Bluehost Talks Down Malware Percentages – Offers Sucuri a Forum Ban

June 29, 2010 by 26 Comments

On Sunday we reported that a number of sites hosted by Bluehost had been hacked (including their CEO’s blog).

On Monday while browsing through some of their forums, we noticed a thread regarding the exploit with remarks from forum moderators and administrators to curious customers that didn’t quite make sense.

#1 from one moderator:

Since such a negligible percentage of Bluehost sites were hacked it is just about guaranteed that it is an individual script issue rather than anything more widespread.

If it were something other than individual scripts being vulnerable then a lot more than 0.00006% of accounts would be affected.

It would be interesting to learn what Bluehost considers a negligible percentage for something like this. We’re also curious to learn more about how the .00006 percentage was determined. More on the numbers we calculated included below.

No matter how you look at this, there is a “script” causing problems for various people across the Bluehost service.

#2 from a bluehost system admin:

Bluehost is looking into it, yes, and the article referenced claiming “a good number of sites hosted at Bluehost have been hacked and infected” is very misleading. What is considered “a good number”? Less than 0.00006% of the domains we host actually show this compromise, which is much lower than most of the wordpress compromises we usually see, which is the cost of allowing people to run whatever they want on their site.

According to Bluehost, only .00006% of their customer sites were exploited. Even using their “NOW HOSTING OVER *1,000,000 DOMAINS” as a baseline, that would be less than 1 site infected.

Based on the infected sites we found and Bluehost’s advertised user count, we found that at least .03% of their client base has been affected. Now, you may say that is a small number, and we would agree, but that’s still hundreds of sites infected and serving malware on your network with no root cause for how the script propagated.

*According to Google, Bluehost has around 250k indexed sites in their network. If this in fact is a more accurate count of active sites they host, the percentage of infected sites is a lot higher than what we’ve estimated.

We replied to them on their forum and talked to the numbers a bit:

Hey,

I don’t think the numbers are so small as mentioned. Even Bluehost’s CEO blog got hacked…

We (during our initial assessment) found more than 140 sites hosted at Bluehost with this malware. Note that we don’t have access to all sites hosted in there to do a complete check, so it is probably a LOT more than that.

Google says bluehost have 240k sites (they claim over 1 million). With just those 140 sites we found, it would be at minimum 0.01% of the sites infected.

We fixed already a few sites in there, some were using WordPress, some Joomla, so it doesn’t look like anything that you can blame the user.

*just trying to clear the facts.

Only to get bashed and banned from their forum by an admin. Was our comment outside of the forum acceptable use policy?

ok, posts like this just create FUD and confuse people.

Consider that Sucuri did NOT contact bluehost about what they are seeing before they went public, before they attempted a grand stand and a “look at how good we are, come buy our product”, I would take what they say with a grain of salt and think about the reason they are doing and saying what they are. Real and honest security groups will always try to get a situation resolved and fixed by working with the victims before they show it to the world. Look at the motivations involved.

Bluehost cares a lot about it’s customers, we are looking into the issue, and will do whatever we can for our customers.

We reached out to Bluehost via LinkedIn about the exploits we discovered. We stated we would be releasing an article about the discovery, and that various other sites hosted by Bluehost had been affected.

We are a business that finds malicious issues on the internet, and tries to fix them as soon as possible. If you want to call that a grand stand, that’s your right, but don’t down talk us or our product without better research and understanding of how we help people when providers fail to provide adequate assistance to their customers. Get your ducks in a row.

Our service pointed out an exploit we discovered on Bluehost accounts, including the CEO’s blog, only to have them question our honesty and intentions, then ban us from their forum. Very Interesting posture from one of their senior leaders.

This isn’t a matter of disclosing some obscure vulnerability that hadn’t already been exploited, in fact, to recap, Bluehost has admitted that some percentage of their customers had already been exploited.

We’re doing our part to assist and have offered up a free clean-up script to those affected.

Check out some of the comments on our original article.

Bluehost has historically offered a great service, and we’re sure they truly care about their customers. We’d like to learn more about how they typically handle situations like this. In the end, we wonder what valid information they’re disclosing to those who own a site in the “negligible percentage of Bluehost sites” that were exploited.

