My company is currently dealing with an "issue" with our website hosting provider. The issue is that the provider's disaster recovery plan is laughable at best, and at worst, simply does not exist.

So, I will be providing some information and background so that you can determine who you're dealing with, what their capabilities are, and what recourse you have.

Background:
Cityscape Solutions use(s)/(d) a shared web hosting provider, Fragged Hosting, for its primary website, primary email, and database hosting services. Fragged Hosting is a sole proprietorship, determined through investigation, of Cody Vineyard, an 18 year old who's run the business since he was 16 under a "fake" unregistered corporation in Kentucky, Fragged Hosting, Incorporated. (Verification: Internet Wayback Machine, 2004, http://www.fraggedhosting.com, all pages are signed "Fragged Hosting, Inc.")

In June of 2005, an account manager was appointed by the owner to Cityscape Solutions, and several beneficial business relationships were created. Fragged was growing, with sales in the estimated 50,000 dollar gross annual bracket.

Now, fast forward to October of 2005, when elements of an Islamic activist group, Bakr150, attacked the primary hosting box, and replaced the front page of Fragged Hosting with an Islamic message in Arabic.

The hosting company did not report to anyone that their site was compromised. At 0426 CST, my own site was compromised; the first indication was that my email passwords were changed. Using the cPanel (a commercial web reseller management package) interface, I reissued myself a password and went into console using secure shell to assess the damage. Taking a complete backup of the directory in its compromised state for evidence, I checked in with the duty manager for that time period. This is where the trouble starts.

From that moment, the duty manager was clueless. He was aware only that the Director of Operations, Craig Reeves, had removed a rootkit (a backdoor superuser account) from the server earlier that day, and that he could not get into the server to do anything. The hacker(s) had changed the superuser password (root), and had altered the DNS entries for all websites, so that there were no records for DNS. In other words, www.fraggedhosting.com would fail to resolve with "DNS Error," and you can't find it without knowing the IP.

The DNS server had been hijacked, pointed to araby-host.com, which is a pro-Islamic hacking group's web hosting company. Other DNS entries which were added included some links to bakr150's site, which is part of the "Islamic CyberJihad," of which I have no threat profile.

The owner of the company, coming home from school at 4 PM, ordered his "upstream," the company he leases server space from, to turn off the computer. Around 6 PM CST, this occurs, as the upstream reseller must contact the real owner of the box, Savvis/Layered Technologies, and request that a tech remove the network cable.

This was last Saturday. It is now Monday night, and Fragged Hosting is waiting for Savvis to reinstall Linux onto their box, and give it back to them. There are clients, including myself, asking why it's taking so long. We're aware of one communication medium that the owner uses, Internet Relay Chat; those who aren't so fortunate are in the dark about what's going on.

So, how can you prevent yourself from going through this issue? Most will say, "Use a reputable webhost." How can you identify a reputable webhost from a disreputable one? The use of company names and "bling" rich-media websites are not indicators. Most professional webhosting company websites are actually templates; all you do is open the file in a standard text editor (not even Word) and find/replace [WEBSITE] with your website name. And, you have an instant website company.

For 65 dollars per month, a tier 2 webhost will sell anyone a "silent reseller" account. This is one computer, with a high-availability, very fast network jacked in, an operating system, and a copy of Plesk, cPanel, or Ensim. All three programs are designed to simplify the administration of website hosting for resellers. The tier 2 webhost will disavow all knowledge of the account, and requires the person paying for the account to provide all support. Some may say that "If it runs Windows 2003, it's obviously a real company," but this is incorrect. For 10-20 dollars a month, the box comes with Windows 2003 Small Business Server, or Web Server, preconfigured with Plesk, so that Windows Web Apps are able to be run.

When investigating a web hosting company, due diligence is required. I did due diligence on Fragged Hosting, determining that it's run by an 18-year-old kid out of Kentucky, helped by a 23-year-old in Britain and a few others. My host provided quite a bit of bandwidth and drive space for the low fee of 3 dollars per month, and through business alliances, I usually had a surplus credit on my account.

However, the moment disaster struck, the clients of Fragged Hosting found out that the company does not communicate with them, unless they are exclusive enough to be aware of the IRC Support channel. Their VoIP phone system works; however, few know the number. Their email may or may not work; most people have said no emails have been sent by Fragged Hosting, nor are their emails being received.

The official position of the owner is that they're waiting for the datacenter (the people who own the box that Fragged leases) to act on a reformat and OS reload ticket. It has been approximately one week and a day since the ticket was submitted to Layered Technologies by Fragged Hosting's upstream reseller, and there has been no further information.

Ask these questions when considering a web hosting company:
  • Who is the company in reality? Do they exist? Do they post a physical address or telephone number? If not, determine why or move on.
  • What is their disaster recovery plan? Do they know what one is?
  • What disclaimers are in their Terms of Service, and do they look enforceable in small claims court? Fragged Hosting disclaims all liability; however, failure to maintain standard of care will invalidate such disclaimers instantly.
  • What are the support methods, and will they operate when something fails? Are alternate email servers, DNS servers, VoIP servers, and a physical address present? If not, ask them why.
  • Who are the checks/credit card/PayPal going to? If the site is that of a corporation, why are you paying an individual? Explain why.
  • Who on the staff, or outsourced personnel, has technical knowledge of the WHM, cPanel, Operating System, and internet technologies? Are they certified through LPI, Red Hat, Microsoft, Sun, Novell, etc? If not, explain why. (Certification is not always an indicator of retention of knowledge, especially when there's an MCSE on staff for a Linux box.)
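
The question about alternate email and DNS servers can be turned into a quick check, shown here as an added example that is not part of the original post: given the addresses a domain's A, MX and NS records resolve to, flag the services that would go down together with the web box. The record sets are constructed samples using documentation address ranges, and grouping by /24 is an assumption.

```python
import ipaddress

# Constructed sample: resolved records for a hypothetical domain whose web,
# mail and DNS all sit on one shared hosting box (documentation IP ranges).
SINGLE_BOX = {
    "A":  [("www.example.test", "192.0.2.10")],
    "MX": [("mail.example.test", "192.0.2.10")],
    "NS": [("ns1.example.test", "192.0.2.10"),
           ("ns2.example.test", "192.0.2.11")],
}
# Constructed sample: the same site with mail and DNS hosted elsewhere.
SEPARATED = {
    "A":  [("www.example.test", "192.0.2.10")],
    "MX": [("mx.mailhost.test", "198.51.100.25")],
    "NS": [("ns1.dnshost.test", "198.51.100.53"),
           ("ns2.dnshost.test", "203.0.113.53")],
}

def networks(records, prefix=24):
    """Map each record's IPv4 address to its enclosing /prefix network."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for _, ip in records}

def shared_fate_findings(zone, prefix=24):
    """Return findings describing services that would fail together."""
    findings = []
    web, mail, dns = (networks(zone.get(k, []), prefix)
                      for k in ("A", "MX", "NS"))
    if len({ip for _, ip in zone.get("NS", [])}) < 2:
        findings.append("fewer than two distinct name server addresses")
    if len(dns) < 2:
        findings.append("all name servers are in one network")
    if dns & web:
        findings.append("name servers share a network with the website")
    if mail & web:
        findings.append("mail shares a network with the website")
    return findings

if __name__ == "__main__":
    for name, zone in (("single box", SINGLE_BOX), ("separated", SEPARATED)):
        print(name, "->", shared_fate_findings(zone) or "no shared-fate findings")
```

In practice the record sets would come from resolving the prospective host's (or your own) domain; two name server hostnames on neighbouring addresses, as in the first sample, still count as one point of failure.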


We are willing to wait this out, because our business operations are not impacted that much by the loss of a website, merely our advertising potential.