On Sunday we reported that a number of sites hosted by Bluehost had been hacked (including their CEO’s blog).
On Monday while browsing through some of their forums, we noticed a thread regarding the exploit with remarks from forum moderators and administrators to curious customers that didn’t quite make sense.
#1 from one moderator:
Since such a negligible percentage of Bluehost sites were hacked it is just about guaranteed that it is an individual script issue rather than anything more widespread.
If it were something other than individual scripts being vulnerable then a lot more than 0.00006% of accounts would be affected.
It would be interesting to learn what Bluehost considers a negligible percentage for something like this. We’re also curious to learn more about how the .00006 percentage was determined. More on the numbers we calculated is included below.
No matter how you look at this, there is a “script” causing problems for various people across the Bluehost service.
#2 from a bluehost system admin:
Bluehost is looking into it, yes, and the article referenced claiming “a good number of sites hosted at Bluehost have been hacked and infected” is very misleading. What is considered “a good number”? Less than 0.00006% of the domains we host actually show this compromise, which is much lower than most of the WordPress compromises we usually see, which is the cost of allowing people to run whatever they want on their site.
According to Bluehost, only .00006% of their customer sites were exploited. Even using their “NOW HOSTING OVER *1,000,000 DOMAINS” as a baseline, that would be less than 1 site infected.
Based on the infected sites we found and Bluehost’s advertised user count, we found that at least .03% of their client base has been affected. Now, you may say that is a small number, and we would agree, but that’s still hundreds of sites infected and serving malware on your network with no root cause for how the script propagated.
*According to Google, Bluehost has around 250k indexed sites in their network. If this in fact is a more accurate count of active sites they host, the percentage of infected sites is a lot higher than what we’ve estimated.
We replied to them on their forum and walked through the numbers a bit:
I don’t think the numbers are so small as mentioned. Even Bluehost’s CEO blog got hacked…
We (during our initial assessment) found more than 140 sites hosted at Bluehost with this malware. Note that we don’t have access to all sites hosted in there to do a complete check, so it is probably a LOT more than that.
Google says Bluehost has 240k sites (they claim over 1 million). With just those 140 sites we found, it would be at minimum 0.01% of the sites infected.
We have already fixed a few sites in there, some were using WordPress, some Joomla, so it doesn’t look like anything that you can blame on the user.
*Just trying to clear up the facts.
Only to get bashed and banned from their forum by an admin. Was our comment outside of the forum’s acceptable use policy?
ok, posts like this just create FUD and confuse people.
Consider that Sucuri did NOT contact Bluehost about what they are seeing before they went public, before they attempted a grandstand and a “look at how good we are, come buy our product”, I would take what they say with a grain of salt and think about the reason they are doing and saying what they are. Real and honest security groups will always try to get a situation resolved and fixed by working with the victims before they show it to the world. Look at the motivations involved.
Bluehost cares a lot about its customers, we are looking into the issue, and will do whatever we can for our customers.
We reached out to Bluehost via LinkedIn about the exploits we discovered. We stated we would be releasing an article about the discovery, and that various other sites hosted by Bluehost had been affected.
We are a business that finds malicious issues on the internet, and tries to fix them as soon as possible. If you want to call that a grandstand, that’s your right, but don’t talk down to us or our product without better research and understanding of how we help people when providers fail to provide adequate assistance to their customers. Get your ducks in a row.
Our service pointed out an exploit we discovered on Bluehost accounts, including the CEO’s blog, only to have them question our honesty and intentions, then ban us from their forum. Very interesting posture from one of their senior leaders.
This isn’t a matter of disclosing some obscure vulnerability that hadn’t already been exploited. In fact, to recap, Bluehost has admitted that some percentage of its customers had already been exploited.
We’re doing our part to assist and have offered up a free clean-up script to those affected.
Check out some of the comments on our original article.
Bluehost has historically offered a great service, and we’re sure they truly care about their customers. We’d like to learn more about how they typically handle situations like this. In the end, we wonder what valid information they’re disclosing to those who own a site in the “negligible percentage of Bluehost sites” that were exploited.
Update 1: This is a poor response from Bluehost regarding this security problem. Clients are calling them to ask about this attack and their support personnel are saying that nothing happened and it is probably an isolated incident. Someone sent them a link to our site and they responded that our article is a lie.
We have numbers to prove and a list of sites affected. We can send upon request.
Bluehost: some sites got reinfected today, including your CEO’s blog (which is currently down). Why not step up and take responsibility? This is not a small incident, since the number of affected sites is in the thousands now.
If you are a Bluehost client, call them up and ask for an answer.
If you have any questions about this article, the “domainameat” script issue, or just want to say hello, feel free to leave a comment below, or email us at firstname.lastname@example.org.
Protect your interwebs,