Update 1: This is a poor response from Bluehost regarding this security problem. Clients are calling them to ask about this attack and their support personal are saying that nothing happened and it is probably an isolated incident. Someone sent them a link to our site and they responded that our article is a lie.

We have numbers to prove and a list of sites affected. We can send upon request.

Bluehost: some sites got reinfected today, including your CEO blog (which is currently down). Why not step up and take responsibility? This is not a small incident, since the number of affected sites are in the thousands now.

If you are a Bluehost client, call them up and ask for an answer.

If you have any questions about this article, the “domainameat” script issue, or just want to say hello, feel free to leave a comment below, or email us at support@sucuri.net.

Protect your interwebs,

Dre Armeda
Co-Founder
Sucuri.net

Filed Under: awareness, bluehost, hacked, Malware, sucuri Tagged With: , , ,
About Dre Armeda

I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place! ~dremeda

  • Pingback: 0-day wordpress vulnerability results in many Media Temple malware infections

  • David

    I was affected on Sunday too. Happily I discovered it quickly and made a fix based on my experience a few weeks ago when I was affected with the zettapetta malware. Otherwise I might not have even known.
    I suspect a lot of users are affected without even realising it.
    If Bluehost are aware of a problem, then I would have appreciated some sort of acknowledgement or notification.

    • victorcab

      Hello David, you happen to have a quick fix, my site was affected also.

  • Charissa

    well…I am one of the microscopic minority of BlueHost sites having issues with this. Looking at the forums over there on BlueHost, it is evidently the "smaller sites owned by individuals and small companies without an IT department", who are too stupid to maintain their sites properly, that are being affected…I really do not appreciate arrogant comments. I keep my sites up to date and use BlueHost's SimpleScripts, etc. Is it really helpful to put people down when they are having issues like this?

    If it weren't for you guys at Sucuri, I would not have even known this was on my site in the first place. Now I am trying to figure out what to do to keep it from happening again, and I guess there's really no point asking anyone over there at BlueHost for any help…

  • http://www.kelvinlomboy.com Kelvin

    Sucuri, keep up the good work. If it were not for you guys I wouldn’t have known about the incident.

  • http://www.luisramirez.cl/blog/ Luis Ramirez

    Hi there,
    I am affected too, at least from Monday 28June. All my sites under BLUEHOST are currently hacked by the script you reported.
    Unfortunately BLUEHOST response this time has been totally unsatisfying. The usually have reasonable service but in this opportunity, all I am getting is standard copy/paste answers that I can probably Google myself.
    I’ve been exchanging emails with those guys since yesterday and still no one offers real help.
    It’s really disappointing.
    regards,
    Luis

  • anapologetos

    dre:

    Though I agree with you that the way bh is handling it is not the best, you have to admit that when you say something like "a good number of sites at hosting company x" is very ambiguous–Maybe next time you could give an actual estimate, from what you guys have seen: ie "At least 350 websites at hosting company x"

    Just my two cents.

    -Anapologetos

  • David Dede

    We said a good number because it is very hard for an external entity to fully determine the scope of an attack. We during our initial assessment, found around 150 sites hacked (but we checked only around 1.5k sites hosted in there). It would mean 1% of sites if we extrapolated, but we didn’t want to give hard numbers to avoid misinforming.

    Now we have found a lot more sites affected than that, but but haven’t check the 240k sites that they host, so it is a lot more… Even if it were only 200 or 300, it is still a good number for us, specially if the attack happened due to their fault (considering that even their CEO blog got hacked).

  • alekseykorzun

    Seems like you are trying too hard. You have no actual numbers and can only provide guesses on the issue.

    • Bobby

      That's probably because Bluehost gives false (guessed) numbers and doesn't have any solid numbers or facts before they start shutting people down.

  • jayrox

    Considering when you call bluehost tech support they ask for your account password. It does surprise me at all.

  • Kevin

    Ouch. I run several bluehost sites. I’m going to call them right now.

