Dissatisfaction with unreasonable account suspension

[davidwwatts]

What's going on at WHB? My account was suspended for the 2nd time in 2 weeks and the 2nd time was completely unreasonable.

Some history: I have 6 domains on my account. I had installed Advanced Guestbook into one of the domains (from Fantastico, NOT by hand). It turns out this version had a security flaw and my guestbook was compromised and about 2 weeks ago, someone put up files phishing for account information of another company.

The WHB operators quickly suspended my account (March 3rd, ticket NNO-298965). I spent the next couple of days convincing WHB support that I wasn't a spammer/phisher and if they let me back in I would uninstall the guest book and clean up the files.

Fast forward 2 weeks. My account was suspended again. However, this time (tickets UGI-523635, WZB-895463), I was given no reason:

the following account has been suspended due to the complaint about a fraud site we received from our bandwidth uplink provider. (..my account details..) Please contact our billing department about any hosting-related questions.

It took 14 hours to actually get information from WHB support about the complaint (14 HOURS!). Then it turned out that the complaint was the original phishing problem that had already been fixed. The original complaint listed the URL where the spammers had hacked the guest book - and of course that directory and files had been deleted 2 weeks ago.

It then took another 17 HOURS before WHB support unsuspended my account again. WHB state that they have 24/7 support, but I was not getting any response to my ticket updates for most of that time.

Even when Wayne R added this to the ticket "We are reviewing this issue and will reply quickly", it took a further 15 HOURS to fix the problem.

And in the end, all I got was:

Your account has been unsuspended. Please let us know if we can be in any further assistance.

I still have no acknowldegement as to why my account was suspended.

Here are my complaints about this situation:

• Why is it that the FIRST step in these situations is to suspend the entire account? It was very disruptive the first time, but it was particularly unreasonable to do this the 2nd time around, since the complaint was old and no longer valid - the offending files/application had already been deleted. Why not, as the first step, change the permissions on the offending directory instead, then go to suspension as the second step?
• Why suspend the entire account and not just lock out the offending domain? This is extremely and unnecessarily disruptive.
• Why did it take 36 hours to resolve this situation? In fact, why do tickets in "Suspended Accounts" seem to take an order of magnitute of time longer to be responded to compared to technical support? It should be the other way around when you consider the impact.
• WHB states they have 9am-5pm telephone support, but the number always went to voicemail after a couple of minutes on hold and no-one ever returns calls

[Matt R.]

David,

I am reviewing all of the points you raise. I will get back to you shortly.

[davidwwatts]

Any update Matt?

David.

[caucus]

Hello

Yes, this would be nice to know the answer to this one.

[Matt R.]

The timestamp on the complaint that we got was what caused it. I am going to see if we can build an 'account history' addon to our billing software so we can make a note of suspensions and resolved issues to prevent it from happening again.

As always, you can email management@webhostingbuzz.com if you feel you need a ticket looked at at the highest priority.

[davidwwatts]

Thanks for the reply. However that doesn't address any of my complaints. In particular:

* Why suspend the entire account and not just lock out the offending domain? This is extremely and unnecessarily disruptive.

As of 15 minutes ago, my account was suspended a third time! Apparently another phishing page was installed, but it is unclear when and how since that domain now only contains static pages. Of course I can't check it or do anything about it since I'm locked out.

I understand that you need to protect WHB and all it's customers, but why suspend my entire account and not just the offending domain?

David.

[Vladimir B.]

Dear David,

Please take a look to attached screen shot.

[davidwwatts]

Yes that is the page that was added by hackers. The question remains: how was it added when my domain has nothing but static pages? And why was my entire account disabled and not just this particular domain?

Update 4/4/08: To answer my first question, my guess based on what I found is that when the Advanced Guest Book was hacked in the first place, the hackers placed various PHP files throughout my domain in inconspicuous folders, including a PHP-based remote console. So even though I uninstalled the guest book and deleted all files in that directory, there were still other files left around. To fix the problem, I deleted all files from the domain and reuploaded my local copy of the site. I'm really glad that I only had static files - reinstalling applications and databases would have been a nightmare!

[Dennis A.]

David,

Here are answers to your questions one-by-one.
1. Account suspension is an emergency measure, taken in critical situations. Bank fraud compliant is one of such situations. Upstream providers don't wait in such cases, they just null-route the entire server. That's why we suspend accounts. Compliant age doesn't matter in this case.
2. cPanel doesn't allow to suspend domains. Minimal suspension unit is cPanel account. Of course we can block domain's directory or block the site like cPanel does (with .htaccess redirect), but we'll have to do it manually and changes won't be visible/manageable through cPanel. The problem is that practically person who blocked the directory is the only person who knows what to unblock. Any communication scheme doesn't practically work in 100% of cases. Information inevitably will be lost from shift to shift and while passing it to another department. So, it appears that "dumb" suspension of whole account is the only way of resource blocking, effective from administrative point. It's only advantage is that it's standard.
3. We had extra-high helpdesk staff load last weeks, so ticket response time was much longer in all departments. Regarding phone support - I heard there were some problems with our phone number recently, but I don't know details. Better ask Jef.

As I see your situation, your site was hacked, most probably using code injection possibilities existing for "advanced guestbook" script. Someone uploaded fraudulent page. The page itself was removed, but nobody did site security audit, so intruder uploaded the page again, and once again your account got suspended.

