fr34k123

Joined: Sep 21, 2008
Posts: 3
Posted: Sun Oct 26, 2008 4:42 am
Hi - this is probably not the right forum board for this - but couldn't find an appropriate board - admins please feel free to move this post.
Basically a couple of days ago my VPS server got hit with a virus/hack - what this virus/hack did was to add malicious code into all php and html files.
I wasn't the only one affected by this with my hosting company and latest count for them was 380 clients affected. When this virus/hack was first detected, due to the nature of it the hosts couldn't help much as no host out there would be prepared to go through individual website files.
Anyway I was given the advice to go into each file and remove this malicious code and hopefully that would sort out the problem - but 24 hours later when I was experiencing ftp issues when trying to overwrite the infected files with clean ones I was getting transfer failed errors.
I again emailed the hosts and basically told them - that I cannot sort out this mess unless they had a look at the server because obviously any attempts at fixing it were being blocked.
To cut a long story short - my hosts looked further into this issue - as I was not the only one emailing them - so they decided as the servers had been seriously compromised they had to bring in a security specialist to remove the SHS rootkit virus.
This sounded great as he was going to not only sort out each individual problem and occurrence of this virus from website files, but he was also going to rid the server of any underlying virus and beef up the security.
However I was told that this would cost me, and everyone else that was hit - a total of $275 per domain - question is can they do this? I understand singular website security is not their call and is classed as custom work and incurs a fee - but this virus was server related that ultimately affected every website on the server - so why was I being charged to rid our site of this problem?
I was told that this particular hack/virus couldn't be removed by simply editing out some code from each file and that to completely remove it you must get to the root problem - which of course is the server - now because I'm on a managed VPS I do not have either the access or even the knowledge to get to the root problem - and surely I am not the one who should be looking after their server security?
End result was I didn't have that sort of money to immediately pay them - and also I didn't believe I should be charged for this mess - logging on to my webmail still proves this virus is still present - so what should I do?
Sorry about the long winded post - any advice is greatly appreciated
gotcha
Site Admin


Joined: Oct 25, 2004
Posts: 756
Posted: Sun Oct 26, 2008 9:34 am
Well, that is very unfortunate and sounds like a huge mess.
Now, if you are having trouble with your FTP connection while trying to fix these problems, I would try to get a complete backup and download it to your local machine and try to fix it there. I would try to get a backup anyways so you can switch hosts right away.
If you have "managed" VPS hosting, it is your host's responsibility to "manage" fixing it! If they are trying to charge you $275 per domain (that is just ridiculous) then you should tell them to f@$# off, seriously. I know managed VPS's aren't cheap but part of that cost is for the "managing", which they seem to be outsourcing. They should have staff on hand that knows how to make the servers secure so this type of thing doesn't happen to begin with. And if it does they should have a plan of action to fix it quickly, before it spreads to 400 other clients.
You deserve better from a host, there are way too many good ones out there to put up with crap like this. Focus on getting a complete backup downloaded (including database backups) to your local machine. Once you do that, you may have to go through all the files individually to remove the malicious code. You may also be able to use a text editor that can do search and replace operations on folders ( http://jedit.org ). Next find a new host, I wouldn't give your current host another dime since they are trying to get you to pay for their mistake/ignorance.
Good luck and let us know how this all works out.
fr34k123

Joined: Sep 21, 2008
Posts: 3
Posted: Sun Oct 26, 2008 10:19 am
Hi, thanks for the reply
Basically that $275 cost per domain was only a special rate due to high volume of servers/websites the specialists were brought in to fix, this discount was also factored in to the fact that the specialists were going to fix every affected server/website within such a small space of time (24 hours).
I've spoken to them this morning asking about the cleanup process - and because we didn't pay the money for the security specialists to clean it up, our VPS container was the only one that wasn't touched - so the virus still remains.
When I explained that the money they were asking for would take me several days to accumulate (due to me not having an endless pot of money available) - they replied with:
I truly wish you guys all the best but that virus will eat away at your server environment
The average server had between 9,000 and 14,000 items
Now my only issue is that we are stuck when you make mention of a new host - seriously - who's gonna wanna host a site that has over 9,000 instances of malicious code.
To get an idea of exactly what went on with our server please refer to the following link (to be honest I don't understand a single word of it - but my hosts have made it out to me that this is one of the biggest server attacks they have ever seen):
http://forums.permaculture.org.au/viewtopic.php?f=8&t=8905&st=0&sk=t&sd=a
As you can imagine I'm at a loss as to what to do - cuz the way I'm reading it is that it's the server that is infected with the virus - all the malicious code is just an end result. From what my hosts said, this also won't go away by simply removing the malicious code - the root problem needs to be dealt with - and the root problem as I see it is the server - this in turn means they are responsible aren't they?
They have also given me the opportunity to have the security specialist re-called back in to fix our problem - but they have said the original $275 could be multiple that cost as they would then only be dealing in a singular domain.
Thanks for all your advice - any more help would be greatly appreciated.
Guardian

