GoFuckYourself.com - Adult Webmaster Forum - View Single Post

Magg · 12-01-2004, 11:32 AM

I have once before and got bashed.

A free hosted virtual client, uploaded (or had his password jacked) a script into his FTP, which they then used to replace all the index files on the virtual server with their own.

That was the second time.

The first time, a user had a vulnerable "tagboard" script, which I believe allowed uploading, which the same or similar script was uploaded and then accessed, which replaced the files again.
It was the same site which was targetted, so we had to let the user go and he had some kind of bad following and was causing harm to the other free hosted virtual clients.

Theres not much a hosting company can do in the way of restricting a user to uploading only legitimate files, especially since the files which were uploaded were disguised as JPG of GIF files to begin with. So it wasnt an obvious problem either, as they looked like regular image files but had a more devious motive.

(IE: did you see that OXEO drama a while back where Repetitive Monkey uploaded a file and browsed the system?)

What happened to us, could happen to ANY host, thus the disadvantage of shared server hosting. Theres no way to be completely hack-proof, just ways to make it harder. You'll notice other than that, we've had 0 complaints.

12-01-2004, 11:32 AM
Magg Confirmed User Join Date: Feb 2004 Location: ICQ: 132497047 Posts: 4,467	I have once before and got bashed. A free hosted virtual client, uploaded (or had his password jacked) a script into his FTP, which they then used to replace all the index files on the virtual server with their own. That was the second time. The first time, a user had a vulnerable "tagboard" script, which I believe allowed uploading, which the same or similar script was uploaded and then accessed, which replaced the files again. It was the same site which was targetted, so we had to let the user go and he had some kind of bad following and was causing harm to the other free hosted virtual clients. Theres not much a hosting company can do in the way of restricting a user to uploading only legitimate files, especially since the files which were uploaded were disguised as JPG of GIF files to begin with. So it wasnt an obvious problem either, as they looked like regular image files but had a more devious motive. (IE: did you see that OXEO drama a while back where Repetitive Monkey uploaded a file and browsed the system?) What happened to us, could happen to ANY host, thus the disadvantage of shared server hosting. Theres no way to be completely hack-proof, just ways to make it harder. You'll notice other than that, we've had 0 complaints. Last edited by Magg; 12-01-2004 at 11:34 AM..