Hostgator and their poor security

Printable View

12-10-2004, 07:29 AM
AaZmaN

Hostgator and their poor security

Hi, everybody!
I was working as a DB Admin & Webmaster on a site that is hosted by hostgator. I found a big security hole on their (hostgator's) server and I could view and copy everything from their's server. I sent a letter to support and told them that if they give me a free hosting account I will tell them where that security hole is.
Instead of saying "ok" or "no, we can't give you such a reward" they suspended my boss's account and accused me by blackmail. As a result of account suspendation my boss dismissed me from the job. Now I am without of a job because their security is poor.
I tried to write about that on another forum but they sims to have a deal and everithing I writed about hostgator on that server was removed from the forum. And now I understand why there is writen only good things about hostgator.
So what can you suggest to me? What could do now? I also want to buy a host. What is the best host for a resonable price?

Thanks!
12-10-2004, 08:29 AM
2mhost.com

Hi,

It looks like blackmail, you asking for a reward to tell them the secuirty hole If they said no, they in risk to do bad thing to their server, I understand that you are good person, but as hosting business owner I can not take any risk.

and for that the suspension of account is normal re-action, and for me I'd terminate the account not just suspend it.

I'm sorry for you but you sent wrong message and hostgator did their job.
12-10-2004, 09:12 AM
AaZmaN

Quote:

Originally Posted by 2mhost.com

Hi,

It looks like blackmail, you asking for a reward to tell them the secuirty hole If they said no, they in risk to do bad thing to their server, I understand that you are good person, but as hosting business owner I can not take any risk.

and for that the suspension of account is normal re-action, and for me I'd terminate the account not just suspend it.

I'm sorry for you but you sent wrong message and hostgator did their job.

So as you say - I am obligated to tell them where the hole is?
They could better give me a free account and they could fix the hole.
And I think you missunderstand the meaning of blackmail. If I see that there is a broken window on your house and I tell you that I saw that broken window but do not tell wich window and I say that I can tell you where the broken window is but I want $1 dollar fo this, is this blackmail????
12-10-2004, 11:09 PM
hostgator

hostgator doesn't deal with terrorists

"I could sell that info on internet and put some money in my
pocket but I thought it would not be nice for you. So I thought
that it would be better if we will cooperate. I can tell you where
the hole is for a reward." This is what he sent us.

The only security issue on the server was him. He was actively trying to
hack the box uploading php shell scripts etc. We had open base directory
disabled for his site, and rather than it being used for good it was used to
gain further access on the server. (The very reason we have it on)

If he was able to view any important information I'm sure the box would have
been hacked by now. The truth is there was no security exploit he gave up on trying to hack the box and got a little useless information / tried blackmailing us into giving him what he wanted.
12-13-2004, 04:54 AM
AaZmaN

Quote:

Originally Posted by hostgator

"I could sell that info on internet and put some money in my
pocket but I thought it would not be nice for you. So I thought
that it would be better if we will cooperate. I can tell you where
the hole is for a reward." This is what he sent us.

The only security issue on the server was him. He was actively trying to
hack the box uploading php shell scripts etc. We had open base directory
disabled for his site, and rather than it being used for good it was used to
gain further access on the server. (The very reason we have it on)

If he was able to view any important information I'm sure the box would have
been hacked by now. The truth is there was no security exploit he gave up on trying to hack the box and got a little useless information / tried blackmailing us into giving him what he wanted.

Hah... ok... I will publish all the information I gothered from you on the internet and you will see how useless is that information. By the way: and user's files and content of databases, and the content of your databases with all your users, user types, bills and...... and so on.... I will see how happy will be your clients then and how many clients will you have after that.
If your mind is too short to understand that I was trying to cooperate with you then you will see what means a real blackmail. But not... that will not be blackmail too. I will just publish it. I DO NOT NEED ANYTHING FROM YOU!.

Have a nice business, hostgator.
12-13-2004, 12:06 PM
1PlanHost

It sure looks like blackmail to me. Or better yet, extortion. Either way what you are threatening is highly illegal. I am no lawyer but I would be very surprised if Host Gator lawyers don't jump all over this extortion tactic of yours. Host Gator is a fine company and is known for running a quality business. Your attempts to extort money or credit from them is wrong, plain and simple and I applaud them for the manner in which they are handling this.
12-13-2004, 01:20 PM
Jilly

Hey! 2 thumbs up for Hostgator :D The way they handled the situation was professional, and I also vote for the Blackmail thing. Yeab, AaZman, your mail to hostGator is genuine Blackmail.... :eek:
12-14-2004, 03:46 AM
AaZmaN

What is wrong with you all??? You do not know what is blackmail but you all talking about it....
Imagine that you buy a safe and I find a hole in that safe (just find it, I'm not making this hole). And I tell you that I found a hole in your safe and somebody could take everything from it, and I can tell you where the hole is for $1 (I do not tell you to give me $1 or otherwise I will take everything from safe). So if you want me to tell you where the hole is you give me $1 otherwhise you serch for your hole for yourself and I do not touch you. IS THIS BLACKMAIL? It's more a service for service but not blackmail, don't you think so?
And I asked not for money, just for a free account, this would not cost them anything. If I had a hosting company and somebody would find a security hole on my server I would give a free account. But not hostgator. They think that they know, but they still do not realy know where the hole is..
12-15-2004, 10:09 PM
Khun

Quote:

Originally Posted by AaZmaN

What is wrong with you all??? You do not know what is blackmail but you all talking about it....
Imagine that you buy a safe and I find a hole in that safe (just find it, I'm not making this hole). And I tell you that I found a hole in your safe and somebody could take everything from it, and I can tell you where the hole is for $1 (I do not tell you to give me $1 or otherwise I will take everything from safe). So if you want me to tell you where the hole is you give me $1 otherwhise you serch for your hole for yourself and I do not touch you. IS THIS BLACKMAIL? It's more a service for service but not blackmail, don't you think so?
And I asked not for money, just for a free account, this would not cost them anything. If I had a hosting company and somebody would find a security hole on my server I would give a free account. But not hostgator. They think that they know, but they still do not realy know where the hole is..

If who can find the hole, get the safe free.
Snow ball's rolling, other hacker will keep looking for a hole in other safe for the reward. Hope you understand this :o
12-16-2004, 02:40 PM
1PlanHost

According to dictionary.com

blackmail

1. Extortion of money or something else of value from a person by the threat of exposing a criminal act or discreditable information.
Something of value extorted in this manner.
2. Tribute formerly paid to freebooters along the Scottish border for protection from pillage.

Either definition sounds appropriate in this situation.
12-20-2004, 03:05 AM
AaZmaN

Humm.... I think I have just learned a fery useful lesson....
If I find a open to everybody security hole on a host I will not tell to hosting stuff anything. I will just sell that info to somebody on the internet. And I should do exactly the same with hostgator.
Yeah... I will do so in the future.

There is a say in my country. I don't know the english version but it is something like "If you try to help somebody - be careful, you may be hurt".
04-02-2011, 09:52 PM
amk2010

well i think otherwise ... Help should not be mixed with job/contract. Helping someone and asking for a reward dosnt make you great so if you can help someone then just do it and dont expect any reward. In your case, there are chances that if Hostgator or any other company realize your capabilities and technical brilliance then they might hire you for their support.