Washing hands


netbuddy
11-14-2006, 02:25 PM
What is it with hosting companies? An online company I have recently been trading with was using an ecommerce site set up and hosted by a UK/US based hosting company.

The issue? SQL injection, something I warned the on-line site about, and the host obviously chose to ignore the warning, as I had experienced a side effect of a database hack.

I use PayPal and for some reason I received warning emails that my PayPal account had been locked down and I couldn't use it. I investigated the issue and, seeing as I was only dealing with one company on-line, I crafted an email outlining my concerns and what I assumed had happened, and to inform the hosting company that they were using.

The hosting company has chosen to ignore my simple security request to employ some anti-SQL-injection security.

Yesterday, the host suspended the on-line seller's account because it had been hacked.

Speaking with the on-line company earlier today, the guys were busy trying to salvage what is left of the on-line catalog and customer database while the hosting company sit on their hands and have, as Bob in sales put it, "Data***** are washing their hands of us, we have been calling all morning to get them to resolve this problem but we have decided to move host, we will be back as soon as possible, the hosting company are blaming the site code and the developer is blaming the host..."

So what is it about companies that choose to ignore reasonable and adequate warning about a pending problem over a lack of security? Had this host adhered to my advice then this situation wouldn't have happened, but I'm just the consumer, WTF do I know, eh? Something fat n round shoved where the sun don't shine? Because it certainly seems that way to me with the hosting company.

Why do I care? YET! another "told you so" situation, and these guys get paid lots of dollar for doing a bad job and me, I don't get a foot in the door. My point of view, I'm laughing at them for not taking a bit of free advice when it would have saved them a lot of hassles.

A1ien51
11-14-2006, 03:48 PM
The world of injections is scary. I have told some major websites about bugs and guess what, they are still there months later!

With a lot of businesses, they will not do anything until it is too late. What is a backup? :)

Eric

grumpyoldtechs
11-14-2006, 06:22 PM
Every web site that I have seen hacked has been down to bad website code.

Web blogs, guest books, forums etc.... one of my mates had his site hacked recently from having an old guest book.

It's easier than you think to leave your code open to SQL injection. Until recently I had A LOT of areas open up on my personal site just because of the navigation; I never thought about escaping SQL commands before for something as simple as navigation.

Cover your back, check your code and code defensively. If there's a security hole in a site someone will find it.

I reckon it would have been the company's script rather than the host.
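The navigation case above (a page looked up by a request parameter) is the classic place where this goes wrong. The following is an added example, not code from any poster in this thread: a page lookup written the vulnerable way (query text assembled from the parameter) beside the same lookup done with a parameterised query and an input check. The table, its rows and the tampered input are constructed here so the file runs offline against an in-memory SQLite database.

```python
"""Added example: SQL injection in a site-navigation lookup, vulnerable
and fixed forms side by side. All data below is constructed for the demo."""
import re
import sqlite3


def build_db():
    # Constructed pages table: one row is unpublished and should never be served.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        ("home", "Home", 1),
        ("about", "About us", 1),
        ("draft-pricing", "Unpublished pricing page", 0),
    ])
    return conn


def nav_lookup_unsafe(conn, slug):
    # Vulnerable: the request parameter is spliced into the SQL text, so it
    # can alter the query's structure rather than just supply a value.
    sql = "SELECT title FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def nav_lookup_safe(conn, slug):
    # Fixed: the value travels separately from the statement; whatever the
    # parameter contains is compared as a literal slug string.
    sql = "SELECT title FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Hypothetical slug format for this example: lowercase letters, digits, hyphens.
SLUG_RE = re.compile(r"^[a-z0-9-]{1,64}$")


def nav_lookup_validated(conn, slug):
    # Defence in depth: reject anything that is not shaped like a slug before
    # it reaches the database at all, then use the parameterised query.
    if not SLUG_RE.match(slug):
        return []
    return nav_lookup_safe(conn, slug)


if __name__ == "__main__":
    conn = build_db()
    tampered = "x' OR '1'='1"  # constructed input that changes the WHERE clause
    print("unsafe, normal input:  ", nav_lookup_unsafe(conn, "about"))
    print("unsafe, tampered input:", nav_lookup_unsafe(conn, tampered))
    print("safe, tampered input:  ", nav_lookup_safe(conn, tampered))
    print("validated, tampered:   ", nav_lookup_validated(conn, tampered))
```

With the tampered value the unsafe lookup returns every row, including the unpublished page, because the quote closes the literal and the `OR` swallows the `published = 1` condition; the parameterised version returns nothing for the same input. The regex check is not a substitute for parameterisation, only a second layer that also cuts down log noise.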

Waylander
11-14-2006, 08:08 PM
If it was the host's code and they wouldn't do anything about it, the client should have moved host. I would have told the site owner, as well as the hosting company.

If there's a bad product on the market and people know about it they can choose not to buy it, forcing them to lift their game or go out of business.

I would post a review about them on a web hosting forum to warn others. Sure, the bad code is enough not to use them, but the fact that they won't listen to a customer in a situation where security is a concern....

Waylander.

grumpyoldtechs
11-15-2006, 03:25 AM
Also, if the company is trying to salvage a customer/orders database they're not worth dealing with; companies should have DAILY backups at the very least.

netbuddy
11-15-2006, 12:10 PM
Hosting companies are like ticket bucket shops, they clear out a lot of business that the professionals turn away by simply charging too much.

In the event you want to save money, it is a bit hit and miss when it comes to something that's reliable and delivers, something I'm finding a lot of on the internet.

Cheap but at what cost.

Waylander
11-15-2006, 07:50 PM
That's true for most business sectors.

I do it.

But yeah, to a reasonable point however, because the clients who don't want/can't afford to pay a correct price for a quality service most probably aren't worth your time.

The other thing about things like backups is that a lot of third rate hosting companies will lose their backups in a hack as well, because they often do backups just so they can reassure their customers that they do them. They don't actually realize that if the backup can be hacked at the same time as the real data then technically it's not really a backup...

Waylander.

MstrBob
11-15-2006, 09:52 PM
Hmm. Typically, injection attacks are like buffer overflows - a result of buggy coding and not a fault of the underlying system. Unless the code was on the backend, like cPanel or something similar, is it really the host's fault? Most shared hosts don't want to change anything because it can affect their customers. If they change behavior, it could bring down another client's website.

That said, I wouldn't be surprised if it was simply an indifferent host. Many of the smaller ones seem unaware when it comes to security. :/

netbuddy
11-17-2006, 09:51 AM
I know about that and the on-line shop was also aware of it as the developer is a friend of the shop owner.

It really is a childish case of finger pointing and the host has backed out of the "Contract" leaving the on-line shop hanging.

The host most likely saw it as a chance to offload a client after payment.

I had a problem with NamesCo. who were going to suspend my girlfriend's domain name, as they put it 'someone was spamming them and their servers', when it turned out that someone (a site member) had a trojan that was mailing out and masking the source, until I had looked at it and found who the person was, something the hosting company could easily have done the same, yet they chose to inform us that they would be suspending the account.

I put my foot in the way of their plans, I made it very clear that the industry ombudsman would be involved if they ever contemplated that kind of move and pointed out that their offices were only 3 mins away from my sister's, who could get the required paperwork drawn up and served on them for breach of contract, seeing as she works for a local solicitor's... They soon backed down.

You pay good money for crappy attitudes and service, makes you wonder how these companies are still trading.

chestertb
11-18-2006, 08:27 PM
Ok. I'll fess up here. Our site was hacked a few weeks back. I have no idea what they were trying to achieve, but the script that processes the return confirmation from our credit card processing merchant was generating a whole string of unverified transaction errors (it emails them to me... at least that security was in place).

They did manage to hack into a script that processes payments on customers' accounts, and it seemed like they were randomly processing payments for customers. Again, I have no idea what they were trying to achieve, and we do have an account integrity script that periodically cross checks transactions against account balances so we picked it up within a day or two.

It still took us two days to repair the damage, and the whole thing was a pain in the rear end.

We're looking at what more we can do right now, though at some point, we have to make a call between cost of implementation of new security and the potential for damage to both our business and the server.

CTB
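The account-integrity check chestertb mentions is the control that actually caught the problem, so here is an added example of that kind of reconciliation (not chestertb's own script, whose details the post does not give): each account's stored balance is compared with the sum of its recorded transactions, and any account whose figures disagree is reported for a human to look at. The ledger, the balance table and the account ids below are constructed for the example; the seeded discrepancy is an account marked paid off with no transaction behind it, which is the shape of damage the post describes.

```python
"""Added example: periodic account-integrity reconciliation. Constructed
data; in a real deployment the two inputs would be read from the database
and the returned problems would be emailed or logged for follow-up."""
from collections import defaultdict
from decimal import Decimal

# Constructed ledger of (account_id, amount). Charges are positive,
# payments negative, so a settled account sums to zero.
TRANSACTIONS = [
    ("acct-1001", Decimal("120.00")),
    ("acct-1001", Decimal("-120.00")),
    ("acct-1002", Decimal("80.00")),
    ("acct-1003", Decimal("45.50")),
    ("acct-1003", Decimal("-45.50")),
]

# Constructed balance table as the application currently stores it.
# acct-1002 shows as settled although no payment was ever recorded, and
# acct-1004 carries a balance with no transactions at all behind it.
BALANCES = {
    "acct-1001": Decimal("0.00"),
    "acct-1002": Decimal("0.00"),
    "acct-1003": Decimal("0.00"),
    "acct-1004": Decimal("10.00"),
}


def reconcile(transactions, balances):
    """Return a list of (account_id, reason, expected, stored) for every
    account whose stored balance disagrees with its transaction history."""
    expected = defaultdict(Decimal)  # Decimal() is zero
    for acct, amount in transactions:
        expected[acct] += amount

    problems = []
    for acct in sorted(set(expected) | set(balances)):
        exp = expected.get(acct, Decimal("0.00"))
        stored = balances.get(acct)
        if stored is None:
            # Transactions exist but the account has no balance row at all.
            problems.append((acct, "no balance row", exp, None))
        elif stored != exp:
            problems.append((acct, "balance mismatch", exp, stored))
    return problems


def format_report(problems):
    """One line per discrepancy, suitable for an alert email body."""
    if not problems:
        return "account integrity: OK"
    lines = ["account integrity: %d discrepancies" % len(problems)]
    for acct, reason, exp, stored in problems:
        lines.append("  %s: %s (expected %s, stored %s)" % (acct, reason, exp, stored))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(TRANSACTIONS, BALANCES)))
```

Run from cron, the script turns a tampered-with payment script into a finding within one cycle rather than whenever a customer complains; the comparison uses `Decimal` rather than floats so that legitimate balances never trip it through rounding, and it also flags accounts that exist on only one side, which is how silently deleted rows show up.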