Joined: Dec 09, 2006
Posts: 249
Posted: Sun Oct 26, 2008 2:50 pm
Sorry but they are taking the p*ss.
It is their responsibility to fix the issue not you and you should never ever be asked for money.
If they offered managed hosting, they are not providing it so you should ask for your money back and go elsewhere.
They should not even have to be outsourcing 'specialists', if they do not know how to secure a server they shouldn't be in business.
Sorry but they sound like cowboys to me.
Ask yourself this question - if you have a rack full of servers and only one is infected, are you seriously going to leave that one connected so it can infect the rest?
That is exactly what they say they are doing!
_________________ Code Authors Nuke Reviews
Guardian

Joined: Dec 09, 2006
Posts: 249
Posted: Sun Oct 26, 2008 2:55 pm
Just looked at your link.
LayeredTech, that says all I need to know as I block numerous IPs from them for spam and open mail relays.
_________________ Code Authors Nuke Reviews
fr34k123

Joined: Sep 21, 2008
Posts: 3
Posted: Sun Oct 26, 2008 3:46 pm
Hi Guardian,
I'm not hosted with LayeredTech, I think when the virus first hit people automatically jumped to the conclusion that it was hosting provider related, then as time went on they thought it was software related - now I'm just lost.
I'm not entirely convinced - if I read what my hosts have said about this virus and the fact that it is like nothing they have ever seen before - that they would be happy to leave their one container virused and allow it to eat away at the container environment - with not a care in the world.
The problem I have is my particular host provides the VPS managed server as part of a sponsorship - we place a prominent banner on our front page and they provide the VPS at no charge to us.
It is because of this that I'm starting to think that I'm being charged because they are wanting to claw back some of the VPS charges - the way they do this? Tell me the virus is so bad and panic me into coughing up money any normal web site admin would struggle to get within 2 hours.
They have me over a barrel - because at any point in time they could tell me to get lost and the end result is I lose my website. Self inflicted I know - but saddening nevertheless.
Thanks for all your comments - but with my web site on the line - how do I tell them they are in the wrong - and don't get me wrong I've tried to in a nice way - but fact of the matter is their attitude right now is this:
- our servers got infected with a virus - this unfortunately messed up your site
- the only solution for you to rid yourself of this problem is to get rid of the virus from the server - but unfortunately we cannot give you access to the server because of your managed option.
- so what we are going to do out of the goodness of our heart is give you an option of our guys fixing it - but it's gonna cost you $275 to do so. If you don't take us up on this offer and pay us within the next couple of hours this highly discounted price won't be available.
- now as you chose not to partake in fixing the issue and because you wouldn't cough up $275 - we have not touched your server
- out of the 380 clients affected by this virus - you were the only ones who didn't pay us to fix it
- as you didn't get the problem fixed - everyone else on your VPS has been secured so your site won't affect theirs - but at the same time your container will eventually deteriorate and your site work ruined
- but if you want us to still fix the problem I will now have to charge you double possibly triple the original quote.
- if you don't want to do this your site can continue to rot as we have nothing more to do with this situation
Putting it all down in one long list don't look good does it? But I know where I stand and where I don't - and at this point in time I'm having to look around my home, find things I can sell just to keep my website open.
I don't expect any sympathy for taking a sponsored deal - but honestly - what can I do?
Thanks for all your replies - if you know of a way I can deal with this without upsetting anyone - that would be great (one lives in hope).
Guardian

Joined: Dec 09, 2006
Posts: 249
Posted: Mon Oct 27, 2008 5:04 am
It should not matter that you have a sponsored deal with your host but I agree that it does seem they are trying to claw back service costs. The fact is that some so-called 'specialist' probably just ran some automated script to rid the racks of the virus so there is no ethical reason why they could not have done it on every machine. To run it on one machine would take no longer than running it on a whole rack.
I am quite disgusted at this host's behaviour. I know it doesn't really help you but their actions are just plain wrong.
If you said to them "ok, I'll go elsewhere" they would fix the problem so they can lease the container to someone else.
They have you over a barrel and they know it, b*st*rds.
Would you mind sharing who you are hosted with? You can PM me if you want. If they are just a reseller, I might be able to do something.
How much disc space are you using and what sort of bandwidth are you consuming a month?
_________________ Code Authors Nuke Reviews
gotcha
Site Admin


Joined: Oct 25, 2004
Posts: 756
Posted: Mon Oct 27, 2008 7:09 am
Also, if you had a true VPS, you would have complete access to the machine (root access). It seems to me they have you on more of a shared hosting type deal. Pretty screwed up situation. Please do post the name of this company so nobody else has to deal with these shady people.