Did you change all your account-related passwords, check your local PC for trojan software and disable guestbook scripts? If no, please do it ASAP, also please be adviced to replace "Advanced guestbook" script by any alternative guestbook solution.

[Dennis A.]

Well, didn't see your previous post. One more possible vulnerable point remains - local PC. But first of all please change your passwords.

[davidwwatts]

Thanks for the reply.

I've just changed my PC password, and I run Norton AV and firwall on it already. I will change cPanel once you give me access again. Please let me know when I can get back into my account (ticket KVQ-967277). I uninstalled Advanced Guestbook from that domain weeks ago.

There are no scripts (that I installed) on that domain. I will delete the entire nsg directory (or you can do it if you like) and reupload all the static files again.

David.

[davidwwatts]

Of course the problem is that I cannot do anything with my account (including changing my cPanel password and deleting files, etc) until you unsuspend my account. It's a catch-22.

[davidwwatts]

The page itself was removed, but nobody did site security audit, so intruder uploaded the page again, and once again your account got suspended.

Dennis, would you please advise how I can do a security audit of all the domains on my account? Is it something I can do myself?

[davidwwatts]

So even though I responded 13 minutes after getting notified that my account was suspended, 10 hours later, I still don't have the ability to fix the problem.

Yes I understand that when it comes to bank fraud, you must act quickly. But surely there is a way to act quickly but still give the account owner a way to fix the problem without having to spend 10 hours asking for access. Do you see my problem?

[Andrew S.]

Dear David,

Sorry for delayed reply. Ticket has been updated too.


Please, follow these recommendations:
1. Don`t use simple passwords to access cPanel, FTP and change them regularly.
2. Never show or transfer/send your passwords to anyone
3. Regularly look for updates of the installed scripts on the script-developer web-site. Don`t use simple passwords for managing your scripts.
4. Visit sites, related to vulnerability of software (http://en.securitylab.ru/ ,
http://www.securityfocus.com/ etc.)
5. Look through the content of your home_directory.

We would also highly recommend you to use secure ports to access your cPanel (https://yourdomain:2083)
We hope, that following these instructions you will minimize the possibility of repetition of such a situation in future.

[davidwwatts]

Matt,

I understand that WHB has to react quickly to requests from the upstream provider to block access to phishing pages installed by hackers.

As a customer of yours and with customers of my own, I am very keen to fix the problem straight away and get all my domains back live again. However because you completely suspended my account I can't do anything. Instead I have to spend the next 12-36 hours pleading to have my account unsuspended so I can then immediately spend a few minutes to delete the rogue files.

Would you please consider changing your procedures? One option I can think of is that you block all traffic other than port 2082 (cPanel), thereby satisfying your upstream provider, but still allow 2082/cPanel access? That way, I can quickly log into cPanel, delete the files (or uninstall the application or whatever), and then have you restore full access again.

This way, I occupy less time of you support staff by not sending in mulitiple requests to have my acccount unsuspended, and ultimately be a more satisfied WHB customer.

At the moment, quite frankly, I would NOT recommend WHB to others because of how long it takes to recover from being hacked.

David.

[Jef S.]

If you have all these customers you're worried about, why are you reselling accounts on a non-reseller account? A startup reseller-A account is the same price as a silver package, just put in a ticket with billing and they will upgrade your account for free.

You can always contact our chat support if you have a ticket that requires immediate attention, just click on the chat icon on whbsupport.com or on webhostingbuzz.com and give them the ticket ID. The chat agents aren't technical, but they will alert someone who is to your ticket, and they will look at it within a few minutes.

My last advice is to uninstall anything that you receive a warning about as soon as possible, regardless of if it was installed via fantastico or by hand.

[davidwwatts]

Jef, thanks for the reply.

These customers I refer to aren't that sort - they are simply users of the domains (for example the 500+ volunteers that work at the local community theatre that I manage the web site for).

Re this reseller-A account. Will having that account change how account suspensions are handled?

Re chat support. Yes I tried that, but even though it said people were online, it would then report they were offline and have me fill in a form which then opened a ticket. At one stage I had three tickets open on the same topic. I also tried the phone support, but that didn't work either - it kept going to voicemail (which no-one ever returned).

[Jef S.]

The reseller account would isolate each domain into it's own account, so when that account is suspended it will only suspend that domain.

When did you put in these requests? Those tickets should still be answered, but there was a bug in our ticket system that caused some tickets to not be assigned a status, so when we sort our tickets by status(the most common way to view tickets) they drop out of view. How long are the voice mails you leave? I ask because the voice mail system deletes anything under 8 seconds because hanging up leaves a 4 second voice mail. Please PM me the number you call from, because I haven't seen any voice mails from you and I do all the callbacks.

[Alan B]

These customers I refer to aren't that sort - they are simply users of the domains (for example the 500+ volunteers that work at the local community theatre that I manage the web site for).

If one of your domains has that many users, and the domain is important, and you have multiple domains: then you should use a Reseller account. Addon domains are intended to provide a cheap method to host a few "extra" domains.

I don't actually "resell", but I host several sites through a Reseller account. I would never do that using Addon domains, as Addon is just too limited a method.

If you really want multiple sites, then you should get a Reseller account, which allows each domain to be in its own cPanel account. That way, if Support needs to disable an account, only one domain is affected.