Bluehost got hacked and responded pretty badly (by lying to their customers) (sucuri.net)
61 points by sucuri2 on June 29, 2010 | 20 comments


Yesterday, there was a post here on HN about a mass attack on Bluehost that even affected their CEO's blog.

Attacks like this happen (Bluehost is a victim too) and we tried to alert them and help users fix their sites.

Well, today we found out that they were lying to their customers about this breach, saying that it was an isolated incident and that it was the users' fault. They even said that our article was a big lie.

As we tried to alert them about this issue, they banned us from their forum and even accused us of lying, not being honest, etc.

Very bad way for Bluehost to deal with a security breach and a security company trying to help.


Bluehost is a Mormon-owned and run web hosting operation, which I first discovered when I tracerouted a site they host for a copyright issue and noticed the servers were based in Salt Lake City (odd place for a colo, I thought, so I did some digging).

Now, there's nothing wrong per se with a business owned by people of any faith, creed or beliefs. But they are known to police and uphold their TOS based on their beliefs - lax on some sites and harsh on others depending on the constitution of the site - and to me that feels wrong and inappropriate in a business environment.

It's long, but you can read more at http://news.lavenderliberal.com/2009/07/17/bluehost-vs-the-l... or just google bluehost + mormon.

It's certainly fair to say that they don't operate from a neutral perspective like I would expect all other web hosts to behave. I think they deserve to be called out for it.

The point is, by hosting your stuff with a Mormon-operated outfit you have a higher chance of being a target for hacking compared to a 'secular' (I want to say 'normal' but that might be misconstrued as I'm not saying Mormons are not normal) hosting company, because there are many people out there who have issues with the Mormon movement (like spending resources from their base in Utah to push Prop 8 through here in California http://www.huffingtonpost.com/jonathan-kim/rethink-review-em...).

Plus they host a lot of pro-Mormon controversial stuff (see the first link) which is going to upset a lot of people.

I would argue that most hackers who are not motivated by financial gain have some bone or issue with the people they are attacking. I know, cos I used to be one.

Back to hosting... if I was running a site, I think I'd just want to host with a webhost that treated all of its clients normally and didn't bring religion/politics/etc. into its business practices and thus make myself a target by association.


While you make an incredibly interesting point (especially considering ALL of my freelanced clients are on Bluehost as it was cheap and fit their PHP needs perfectly), I would be hesitant to pull the religion card on this one.

Not because it's not possible that a disgruntled anti-Mormon hacker targeted them for an attack (you've made a good argument for that), but because once you play that card, it's difficult to take it back.

Ancillary note: I doubt the one-off nature of the attack, and because of the way Bluehost handled it I will no longer be using Bluehost, or its subsidiary Hostmonster.com, in the future.

If you guys are reading this - you just lost a lot of future customers.


I think you raise a good point, and you are right that one needs to be careful about 'the religion card'.

However, when I perform analysis of a security incident I want to consider both the technical means that were exploited and also why it took place in the first place.

Apart from worms/etc, most hack attacks involve human effort, time and skill and so people don't do them without a strong motivation. It might be financial but if it isn't then I want to get into the head of the attacker and understand why.

In conclusion, all I'm saying is that if you are an innocent hostee on Bluehost who is wondering why you got attacked, it might be because some anti-Mormon hackers decided to get into their shit. And if you didn't know Bluehost was a super pro-Mormon outfit, you'd have never known or been armed with the information to make an informed choice of where you put your website.


Your conclusion that Bluehost was hacked smells of confirmation bias.

Suppose I wrote a password-guessing bot to spread my malware on PHP-based websites. To increase the effectiveness of my bot, I want to target websites where I'm more likely to be able to guess passwords, and where I'll need only a few methods of inserting my code, optimally just one. If I can figure out the username generating scheme of a large host, that helps make my bot more effective. If that host hosts only or primarily PHP sites (and not asp.net or cf or whatever), then that makes my code insertion easier.

