Hosting Switch

Recently I switched my personal hosting from Dreamhost to WebFaction. I’d been butting up against the resource limits on Dreamhost’s cheap plan for ages, and an annoying multi-day outage was the last straw.

The outage was actually pretty interesting, in its way. I discovered that all sites served from a particular user account were having their host processes instantly killed. Okay, I assumed that I was being hit by some crazy-aggressive spider, and I’d have to go throttle something. Then I tried to ssh in, and discovered that my login shell got insta-killed. Problem.

Eventually, via their web panel, I migrated all the sites on that user account to a different user account, and thus discovered that there was no unusual load at all. The process killer had just gone mad, and was killing any process owned by that user, without any reason. Dreamhost did eventually restore access to that account, but it took something like three days.

In that time I did a bit of research about alternatives! WebFaction came highly recommended from some of my coworkers and had a 60 day money back guarantee, so I felt they were worth a shot. They’ve turned out to work very well.

What I get out of this is:

  • Fewer resource constraints. For one thing… CPU and memory consumed by the server-wide Apache/MySQL/Postgres instances don’t count against your plan limits.
  • Less heavily-loaded servers. This article is accurate, from my own tests.
  • Focus on long-running apps. Dreamhost was very much a PHP host. You could run other stuff on it, but it clearly wasn’t what they intended.
  • Memcache installed on all servers. Thank $deity.

I’ve lost:

  • A bit of hand-holding. Dreamhost was pretty good at doing things for you with a checkbox, like redirecting www to the subdomainless domain if you wanted. With WebFaction I had to write my own little www-remover app for it. (Which was simple, but still.)
  • Sites hosted under multiple user accounts. I always liked that as an extra little burst of security.
  • (Related to that last point…) a collection of cracker backdoor scripts that had been installed via some compromised WordPress themes and eventually been neutered by me.

All in all, I think I’d still recommend Dreamhost to relatively non-technical people. If all you want is to host a generic PHP package, WebFaction is going to be confusing.

One final note: it having been a long time since I last switched hosting plans (I’d been on Dreamhost since 2005), I was slightly amused to notice that it took me longer to bzip up a multi-gig database dump than it probably would have to just scp the uncompressed file across.

Vulnerable

One of my sites got hacked. How?

  1. My wife tried out a number of WordPress themes while setting up her blog a year or two ago.
  2. One of them contained something called timthumb.php, which just this August was found to have a great big security vulnerability.
  3. Someone exploited this vulnerability (probably after scanning for every possible theme that contained it) and put a cracker console in the cache directory of that theme.
  4. They used this console to find and edit every .htaccess on that user account to include some malicious code. (This was several sites, because I was lazy.)
  5. It redirected to a quite nasty URL whenever a referrer from a longish list of search engines was seen.
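A way to find the kind of .htaccess edit described in steps 4 and 5 across a whole account, added here as an example (this is not the author's own tooling). It walks a document root, parses each .htaccess with the mod_rewrite rule that RewriteCond lines accumulate until the next RewriteRule consumes them, and reports any RewriteRule that sends visitors to an absolute http(s) URL while being guarded by a condition on HTTP_REFERER. The sample .htaccess is constructed for this example, and its redirect target uses a reserved .invalid name rather than any real host.

```python
import os
import re

# Constructed sample .htaccess for this example (not the author's real file).
# A legitimate www-stripping rule is followed by an injected, referrer-gated
# redirect of the kind the post describes; the target is a reserved .invalid
# name, not a real malicious host.
SAMPLE_HTACCESS = r"""RewriteEngine On

# legitimate: send www.example.com to the bare domain
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://malicious.invalid/in.php [R=301,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_referrer_redirects(htaccess_text):
    """Return one finding per RewriteRule whose target is an absolute http(s)
    URL and which is guarded by at least one RewriteCond on HTTP_REFERER.

    mod_rewrite semantics used here: RewriteCond lines accumulate and apply
    to the next RewriteRule, which consumes them.
    """
    findings = []
    pending = []  # (line number, test string, pattern) of unconsumed conditions
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target = m.group(2)
        referrers = [pat for _, test, pat in pending if "HTTP_REFERER" in test.upper()]
        if referrers and re.match(r"https?://", target, re.I):
            findings.append({
                "line": lineno,
                "target": target,
                "referrers": referrers,
                "flags": m.group(3) or "",
            })
        pending = []  # a RewriteRule consumes whatever conditions preceded it
    return findings


def scan_tree(root):
    """Walk a document root and report findings for every .htaccess under it."""
    results = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_referrer_redirects(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for hit in find_referrer_redirects(SAMPLE_HTACCESS):
        print("line %(line)d: redirect to %(target)s when referrer matches %(referrers)s" % hit)
```

This only catches redirects expressed in mod_rewrite; an attacker with a PHP console can just as easily put the redirect in a theme's PHP, so the .htaccess scan is a complement to diffing the whole tree against a known-good copy, not a substitute for it.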

So that’s not terribly nice. I take some small comfort in knowing that at least I have a lot of company. Also, I feel validated in moving off WordPress.

The cracker console was actually quite interesting. If you’re curious, you can see it on this gist, slightly expanded for readability (or just a screenshot).

It was obfuscated by being a big string that ran through preg_replace using the e flag, which executes the result. Yes, this is a genuinely insane feature. That turned some unicode-escaped characters at the beginning into eval(gzinflate(base64_decode(', which revealed the rest of the huge string to be a base64 encoded gzipped blob of source code.
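A static decoder for exactly that pattern, added here as an example (it is not the code from the gist). It first constructs a file of the shape just described, preg_replace with the /e modifier whose replacement string opens with escaped characters and carries a base64-encoded raw-deflate blob, and then unwraps it without running any PHP. The stand-in console body, the use of \xHH escapes for the leading characters, and the single compression layer are assumptions for the example.

```python
import base64
import re
import zlib

# Hypothetical stand-in for the console's source; the post links to the real
# one in a gist rather than reproducing it, so this is a constructed placeholder.
INNER_SOURCE = "<?php echo 'cracker console body goes here'; ?>"


def gzdeflate(data):
    """PHP's gzdeflate()/gzinflate() use raw DEFLATE with no zlib or gzip
    header, which in Python is wbits=-15."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample_backdoor():
    """Construct a file in the shape the post describes: preg_replace with the
    /e modifier, whose replacement string starts with hex-escaped characters
    (assumed form of the escaping) followed by a base64 of a deflated blob."""
    blob = base64.b64encode(gzdeflate(INNER_SOURCE.encode())).decode()
    head = "".join("\\x%02x" % b for b in b"eval(gzinflate(base64_decode('")
    replacement = head + blob + "')));"
    return "<?php preg_replace('/.*/e', \"%s\", ''); ?>" % replacement


PREG_E_RE = re.compile(
    r"preg_replace\s*\(\s*(['\"])(.+?)\1\s*,\s*(['\"])(.*?)\3", re.S)
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]*)\1", re.S)


def decode_php_escapes(s):
    """Resolve \\xHH and \\NNN escapes the way PHP's double-quoted string
    parser would, so the hidden function names become readable."""
    s = re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)
    return s


def peel_layers(code, max_layers=10):
    """Repeatedly undo eval(gzinflate(base64_decode('...'))) statically,
    returning each decoded layer in order."""
    layers = []
    for _ in range(max_layers):
        m = LAYER_RE.search(code)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        code = zlib.decompress(raw, -15).decode("utf-8", "replace")
        layers.append(code)
    return layers


def deobfuscate(php_source):
    """Find a preg_replace() call, confirm it uses the /e modifier, decode the
    escaped replacement string, and peel the compression layers. Returns None
    when the file does not match this pattern. Nothing is executed."""
    m = PREG_E_RE.search(php_source)
    if not m:
        return None
    pattern, replacement = m.group(2), m.group(4)
    delimiter = pattern[0]
    modifiers = pattern.rsplit(delimiter, 1)[-1]
    if "e" not in modifiers:
        return None  # an ordinary preg_replace, not the executing variant
    stage1 = decode_php_escapes(replacement)
    return {"modifiers": modifiers, "stage1": stage1, "layers": peel_layers(stage1)}


if __name__ == "__main__":
    result = deobfuscate(build_sample_backdoor())
    print(result["stage1"][:60] + "...")
    for i, layer in enumerate(result["layers"], 1):
        print("layer %d: %s" % (i, layer))
```

Real samples usually stack more transformations (str_rot13, strrev, gzuncompress, which is zlib-wrapped rather than raw deflate) and in a different order, so peel_layers is the part to extend; the point of doing it statically is that you never hand the blob to a PHP interpreter to find out what it does. The /e modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0.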

The lesson I’m taking from this is: security is hard to enforce when themes that non-technical people are expected to use can contain executable code. Or even technical people… I wouldn’t have caught that if I’d been looking for a WordPress theme.