Incompetence in Hacker’s Clothing

First, there was the “attack”. All my WordPress and Horde data was lost — but my Horde email messages were preserved. Since the other Horde data (I am told) is stored in a database, while the messages are stored in files, it made some sense to me that this was a strictly SQL-based attack. Whoever did this found a way to execute SQL commands on my MySQL server, and blindly deleted the stuff that they knew they’d probably find.

TCH told me that they didn’t have any backups of my databases. In the course of the support incident, they told me that my site had been moved from server77 to server377. (This is a good thing, since server77 seems to be one of TCH’s most problematic.)

Then, by the grace of god, I recalled that I had copied everything over to my new host.

Come to find out, there probably was no SQL injection attack. It looks like this was all just a botched migration.

In retrospect, the clue should have been that the Horde data was gone. My account didn’t have access to the databases that hold that information, and I don’t have the database name anywhere in any of my files. So, even if there was a security hole in one of the scripts on my website, there’s probably no way that an attacker could execute any kind of SQL command against that database. And, if there was a hole in the Horde PHP scripts, they’d first have to be able to access that section of my site at all, which requires my username and password. Without that information, they’d just see a 403 error message. And if you could access my Horde account, why not delete my messages, too? It just doesn’t scan.

Anyway, today, I was looking for something from my old site, but Yahoo’s DNS servers have already picked up my new IP address. I can still access the old host via IP address, so I searched my email for the original setup message that I had gotten from TCH. I found that the original setup had gone to server77.snhdns.com. Knowing that my site was moved to a newer server, and figuring that the naming scheme would be the same, I pinged server377.snhdns.com and got the IP address so that I could FTP in and grab what I needed.

Then I thought: what if the old server still has all my stuff on it? I opened up http://server77.snhdns.com/~yaohytmw/, and voilà, there were all my old posts! Including the one that I had written less than 48 hours before the crash! This tells me that the migration took place no earlier than January 5th, and my site went down on January 7th.

That, along with the fact that the migration happened right around the same time that my site was “attacked,” and that the Horde data all went missing, leads me to believe that this was not an “attack” at all, but rather just a very badly done migration. Simply put, they moved over the files, and half of my MySQL data, but not the other half, and none of my Horde settings. It was bad enough that server77 had been going down about 1-2 times per month for up to an hour at a time (making me look REALLY bad to the folks at Lien On Me every time it happened!) but on top of that, they completely destroyed my site while moving it to a new server. Hell, if they had just, oh, I don’t know, TOLD me that they were going to be doing this, and that a fresh backup might be a good idea, this never would have happened. If they had mentioned that the migration happened right around the same time as the attack, and had had the brains to check their old server for a copy of my site, then this would have been a 30-minute problem. But no — they were pleased as punch to let me go on thinking that this was the work of some outside attacker, and that it was completely not their fault.

Stay away from Total Choice Hosting. They may be friendly, but they’re not very good at doing their job. I can make friends on my own — I pay a webhost to adequately host my website.