Your evidence so far, AFAICT: 1) you found a number of Bluehost sites newly affected; 2) you did not find comparable numbers of sites on other hosts affected around the same time; 3) the affected sites all had similar code inserted in a similar way; 4) there was no single application being run on all the compromised sites.

Your evidence supports the hypothesis that Bluehost was hacked reasonably well, but it supports my supposition just as well. What kind of tests would actually give you reasons for preferring the Bluehost-hacked hypothesis? Well, if we found that a large percentage of domains hosted on a single physical server were affected, or a large percentage of consecutive customer ids, then it would look a lot more like Bluehost data or systems having been compromised. But if there are no Bluehost boxes with a large percentage of hacked sites (we probably can't check on customer ids), then it looks more like Bluehost customers were targeted one by one by a password-guessing bot. I wouldn't call that Bluehost being hacked (if you do, I can see why Bluehost disagrees), and from what I see you don't have enough evidence to claim that Bluehost has been hacked.


I admit this has been nagging me for a while (especially as they find, with some regularity, hosts whose sites have been widely hacked); I keep meaning to do some digging and find out one way or the other but never had the time.


Seriously? Anyone have a counter argument to go with those downvotes? I'll even take a "rtfa where they mentioned important evidence you ignored, jerk"


You're not wrong, but I would like to point out that I've had some communication with Sucuri in the past, back when a number of WordPress sites got eaten. (I should probably narrow that down a bit more!)

They seem quite capable. Bluehost provides reasonable access logs by default for their sites (I've had clients with sites hosted there), and if there was password guessing going on through a web interface, I would expect that Sucuri had noticed that.

It's possible that some sites were brute-forced via FTP or SFTP, but if Bluehost isn't already monitoring for that and preemptively dealing with it, I'd be very surprised.

So I think there's something else going on, and I'd really love to find out what it is. Unfortunately, none of the hosts seem to be 'fessing up to what compromised their sites. They keep pointing to WordPress, which is bullshit in at least one recent case. (I was involved in that one, and it was a fully-up-to-date-at-the-time 2.9.2 installation, and there was no evidence of a compromise in the access logs, which I spent hours examining very, very carefully.)


The way they contacted Bluehost is very odd. They say they reached out via LinkedIn, which is probably not the correct way to report a security breach.

Especially since the Bluehost contact page (http://www.bluehost.com/contact_us.html ) has multiple methods of contact, including 24/7 tech support and an extended-hours telephone line to report "SPAM, fraud, or anything suspicious". Surely a security breach and malware qualify for one of these contact methods?


We did contact through that as well.


You should have said so in the post!


I have trouble understanding why some companies have a hard time owning up to a mistake. When you own up to a mistake, especially to your customers, it humanizes your business and most of your customers usually won't hold the initial mistake against you (obviously it depends on the severity of the screw-up.)

What good can come from trying to pull a Jedi mind-trick on all of their affected customers and anyone else who is paying attention?


I completely agree with that.

They were a victim of the attack as well and I think their clients would be very happy with an explanation of what is going on.

Instead, they tried to minimize the issue and even mute anyone mentioning it on their forums. Pretty sad.

There is no single perfectly secure company (and users know that), and especially on shared servers it is easy for a small mistake to spread to hundreds or thousands of sites, but the way a company responds is what makes all the difference.


I'm sorry to sound so down on your argument, but I just don't see the evidence that this is anything specific to Bluehost.

You say that up to .03% of their customers may be affected, at the upper bound.

You very well might be right, but .03% really isn't a big enough number that I'd feel comfortable declaring that Bluehost "Got Hacked", and it looks pitifully small to write a followup declaring that they're "Lying about it".

Those are very strong words, and so far, you don't have much to back them up.

You might very well be right, and there may very well be a problem endemic to Bluehost customers, but so far, I'm just not seeing it.

Further, saying that you contacted them via LinkedIn is particularly weak. Seriously? That's akin to Gizmodo's telephone call to Apple HQ. A token effort at best.

