Warning: HostGator leaks your cPanel usernames, script path, and more


Once upon a time HostGator was a great hosting company: great technical support, great prices, good performance, predictable policy, etc., and a positive-thinking CEO who blogged about the company, about its fortunes and failures. Fast forward to the year 2012: CEO and founder Brent Oxley sells HostGator to EIG. They are famous for “acquiring a large number of smaller web hosting companies”, which leads to web hosting overselling.

From that point everything goes downhill, unfortunately. I am not going to list all the problems their users have; you can find this information using any search engine. For example, search for “HostGator and EIG” and you will find plenty of information about their business practices.

Note and disclaimer. I am not affiliated with any hosting provider. I believe that there exists a way to hide some of the leaked details, but I am sure that there is no way to make it work reliably, because HostGator are constantly changing everything: constantly consolidating servers, even moving your server between datacenters located in different physical locations, changing the Apache HTTP server to an nginx server (breaking changes?), and all this without any notice or warning to their users. And most of the users are uninformed, so you cannot expect that they will be able to protect their websites, scripts, assets, etc.

Now about the security issue. When you send email from HostGator, using their webmail, your desktop email client or a PHP script, you are always leaking your username. In the case of a script, you are also leaking the script name, the full path to the script, and also some random domain names and email addresses you have in the same account. Some of the information is encoded in Base64, which can easily be decoded. Below are some examples. YOUR_USERNAME is your leaked username. YOUR_OTHER_DOMAIN is another leaked domain name in the same account, not related to the email address in any way.

Example 1
...
Received: from localhost ([127.0.0.1]:11546 helo=gator3211.hostgator.com)
by gator3211.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.85)
(envelope-from )
id XXXXXX-XXXXX-XX
for email2@example.com; Mon, 1 Dec 2015 11:22:44 -0200
Received: from 10.10.10.10 ([10.10.10.10]) by YOUR_OTHER_DOMAIN.hostgator.com
(Horde Framework) with HTTP; Mon, 1 Dec 2015 11:22:43 +0000
Date: Mon, 1 Dec 2015 11:22:43 +0000
Message-ID: XXXXXXXX@YOUR_OTHER_DOMAIN.hostgator.com
From: email@example.com
To: email2@example.com
Subject: Testing leak
User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3211.hostgator.com
X-AntiAbuse: Original Domain - YOUR_ANOTHER_DOMAIN.com
X-AntiAbuse: Originator/Caller UID/GID - [11 13] / [11 13]
X-AntiAbuse: Sender Address Domain - YET_ANOTHER_DOMAIN.com
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Exim-ID: XXXXXX-XXXXX-xx
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: localhost (gator3211.hostgator.com) [127.0.0.1]:11343
X-Source-Auth: email@example.com
X-Email-Count: 2
X-Source-Cap: WU9VUl9VU0VSTkFNRTtZT1VSX1VTRVJOQU1FO2dhdG9yMzIxMS5ob3N0Z2F0b3IuY29t
...

Note that the X-Source-Cap header, decoded, is:
YOUR_USERNAME;YOUR_USERNAME;gator3211.hostgator.com

Example 2
Received: from YOUR_USERNAME by gator3211.hostgator.com with local (Exim 4.85)
(envelope-from YOUR_USERNAME@gator3211.hostgator.com)
id XXXXXX-XXXXX-XX; Fri, 1 Dec 2015 11:22:27 -0400
To: email@example.com
Subject: Some text here...
X-PHP-Script: subdomain.example.com/folder/subfolder/your_script.php for 6.6.54.223
From: email2@example.com
Reply-To: email2@example.com
X-Mailer: PHP/5.4.45
Content-Type: text/plain; charset=utf-8
Message-Id: XXXXXX-XXXXX-XX@gator3211.hostgator.com
Date: Fri, 1 Dec 2015 11:22:27 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3211.hostgator.com
X-AntiAbuse: Original Domain - YOUR_ANOTHER_DOMAIN.com
X-AntiAbuse: Originator/Caller UID/GID - [some random numbers here] / [and there]
X-AntiAbuse: Sender Address Domain - gator3211.hostgator.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: XXXXXX-XXXXX-XX
X-Source: /opt/php54/bin/php-cgi
X-Source-Args: /opt/php54/bin/php-cgi /home2/username/blah/folder/subfolder/your_script.php
X-Source-Dir: example.org:/web/internal_dir/
X-Source-Sender:
X-Source-Auth: YOUR_USERNAME
X-Email-Count: 3
X-Source-Cap: WU9VUl9VU0VSTkFNRTtZT1VSX1VTRVJOQU1FO2dhdG9yMzIxMS5ob3N0Z2F0b3IuY29t

Note that the script is not accessible from the web. Its name is not publicly known, yet it is revealed to a potential attacker:
subdomain.example.com/folder/subfolder/your_script.php

I understand that security by obscurity is not the best security practice, but revealing internal script names without any real need is nonsense anyway.

As you can see, the headers that were included to track service abuse are actually abusing you. And YOUR_ANOTHER_DOMAIN.com is yet another domain in the same account, and it is leaked too. It is a different domain from YOUR_OTHER_DOMAIN, so at least two different domains (chosen at random?) are leaked.

And in the second example, the full Linux path to the script is embedded in a header:
/home2/username/blah/folder/subfolder/your_script.php

This may be your cron job or some other script, and its path and name should not be revealed to the email recipient. If they really wanted to track abuse, they could store all this sensitive information in a local database and embed only a unique ID/key referencing it, in case it is needed later.
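To see what an outgoing message actually gives away, here is a small audit script that parses the headers shown in the two examples above, decodes X-Source-Cap and pulls out the username and filesystem paths. This is an added example for this post, not a tool from HostGator or cPanel; the sample message is constructed from the post's Example 2 (with the folded Received lines re-indented so a standard parser unfolds them), and the list of sensitive headers is simply the set the post shows leaking.

```python
import base64
import binascii
import email
from email import policy

# Headers from the post's two examples that carry account-internal data.
# The comments state what the post shows each one leaking.
SENSITIVE_HEADERS = (
    "X-Source-Cap",    # base64 of "username;username;server hostname"
    "X-Source-Auth",   # cPanel username or the authenticated sender address
    "X-Source-Args",   # full filesystem path of the sending PHP script
    "X-Source",        # interpreter binary that sent the mail
    "X-Source-Dir",    # domain to document-root mapping
    "X-PHP-Script",    # web-visible path of the script plus client IP
    "X-AntiAbuse",     # other domains in the same account, UID/GID
)

# Constructed sample: header lines taken from the post's Example 2, with
# continuation lines indented by a tab. Not a real capture.
SAMPLE_MESSAGE = """\
Received: from YOUR_USERNAME by gator3211.hostgator.com with local (Exim 4.85)
\t(envelope-from YOUR_USERNAME@gator3211.hostgator.com)
\tid XXXXXX-XXXXX-XX; Fri, 1 Dec 2015 11:22:27 -0400
To: email@example.com
Subject: Some text here...
X-PHP-Script: subdomain.example.com/folder/subfolder/your_script.php for 6.6.54.223
From: email2@example.com
X-Mailer: PHP/5.4.45
X-AntiAbuse: Primary Hostname - gator3211.hostgator.com
X-AntiAbuse: Original Domain - YOUR_ANOTHER_DOMAIN.com
X-Source: /opt/php54/bin/php-cgi
X-Source-Args: /opt/php54/bin/php-cgi /home2/username/blah/folder/subfolder/your_script.php
X-Source-Dir: example.org:/web/internal_dir/
X-Source-Auth: YOUR_USERNAME
X-Source-Cap: WU9VUl9VU0VSTkFNRTtZT1VSX1VTRVJOQU1FO2dhdG9yMzIxMS5ob3N0Z2F0b3IuY29t

Message body.
"""


def decode_source_cap(value):
    """Decode an X-Source-Cap value into its ';'-separated fields.

    Returns None when the value is not valid base64 ASCII, so a caller
    can fall back to showing the raw header instead of crashing.
    """
    try:
        raw = base64.b64decode(value.strip(), validate=True)
        return raw.decode("ascii").split(";")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def audit_headers(raw_message):
    """Return {header_name: [values]} for every sensitive header present.

    X-Source-Cap values are replaced by their decoded form so the leaked
    username is visible at a glance. Headers with empty values are ignored.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {}
    for name in SENSITIVE_HEADERS:
        values = [str(v).strip() for v in (msg.get_all(name) or [])]
        values = [v for v in values if v]
        if not values:
            continue
        if name == "X-Source-Cap":
            values = [";".join(decode_source_cap(v) or [v]) for v in values]
        findings[name] = values
    return findings


def leaked_username(findings):
    """Return the account username revealed by X-Source-Cap, or None."""
    for cap in findings.get("X-Source-Cap", []):
        fields = cap.split(";")
        if fields and fields[0]:
            return fields[0]
    return None


def leaked_paths(findings):
    """Return absolute filesystem paths exposed by X-Source and X-Source-Args."""
    paths = set()
    for name in ("X-Source", "X-Source-Args"):
        for value in findings.get(name, []):
            paths.update(tok for tok in value.split() if tok.startswith("/"))
    return sorted(paths)


if __name__ == "__main__":
    result = audit_headers(SAMPLE_MESSAGE)
    for header, values in result.items():
        for value in values:
            print(f"{header}: {value}")
    print("username:", leaked_username(result))
    print("paths:", leaked_paths(result))
```

Feed it a message you sent to yourself from the hosting account (webmail, mail client and a PHP script each produce a different set of these headers) and compare the output against what you are willing for recipients to know.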

And to waste your valuable time even more, they have placed spam filters on your outgoing email with ever-changing filtering parameters, so you are left wondering why some of your emails get lost somewhere.

Note. This article was written at the time we were still using HostGator intensively, both for shared hosting and for dedicated servers, but we have since switched away. And believe me, the overselling, security problems and poor support are only the tip of the iceberg, unfortunately.

Did we try to solve these issues with HostGator support? Of course. You can try too. Good luck! 🙂 Usually they reply with: we are sorry, but we can’t do anything because of the very high support volume right now.

And I almost forgot to mention that they constantly hijack your 403, 404, 500 and other error pages, injecting their own ads and banners into your page. Maybe back when GeoCities and Angelfire ruled the free web hosting world that was somewhat acceptable, but now, in the era of Web 2.0?!

Google Drive may be silently renaming your files

Just a friendly warning. If you try to store a copy of a standard Apache HTTP Server web root, a git repository, some Linux directories, etc. in Google Drive, do not be surprised when Google silently corrupts the filenames by renaming a dot (.) to an underscore (_). For me this happens to *nix hidden files (names beginning with a dot), but some colleagues remember it happening to regular PDFs as well.

Solution: upload only archived files to Google Drive, and preferably encrypted ones (just in case).

Windows Update – Service not running or Windows System apps appear as from unknown publisher

There are two symptoms to the same problem in Microsoft Windows:

  1. Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer.
  2. When you Run As Administrator mmc.exe, notepad.exe, regedit.exe or any other program, you get: Do you want to allow the following program from an unknown publisher to make changes to this computer?

These errors started to appear after one of the drives in an Intel RAID 1 array (Intel ICH8R/ICH10R SATA RAID controller) failed and was replaced with a new drive. The RAID rebuild was successful; however, the above symptoms appeared.

Where is the problem?

Windows Cryptographic Services. The service has two folders under the Windows\System32 directory:
C:\Windows\System32\catroot
and
C:\Windows\System32\catroot2

One of them has a log file, edb.log, that was full of error messages:

CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1921 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #911 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #969 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6724 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6918 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #7075 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #3454 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #2702 encountered JET error -583

Also, in the GUID-named subfolders there should be two database files called “catdb”:
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
and
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

They were both missing; the folders were empty. And do not try to copy them from another PC, it will not work: Windows automatically deletes them after the Cryptographic Services service starts.
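If you want to confirm the same two findings on a machine before touching drivers, the following added example (mine, not Microsoft's or anything from the post) summarises an edb.log excerpt and checks for the two catdb files. The sample log is the excerpt quoted above, the GUID subfolder names are the ones the post lists, and the catroot2 directory is passed in as a parameter, so the log-parsing part runs anywhere.

```python
import os
import re
from collections import Counter

# Constructed sample: the edb.log lines quoted in the post.
SAMPLE_EDB_LOG = """\
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1921 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #911 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #969 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6724 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6918 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #7075 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #3454 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #2702 encountered JET error -583
"""

# "CatalogDB: <time> <AM/PM> <date>: <message>"
LINE_RE = re.compile(
    r"^CatalogDB: (?P<stamp>\S+ [AP]M \d{2}/\d{2}/\d{4}): (?P<message>.*)$"
)
# "<file>.cpp at line #<n> encountered JET error <code>"
JET_RE = re.compile(
    r"^(?P<source>\S+\.cpp) at line #(?P<line>\d+) encountered JET error (?P<code>-?\d+)$"
)

# GUID subfolders named in the post; each should contain a "catdb" database.
CATDB_SUBFOLDERS = (
    "{127D0A1D-4EF2-11D1-8608-00C04FC295EE}",
    "{F750E6C3-38EE-11D1-85E5-00C04FC295EE}",
)


def parse_edb_log(text):
    """Summarise an edb.log excerpt.

    Returns a dict with the number of "JetInit Corruption" events, a Counter
    of JET error codes, the set of source files reporting them, and the
    number of lines that matched neither pattern.
    """
    summary = {"corruption_events": 0, "jet_errors": Counter(),
               "sources": set(), "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        message = m.group("message")
        if message == "JetInit Corruption":
            summary["corruption_events"] += 1
            continue
        j = JET_RE.match(message)
        if j:
            summary["jet_errors"][int(j.group("code"))] += 1
            summary["sources"].add(j.group("source"))
        else:
            summary["unparsed"] += 1
    return summary


def catalog_db_looks_corrupt(summary):
    """True when the log shows both JetInit corruption and JET error -583."""
    return summary["corruption_events"] > 0 and summary["jet_errors"][-583] > 0


def missing_catdb_files(catroot2_dir):
    """Return the expected catdb paths under catroot2_dir that do not exist."""
    missing = []
    for guid in CATDB_SUBFOLDERS:
        path = os.path.join(catroot2_dir, guid, "catdb")
        if not os.path.isfile(path):
            missing.append(path)
    return missing


if __name__ == "__main__":
    s = parse_edb_log(SAMPLE_EDB_LOG)
    print("corruption events:", s["corruption_events"])
    print("JET errors by code:", dict(s["jet_errors"]))
    print("looks corrupt:", catalog_db_looks_corrupt(s))
    # On the affected machine, pass the real folder, e.g. r"C:\Windows\System32\catroot2"
    print("missing:", missing_catdb_files(r"C:\Windows\System32\catroot2"))
```

Both checks coming back positive matches the state described above; the remedy in the post is the RAID driver update, after which the files are regenerated and this check should report nothing missing.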

Where is the solution?

Update your RAID driver! Yes, it is as simple as that: update the driver (to at least version 11.7.0.1013 from 12/3/2012) and these files are regenerated automatically. On a modern Intel i7 CPU it took about 1 hour.

P.S. I believe that this applies not only to Windows 7, but also to Windows 8.1 and Windows 10.
P.P.S. Running Microsoft Windows Resource Checker (SFC.exe) does not do anything useful in this case.

Real men don't make backups