Hostek is putting their customers at risk

If you are hosting your site at Hostek.com, you are probably at a higher risk of being hacked. Why? Because they do not do the proper separation of accounts internally, so anyone can access the pages of everyone else.

How do we know that? We were helping a friend with his site over there and when we checked their permissions, we found a big (BIG) security hole on Hostek. Every PHP script is executed with the permissions of the user “nobody” (used by Apache), and every site allows the user “nobody” to access its files.

It means that any user can access the files from everyone else. Even worse, you can add and even modify the files under some circumstances.

Analysis

When we realized that the PHP scripts were being executed as the user nobody, we did a simple PHP script to verify that:

echo “verify..\n”;
$myloc = `pwd`;
echo “myloc: $myloc\n”;
$myid = `id`;
echo “myid: $myid\n
“;

We got this output:

verify.. myloc: /home/XXX/public_html done
myid: uid=99(nobody) gid=99(nobody) groups=99(nobody)

Uh-oh, the PHP script is being executed as nobody. We also learned that probably every user has its own home directory at /home/[user] and their public web site is stored at /home/[user]/public_html.

We tried an additional check after with this script:

$listofusers = `cat /etc/passwd`;
echo "
users:$listofusers\n

“;

And yes, we got the list of all the users inside their shared server ( I won’t list the real users to protect them, but everyone had the home dir at /home/[user] and the shell /usr/local/cpanel/bin/noshell):


users:root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32001:32001::/usr/local/cpanel/3rdparty/mailman:/bin/bash
cpanel:x:32002:32003::/usr/local/cpanel:/bin/bash
..

That’s not too bad. What else could we do? Well, we could list the files from everyone else (I won’t show how to do it):


/home/userB/public_html

total 1524
drwxr-x--- 24 userB nobody 4096 Oct 30 01:49 .
drwx--x--x 15 userB actionin 4096 Apr 26 2009 ..
-rw------- 1 userB actionin 16 Apr 11 03:57 .ftpquota
-rw-r--r-- 1 userB actionin 93 Feb 3 2009 LiveSearchSiteAuth.xml
-rw-r--r-- 1 userB actionin 3240 Feb 10 2009 about.php
drwxr-xr-x 2 userB actionin 4096 Nov 30 2007 activate
drwxr-xr-x 7 userB actionin 4096 Mar 10 2009 admin
-rw-r--r-- 1 userB actionin 6243 Feb 5 2009 change_password.php
..

As you can see, the group nobody has the permission to read and execute the public_html directory, so every user can read the files from everyone else.

If that wasn’t bad enough, we were able to cat the passwords from wp-config.php (used by WordPress), configuration.php (used by Joomla) and even .htpasswd used to protect specific directories.

Can it get worse?

What is really bad is that some CMSs (specially Worpdress), have a directory to allow the user to upload files in there via the web. With WordPress it is inside wp-content/upload.

The permissions of this directory allowed the user nobody to add and modify any file in there. So we were able to add files into other people’s site (see test.txt on the screenshot) and even modify anything they had uploaded. Really bad.


And yes, we contacted them and got no reply.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.blogger.com/profile/02934157746337952448 MysteryFCM

    I've just spoken to Hostek and they informed me they're aware of the issue, and it only affects one of their servers.

    Sadly, they've said it's got a "special configuration" and cannot be changed (i.e. cannot be secured), so whilst they will move the sites for customers that request such, they won't do anything to close the vulnerability.

  • http://www.blogger.com/profile/02934157746337952448 MysteryFCM

    I've heard back from "Brian A" at Hostek, who has informed me they've now secured the server. Are you able to confirm this?

  • http://www.blogger.com/profile/02934157746337952448 MysteryFCM

    Brian tried posting to the following to this blog, but it never asked him to complete the CAPTCHA, so I'm passing this along for him;

    "The server has been fully secured.

    The "Sadly" part above, was based on misinformation from one of our support techs. While the tech was correct this only affected one server, they were incorrect that we weren't going to do anything about it. We take security very seriously and got our Linux server admins working on this issue right away, which allowed us to get the server fully secured now.

    We apparently didn't set that server up correctly. That was our first Linux server we setup, many many years ago. All servers since have been configured correctly, and this one is configured correctly now too. I'm not here to make excuses. I just thought it would be helpful to know these details.

    Additionally, we are working on an email to send to all domain holders on that server letting them know of the change and that they should change any and all passwords associated with their applications and databases to be on the safe side."

  • Brian A

    What happened to the reply we posted here the day after this was initially posted?

    That issue was on one of the servers, and was resolved immediately upon learning of the issue. Since then we have tightened down security on all of the servers.

    • http://sucuri.net Andres Armeda

      Brian, we’ve since moved servers, blog platforms, and commenting systems. Some of the comments didn’t make it through the various transitions.

      If you’d like to repost, please feel free to make any clarifications you’d like.

      Thank you,

      Dre Armeda
      Sucuri Security

  • David Alexander

    This article is interesting, however it is from 2010, and it is now 3/2013. Why does the article indicate that Hostek was contacted and did not reply. The author admits that they lost comments and other information after the article was written, so they appear to have their own problems.

    I have been a Hostek customer (and a former CTO of a software technology trade association) for about three years, and have been very happy with their 24×7 customer service, the terrific stability of their Windows VPS servers (I have two of them running a combination of SQL Server, PHP, MySQL, and ColdFusion), and their pricing. Previously, I hosted with Hosting.com and it was very unstable and very expensive, so I am not sure why Shane reported a bad experience. He does not specify the particular hosting combination he is/was using.

    So, does the information in the article indicate anything about Hostek as a company in 2010? How about Hostek as a company in 2013? Since that was a Linux server (apparently) mentioned in the article, did the same issues apply to Windows setups?

    I would have liked to see Hostek provide a more complete response (although now it may be too late to get the facts of this 2010 incident) about how that happened on one server (and not others), and how they tightened up “all” the servers later. The article should have also done some more research, or possibly waited longer for a response from Hostek, before publishing and leaving some major questions unanswered.

  • http://www.facebook.com/paul.j.richardson Paul J Richardson

    Shane, I disagree completely. I’ve been with almost half a dozen major providers and thus far Hostek is THE BEST, in terms of customer service.

  • Kristin Smith Messerli

    All of my websites through hostek have been hacked and I have a couple websites hosted with BlueHost that have not. I really don’t want to have to move all of these sites over as I don’t have time. Hope this gets fixed!

  • Bob

    Digital Ocean