Broken Images - Thanks Dreamhost!



  • So any of my posts that had images on them, the images are 404s right now. Why? Well, the domain I use for hosting them has no hosting. Why? Well, someone at Dreamhost renamed the folder backing it to:

    schend.net_DISABLED_FOR_EXPLOIT__CONTACT_DREAMHOST

    Look guys, I'm 100% behind disabling my domain if you have good evidence there's an exploit on it-- Hell, I know for sure it was running some seedy PHP apps (The Mother Monster Matrix [http://forums.thedailywtf.com/forums/p/24646/260072.aspx] for one.) But seriously, why didn't you email me? Why do I have to just (luckily) notice my own website is broken and contact you about it? Christ. You know my fucking email address, use the fucking thing! Grr.

    Off to get this resolved...



  • Further dickery:

    1) I log into my Panel-- no notices
    2) I click "Account Status"-- no notices
    3) I click "System Status"-- no notices (which makes sense, since it's probably just my account, but I figured I'd check)
    4) I click "Manage Domains"-- no notices on that domain



  • Further dickery:

    There's actually a notice about this in my Support History! Because of course the 4 other fucking places I checked for notices before posting a ticket weren't fucking good enough for them. The real joy here is that you don't even see the Support History page until after you submit a new support ticket, so that's some brilliant design there on Dreamhost's part. Also apparently new issues created there for me don't get emailed to me, and don't show up in any of the above-mentioned 4 locations. Grr.

    Well, at least now I know how to resolve it. Can anybody recommend a quick/dirty image gallery maker for PHP? I was using one named "snif".



  • This wasn't my site but a couple years ago, the index page of a website I was visiting got defaced so the host renamed it to index.php.moved-by-noc. I know this because they didn't disable directory listing when they renamed the index file... it's still online, too.



  • Dreamhost's shared plan looks amazing. Are they any good apart from this incident?



  • Further dickery:

    Dreamhost DID email me, but it was trapped in my spam folder. Why? Google sez: "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information." What does that mean? Mail header set incorrectly?



  • @derula said:

    Dreamhost's shared plan looks amazing. Are they any good apart from this incident?

    I'll be honest: I've mostly used them out of inertia. Signed up in 2005, and too lazy to move my files/blogs/etc anywhere else. Also: cheap. Also: if you've been a loyal customer for a few years, you pretty much run the place-- my quotas are so huge it's basically unlimited, they move me to new servers if I ask, etc. (Which I had to do once when my shared MySQL instance got too shared.) Also they don't nickel-and-dime you for each domain you add, although I'm not sure if other hosts do that anymore or if that practice has faded away.

    Generally, though, I think they're pretty good. Before Dreamhost, I had an account in Pair.net since about 1998 or so, and found them to be both unreliable and expensive. (Probably due to their explosive growth at the time-- they might be great now.) I've only tried one Windows Server host, ReliableSite and they were complete trash, a total waste of time and money.

    Edit: man, going through every file on that server sure brought back some memories. Look, it's Vinaya's Dragon! Haha, ES stuff.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    So any of my posts that had images on them, the images are 404s right now. Why? Well, the domain I use for hosting them has no hosting. Why? Well, someone at Dreamhost renamed the folder backing it to:

    schend.net_DISABLED_FOR_EXPLOIT__CONTACT_DREAMHOST

    Look guys, I'm 100% behind disabling my domain if you have good evidence there's an exploit on it-- Hell, I know for sure it was running some seedy PHP apps (The Mother Monster Matrix for one.) But seriously, why didn't you email me? Why do I have to just (luckily) notice my own website is broken and contact you about it? Christ. You know my fucking email address, use the fucking thing! Grr.

    Off to get this resolved...

     Letting you figure it out on your own seems to be SOP--that happened to me once when a background SQL query went awry, and they disabled my account to protect the virtual server, and didn't bother telling me.  I had to find out from my users the site was down.



  • @blakeyrat said:

    Before Dreamhost, I had an account in Pair.net since about 1998 or so, and found them to be both unreliable and expensive. (Probably due to their explosive growth at the time-- they might be great now.)

