[SECURITY ALERT] Stay away from iPage

Discussion in 'Bits & Bytes' started by MemphisMark, May 3, 2015.

  1. MemphisMark

    MemphisMark Old school Conservative

    In late 2013 I signed up with iPage to have inexpensive hosting for my domains. I was paying $12 a month per domain at another place, these guys offered better service at half the price. I currently have four personal domains plus I am hosting a domain for an annual conference that I have been on the executive committee for since the first conference.

    Back in March, two of my domains were hit with a script insertion attack. Someone had inserted spam keyword links into the headers. I cleaned out the problem and didn't think about it again.

    With the job I have now, I have to rebuild the website built by someone else and put it on a different hosting and CMS software (long story that is not relevant to this). I selected Joomla! for the CMS I will use because it's free and open source. I put it in a directory of my main hosting and started rebuilding content and working on the template.

    Except it wouldn't go to internal links. I had the articles and everything set up properly, however I always get a 404. It was baffling me and a friend who installs and supports Joomla for his day job.

    Then, one of the installed modules threw an error saying the PHP I was using was out of date. Sure enough, this hosting is running PHP 5.3, which went into the unsupported bin ten months ago. The current version is PHP 5.6.8. PHP has a three-year cycle for each version, two years of active and regular upgrades and security releases, then a year of "limited support" where only serious issues are addressed if there is demand for it.

    I called my hosting and had to speak with a supervisor to find out why this is so.

    I was told several bullshit reasons, "We have legacy customers," (I can select PHP 4.0, 5.2 or 5.3. I think they can put another one or two versions in there.) "We need to test the latest version to make sure it's stable," and so on. Then came the truth. They are running PHP 5.6.8, just on their Virtual Private Servers which start at $20 a month. If I wanted the current release, I would have to pay triple what I am currently paying. Hosting my domains on a VPS is overkill by several orders of magnitude. I don't have enough traffic on all of them together to justify it.

    I became very angry and laid into him like a table saw into a 2x4. I made it very clear he is exposing his customers to serious security flaws and his reasons for not keeping the server software current are active malfeasance. The next morning I obtained new hosting and I've spent the last three days moving my domains and then repointing the domains.

    So, if you have the inexpensive hosting plan with iPage, I highly suggest you find new hosting somewhere else. Your website and data are at risk. The security doors are open and no one is watching.
     
  2. Biker

    Biker Administrator Staff Member

    Shared hosting is a guaranteed way to get nailed, regardless of the hosting company, as you cannot control what the other customers are doing on their little portion of the server. All it takes is one user to leave a hole open and the entire server is compromised.

    If you want to ensure your stuff stays secure, get off shared hosting. It's that simple.
     
  3. Greg

    Greg Full Member

    I've had shared hosting at 1&1 for years and never had a single problem. I think partly it depends on the host. 1&1 is pretty big, entered the US market about a dozen years ago after being big in Germany.

    (You could add your own session handler to avoid one of the biggest risks in a shared hosting arrangement.)

    I've slowly been migrating to a VPS and also have a nice dedicated server at Worldstream.nl. The basic problem is that you have to justify the expense by generating enough income to pay for a dedicated server. They are too expensive for most hobbyists and small sites.

    Another idea I've grown enamored of is to register your domains at a registrar other than your hosting service, and then host your sites as foreign domains. Among other things you have easy portability if you take a dislike to your host.

    And stay away from GoDaddy! They are IMO the bottom feeders of hosting land.

    If my Internet income becomes stable I'll just move everything to my dedicated server and leave shared hosts behind. (I have a partner in the dedicated server.)
     
  4. MemphisMark

    MemphisMark Old school Conservative

    This past weekend has been a clusterfuck of Biblical proportions. It turns out several of my domains were riddled with viruses, enough that Green Geeks (my new provider) locked my account down and limited access to a single IP address until I got it cleaned out, which I did today.

    Now that I have that under control, I was able to work on my Joomla for work, and don'tchaknow, I can now resolve internal links! (That was one of the signs things weren't Kosher at iPage.) I made more progress today with it than I did all last week.

    I know about GoDaddy being a bottom feeder. I've heard that if there are several whois inquiries for a particular domain name, they will grab it and cybersquat. I had that happen to me in another IT job. A local bottom feeder cybersquatted on the obvious name for the company I was working for at the time. He was perfectly willing to let us use the domain... if we would use him for the hosting.

    As far as shared/VPS/Private hosting, I just paid $150 for three years worth of hosting. I would have had to pay over $700 for a bottom of the line VPS for the same length of time. My domains produce no income, so I can't afford a VPS.

    I have to have the time to do the research in order to set up my own server, which I probably will do by the time I'm done with Green Geeks.
     
  5. Greg

    Greg Full Member

    I pay about $100/year for my 1&1 unlimited (bullshit) shared hosting account. Unlimited file space = 50 GB. Funny, I have 65 GB of images stored in MySQL databases! (A run-away experiment, not a production feature.)

    My VPS runs about $10/month and I think 50GB, but it's naked Debian and I have to configure everything and my databases share my HDD. Doing your own server work is not for the faint-hearted. I got it bare bones except for SSH. I'm about ready to install a desktop on it and use it for an RDP.

    My dedicated server costs maybe $70/month, 2TB HDD, and again bare bones Debian with only SSH, I had to install the rest myself. I installed nginx and am very pleased how easy it is to plug in support for multiple domains. I have maybe a dozen domains on it at the current time. The CPU is really hot shit! Me and my partner are getting excellent performance out of the package I chose, with the help of a genius friend to pick the right options.

    We are going to add SSD soon and move the OS, databases, etc. to SSD so as to leave the entire 2 TB for content. Really it's only my reluctance to spend a few days doing server work to move to SSD. The move requires a total rebuild and the old HDD, only the content will be reusable. After the move I'll delete the old OS, etc.

    This work is kind of fun. I never appreciated Linux before I started doing server work.

    I have a desktop at the house running Debian now, my only desktop, and I see no use for Windows in the future, except to see what the weather is like outside or let in fresh air. MSFT can go FO. Only business needs MSFT. Half of the Internet runs on open source "LAMP" (or LnMP) free software. The other half pays through the nose for MSFT crap.
     
  6. Biker

    Biker Administrator Staff Member

    We used 1&1 at one point. We're no longer with them. 'Nuff said.

    Size does not denote quality, nor does it imply they're any more proactive than anyone else. OVH is one of the largest hosting companies in the world, and my logs are chock full of hits from people using their services for nefarious purposes. VersaWeb is another company who pays lip service towards security and day after day, you see spammers and other morons using their service contrary to their terms of use.
     
  7. Greg

    Greg Full Member

    Oh God, tell me about it. I've blocked many of the shared hosting services from my websites including 1&1 both US and Germany, Leaseweb, every hosting service I have identified is blocked. My favorite is to handle their request with a 120 second wait followed by die(). Nobody has any business accessing my websites from a shared host, dedicated server or VPS. All accesses from hosting services are probes and kiddie scripts.

    I also ban countries with too many hackers: RU, UA, CZ, MD, RO. I also block search engines that never send me any traffic, like Yandex. F*** 'em. If they crawl my sites frequently and I can't find my site using their search engine then they are no use to me.

    Actually I think you could block all search engines except Google and do just fine. I finally decided to lift my ban on Alexa when I realized all they want is to rank my sites.