Surpass Hosting Users Beware

As most of you are aware, some issues were found with some of the CodeGrrl scripts late last year and an announcement was made with the necessary fixes. Unfortunately, despite these fixes being easily and freely available people still ignored the risks (despite hundreds being exploited) or even worse: deleted the protection.php file (which had the original issue in). Deleting protection.php opens up your script control panel to absolutely everyone.

Only recently did Amelie discover that this wasn’t a misinformed user telling people to delete this important file (as I had assumed), but in fact: Surpass Hosting! It amazes me how someone who owns their own hosting business can suggest something so ridiculous, but we won’t go in to that right now..

If you’re a Surpass + CodeGrrl-script user that has deleted their protection.php file, get it added back with the fix as soon as possible. If you’ve told people to delete their protection.php file because of Surpass’ bad advice: tell them now to add it back. Deleting protection.php is as stupid as me giving you the password to my web server control panel.

24 comments so far

  1. Li said:
    On 13 Sep at 8:02 pm

    I don’t think anyone hosted by Surpass are even allowed to use the CodeGrrl scripts anymore; sites have been getting suspended for using them… I’ll “spread the news” on the forum I’m a member of. :)

  2. Amelie said:
    On 13 Sep at 8:03 pm

    Thank you for posting this. Unfortunately, I don’t thiink Surpass are the only ones telling people that you need to delete protection.php or you’ll be hacked!!!1!1!ohnoez. Surpass are also one of the hosts who believed the hoax regarding my own script (someone said it could be hacked in a similar way to most of the CodeGrrl scripts – it can’t) and have apparently banned it on all their servers. >:( They obviously believe hype and think that to deal with any risk, affected files must be deleted. No, wrong. Argh.

  3. Jem said:
    On 13 Sep at 8:05 pm

    @Li: Well, that’s a different matter altogether. Personally I’d use BellaBuffs instead of PHPFanBase/PHPClique and my Basic Image/Ad Rotation Script tutorial at tutorialtastic (with quotes instead of images) instead of PHPQuotes, but then I’m obviously biased towards my own scripts! ;)

  4. Amelie said:
    On 13 Sep at 8:06 pm

    …by that last statement, I meant that deleting vulnerable files is not always the solution to the problem – but of course in some cases it is. If you want to eliminate the problem of hacking but don’t want/know how to patch your files, you need to delete ALL the phpfanbase/phpcurrently/phpcalendar/phpquotes/etc. etc. files, NOT just protection.php.

  5. Jordan said:
    On 13 Sep at 8:22 pm

    @Amelie: I think Surpass would rather ban the script at their DC, then have to deal with servers being overloaded, and security issues. I’d do the same thing to, even if it was all “hype.” It’s better to be precatious when you have such a huge company, versus letting the issue go unnoticed and face potential risks in the future.

  6. Amelie said:
    On 13 Sep at 9:03 pm

    On looking through the Surpass announcements I see nothing saying that they have officially banned said script. Who knows, it’s up to them at the end of the day.

  7. Shawna said:
    On 13 Sep at 9:43 pm

    Interestingly enough, I’ve also heard of some users having billing issues with surpass (i.e. surpass attempts to automatically bill you and your payment doesn’t go through. Instead of shutting down your account or notifying you, they let you go on thinking you’ve been charged automatically and contact you MONTHS later with a huge overdue payment bill) I think if I was a Surpass user, I would be switching right now.

  8. banshee said:
    On 13 Sep at 9:46 pm

    I recently had a hacking due to the PHPFanBase script – for some unknown reason I uploaded the OLD protection.php file to all of my fanlistings and left the domain vulnerable – when Surpass had a look through my files they found what caused the problem (FanBase) but didn’t ask me to remove the script. @Jem: I’d rather use BellaBuffs, but having to log into 25+ admin pages to approve members is something I’m not too keen on doing. So I’m waiting for the collective script to upgrade ;)

  9. Jem said:
    On 13 Sep at 9:48 pm

    ^ I manage all my FLs alright! ;) I am working on the collective version though.. might developed slowly though because my new job is keeping me v.busy!

  10. Xeronia said:
    On 13 Sep at 10:09 pm

    Wow. That makes me want to suspect Surpass Hosting of some hacking scheme. Codegrrl has good scripts that work well and are very secure. I remember when they were all pulled off for security issues. Plus, Codegrrl is anything but illegal and doesn’t put much load on servers. @Shawna: Yeah, I’d definitely switch servers as soon as possible.

