Every day this nifty little tool checks the first five pages of your website for malware, and sends you an alert if any is found.

Their idea of protecting websites isn’t making sure that websites are actually secure, which would prevent them from being infected with malware or otherwise hacked, but instead trying to detect the website is infected after being hacked and then offering services that still don’t secure the website. That is great way for them to make money, but it isn’t great for everyone else since websites can continually be hacked.

As that email indicates they are not alone in that, web hosts have partnered with them. Why would a web host partner with a company that isn’t focused on making sure their customers’ websites are secure? Well when it comes to what seems to be SiteLock’s biggest hosting partner, the Endurance International Group (EIG), a partial explanation is that the majority owners of SiteLock also run EIG. EIG also disclosed to investors at one time that they receive 55% of the revenue of services sold through their partnership. That creates a strong incentive for EIG to not provide the best security possible as that would mean less money for them and less money being made by another company owned by the people running EIG. It might explain, for example, why in the past we found that EIG was distributing known insecure versions of web software to their customers through one of the companies they own, MOJO Marketplace.

Over the years EIG has brought together numerous web hosting brands including A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. The situation with a website hosted with HostGator that we cleaned up a hack on yesterday seems to be an example of where those incentives might have created a situation that doesn’t serve their customers well.

The website was hacked in way that it would serve spam pages with Japanese text to Google’s search crawler.

While you wouldn’t know it from many companies that cut corners when doing hack cleanups, one of the three basic steps in properly cleaning up a hacked website is to try to determine how it was hacked. With this website the files involved in the hack didn’t really seem to shed any light on that. The main piece of this hack involved code added to the index.php file of a WordPress installation that caused the code in a file at wp-confing.php to run, which would cause that code to run whenever the frontend of the website is accessed. That filename is similar to a legitimate WordPress file in the same directory, wp-config.php, which could indicate that the hacker has some knowledge of WordPress, but considering how popular it is, it doesn’t seem to be a good indication that the hack was anything WordPress related (we also didn’t find anything that was known to be insecure in the WordPress installation).

The hacker had also added the website to a Google Search Console account with the email address “xueqilve@gmail.com” and submitted a sitemap to get the spam pages added to Google’s index.

It looked like the malicious code causing the issue had been added a few days ago (though another file might have been there since November), so there still should have been logging available from when that occurred that would shed more light on the source of that. Unfortunately HostGator hadn’t had log archiving enabled by default in the website’s cPanel control panel, so we only had access to logging for the current day. That fact alone probably should tell you that the company doesn’t have much concern about security and it would be strange to not have that on if they had a legitimate partnership with a security company since that would be an obvious thing to do because of its importance for dealing with hacked websites.

As we have found though, SiteLock usually doesn’t attempt to determine how a website was hacked, so they wouldn’t have a need for that logging. Considering that they don’t usually do that, it makes it not all that surprising that services they offer to protect website don’t work well, since they don’t know how websites are actually being hacked.

We did have one last lead to follow in trying to get some idea of how the website was hacked. In the root directory of the website there was a file named bray.php that contained the following message:

Hacked By Isal Dot ID

Through the website Zone-H, which catalogs defaced websites, we could see that same file had been placed on numerous websites recently. In looking over a number of those websites what stood out was that they all were hosted with HostGator or other EIG brands. Here are examples of websites hit at several nearly sequential IP address registered to HostGator:

If a hacker was hacking websites through a vulnerability in a WordPress plugin for example, that isn’t what you would expect to see, instead you should see websites hosted with numerous different web hosts.

At best you have a situation where a hacker looks to be specifically targeting numerous websites at EIG brands. There is also the possibility they are taking advantage of some security issue on EIG’s end to hack the websites.

Even if they are just targeting website hosted with EIG brands that seems like something that the hosting company would want to investigate and try to prevent as much as possible. That doesn’t seem to be the case here because later yesterday we were contacted by someone else with the exact same hack. They said HostGator has only been interested in pushing SiteLock. When you understand the incentives involved, it really isn’t surprising that is happening.

Update March 19, 2018: We have now come across a article from year ago in which the hacker behind this, claimed to have had full access to a server that contained another website they had hacked. That website was hosted with HostGator at the time (and Bluehost now). While the claim of a hacker isn’t necessarily reliable, it does raise further suspicion that there may be a security issue on EIG’s end

Hacker Provides More Information on Fixing Defacement Hack Than SiteLock and HostGator

When it comes to claims that a website contains malware or is otherwise hacked coming from the web security company SiteLock or their web hosting partners our recommendations is to not ignore their claims despite the serious problems with false claims. Instead we recommend getting a second opinion from another company that deals with hacked websites. We are happy to do that for free and a lot of people have been taking us up on that offer.

