Welcome to AppFail
Posted on 2009-07-27
HostGator, one of the many providers offering "unlimited" hosting for $4.95 (it claims to host 2.2 million domains), seems to have either gotten a bit scared by a supposed 0day OpenSSH flaw or tried to capitalize on being the first to take proactive steps against it.
The rumours of a 0day flaw have spread rapidly and, as is the nature of rumours, have proven harder to quash than they were to start. The OpenBSD/OpenSSH team has stated that they are not aware of any exploits for the ubiquitous ssh daemon, which provides secure remote shell access to almost every Unix- or Linux-based operating system, and also to embedded devices such as routers, IP-KVMs and other managed network devices.
The rumours started with a group called 'Anti-Sec', whose stated goal is to change the way vulnerability disclosures are handled. Under the current system, called full disclosure, when someone finds a vulnerability they report it to the affected vendors, and usually shortly after that they post publicly about how it was done, usually including a piece of example code, a proof of concept. In the view of 'Anti-Sec' this behaviour is self-serving: it glorifies the security analyst and hampers the security of end users by allowing the less ethical side of the security sector to use the disclosure and sample code to develop exploits and malware. Anti-Sec feels that the full disclosure system has become about money, scaring people into buying the firewalls, anti-virus solutions and other products of the security companies.
The reason this system was adopted was that vendors were not always eager to fix vulnerabilities, especially back before the internet was as popular and automated patching systems were not possible. Full disclosure is a way to force the vendors to take on the extraordinary cost of fixing vulnerabilities as quickly as possible.
The rumours started when Anti-Sec hacked the popular image hosting site ImageShack.us and posted their manifesto. Other attacks followed, including astalavista and then the systems of the security analyst who was investigating the astalavista attack.
Then someone who was not actually part of the Anti-Sec movement started posting 'console captures' of a tool called 'open0wn' or 'openPWN', which purported to be able to break into most recent versions of OpenSSH. It has since been revealed that this was in fact a hoax.
HostGator took the extraordinary step of entirely disabling SSH on all of their servers and claimed that they themselves were developing a patch for the unknown OpenSSH vulnerability. It is quite obvious from their single-sentence post two weeks later that they jumped the gun. It is rather unlikely that they were developing their own patch, as doing so would require knowledge of the vulnerability, which no one has, because as far as is known no vulnerability exists. So either HostGator overreacted to rumours instead of following established procedures, or they tried to capitalize on the hype and be the first web hosting provider to "protect" their customers from this evil vaporware exploit. A few weeks without SSH access would definitely be enough to get me to take my $5 somewhere else.
By: Allan Jude
Tip: Phil Lavin
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare - Any man can make a mistake; only a fool keeps making the same one.