My Site Got Hacked

So I go away for the Thanksgiving weekend and come home to find out my site has been hacked. The attack consisted of setting up some elaborate phishing attacks for multiple Canadian and US banks. The main damage was done at a site that I maintain for some friends of mine, namely, Will Stroet's site. It is in a subdirectory of this site, set up with a domain pointer. I had FTP access enabled to that directory ONLY, and so I had assumed that the attackers had come in that way, through FTP. Then I noticed 3 files in my Drupal modules/month directory. That got me really worried that there is some sort of security hole in Drupal or that my SSH credentials had been compromised in some way, because there is no FTP access to that directory (or at least there shouldn't be).

So far I have changed the email passwords for the 2 email addresses set up through my hosting company, site5, and changed the FTP password. Next, I am going to change my Drupal passwords and SSH password.

The good news is that I haven't lost any data as far as I know. One file was overwritten but it was easily recovered from an old backup (it was a template file that hadn't changed since the last backup anyways).

site5 is Annoying Me Today

I never have access to wget or SSH for any of my site5 accounts by default. I always have to file a ticket asking them to give me access. Half the time it takes 2 or 3 tries for them to get their 'fix' right as well. This time it is really bothering me because I filled out the ticket 24 hours ago and they still haven't responded.

Update: I switched to slicehost a long time ago. Much, much better.

site5 Hosting

This website is hosted at Site5, as well as 4 other sites of mine, among them are: and I have owned this web hosting account since last October. I have found the speed to be satisfactory although not amazing, which is what you would expect from shared hosting.

Recently, however, the service got worse and worse, and finally there were a couple of occasions where I could not connect to my site for 30 seconds, and running time svn status at the command line could take anywhere between 0.2s and 2 min. I have always had good experiences with site5's customer service. I started bugging them, mainly complaining about the slow svn status command because that seemed more repeatable and not dependent on network slowdowns at all (it is strictly a local command). Eventually, after a lot of nagging, the people at site5 said they found a spammer operating on my server; then, after I complained that there was still a problem, they found another spammer. Apparently there were a lot of exim processes running on the box. Anyways, the service has been great lately and I hope it continues.

Site5 has taken some flak lately, but I still think that they are one of the best shared hosting sites around.