The first thing we do when contacted about a second opinion is to find out what evidence SiteLock and or the web hosts has provided as to the claimed issue. In doing that we have seen that in most cases the supporting evidence of the claim falls in to one of two very different categories. In the first they have provided a listing of examples of impacted files and in the other they provided no details whatsoever. So far we haven’t seen a strong correlation between either of those and veracity of the claim.

In one recent instance where a website was really hacked they provided no information whatsoever, while the hacker actually provided helpful information.

In response to our question about what evidence the owner of the website mentioned they had received none despite multiple calls a day, but they had noticed a couple of pages in the Google search results with hacked content.

From that we already had a good idea as to what was going on.

When we looked at those pages we found that they had the following message:

Hacked By Not Matter who am i ~ i am white Hat Hacker please update your wordpress

The only vulnerability that has existed in the core WordPress software that has been exploited in a wide scale in years (maybe close to a decade) was vulnerability that allowed modify the content of posts, which existed in WordPress 4.7.0 and 4.7.1. As long as WordPress’ automatic background updates were working properly this vulnerability was not a threat, as it was fixed with a new version well before the vulnerability started being exploited. That issue could have explained how a hacker was able to add that message to the pages they did.

Based on all those things it wasn’t surprising to find that the website was running WordPress 4.7.1.

At that point we recommend that the website’s owner update WordPress, undo any changes made to the post content, and see about making sure that automatic updates are able to function going forward.

If SiteLock or HostGator had told them that in the first place the issue could have easily been resolved, but it likely wouldn’t have lead to a SiteLock sale, which is possible explanation why they wouldn’t do that. You might be wondering why a web host wouldn’t want their customer to be secured, the answer is in part that HostGator and other Endurance International Group brands received a lot of money when SiteLock sales are made through their partnership. Another part of the answer is that SiteLock’s owners also run the web hosting company.

It isn’t just that they didn’t provide any details; they told them something that is not accurate with this type of issue:

“During a recent SiteLock security scan of your website, malware was detected that could jeopardize the safety of your website and your customers’ data.”

The website doesn’t look to have contained any malware. The reason for the claim that malware was detected appears, based on our previous experiences, to be due to SiteLock’s malware scanner not just be used to detect malware, but any evidence of a hack, but any issue detected incorrectly being labeled as a malware issue.

HostGator Is Actively Hiding the True Nature of Their Partnership With SiteLock

When it comes the really bad practices of the web security company SiteLock, they often involve their partnership with various web hosts. Considering that long ago we had seen that SiteLock didn’t seem to very good at handling security, whether it be not properly cleaning up hacked websites or not doing a basic security check before declaring a website secure, we had long assumed that these partnerships were not based on the web hosts believing that SiteLock was the best company to best help their customers, but instead based on the web hosts being paid to push their services. Those payments, it turns out, are happening, but they tell only part of the story of the partnerships with some of the web hosts.

Last month while looking for some other information about SiteLock we can across the fact that the companies majority owners also are the CEO and a board member of the web hosting company Endurance International Group. That companies does business under the brand names A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, IPOWER, and many more.

Through that we also found that in the case of Endurance International Group, not only were they getting paid for the sales of SiteLock services through the partnership, but they were receiving a majority of the fees as of fiscal year 2014.

In the case of both of those facts, they were disclosed to investors, the ownership is disclosed in financials statements and the fee breakdown was disclosed in a prepared remarks for an earning conference call. To the public those things have not been disclosed in the normal course of business. And a recent interaction we had with HostGator support on twitter show that isn’t just that they don’t go out of the way to disclose them, but are actively trying to hide those facts.

The interaction starts with this tweet from HostGator Support to a customer of theirs that doesn’t mention either of those items as reason why they are partnered or “suggest” SiteLock:

Its worth noting that when it comes to cleaning up a hacked websites, you would do things the same way no matter the web host, so working well with their service is explanation that doesn’t make much sense for hack cleanups. It also worth noting, as we did before, that HostGator doesn’t make it easy to properly clean up hacked website since log files are not stored for a sufficient amount of time be default. If this was a real partnership and SiteLock actually properly cleaned up hacked websites, we would expect that issue would have been resolved a long time ago.

We sent a reply to their customer mentioning the CEO connection:

In turn HostGator starts to obfuscate (due to the limits of tweet length our tweet had not had made the distinction that the CEO in question, was of Endurance International Group, but it is clear in the linked post)

We then sent a reply clarifying that and they replied:

At that point we said that we hope they would start to disclose the true nature of their partnership:

Which in turn lead stating they could not confirm that, despite those being facts that their parent company has already confirmed (otherwise we wouldn’t know them):

At this point, they claim they can’t confirm they are getting paid:

It is one thing for them to not mention what is going in the normal course of business, but to actual being unwillingly to tell the truth is pretty telling as to what is going on.

