Site disabled thanx to a user

wordpress

#1

One of my users was apparently using “phishing” scripts on their site without my knowledge. So, they have disabled my account. The email said it wasn’t permanently so that’s good to hear. I have contacted them numerous times with still no response. I am freaking out because I’m getting no response, and that I’m also moving and will have no internet access for about 2 weeks.

Do you think they will let me delete the user and regain my account? Because I am really freaking out!

[Boy Named Sally]


#2

I certainly hope not! That kind of crap is exactly what has no place on a DH server, and the fact that it was “without your knowledge” is no excuse…in fact, that’s just plain scary.

If you didn’t manage your site well enough to prevent it the first time, what reason is there to believe it wouldn’t happen again? I understand that, “It sucks”, but so does phishing…live and learn!

–rlparker


#3

Well excuse me, but I had faith and trust put into the user. I still don’t know exactly what they supposedly did, but I keep very good care of my account if you could only look at the support history I have. I would not only delete him, I would delete all my users (5) and only keep it to myself. And how was I supposed to know he was doing it if my internet was offline due to me moving? I couldn’t.

[Boy Named Sally]


#4

Also it was on another domain hosted with another FTP account, so in fact it’s not scary, I don’t have the time to run my company and search my users 24/7.

[Boy Named Sally]


#5

Then consider yourself “excused”, if it helps you any, though obviously your misplaced “faith and trust” is not an excuse at all…it’s only a reason which excuses nothing.

You are responsible for your account, and the activities of users under your account. That is really simple.

Support history notwithstanding, you were not keeping “very good care” of your account or this could not happen without your knowledge.

What does your internet being offline or your moving have to do with your responsibility to manage your account? Nothing! You opened yourself up to this exposure by allowing others accounts under yours. That is always risky to some degree, and even more so if you can’t be regularly online to monitor what is going on.

Deleting the user(s) now is like closing the door to the barn after the horses have run away…too little, too late. You demonstrated that your judgment is not sound enough to be on a shared server.

Hey, Dreamhost is very understanding, and they may well give you another shot (or they won’t - I don’t know); it’s just disingenuous to act like this is not your fault/responsibility…because it is your fault, and it is your responsibility. I’d be less concerned about them giving you another chance if you showed any indication that you realized that, as opposed to just acting like you couldn’t have helped to prevent it. :wink:

–rlparker


#6

I agree with rlparker on this, that you shouldn’t be allowed to regain your account. But hopefully if they do re-instate your account, you’ll have learned your lesson and will not continue to host other users that you aren’t able to strictly monitor or those you don’t know well, as in people other than RL friends or family.

There’s no reason the other people can’t purchase their own DH account. If your business is partially or fully working as a reseller, then you should already be heavily monitoring your users’ activities to prevent your account from being disabled - just like your current situation.


Chips N Cheese - Custom PHP installs and the like!


#7

Wow…just, wow! Having it happen on a separate user’s FTP account/domain is completely irrelevant. It is your account, and you are responsible for what goes on with it.

Obviously, if you don’t have time to monitor what your users are doing, you shouldn’t have users, and/or you shouldn’t be allowed to operate in a shared server environment. What happens if one of your own scripts gets exploited? Do you have time to check your logs to make sure your site is operating safely?

Others sharing your server deserve better citizenship than that; your site(s) and users impact them and their sites. Would you not monitor who uses your car and what they are doing with it?

“I don’t have time to monitor” is almost as lame as “it happened without my knowledge”…meh.

–rlparker


#8

It’s really simple: It’s your account and YOU are responsible for the content.

No time to pay attention to what users are doing? Then let the people you’re giving access to your account go get their own.

Otherwise, I probably wouldn’t expect too many of the disabled notifications to say not permanent.


:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


#9

Someone types faster than me. :stuck_out_tongue:


:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


#10

I know this, but I have known this person for almost 2 years so that’s why I trusted him. I sure love this supporting community. It really helps when you’re down in trouble. I bet if this happened to you, you’d be in the same boat…

[Boy Named Sally]


#11

Hold on a minute. Are people here SERIOUSLY suggesting that the OP monitor each and every thing done by his customers (I’m assuming they are) ?
Of course action should be taken to minimize this kind of incident (you can choose your customers, you can have strict policies, etc.), but ultimately, crap will happen. It is a matter of how it’s dealt with, then.

I can’t believe that MONITORING each and every action a user may or may not take (and DH allows us to separate our accounts into quite many users) can be the spirit of things. That kind of thing is actually illegal in quite a few countries (with stricter privacy laws), and just plain doesn’t make sense. Of course if you’re notified of such, you have to take action.

Look at it from another angle. Go one step up the ladder. Dreamhost has many user accounts. Some of them will be spamming other companies’ servers on the internet and doing shady things. Should Dreamhost’s upstreams cut off power, bandwidth, support, etc. because one user did something bad without Dreamhost’s direct knowledge ? Shouldn’t Dreamhost have been MONITORING who to put their trust in ? Shouldn’t they have been CENSORING stuff that MIGHT be illegal (but then again, might not be – to hell with it, lawyers are too costly to check every incident, better be “safe” than “sorry”, eh ?)