  11. Belinda said:
    On 13 Sep at 10:50 pm

    Wow, talk about stupid. Surpass was one of the hosts I was actually considering when I was switching, thankfully, I decided they were too expensive. XD

  12. Carina said:
    On 13 Sep at 11:16 pm

    Oh jeez that makes me pretty mad. It’s like they hate CodeGrrl. I happen to love Codegrrl, it’s a fabulous resource. What makes me mad is the way she talks on that forum- it’s like Codegrrl doesn’t know what ‘she’ is doing.

  13. Aithnea said:
    On 13 Sep at 11:16 pm

    Surpass will defently be added to my list of hosts to avoid when my package expires next year. It’s scarry to think that a company would get people to delete part of their script that would help keep people from hacking you. I’m surprised they just didn’t sit there and say, “Either get the upgrades or removed these scripts from you site. If you have a non-upgraded version and you are hacked we will charge you millions of dollers in labour fees to clean up the mess.”

  14. Andrea said:
    On 14 Sep at 12:00 am

    @ Belinda: If you consider Surpass expensive, where are you at now? Seriously. I’m on Surpass right now and I switched to them because they were cheaper (a lot cheaper) than Netrillium.

  15. Julie said:
    On 14 Sep at 12:14 am

    Delete the protection file? Why do they think it has been called “protection”?

  16. Bubs said:
    On 14 Sep at 4:41 am

    That just blows my mind!

  17. Jordan said:
    On 14 Sep at 3:09 pm

    @ Xeronia, Aithnea, Carina: If you hadn’t known of the authors personal site(s) to be able to read them, do you think you’d have the same comments to make in regards to the scripts? I’m not that big into php at the moment, so I would have to base most of my decisions off of what I read elsewhere on the internet. I’m sure the same could be said for Kayla, who had posted that. Now I know I can’t speak for her knowleddge of lack of it in regards to php, but I agree that maybe she should’ve had one of ther Sysadmins or someone else with the knowledge, to look into the script’s issues before posting about it… But if she posted it due to hype she saw on the internet, then you can’t blame her for thinking that whomever she originally found it from, knew what they were talking about. Just my common two cents about it. *shrugs* @ Shawna: The main thing to always watch, since they use paypal (and 2checkout), is to get notices and invoices. If you don’t see anything being deducted from paypal or your debit/credit card, then it’s the individuals fault for not keeping up with their payments, automatic or not. I understand that most think, hey i’m paying! But who doesn’t check their statements to make sure payments are going through? It’s kind of like creating an automatic bill pay for your credit card, and never checking to make sure that it goes through each month. And then you start getting collection calls for months upon months of missed payments… Do you blame the credit card company, or yourself?

  18. banshee said:
    On 14 Sep at 11:53 pm

    @Shawna – I’ve been with SurpassHosting for quite a few years now and have never had a problem like this. They had a rough patch with their support for a while, but they seem to be well over it. I daresay one person has had this freak problem and after a game of Chinese Whispers “one person” turns into “some users”. To that I say: Accidents Happen. I’d hardly stop using them because of that. I’d also like to add that if you’re using a PHP script you should be going to the author/site to verify information regarding security issues, not taking the word a random website forum. (Or not so random if you’re a member). Common sense, I feel.

  19. Maggie said:
    On 15 Sep at 12:11 am

    I use Surpass and love them deeply. I’ve never been so happy with a hosting company and I’ve been through many! I have read that they don’t allow codegrrl scripts. Which is fine with me since I don’t actually use them. Thats to bad that Surpass was misinformed though. I know that they where giving out bad advice and thats upsetting. At the same time though I’m happy that they where at least trying to help. Most companies just don’t care. I can’t blame them for being concerned about what makes it onto their servers. Thank you Jem for letting people know about not deleting the protection file. I’m sure a lot of Codegrrl users will appriciate it :)

  20. Kayla said:
    On 15 Sep at 7:41 am

    Hi, We have made a note on that post that the info was incorrect, it should have been ‘replace’ the new file, and the file should not be been removed. During that time I was not the one who came up with that answer, I only copy and pasted from another resource. The main thing I knew was that protection.php was causing a slew of problems and I was busy trying to fix those. ;)

  21. Jordie said:
    On 15 Sep at 8:21 am

    Sigh… :( We must trust our hosts so much and they let us down so hugely like this. Hope nobody suffered any permanent damage as a result of Surpass’ mistake…?

  22. King Echo said:
    On 15 Sep at 11:47 pm

    *fashioning Jem a cape*

  23. Heather said:
    On 16 Sep at 5:23 am

    :S Even though I’m not using any CodeGrrl scripts right now, I hope that I’m not exploited because of some dimwit deleting the protection.php file elsewhere on the server (I’m hosted by Surpass.)

  24. Kayla said:
    On 19 Sep at 7:09 am

    Heather- Someone deleting a file in their directory will only affect their own account. Nothing can happen to everyone on a server unless there is a major issue such as kernel exploitation which is extremely rare.