The conversation ended after we pointed out that we were not asking them to confirm anything, just disclose what we both already know to be true:

What To Do If You Get Contacted by HostGator or SiteLock About a Hacked Website

One of the bad practices we have seen from SiteLock is to claim that website are hacked when they are not, so if you get contacted by either of them with claim that the website is hacked you should get a second opinion. We are always happy to provide a free consultation on how to best deal with a hacked website, which includes double checking as to whether the reason the website is believed to be hacked does in fact make sense (often times other issues are confused with actually hacking issues and that can usually easily recognized by someone who deals with hacked website on a regular basis).

Considering how bad of a job SiteLock has been doing with cleaning hacked websites as of just the last month and their bad practices you would probably be best off avoiding them when you are dealing with a hacked website. You also might want to consider moving to a web host that doesn’t partner with SiteLock, as that partnership seems like it is pretty clear warning of how they treat their customers and a lack of concern for security.

One of SiteLock’s Owners is Also The CEO of Many Of The Company’s Web Hosting Partners

SiteLock is a web security company that we had originally became aware and wrote a number of posts about due to our seeing the poor quality of their services when working on client’s websites that had previously used their services. Due to those posts we started started getting contacted about more serious issues with them, namely that in a lot of cases they seem to be scamming people. One of the things that has stood out to us in looking into the situation was the fact that so many web hosts have partnered and continued to stay partnered with them. Was the money that we assumed SiteLock was paying them for the partnership worth the damage to their reputation, seeing as in complaints about them the web host who had partnered with them is frequently brought up?

In looking for some information for another post about the company we ran across the fact that the CEO of a major web hosting provider is also the one of the owners of SiteLock (the other owner is a director of the same provider), which does a lot to explain their partnerships and also raises even more question as to the probity of what is going between them.

On the about page of SiteLock’s website there is no mention of the ownership of the company, doing a Google site search of their website didn’t bring up any mention of either of the two entities that appear to be their parent company.

On the website of one of those, UnitedWeb, SiteLock is shown as one of their brands of the company, while the web hosting companies Endurance International Group and IPOWER are listed as public companies:

unitedweb-brands

The connection between of all of those entities isn’t clear based on that, though.

A little searching brought us to this page that seemed to point to a direct connection between SiteLock and Endurance International Group, which with more checking seems to be confirmed. In Endurance International Group latest quarterly report it states that:

The Company also has agreements with Innovative Business Services, LLC (“IBS”), which provides multi-layered third-party security applications that are sold by the Company. IBS is indirectly majority owned by the Company’s chief executive officer and a director of the Company, each of whom are also stockholders of the Company.

What is Innovative Business Services? That is the entity that owns SiteLock (referred to as a member on that page). So the CEO and a director of Endurance International Group are the owners of SiteLock.

It not clear where UnitedWeb falls in that, but it looks like it might be the owner of Innovative Business Services, and then in turn that is owned by the CEO and directory of Endurance International Group.

Unless you are very involved in website hosting you probably don’t recognize the name Endurance International Group, but they own many well known web hosts. The brands page of their website they highlight some of the more high profile ones including A Small Orange, Bluehost, FatCow, HostGator, iPage, and IPOWER:

endurance-international-group-brands

But that just scratches the surface, here is the all of their current brands (most of them appear to be web hosting companies) as listed on the Wikipedia page for the company:

  • 2slick.com
  • AccountSupport
  • Arvixe LLC
  • A Small Orange
  • ApolloHosting
  • AppMachine
  • Berry Information Systems L.L.C.
  • BigRock
  • BizLand
  • BlueBoxInternet
  • BlueDomino
  • Bluehost
  • BuyDomains
  • CirtexHosting
  • Constant Contact
  • Directi
  • Dollar2Host
  • Domain.com
  • DomainHost
  • Dot5Hosting
  • Dotster
  • easyCGI
  • eHost
  • EmailBrain
  • EntryHost
  • Escalate Internet
  • FastDomain
  • FatCow
  • FreeYellow
  • Glob@t
  • Homestead
  • HostCentric
  • HostClear
  • HostGator
  • HostNine
  • HostMonster
  • HostV VPS
  • hostwithmenow.com
  • HostYourSite.com
  • HyperMart
  • IMOutdoors
  • Intuit Websites
  • iPage
  • IPOWER/iPowerWeb
  • JustHost
  • LogicBoxes
  • MojoMarketplace.
  • MyDomain
  • MyResellerHome
  • MySocialSuite
  • NetFirms
  • Networks Web Hosting
  • Nexx
  • PUBLICDOMAINREGISTRY.COM
  • PowWeb
  • PureHost
  • ReadyHosting.com
  • ResellerClub
  • Saba-Pro
  • SEO Gears
  • SEO Hosting
  • SEO Web Hosting
  • Site5
  • Southeast Web
  • SpeedHost
  • Spertly
  • StartLogic
  • SuperGreen Hosting
  • Typepad
  • Unified Layer
  • USANetHosting
  • vDeck
  • Verio
  • VirtualAvenue
  • VPSLink
  • Webzai Ltd.
  • WebHost4Life
  • webhosting.info
  • Webstrike Solutions
  • Xeran
  • YourWebHosting