There is such a thing as micro-managing, and it’s not effective nor practical. Freeze the user account in question (not the DH account, the user account this occurred on) until the matter can be resolved (or further account action taken). Anything else is just bad faith in your customers. Some of them deserve it, most of them don’t. (Hypothetical : say a 0-day vulnerability gets exposed in WordPress with no fix yet, and nobody knows about it yet. Cracker XYZ infiltrates 100 Dreamhost-hosted WordPress sites and starts their fishing op. Tell me that is the customer’s fault …)

Only my $0.02.


#12

thank you /eike\

I am just freaking out because of this and quite sad, since my sole purpose of my host is to host my business… and this is just cutting back everything…

[Boy Named Sally]


#13

It appears to me like they WERE in fact monitoring who they “put their trust in” and have taken the appropriate steps to remove that user. Unfortunately for them, it was someone else under their account who was caught, but they are ultimately responsible for the actions of that user since it is in fact their account. That’s how DH’s policy has always been, and so yes, one must always monitor the activities of their users. I’m unaware of such a thing being illegal in the US, as long as the owner of the account makes his/her users aware that their accounts will indeed be monitored for illegal activities. In fact, DH’s policy is thus.

Furthermore, freezing a user’s account under the primary account is not practical whatsoever. Many of us, myself included, have several “user” accounts under which we run our various websites (domains, subdomains, etc). If the user account in question was in fact being run by the account owner, what’s to stop them from using one of their other user accounts to continue on with said ‘illegal’ activities?
As such, freezing the entire account to determine who was at fault and ultimately what to do about the situation, is exactly what DreamHost is doing. This benefits all users, including the account owner in some cases, as one could easily imagine several users’ accounts being “taken over” by some exploit, thus affecting more than just a single user under their account.

I truly do feel sorry for colorhim, as it does indeed sound like they were basically “screwed over” by someone they trusted, but anyone offering “resold” accounts should be perfectly aware that their users’ actions ultimately affect them, and likewise every other user under their account.
Thus monitoring, especially in cases of reselling, is required. Unless of course you don’t care that you lose your account and clients.


Chips N Cheese - Custom PHP installs and the like!


#14

You don’t have to monitor them, but you also don’t get to say you don’t want to be responsible for them, just because they’re not you.

Dreamhost’s responsibility is to their paying customers–not everyone those customers let use their account.

It would be like expecting your insurance company to let you slide on your deductible if a drunk friend totals your car. Hey, it’s not your fault… all you did was give him access to it and he seemed sober the day you handed him the keys.

As soon as you give users access to your account, you’re accepting full responsibility for what they do. If you have 75 users with access to your account, you can’t expect DH to treat each as a unique customer for a whopping total of $9.95/month.

Keeping it that way should help keep the account owners on their toes. If you tell them their users are a loophole around the TOS, they’d pay even less attention than they do now.

You would also get account owners running trash from their own account, under a different user, thinking the rest of their account would be safe. You’d have no reason to obey the TOS if you can just push it off on a single user and keep everything else up and running.

Personally, I would never put a site that’s important to me in an account where other users have access. These situations are very easy to avoid. It’s common sense.

It’s also not like we always get the full story when people complain here. I could do something evil with one of my user accounts, get shut down, then come here and say it was someone else’s fault.

If they don’t deal with it, they do get blocked, and plenty of innocent people complain that they’re blacklisted when it happens. That’s how it works.

Are you saying that all of the blacklists out there should just keep a list of billions of individual email addresses, instead of IPs? That would be nice, then we could just keep spamming from new email addresses and always have a clean IP.

They do. See all the complaints from people that can’t get past the fraud detection? :wink: Manual account activation also helps.

And their job is a lot harder than it is for a single customer to control a couple users on their own account.

There are hosts without fraud detection, instant account setup, etc… They can usually be found in e-commerce forums, complaining that their merchant account is shut off over a measly 140 chargebacks in one week. :stuck_out_tongue:

It should also be obvious that if you want the same treatment as people higher up the ladder, then you need to be higher up on the ladder. A cheap shared hosting account is pretty much the bottom of the ladder.

The problem is that most people would rather sit around complaining than blow the dust off their wallet and actually pay for the level of service they’re expecting.


:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


#15

Just wanted to chime in with a couple of things.

  1. I feel bad that you were betrayed by your friend. It’s a terrible thing when that happens, particularly when it results in repercussions for you.
  2. Although you weren’t directly responsible for the phishing, you are accountable for all sites under your account. I’m pretty sure those were the terms we signed up under.

So you’re not responsible, you are accountable, and pray that you’re not financially or legally liable.

Good luck.

Free unique IP and $67 off with promo code FLENSFREEIP67 or use FLENS97 for $97 off.


#16

[quote]Hold on a minute. Are people here SERIOUSLY suggesting that the OP monitor each and every thing done by his customers (I’m assuming they are) ?
Of course action should be taken to minimize this kind of incident (you can choose your customers…[/quote]
Well, yeah…that actually is what I am saying, if you are talking about “customers” as “other users” functioning as sub-users of your main account. Is this ideal? Probably not, but then again, DH is not particularly well suited for “reselling” in that sense anyway, and doesn’t pretend to be (not with the obvious limitations of the custom control panel for re-branding, poor user account segregation of databases hosts, etc.).