    Not from my company's very recent experience.

    We ordered a dedicated server, and it seems this is not something they're used to.



    Maybe it was the fact we had a large number of IPs assigned to it, but from the start their own logging processes caused issues.

    Dedicated does not give you root access - you're just a user on their 20Gb ram machine, probably a re-purposed shared host. They have a few logging processes, and one of those caused an average of 1.0 load on the server. It's not ideal, but liveable I suppose.

    The other logging process caused our 1Tb drive to completely fill up. Before we had anything actively running on the server.



    If we wanted anything done that required root access, we had to pay $50 per request. Hooray!

    So when we asked for a specific version of Erlang, R12B03, what did they install? The latest, incompatible, version, of course.

    We eventually got things running, and never had issues!



    ...until their reaper process kicked in, enforcing its default settings of "max 64Mb ram, max 1 minute runtime" clause. On a dedicated server.

    Their response was that "it shouldn't have enforced this", and despite their initial "this reaper process controls critical server functions and cannot be disabled", their eventual solution was to just turn the damn thing off, because it wasn't able to ignore our specific user.



    They may be good for shared hosting, if you can fit within their 64Mb limit/1 minute runtime (I suppose most people would), but steer clear if you want a dedicated server.



    EDIT: I have to manually br?



  • Two years ago, on a shared host, one day our AJAX app stopped working. No email, no ticket, no nothing. After a moment we realized the directory has been chown'd to root and chmod'd to 000. Odd. Well, as we still had write access to the parent directory we renamed that 000'd directory, restored backup, and chugged along. A week or so later, same thing. Then the owner of the site (I'm just a tech of sorts) emailed the host, and they're like "Yeah, it was causing a large system load, so we disabled it. ToS lets us delete or disable anything we wish with no responsibility, yanno?"

    Few days later we were running on a VPS at Linode. Full root, full freedom (as long as it's legal), and performance a few orders of magnitude better. 😉

    TRWTF? That shared host was running PHP as plain old CGI, the type that spawns a new 20+MB PHP process on each request. Did I mention we were running a multiuser AJAX app?



    Anyway, what I was trying to say is that I still have to see a shared host that DOES email/alert you when they fuck up your site. "Block it, then wait until they notice" seems to be a standard policy everywhere.



  •  My host called me on the phone when there was a thing.

    Pretty cool.



  • @dhromed said:

     My host called me on the phone when there was a thing.

    Pretty cool.

    GoDaddy alerts you as well.



  •  I like how this thread is basically "QQ I broke my host's TOS and they disabled my site, please join me in deriding them for committing such a dastardly WTF"



  • @Zolcos said:

     I like how this thread is basically "QQ I broke my host's TOS and they disabled my site, please join me in deriding them for committing such a dastardly WTF"

    Well, over time the WTF evolved to:

    1) Their "site disabled" notification emails are caught by Gmail's spam filter

    2) This really, really important support notice isn't displayed in any of the obvious places you'd expect it to be displayed.

    So yeah. It's still a WTF, but only a little teeny one. I make no apologies.

    Edit: Oh and BTW, I didn't break their TOS, some hacker broke into my site and broke it on my behalf. And I'm still looking for a replacement for snif.php if anybody knows of one.



  • @Zolcos said:

     I like how this thread is basically "QQ I broke my host's TOS and they disabled my site, please join me in deriding them for committing such a dastardly WTF"

    On my part, we're supposed to be exempt from those clauses. They couldn't figure out how to exclude us from their reaper process 😛



  • @blakeyrat said:

    @Zolcos said:

     I like how this thread is basically "QQ I broke my host's TOS and they disabled my site, please join me in deriding them for committing such a dastardly WTF"

    Well, over time the WTF evolved to:

    1) Their "site disabled" notification emails are caught by Gmail's spam filter

    2) This really, really important support notice isn't displayed in any of the obvious places you'd expect it to be displayed.

    So yeah. It's still a WTF, but only a little teeny one. I make no apologies.

    Edit: Oh and BTW, I didn't break their TOS, some hacker broke into my site and broke it on my behalf. And I'm still looking for a replacement for snif.php if anybody knows of one.

    From a quick read of this it appears that a simple trim() would fix the exploit. I'd advise you to mail the author with that info and/or a patch, but the "email" link on his own page is broken, so yeah. Yes, I know you don't like maintaining other people's code, but it might be your only option.



  • @blakeyrat said:

    "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information." What does that mean? Mail header set incorrectly?
    Usually this means that the domain in the From field has SPF set up in DNS, but the e-mail server from which the message originated isn't listed as a valid source for that domain. Which would mean dreamhost fail.



  • @The_Assimilator said:

    From a quick read of this it appears that a simple trim() would fix the exploit. I'd advise you to mail the author with that info and/or a patch, but the "email" link on his own page is broken, so yeah. Yes, I know you don't like maintaining other people's code, but it might be your only option.

    I read that too, but I don't know if snif.php was the source of the break in. I just removed all PHP from the server (including that weird mega mother lady gaga whatever thing). But I figured there might be something better out there-- from looking around, it looks like snif.php is basically it, unless you want to spend hours configuring.

    So I dunno. I'll go without image previews for a while and decide what to do.



  • @ender said:

    Usually this means that the domain in the From field has SPF set up in DNS, but the e-mail server from which the message originated isn't listed as a valid source for that domain. Which would mean dreamhost fail.

    Yah, I told the support person that. She didn't seem to care.



  • FWIW, the CMS I made for myself can generate galleries of pictures based on directory structure. It creates and caches thumbnails, caches everything, and has many more CMSy features (which can be disabled... or just ignored). No database needed, little configuration needed for that simple purpose (but if you do want to configure it, it's a simple ini file). Default HTML templates might be weird, but based on "box model", thus easy to change via CSS. I didn't feel like advertising it because well it's not commonly used except by me and I can't tell for sure it doesn't have a similar exploit. Although I can't imagine how.

    It's even on sourceforge, but the latest version there doesn't work with PHP5. I could send you my current version though.



  • @derula said:

    FWIW, the CMS

    I don't want a CMS, I just want a drop-in replacement for Apache's lame-ass folder browser. Snif.php was excellent because you just rename the thing index.php and dump it in the parent directory, and bam you're done. I like quick and easy.



  • @blakeyrat said:

    @derula said:
    FWIW, the CMS

    I don't want a CMS, I just want a drop-in replacement for Apache's lame-ass folder browser. Snif.php was excellent because you just rename the thing index.php and dump it in the parent directory, and bam you're done. I like quick and easy.

    I know. My CMS can do that. It lists everything within a special "home" directory, plus shows thumbnails for images. Other CMS features can be ignored (or disabled). But admittedly, to make it look more like a folder browser you'd probably want to change the HTML template. Here is an example of how the folder browser part looks by default; file details are shown as a floating hint. (the page isn't entirely default, the image comment page module has been disabled. and if you disable a few more modules that'll leave you only with the file browser) Well, decide for yourself.

    Edit: also, yes, it's not a single php file. So if that is a deal breaker for you, I'm sorry.



  • @derula said:

    Edit: also, yes, it's not a single php file. So if that is a deal breaker for you, I'm sorry.

    Look, if you have a drop-in replacement folder browser that will run on Dreamhost, then I'll give it a go, just send me the link. The more you post about this thing, the more confused I get.



  • @blakeyrat said:

    @derula said:
    Edit: also, yes, it's not a single php file. So if that is a deal breaker for you, I'm sorry.

    Look, if you have a drop-in replacement folder browser that will run on Dreamhost, then I'll give it a go, just send me the link. The more you post about this thing, the more confused I get.

    Try this. Folder new/cache needs to have write permission for FTP user. It will list all the files in "home" directory. To change that, change new/new.ini. If you don't like it then blergh, delete it. Note: there's a .htaccess inside that it requires to work.

