Monday, November 07, 2011

Why I no longer use 1and1

My first (personal) hosting package was provided by 1and1. I used them for simple site hosting and even recommended them to friends and clients for many years. They provide shared hosting and most of my experience with them was satisfactory.

I had an experience however which changed my views on them forever (and have since learned that this problem is common to many shared hosting providers).

I started having a problem - code was being injected into my web pages to run drive-by attacks - basically to use my sites to attack my visitors' computers. This was accomplished by inserting a <script> block just before the </html> tag. I cleaned up the system a couple of times then decided to make the time to fix the problem.

I figured the problem fit into one of 4 categories:

1) a vulnerability in a piece of application code
2) someone had one of my account passwords
3) my personal computer was vulnerable
4) the server was vulnerable

So I set out to determine which of these caused the problem.

First, to eliminate possibility #1 (the most likely, in my estimation), I removed all server side scripted content from every website hosted on this account (php and perl in my case). I had to move a couple of sites to another provider to do this, but when I was done 100% of my sites on this account were running plain old html (all files ending in html, htm, css, js). The only file other than those was a single sh file that I used to scan for and list the inclusion of the attack code, which I placed in a folder not visible to the web. No php, no perl, no ssi. And what did I find - I found that my code was still being modified by an attacker.

Next up - I changed all my passwords (1&1 control panel, ftp, shell, ssh-keys, mail) and did not share any of the new passwords with anyone. I then rechecked for any scripts - only the one mentioned above (the single shell script) was present - so I cleaned up the files (again) and set the file permissions to read-only (444). Another week went by and the files had been modified again.
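As an added illustration (not the author's shell script), here is a Python check in the spirit of the scan described above: it records a hash of every static file so any later change is caught, and it flags any page carrying a <script> tag between </body> and </html>, the position the post describes. The file names and the sample page are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Observation from the post: the injected <script> block sits just before </html>,
# i.e. after the real content has already been closed by </body>.
TAIL_RE = re.compile(r"</body>(?P<tail>.*?)</html>", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
STATIC = (".html", ".htm", ".css", ".js")

def find_trailing_script(html: str) -> Optional[str]:
    """Return the text between </body> and </html> if it holds a <script> tag, else None.
    Pages with no </body> tag are not covered by this heuristic; the hash check still is."""
    m = TAIL_RE.search(html)
    if m and SCRIPT_RE.search(m.group("tail")):
        return m.group("tail").strip()
    return None

def build_baseline(root: Path) -> Dict[str, str]:
    """Hash every static file under root, keyed by relative path."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in STATIC}

def scan(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that vanished, changed hash, or carry a script after </body>."""
    findings: Dict[str, List[str]] = {}
    for rel, old in baseline.items():
        p, problems = root / rel, []
        if not p.exists():
            problems.append("missing")
        else:
            if hashlib.sha256(p.read_bytes()).hexdigest() != old:
                problems.append("hash changed")
            if p.suffix in (".html", ".htm"):
                if find_trailing_script(p.read_text(errors="replace")) is not None:
                    problems.append("script after </body>")
        if problems:
            findings[rel] = problems
    return findings

def demo() -> Dict[str, List[str]]:
    """Constructed site: baseline a clean page, simulate the injection, rescan."""
    root = Path(tempfile.mkdtemp())
    page = root / "index.html"
    page.write_text("<html><body><p>hello</p></body></html>")
    baseline = build_baseline(root)
    page.write_text("<html><body><p>hello</p></body><script>x()</script></html>")
    return scan(root, baseline)
```

Running it regularly from a location the web server cannot reach, as the post did, gives a record of when files change even when the injected code no longer matches the known pattern.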

Next, the scary #3: I checked over my computer very thoroughly - while this option seemed least likely to me (I had other hosting accounts with other providers that were not being attacked in this way, which makes this scenario unlikely), I figured it was a good time to review my local security footprint. I worked through the firewall rules, ran a full scan using updated antivirus definitions, ran a full scan using updated anti-malware definitions, and ran a rootkit check (all from a bootable CD created on another system, to be safe). Nothing turned up on this side (as expected). (Note that this does not entirely rule out the possibility that my system was compromised.)

To the best of my ability to tell, there was a vulnerability on the server that was allowing a 3rd party to access and overwrite my files at will. As this attack was not being initiated through a vector over which I had control, there was nothing I could do to fix the problem from my end, and technical support did not believe they had a problem.

At this point I switched providers and have never looked back. To date (3 years later) I have not had any further problems of this kind.