LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Friday Was National Popcorn Day and We Had Some Drama

On Thursday, a provider on LowEndTalk noticed that another provider’s web server was misconfigured.  Specifically, the PHP handler was borked, which means that instead of processing the PHP and executing it as a script (the normal behavior), it simply dumped the text of the PHP script to the web browser.


Specifically because WHMCS’s stores its configuration info in a file called configuration.php, what became visible were things like database credentials, WHMCS config, etc.

The provider who screwed up was @Calin of iHostART.  The provider noticing this was @FlorinMarian, who runs hazi.ro.

@FlorinMarian then posted on LowEndTalk:

I frequently check the website of my competitors to see what changes they come up with.

It seems that the ART did not have a PHP interpreter and the PHP files were downloaded raw.

I know that I will get haters for this post, but it was not good for me either to see my infrastructure down and my friend to like each of my haters every time.

…and included screenshots of the configuration.php exposing all the details.  There was some minimal blacking out of parts of passwords and hashes, but a lot of details were shared in public.

The biggest risk here is not that someone would access this database over the Internet.  Typically, direct DB access is closed off.  But if someone already has a VPS with iHostART and is trying to access from “inside” iHostART’s network, the risk is very real.  (Best practice would be to only allow access to the DB from the WHMCS app server, or colocate the DB on the app server and only allow local non-network connections).

Regardless of theoretical exploits, it’s a disastrous leak.

The Background

@FlorinMarian and @Calin are rivals in a commercial sense, and they’ve sparred a bit on LowEndTalk.  They’re both offering service in the red-hot Romanian hosting market.

@FlorinMarian has had some DDoS attacks and I think at one point he was blaming @Calin though I don’t remember seeing any evidence posted (someone correct me in the comments on this if I’m wrong).

Now, imagine you’re @FlorinMarian.  You’re checking up on your competitor’s web site, which in itself is perfectly normal.  All providers do this.  You stumble upon a misconfiguration that exposes the provider’s infrastructure.  What do you do?

You could, of course, ignore the problem. After all, it’s not your job to monitor and alert a competitor that they’ve forgotten to lock their back door.

But the right thing to do – and certainly the classier thing to do – would be to privately notify the provider.  This allows them to rectify the issue.  Then you could post a comment on LowEndTalk saying “by the way, this happened” because pointing out that a provider is incredibly sloppy with their security is fair game.

The Wrong Thing to Do

Just posting the creds is wrong.

First, you’re putting all iHostART’s clients at risk.  These are innocent members of the public.  This is like running a bank and noticing that another bank has forgotten to lock its vault – do you really want that bank’s customers to lose their money?

Second, it runs counter to widely-accepted IT culture where you notify privately and allow time for remediation before you advertise.  That’s how exploits are handled.

Finally, it just looks very petty.  You want to compete based on service, price, etc. not low blows like this.

The Community’s Reaction Was Swift

The very first comment on the thread looked like this:

FlorinMartin Reaction 1

Some other typical comments:

FlorinMartin Reaction

FlorinMartin Reaction

@Calin replied:

Calin Reply

To be clear, @FlorinMarian did not first notify @Calin:

At the 25th minute I did the post and at the 32nd minute I wrote to him privately.

The thread blew up to over 540 comments last I looked.

The Inevitable…

Sometimes people on LET say that the staff will allow any scam or bad behavior as long as people pay for their Provider Tag.  This episode shows how false this is:

Florin Banned




No Comments

    Leave a Reply

    Some notes on commenting on LowEndBox:

    • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
    • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
    • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

    Your email address will not be published. Required fields are marked *