You have been hacked! or What not to do with your 1and1 account…

Well, I had a nice post about how I was distracted from posting more Delphi code because I was playing with a new PEAR module I’d found called GameServerQuery. I was finishing that post by asking if anyone had gotten it to work because I was pretty sure I had everything correct but it wasn’t working. Before I published the post I noticed someone had telnetted into my account and run some bash commands. And I knew it was not me…

They searched for my local IP address and an example file I used for Game Server Query. Very odd…

Then I got an email from 1and1 saying I was hacked and that “WordPress needed to be updated because it had many security holes”. Uhhhh, no it doesn’t.

Long story short – I wasn’t hacked by anyone but a 1and1 representative, and dumbing language down for the end user is a bad practice if you don’t also provide them with an explanation of what you REALLY mean.

I’ve got enough materials for four or five posts out of this whole thing, but if I combine all the detail here, this post will be 5 pages long and it won’t make any sense when read as a whole.

So, here’s a summary and some good things to know when working with 1and1.com shared host accounts –

1. They say: Don’t use your account to host a game server or similar program.
They mean: We monitor and block outbound socket connections from your server. By doing this we lock out people looking for a cheap game server, and we protect our customers’ sites from several common attacks. We will allow FSocketOpen but the traffic is interrupted and you will be contacted by a “Customer Compliance Operative”.

“Customer Compliance Operative”?!?!?!!? So, is that like one of the Men in Black or more like a Mafia enforcer? Will I be zapped by a blinky light and forget all the PHP code for opening sockets if I continue with this post?

UPDATE: I just found a reference that indicates that this is probably NOT 1and1.com’s fault.
Someone was investigating why Traceroute was not available on shared servers and discovered that socket traffic could not be accessed without root-level access. Of course root-level access cannot be given on a shared server. If anyone can confirm or deny this, I’d appreciate the additional information…
2. 1and1 passwords should not be considered secure and therefore should only be used on 1and1. Any/all 1and1 account representatives have access to your root passwords and can login as you and for all intents and purposes impersonate you using your accounts. What bothers me most about this is that they don’t have a policy of notifying you that they have logged in as you to do something… That’s wrong…

3. 1and1 Support reps as a whole – as might be expected – have only general knowledge about the vast number of programs out there that could be running on your server. So they will look for alarm words and offer generic advice when they see one of these dangerous words. This could be considered a form of Red Zone Management, I guess. They get involved only when they need to and only know the hot topic of the day. So they will search for a file called XMLRPC.php since last year it had a hole in it. So, that means you were probably hacked. If they see WordPress, they know it had vulnerabilities earlier in the year, so they can assume you were hacked. They will not research/know the versions of the files involved even if they are listed in the logs. Again, this is really to be expected. I would not want every customer support rep to be a $90,000-a-year security expert. I sure would not be paying what I am paying right now for the service.

4. When working with support, if you want a good solid response, help them give it to you. You can be in control of the calls, and guiding the representative will make the call easier on both sides. This is true of any company anywhere in the world. Not every support rep will have the same level of training, and the pressing calls of the moment can and will take priority to the detriment of other calls; if something is important to you, trust but verify it has been done.

5. The latest version of the PEAR module GameServerQuery is good and functional. The latest version is not what pear serves up. You have to retrieve it manually. PhGStats is a MUCH more refined tool and produces more fully functional pages. There’s a place for both of these tools. That place, btw, is NOT 1and1.com – see point 1.

More on each of these topics later…