Who’s The Worse Party In HostGator’s and SiteLock’s Security Partnership?

The web host HostGator has a partnership with the security company SiteLock where if your website is hacked HostGator suggests you hire SiteLock to fix it, which if you followed our previous post’s on SiteLock would seem like a bad idea. The actual results also back that up, as situation we we dealt with recently highlighted.

A website we were going to be doing an upgrade on once HostGator changed the PHP version on the server, got hacked and was rendered non-functional due to it being defaced. HostGator recommend SiteLock to clean up the website. Getting the website back up and running should have taken just a few minutes (by replacing the index.php file in the root directory), with a full cleanup taking a few hours. Four hours after they were supposed to have started it was still not functional and we were contacted to see if we had any suggestions. The website only became functional later in the day after the website’s developer followed our advice to replace the index.php file, by the next morning SiteLock had removed the defaced index.php file. When we double checked SiteLock’s work later we found that they had not removed a backdoor script, which allows a hacker remote access to a website, that had been added to a core Magento file in the root directory of the website. While things can be missed during a cleanup, this seems to be a case where corners were probably cut instead of an understandable mistake since a simple file comparison of the website’s file with a clean copy of Magento would have spotted that backdoor script.

All this would point to it being a bad idea for HostGator to have partnered with SiteLock, but there are problems going the other way as well.

A couple of weeks ago we discussed the fact that HostGator misrepresents what security SSL certificates provides. If SiteLock was actually concerned about security it seems like the kind of thing they would want to make sure a partner isn’t doing. But a much more important issue that we have noticed with HostGator when comes to a security, particularly when comes to the cleanup of hacked websites, is that HostGator doesn’t have it set so that log files for websites they host are archived. By not doing that it is much harder to determine how a website was hacked (since the evidence often resides in those logs) and therefore makes it harder to make sure the website has been secured against the hack happening again. We have trouble understanding why a security company would want to partner with a web hosting company that makes doing a good job more difficult than it needs to be. Especially when archiving logging isn’t some obscure feature, it prominently featured on the Raw Access Logs page in cPanel:

host-gator-cpanel-raw-access-logs-page

Incidentally, if you are hosted with HostGator or another web host that uses cPanel, now would be a good time to make sure you have archiving enabled in cPanel.

HostGator’s Dangerous Misrepresentation of the Security Value of An SSL Certificate

While working on a client’s website hosted with HostGator recently we noticed this odd ad in their cPanel account:

Install An SSL!, Stop Evil-Doers!, ADD SSL Today!

SSL is a protocol, so isn’t something that you would install. It seemed like they were probably referring to installing an SSL certificate, which would have a decidedly non super-human ability to stop evil-doers. Clicking the image took us to this page, where they were selling SSL certificates, but again they referred to SSL in a strange fashion:

Why get an SSL certificate?

An SSL reduces your risk by keeping sensitive data collected on your website safe. The data is encrypted and backed by a warranty worth up to $1.75M.

Having HTTPS in the address bar and displaying a seal of trust increases customer confidence in your website and drives more sales.

It seems like they marketing something they don’t really understand on basic level, which leads to the aspect we find more troubling than there odd phrasing, the claim that SSL keeps sensitive data collected on your website safe. To understand why, first it helps to have a basic understanding of what SSL is. SSL is a series of protocols for transferring data from one location to another in encrypted form. An SSL certificate is used identity that that the SSL connection is in fact being made to the website you are connecting to.

SSL should protect against someone gaining access to data being transmitted from a customer’s computer to a website while it is being transmitted, but that is where SSL’s role ends. Once the data is decrypted on website’s end its safety relies on the website being otherwise secure. If someone were to believe that getting SSL certificate is going to keep the data safe, they would be more likely to not take the other measures they need to keep that sensitive data secure (which isn’t an insignificant issue these days).

On top of all of this you can get an equivalent SSL certificate from other providers for significantly less money.