How Your Webhosting Account is Getting Hacked

Published: 2013-03-25
Last Updated: 2013-03-25 02:51:08 UTC
by Kevin Liston (Version: 1)
5 comment(s)

If you're like me, you have your own little website project hosted with one of the many inexpensive web hosting companies. Perhaps you've recommended one as a solution to a small business or organization. You may also be aware that they are pretty attractive targets for professional computer criminals. Brian Krebs has a nice writeup of the value of your standard PC to a criminal here:

The Value of a Web-Hosting Account

I want to briefly expand on the added value of compromising a box sitting in a rack in one of these hosting companies.

The first is that, since they're already webservers, they do a better job with all the standard exploit-hosting, phishing-site, and other webserver uses identified in Brian's analysis. Secondly, they usually enjoy more bandwidth than the average home/business PC, which is a big advantage for criminals interested in launching Distributed Denial of Service (DDoS) attacks. Thirdly, compromising a single session on a shared server opens up all of the other accounts on that server as well as other servers in that data center.

How They Are Gaining Access

A webserver has a different attack surface from the normal workstation. This is how they're being compromised, in no particular order.

Many webhosting providers limit the customer to using a web-based management tool like cPanel or Webmin. These tools may have their own vulnerabilities that let an attacker in (if the hosting company isn't updating regularly or following good security practices).

Many customers use these services because they don't have a lot of experience running servers, so they make poor choices in selecting which applications they install and may be lax in keeping them up to date. Popular packages like WordPress or Drupal need to be regularly updated and configured securely. This is not always intuitive, and there are a lot of vulnerable builds running out there.

FTP credentials are commonly targeted by other malware. For example, if your home PC stumbles upon an exploit site, one of the intermediary payloads will search for registry settings identifying FTP applications on the system, attempt to extract the username/password, and feed that up to the botnet controller. So while that botnet-for-hire is installing whatever banking trojan it has been contracted to deliver, it is also building up a database of credentials to other potential future hosting sites.

Once a criminal has an account on a server, it becomes easier for them to attack other accounts on the system or escalate privileges to take over the entire system. If a criminal has a stolen credit card or PayPal account, they can easily gain an account on an otherwise secure server simply by paying for one.

What You Can Do

While you can't patch the server, cPanel, etc., you can keep your own services patched and configured securely. We live in an environment where you can't be certain that everything is secure, so you have to plan on something getting compromised. In this case, you plan on the server being compromised some time in the future and develop a recovery plan. This means regular backups and inspection of the site. Logs should be exported off the server regularly for analysis and alerting. You want to quickly detect when things begin to go awry. You should also work out in advance what the best emergency/security/abuse contact process is for your hosting provider. These are things you will have to keep in mind when you recommend an inexpensive hosting solution to a friend, family member, or volunteer organization.
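One way to do the "inspection of the site" part of that plan from an ordinary hosting account, as an added example that is not part of the original diary: build a SHA-256 manifest of the web root, keep it off the server with your backups, and have cron compare the live site against it so unexpected file changes surface quickly. Tool names and paths below are assumptions (GNU coreutils and awk on the hosting box).

```shell
#!/bin/sh
# Added example (not from the ISC diary): a baseline-and-compare integrity
# check for a hosting account's web root, intended to run from the account's
# own cron.  Assumes POSIX sh with GNU sha256sum, find and awk.
# Paths containing whitespace are not handled by the awk field split below.

# Write a manifest of "hash  ./path" for every regular file under $1.
# Keep the baseline off the server, next to your backups.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Compare a stored baseline manifest ($1) against the live web root ($2).
# Prints one line per change (ADDED/MODIFIED/REMOVED <path>), sorted.
# Returns 0 when the site matches the baseline, 1 when anything differs.
check_site() {
    baseline=$1
    webroot=$2
    current=$(mktemp) || return 2
    make_manifest "$webroot" > "$current"
    # First file fills base[], second fills cur[]; differences are reported at END.
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur) if (!(p in base)) print "ADDED " p
            for (p in cur) if ((p in base) && cur[p] != base[p]) print "MODIFIED " p
        }' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage:  sitecheck.sh baseline /home/acct/public_html > baseline.sha256
#         sitecheck.sh check baseline.sha256 /home/acct/public_html
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    check_site "$2" "$3" ;;
esac
```

Regenerate the baseline after every legitimate deploy or update; a non-zero exit from the cron job is the alert, and the printed paths are where to start looking.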



Kevin, you point out several problems that customers face when on shared hosting. Things like their outdated or insecure applications. Stuff that many website owners never think of. But you have this line
"Thirdly, compromising a single session on a shared server opens up all of the other accounts on that server as well as other servers in that data-center", which I believe is inaccurate at best.
Just because a single customer's website gets popped does not allow the attackers access to all the other customers, and most definitely not to the other servers in the data centers. Hosting companies fight this type of generalization all the time.
An attacker is most likely limited to only that customer's directories, and the exploit they used to access the hosting account is not the same vulnerability that would be used to move into a different directory owned by a different user.
Consider the chain of a web vulnerability allowing the attacker to upload a file, they upload a PHP backdoor, which allows them shell access. This is leveraged to introduce a local exploit to elevate privileges to root. Account hashes are exported and then cracked to be used on other systems in the network.
Agreed. A good attacker can leverage one vulnerable site and gain root access. However the typical attack is less likely to move past the account they are on. They get a shell up, but cannot break out of the directory. I think I would be more understanding if the phrase "opens up all of the other accounts on that server" was something like an attacker could then potentially gain root access if they were skilled.
The majority of websites popped are not done by anyone with enough skills to get root; they are skilled in Google searches to find a vulnerable site. Companies that have shared customers have to explain that the reason a customer's account was hacked was not due to some security issue with the server, as the quoted phrase suggests, but more likely their 3 yr old Joomla application.
The second time Kevin mentioned this phenomenon, under How They Are Gaining Access, he wrote: "Once a criminal has an account on a server, it become easier for them to attack other accounts on the system or escalate privileges to take over the entire system." I think we can all agree that that phrasing is more accurate than the one you quoted, which did seem to imply that once you've popped one account owning the server is simple.
I think the thing Kevin didn't say - which then bolsters his statement - is that once you have local access, you probably have extra information about the other accounts/sites on the system, and can probably apply the same initial remote vulnerability to enumerate through the other accounts/sites.

Obviously, a DNS search service (returning sites on the same server IP) would also show other vulnerable sites...