I hate to say it, since you've been a member of HN for over a year, and I want to give you the benefit of the doubt, but it really does sound like you're grandstanding here.

I've run hosting companies before; .03 percent of customers being infected with something, while really unfortunate, doesn't necessarily indicate anything by itself.

When you're dealing with that many customers, it's entirely possible that .03% just had really bad passwords that worms could guess, or that they all used a bad formmail script, or any number of other things.

I don't use Bluehost, and I've never heard of them before today. I have no affiliation with them, or with you, and I do sincerely hope that things clear up for the affected users... But you're really blowing this out of proportion. Right now, Bluehost's side looks a lot more reasonable than yours.


No, it wasn't an FTP-based attack, because we analyzed the FTP logs and in all the cases there were no connections during the time of the attack.

In our first assessment, we checked around 1.5k sites and found 140 infected. We also found their CEO's blog hacked and some other big sites hosted there with the same malware. As we published the post and started to hear from people, the number of affected sites grew to the hundreds (close to 1k). Google says they have 240k sites, which means that we identified ~0.4% of their sites with malware.

Those are only the ones WE identified, which is probably much less than the actual number.

Also, we contacted them about this issue before posting (via their forms) and also reached out to the CEO. However, since sites were already infected, we posted explaining the issue and how to fix it. We didn't post about any vulnerability that could help the attackers, only information to help the affected users.


I've been having the worst experience with this. First the client emailed us because they couldn't reach their website due to a "This website may harm your computer" warning. I isolated the script and got that warning removed (it looked similar to the one referenced in this post: http://rayschamp.com/misc/spammer.html - scroll down for the original obfuscated version).

When I contacted Bluehost about it, they gave me a canned response about php script security. I wanted to check my logs for any suspicious activity on any scripts hosted on the site, but the logs for the relevant time period weren't available. Strange, because the Webalizer stats do show information from this period. The current log only has information since the 29th, and the June archive only has information from June 1.

Then I tried to contact Bluehost several times through chat and email to retrieve the missing June data, and each time they either told me it was gone forever (despite the Webalizer stats) or they told me it was in one of the files I explicitly noted it was missing from. Now I realize that ALL of the monthly raw access log archives only have 2 days of logs stored. It appears that their logging system is broken, and no amount of contacting them will retrieve the June 1-29 data (the period in which the site was hacked).

From my perspective, if I can't determine it's one of the scripts on the site, I have to assume the vulnerability is with Bluehost. Bluehost hasn't notified anyone of a breach, so I don't know if they're handling it or not. If they were clear about what was going on, I would probably stay with them because I could tell the client what was being done to resolve the issue. The only logical thing I can offer my client now is to move hosts, which is inconvenient for everyone involved.


I use Bluehost and have been shocked by how shoddy and insecure an operation they run.

For example, anytime I contact support, they ask for "the last four characters of my password." This implies that they are storing my password in plaintext instead of hashed — even if it's just the last four characters, it's (a) awkward and (b) severely cuts down the entropy of the actual password. It also implies that, should you use the same or similar passwords for other sites, the Bluehost team now essentially has, and looks at (!), that password.

They also have absolutely terrible support for running Ruby on Rails and their control panel's Rails controls "don't work," to quote their help team.

Stay away.


Not that I think this is even remotely likely, but they could be storing an MD5 hash of all but the last four characters of your password, and an MD5 hash of your full password. Since MD5 works by processing data through the algorithm bit by bit, with each operation producing a valid MD5 hash up until that point, they could take the first hash and 'continue' hashing with the rest of your password, and then compare it to the full hash.

TL;DR: You can take an MD5 hash of any data and generate a valid MD5 hash of that data plus some data of your own, without knowing what the original data was.


Yes, of course. But still, if I had an 8-character password, it's been effectively reduced to the entropy of a 4-letter password.


It's been a while since I used Bluehost (2-3 years), but I think I remember seeing my password in plain text somewhere, so they did store it in plain text back then.