The ability to host multiple domains under an account and have separate machine users allows you to do this, but it is not without risk…a risk that you take on if you choose to do so. You can choose to require your “customers” to have their own accounts, and doing so would make this whole point moot. If you choose not to do it that way, then you assume certain risks, and sometimes it doesn’t work out.

I can see how that might seem to be the case if you are treating your own account as an ISP; the fact is that such accounts on a shared server (notwithstanding the huge quotas of disk and bandwidth) is not what Dreamhost is providing. There are lots of legitimate uses for multiple machine users in your account, but the TOS is very clear that you are responsible for them all. Those Terms of Service apply to you, as proxy for another to whom you grant access as a user.

To argue otherwise is an attempt to rewrite the TOS, which we all agreed to when we signed up. Again, the solution for avoiding such personal responsibility is for those other users to have their own account, where they will have the responsibility to comply with the DH TOS (and which much more accurately describes the situation you are describing).

I think seiler and mousee already addressed the problem with that approach very well, and I agree with him. Do you really think that DH intends to provide the infrastructure and support for you to resell in that segregated a sense for what they charge? The management of that would be a total disaster. I think it is great that they allow you to host unlimited domains and have many users; I don’t see that as an invitation to, or a method by which you can, absolve yourself of responsibility for what happens under your account.

I’d expect that in such a situation DH would likely close down all those sites, and leave them down until each site fixed the problem. It would be very easy to tell what had occurred, and no, I don’t think that DH would consider that to be “the customer’s fault” (particularly if they were using a one-click installed WordPress :wink: ).

As described, the original poster’s situation is something different; he had a rogue user run amok under his account - he allowed the user and, therefore, the activity. Had that user had his own account, it would only be him for it (and DH would have had some additional revenue to compensate for having to deal with his activity). As it was, all Dreamhost got out of the deal was the grief and aggravation.

I’m also impressed by the fact that the original poster seems to have no concern whatsoever that his resources were used in this manner, only frustration that he is inconvenienced by the enforcement action. That is the main reason I am having a hard time feeling much sympathy for his situation. If it were me, while I would try to lobby for a second chance, I’d be mortified that this had happened, and deeply concerned that my account had been so misused.

Absent that recognition of the severity of the problem, and my responsibility for it (this might not have happened had I not given the phisher the user account - or at least it wouldn’t have happened on my dime), I wouldn’t expect DH to be anxious to reinstate my account. Maybe the original poster does feel that way, and just hasn’t indicated it here, but his posts seem to indicate he feels he is the injured party and should not be held responsible.

–rlparker


#17

I think that is well said, and is a good, and generous, way of looking at it. It gives (as it should) the original poster the full benefit of “assume the best” thinking. Thanks for posting that.

I realize I’ve probably been the hardest on the original poster over this; we all have opinions and my opinion on such things is rather strident. :wink:

Maybe this poster was just badly abused by his “friend” and this lesson is all that is needed to educate him as to his responsibility/accountability for his users’ actions.

That said, the position that DH elects to take regarding whether or not to reinstate his account is their decision to make, and I’m supportive of whatever DH decides to do (they have always been more than fair, in my experience, so I’m sure they will “do the right thing”) :wink:

–rlparker


#18

[quote]Do you really think that DH intends to provide the infrastructure and support for you to resell in that segregated a sense for what they charge?

[/quote]

I really think you provide MB of opinion for what you charge, so why not.

[quote]I have contacted them numerous times with still no response. …

[/quote]

With a 24-hour response time, “numerous times” is less effective than one time.

:smiley: I hate to imagine the webcams or other monitoring rlparker or seiler would set up for loaning somebody keys to their car or 2nd home. :smiley: It’s tricky for the police to decide if somebody is an accomplice or dupe, but if they can do it for what they charge, then DreamHost can too, and better. :cool: Dey hab da techno and da brainz.


$1 for me << SE7ENOF9 | SE7ENOF97 >> All for you


#19

HA ha! :slight_smile: I like that! Hey, my opinions are worth exactly what you pay for them! :wink:

Another good point! I do occasionally loan both of those things, but only very carefully, and I expect that I could be held responsible for how someone uses them.

[quote]With a 24-hour response time, “numerous times” is less effective than one time.
[/quote]
I think you are probably correct on that point! :wink:

And he gets the “hat trick” - three salient points in one post! :slight_smile: . There is a big difference though, between the police and DH:

The police have a *moral obligation* to apprehend the *guilty*, while DH is less than interested in *punishing* or *policing* anyone at all - they are just trying to run a *business* within economic constraints - deciding not to do business with someone is very different than determining their guilt or innocence. I'm *glad* that DH tries very hard to be "fair", but really all I can reasonably *require* of them is to follow the TOS...and in this instance, that is very clear (whether or not it is always "fair") ;)

–rlparker

Edit: I knew I forgot something! Welcome back, Bob! er…whoever…we missed you! :wink: