EH-Net

I would like to have some inputs from you all on the following scenario.

A web site / application is hosted with a web hosting service provider (HSP). However, there is vulnerability in the web site that gets exploited and the sites functionality is affected. Whenever a end user is visiting the website, some malicious code is called from a remote malicious website. Note that the malicious code is not stored on the hosting service provider’s server.

Under such a scenario, does the HSP provide any kind of support to analyze the website / code and rectify the issue? I know most of the answer is going to be – “It depends on the agreement with the HSP”. However, there is no specific agreement other than the standard hosting agreement exists between the HSP and the client. I have come across people saying that the client is paying to the HSP, so they are supposed to help remove the vulnerability. I believe, the scenario is clear.

Hi,
Hosting providers generally do not provide any such assistance to their customers. Providing hosting is after all very different to providing application support. I'm my experience the response is to do nothing at all, to notifty the customer or to suspend the hosting account.

Jimbob

I agree jimbob.

Assuming the client wrote the website, then the vulnerability is theirs and they would (should) fix it.

Yup, I'm going to agree with Jimbob as well. The hosting provider is not going to spend the time/effort to analyze the code of one of their customers to find out where/why a vulnerability exists. This costs them time (money) and they may not have the expertise to do a proper code review.

Also as Jimbob mentioned, the likely action for the hosting provider is to choose one of those 3 options. Most often, they suspend the account (as that also "fixes" the vulnerability), especially if the vulnerability in question is found to effect other hosting customers.

I'm with everyone else on this with one major caveat.

As a client, you are most likely on a shared server.  If the hosting provider doesn't have a secure setup (and many don't), a vulnerability in one user's site that provides a shell escape can impact every user on the box.

I've seen cases where a client's site was defaced.  I looked at the server via SSH and was able to determine (pretty quickly) that other sites on the same server had been compromised as well.  Without root access (which the hosting provider obviously didn't give me) I can't say for sure which site was the compromise vector but everyone was impacted.

Sure hosting providers could provide each client their own "server" with virtualization, but this brings new challenges (particularly with resource  monitoring).  I would also say that any company that can't configure shared hosting boxes more securely certainly isn't up to the task with virtualization.

Basically, if one client is screwing up other clients, it is the hoster's responsibility to either help the offending client or get them off the box.  They've likely expended all the work to find the offending client (and what security problem they're having), seems like a perfect opportunity to fix it for a nominal fee (especially if the alternative is expulsion).

Generally, this is how it would work. The HSP is responsible for nothing more than the hosting, anything that's done with the applications that are run on the server is the responsibility of the client.

I would imagine that if the exploit causes server-wide damage, the HSP would take more interest as it would affect more that just the one client.