That would be great, because rather than move from hostgator, which I like very much, it would be better to try to get them to install a brute force protection of some kind. That would benefit hostgator customers that experience the same thing also.
Brute force protection is free and integrated with paypal. Config Server Firewall = firewall and brute detection, works great! I use it on my servers.
It seems hostgator is run by some lame kids, since they must value their customers' problems and help them. That's why I never liked them; their whole site seems childish.
Hostgator tells me that: "the account password was compromised and the files were uploaded through FTP and you should update your CPanel and FTP passwords as soon as possible to prevent further issues." Then I ask for brute force protection and they say that: "Brute forcing only works if the password is weak enough, otherwise attempts will take much longer than anyone would be willing to wait."
More than likely it isn't a security risk within hostgator themselves; it is probably related to the coding on your website. I had one of my websites "hacked" quite a while ago. It was due to a loophole in my own code; I fixed it and received no more problems. Some kids just like to do dumb things to make them feel special. Supposedly they wanted to just "let me know I had a loophole". A simple email would have done the trick though. -Travis T.
Give me an account name and I can get the password in 72 hours at the most, unless your password happens to be 19 characters long.
Please do me a favor and actually read the thread next time. He could have been brute forced also, which IS their fault.
Brute Force is one way to hack a server but so is finding security holes in outdated programs used by users.
Your account has had a total of 20 login failures since October 5th to October 25th, so obviously this wasn't the cause. I've yet to see a site we host "brute forced" that wasn't a beyond stupid password. So why did a hostgator staff member tell you this was the cause? I'm not sure, as I'll have to talk with him still, but honestly it was probably because of this reason... User logs are rotated daily because a 32bit unix system can't read files larger than 2gb by default. This 2gb would fill up in a little over a day's time, which would result in things on the server breaking, thus it's rotated daily. Without these logs the only way to find out how it was exploited is by going to the site and trying to figure out how to exploit it again. He probably tried doing this and couldn't figure out how, as it was above his skill level, so he responded back saying the pw was hacked as an easy copout. (He's in trouble for doing this.) If he responded back saying your site is insecure, you would force him / us to prove it. And that could take anywhere from hours, days, to eternity to figure out how it was exploited. We usually make somewhere around $10 a month per account, so while we try to help as much as we can on this type of matter, it really does come down to the webmaster's responsibility to secure their own site. Time and time again a site gets exploited and the webmaster goes posting it's our fault, that we are "insecure" etc. It's a lot easier to blame someone than accept responsibility, especially when we can't always show you how it was exploited. We never can 100% say exactly how it was unless we have the logs, which are rotated in some cases. If it was our fault the entire server would be rooted, not just a single site or two running insecure scripts. I had our CTO go to your site and in a few minutes' time he was able to find multiple ways to exploit it. I'll be pm'ing you in a second with what he found. I can have him help you get it all secured, but it won't be cheap.
He gets paid over $100 an hour and, believe it or not, is my cheapest paid employee based on what he accomplishes for us. Anyone that says we're insecure and can easily be brute forced, all I can say is here's a little math for you... A 5 character password with all lowercase letters and just numbers would have 60466176 combinations. Anyone that does close to a dozen tries in a few seconds will be dropped. You could do a try a second and get 86,400 attempts in a day, and in about 700 days, yes, you would have it hacked. Keep in mind this math is on a 5 character password! There's a reason I've yet to see even a medium strength password "bruted" on our hosting, since we have rate limiting. One positive thing that will come from this thread is that I've talked to our CTO and he's working on something to archive that 2 gig usr file every day. So hopefully the next time this happens we will be able to easily show the customer how they were exploited without playing the guessing game. I am very sorry this wasn't in place already so we could have been of more assistance on this particular case.
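The rate limiting and keyspace math from the post above, sketched as an added example (not HostGator's code or part of the original thread). The 12-failures-in-5-seconds threshold, the 600-second drop, the addresses and the events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy: the post only says "close to a dozen tries in a few seconds".
MAX_FAILURES, WINDOW_SECONDS, BLOCK_SECONDS = 12, 5, 600

class FailureLimiter:
    """Sliding-window counter of failed logins, keyed by source address."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 block=BLOCK_SECONDS):
        self.max_failures, self.window, self.block = max_failures, window, block
        self.failures = defaultdict(deque)  # source -> recent failure times
        self.blocked_until = {}             # source -> time the drop expires

    def record_failure(self, source, now):
        """Register one failed login; return True if the source is dropped."""
        if self.blocked_until.get(source, 0) > now:
            return True
        recent = self.failures[source]
        recent.append(now)
        while recent[0] <= now - self.window:  # forget failures outside window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[source] = now + self.block
            recent.clear()
            return True
        return False

def replay(events, limiter):
    """Feed time-ordered (timestamp, source) failures; return dropped sources."""
    dropped = []
    for ts, source in sorted(events):
        if limiter.record_failure(source, ts) and source not in dropped:
            dropped.append(source)
    return dropped

def days_to_exhaust(alphabet_size, length, attempts_per_second):
    """Worst-case days to try every password at a sustained attempt rate."""
    return alphabet_size ** length / (attempts_per_second * 86400)

# Constructed events (documentation addresses, not real log data).
BURST = [(1000 + i * 0.25, "203.0.113.7") for i in range(12)]  # 12 in 3 s
SLOW = [(day * 86400, "198.51.100.9") for day in range(20)]    # 20 in 20 days
STEADY = [(5000 + i, "192.0.2.44") for i in range(60)]         # 1 per second

if __name__ == "__main__":
    print(replay(BURST + SLOW + STEADY, FailureLimiter()))
    print(round(days_to_exhaust(36, 5, 1)))  # 36 = lowercase letters + digits
```

Only the burst source is dropped; the one-try-a-second source stays under this threshold, which is the rate the 700-day figure in the post assumes.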
Shared accounts are very vulnerable, I've had mine hacked many times. But it's usually easily fixed. I'm even afraid to follow that link 'cause it's most likely some kind of spyware ~MG
hostgator, are you an official representative from hostgator.com on DP? Put some info in your profile so people know. BTW, I've got a dedicated server and 2-4 shared accounts at hostgator ~MG
Ahh, I see, you are promoting hostgator; that's why you found my words foolish. Don't worry, mate, I know what I am talking