  • Pingback: Bluehost got hacked and responded pretty bad to it (by lying to their customers) » News, Hacker, View, Comments » App Developer Tyler Johnson Blog - tjoozey.com

  • Chris M

    @David Dede
    150 sites in 1.5K is not 1%, it is 10%

  • Ray

    I was trying to investigate how this happened (before I discovered it was a Bluehost-wide exploit), and discovered that my raw access logs for June 1 – 29 were gone. I contacted them and they simply said sorry for the inconvenience — is anyone else noticing this issue?

    Further, when I contacted them about it, they just gave me a generic response about securing php scripts, and that they can’t determine which script is malicious since it’s 3rd party code so they don’t know what is supposed to be on my site and what’s not. It’s difficult for me to determine which php script to secure without the access logs, which is what I was expecting them to do.

  • Kevin

    Bluehost support: "Sir, we haven't had a security incident in two years. If you didn't read it on our official website, it's most likely hearsay [that we can't verify]."

  • http://www.sidecarsally.com Sidecarsally

    Why do you guys even use Bluehost? I always expect them to have problems and lie about shit. Used them for 2 years, but I wouldn’t do it again if they offered me free hosting for the rest of my life.
    My recent post “Don’t taze my granny-”

  • JohnR

    If they’re smart, Bluehost should pay attention carefully and learn from all the mistakes that GoDaddy has made…

    • Bobby

      Bluehost is nothing like GoDaddy and their business practices are nothing alike so why would they care what GoDaddy has done?

  • victorcab

    I was hacked too, very odd. I don't have lots of experience dealing with these issues. Any suggestions appreciated? What files are usually compromised to cause the redirect?

  • http://www.josephdickerson.com joseph

    VERY angry with Bluehost right now. My sites are hit and I’m redirecting right now to a page on mobileme. Anyone have any suggestions on a new host provider?

  • Frank

    BH is the New BP. Why can they just come clean so people know what to expect and take proper action? Thanks Sucuri for exposing this.

  • Nonnegotiable

    Bluehost needs to just be up front and not make up statistics that 75% of their client base won't understand. Yes, I do think they make things up to butter it up for customers…why? Because I've been where they are and that's just what a company will do to try to cover up a deeper issue. I don't think the issue is because Bluehost is necessarily insecure – it's because they're not taking responsibility for the compromises and getting it fixed by providing their customers with more detailed and researched information by covering it up with dirt and putting daisies around it…it's stupid and everyone has a right to be upset. The responses are mostly canned and their CEOs or management think of the most appropriate way for their tech support to relay it to you. But don't expect the tech support to actually know what is going on. The interdepartmental communication sucks at Bluehost.

    But please also understand that they are only providing an easy solution for application software download. They're not securing your scrips and typically exploits on medium to large networks like Bluehost are seen more frequently than on smaller networks. If you all know your stuff, Bluehost is comprised of 3 different companies (what they call sister companies including Fastdomain and Hostmonster).

    So, if you do not keep your scripts up-to-date you'll be compromised. If you're using 3rd party plug-ins and themes, you could be compromised by means of those as well. Are you checking your file permissions? It sounds all very paranoid but if you're a web dev like me you know it's possible for even the smallest exploit to turn into a huge mess of things.

    If it were a server wide compromise due to a server being rooted maliciously, and if it were in fact Bluehost on the side of negligence, the entire server would be exploited.

    The fact is, it's a shared host and this happens more frequently than you think on other hosts as well. Also, and this is just by biased 2 cents, if you're running a PHP based application software for your web site, you're just asking for it.

  • Pingback: Ataque a clientes Bluehost | villacorp.com

  • Lisa

    Hello, We have been on Bluehost for probably 5 years now… In the past 5 weeks, we have been hacked SEVERAL times, and the last being just yesterday at 14:35 EDT. The problem is that we have to log into the control panel hourly to see if there is security updates. We logged in yesterday morning, no updates, hacked at 14:35, logged into our control panel and there was an update for word press.

  • http://joshuadance.com/ Joshua Dance

    I run two BlueHost sites. How would I check to see if I was hacked? Kinda new still to this whole thing.