Shared Server Hacked - My Site is now listed as attack site

WebWorker
So I was doing some work on my ColdFusion shared account last night around 9:30PM when suddenly I was booted off the FTP server.
I called up to find out what was going on and the tech told me it was just a quick security update and that everything should be back to normal shortly. Well it was getting late so I went to sleep, assuming I could continue my work in the morning. So I wake up this morning and I'm still blocked from the FTP server and now the site is being listed as a malicious attack site by both Firefox and Google. Neat! And since I can't get onto the FTP server I cannot remove the offending code. I've been told by support that I just have to wait and they can't do anything for me. Is that normal? Blocking access to my compromised website so that it stays compromised? We're now at about ~18 hours. I don't understand why this is being handled in the way it is.

stevemc
Same thing's happened to me - started Sunday and I didn't pick it up for 24 hours. HMS are telling me they're migrating sites to new hardware, but can't tell me when it'll be finished. I'm not happy!
Last edited by stevemc on Wed Jun 24, 2009 5:05 pm; edited 1 time in total

WebWorker
PS I was informed by the technician on chat that this issue was not limited to my shared account. Multiple sites on the same server were compromised. Almost 24 hours and no resolution.

whitesites
Forum Regular
My .NET Pro (load balanced) hosting account was down for 6 hours on Sunday (June 21st). I suspect the Capital Management group that bought HMS is forcing the staff to work with less manpower and raising the prices in an attempt to increase profits. Tickets that used to be solved in a couple minutes are taking hours if not days. I don't blame the techs, but I do blame management.

WebWorker
They were doing moves to a new datacenter over the weekend. Might have potentially been what affected your server.

stevemc
My site came up and went down again. And now Google has blacklisted it. This is a disaster and I will never recommend, or use, HMS, again.
I know the original problem wasn't theirs, but 4 days to 'move to a new server'? And getting any info from them is almost impossible. They never thought to provide their customers with updates?

nathacof
Forum Admin
Hi Guys,
It's been a little hectic here. However, I've asked management to address your questions and concerns. Someone should be commenting here shortly. Affected customers should have received a detailed email describing the problems related to their server. If you did not receive one, make sure to check your contact information in the HostMySite Customer Control Panel! Thanks for your continued patience, while we get someone to address this thread officially.

stevemc
Yeah, it's been hectic here too. I got the initial ticket (and all billing e-mails) but NO follow-ups, so to say my contact info needs looking at is a little disingenuous. Part of the 'addressing' should be how your customers can tackle the issue of their sites being blacklisted by Google. As a major hosting company perhaps you should do this for us.

libel_vox
Yes, there was no email contact here, which was (and still is) extremely troubling. I had to call to find out why I couldn't try and clean things up myself (FTP and DB access had been disabled). Was told that the entire server had been compromised over the weekend and there was no ETA as to when it might be fixed. This was on Tuesday night.
For now I've pointed the DSN elsewhere. But the lack of communication from HostMySite - either news of things happening or updates - is extremely troubling. Because of the slow response potentially every one of the sites on that box is now blacklisted in Google. What is going on?

WebWorker
There was no email communication regarding the problem until after the issue was resolved and even then it was only because I had a ticket open.
Even then, I still had to remove the malicious JavaScript that was inserted into my Application.cfm files.

stevemc
We're still waiting!

Problems on Linux

comprug
Forum Regular
Linux hosting for several of the sites I've developed has seen problems too. I've been pretty loyal to HMS, but they must be responsive to their customers. Back in the day, even on a shared plan, I felt as if they cared about my business. Now it is clear their focus is on managed hosting. I've called HMS a few times in the last 3 days, and I can hear it in the tech's voice - they are inundated with tickets and can't think about the individual site. Having been with HostMySite for four years, I know they've had ups and downs - they can still improve. But to retain our loyalty they must be more responsive - meaning they recognize certain issues and accept responsibility (they blamed one of my client's sites for causing server problems, later notified him the analysis was incorrect, but failed to apologize). I'm not jumping ship, but urge HMS to acknowledge the issues present.

whitesites
Forum Regular
Comprug,
I am in the same place as you. Except I have been using the Windows Shared hosting accounts. Been with HMS for about 5 years. Their price increase for .NET shared hosting was too much. I took my most recent client to GoDaddy. I hate GoDaddy even more. When I call them I always have to wait on hold for at least 5 minutes, only to get a person on the phone that doesn't know anything, nor do they have any power to do anything. I guess GoDaddy has a system that is all automated by scripts. You can't even talk to a person in the datacenter. Tickets take 24-72 hours to resolve. Even though this part of GoDaddy sucks, once I finally got my client set up, this shared Windows site runs faster than my clients at HostMySite on VPS and load balanced accounts. Plus I haven't had a single error kicked off from a web server going down or a DB server being down. It's only $5 / month for Windows shared hosting (IIS 6 or IIS 7). If you get IIS 7 you can even get remote MySQL DB access, for using MySQL query browser, and administrator. I am keeping my fingers crossed, but thus far the servers at GoDaddy seem faster, and more reliable than the servers at HMS. I dread the day the server goes down, but if the server never goes down, I won't ever have to deal with their support. I am also considering one of their fully dedicated boxes for another client. I was able to build a fully dedicated server loaded up nicely with hardware for about $150 / month. Granted it's up to me to support it, as they charge $150-$200 / month extra for the support. But I have been running VPS boxes long enough I feel comfortable doing this now. I wish HMS would take a look at the way they run things. I too sense the techs' stress levels. Used to be they were happy to help. Now they seem annoyed.

Response from Management

vinnyg
Hello,
My name is Vincent Gerbino, I am one of the technical support managers at HostMySite. This forum thread was brought to our attention, and I want to apologize for the delay in responding. I do not know who has or has not gotten an explanation for last week's outages, so I will first clear up as much as I can on that front. On the night of June 19th, we discovered a potential security flaw in our shared ColdFusion environment. This flaw would allow for 2 major problems:
- Circumventing the sandbox security that was already in place

Upon discovering the problem we took immediate (albeit drastic) action, which was to disable FTP services on several shared ColdFusion servers that were affected. Over the course of the following 72 hours, we made a number of security changes to our shared environments. These changes included, but are not limited to:
- Internal firewall policy changes
- Hotfixes were installed on ColdFusion 7 and 8 servers
- Several shared servers migrated to new hardware with clean operating systems
- Disabling of certain ColdFusion features (such as the ability to parse JSP)
- Complete audit of sandbox security - Sandboxes were added where missing, and existing sandboxes were audited to verify that cfexecute and cfregistry were in fact disabled

I will admit, the customer communication over the course of this incident was nil. We did not email customers with any kind of explanation until June 24th, and of course many people still have a lot of questions. Unfortunately, we dedicated most of the company's resources to fixing the underlying problems and lost sight of our customer communication over the course of the incident.

After migrating to new hardware with clean operating systems, we thoroughly tested our servers to verify that the security threat had been mitigated. Following the major incident, however, we are still discovering security issues with specific ColdFusion applications. The difference at this point, due to the changes we have made to our infrastructure, is that the threat is no longer server wide and will only affect single websites. One specific application we have discovered which has some security holes is called CFWebstore. We have found versions prior to the most current of an application called CFWebstore that allow for arbitrary file uploads through spoofing MIME types.
One of our technicians, Brent Frye, has written a more detailed explanation in his blog here: http://www.cfexecute.com/post.cfm/cfwebstore-file-upload-vulnerability

I have spoken to a couple of you on the phone with regards to these issues, however, I am sure I haven't addressed everyone's concerns. We have almost 24-hour management coverage; if you would like to speak with a manager at any time, we will be happy to do so.
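
Added example (not part of the original thread, and not HostMySite's or CFWebstore's code): a server-side upload check showing why the browser-declared MIME type mentioned in the post above cannot be what gates an upload. The function name, the allow-list policy and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Assumed policy for an image-upload feature: extension -> leading bytes
# that a genuine file of that type must start with.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions an application server may execute if the file lands under the web root.
EXECUTABLE = {"cfm", "cfml", "cfc", "jsp", "jspx", "asp", "aspx", "php"}


def validate_upload(filename, declared_mime, data):
    """Return (ok, reason, stored_name).

    declared_mime comes from the client's request and is deliberately
    never consulted: it is the value a spoofed upload controls.
    """
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if "\x00" in base:
        return False, "NUL byte in filename", None
    parts = base.split(".")
    # Reject executable extensions anywhere in the name (e.g. photo.cfm.gif).
    if any(p in EXECUTABLE for p in parts[1:]):
        return False, "server-executable extension", None
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        return False, "extension not on allow-list", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # Magic bytes alone do not rule out polyglot files; the safe extension and
    # a server-generated name are what keep the stored file from being executed.
    return True, "ok", secrets.token_hex(16) + ext


# Constructed sample uploads: (filename, client-declared MIME type, body).
SAMPLES = [
    ("shell.cfm", "image/gif", b"<cfoutput>test</cfoutput>"),
    ("photo.cfm.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
    ("notes.gif", "image/gif", b"<cfoutput>test</cfoutput>"),
    ("logo.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, mime, body in SAMPLES:
        print(name, mime, validate_upload(name, mime, body)[:2])
```

Every sample declares image/gif, and only the last one is accepted, so the decision is visibly independent of the declared type.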

And Again

cah
I have to give HMS credit for changing their issue notification system. I got this email today:
The downside is that this site is on the same server that had the problem last week. I have to wonder if this issue is ever going to be permanently resolved?
Regards, cah


