Complaint: Winhost.co.za

[IziWhatNow]

I am very unhappy with Winhost (aka Circle) at the moment and would urge everyone looking for Windows hosting to STAY CLEAR.

Let me explain.

First case
I needed to get into the PLESK back-end of one of my clients' site after a very long time of inactivity. I couldn't log into PLESK with the details I requested it to be reset.
On July the 19th I sent an email requesting the reset of the username and password. It is now 9 days later and I still haven't received a reply. This is unacceptable.

Second case
Another client of mine had visitors to his website tell him someone visiting their website got a virus warning from Kaspersky. I thought this was odd. Later, another visitor got a similar warning from AVG.
When I got home I looked into it and MSE also picked up a Trojan horse on the site, called JS/BlacoleRef.BV.
This is a site that hadn't been worked on for months and had been used without problems since then.
I contacted Winhost on the 25th (3 days ago) with the following message:

Hi,

Visitors to my website www.xxx.co.za have received reports from Kaspersky that the website is infected with a Trojan horse.

Can you please check the hosting server?

Thank you,
Name

In the meanwhile I found that some JS files used for Lightbox had been edited a few days ago. Like I said, I hadn't worked on the site in ages, so I knew these files were the cuplrits. I removed them and everything seemed to be okay. A Google search revealed that the virus might be the result of a security loophole in outdated PLESK versions. I checked another site of mine also hosted at Winhost and it was infected too!

The next day I mailed Winhost again with the following message:

Hi,

I emailed your support yesterday (2:12 PM) with a warning that there is potentially a trojan horse on www.xxx.co.za. It is now 34 hours later, and you don't look too worried.

Since this is a static website, and I hadn't worked on it for months, I knew I could log in via FTP and search for the most recently modified files to find the culprits. I found the following files to have been modified:
JS\Prototype.JS
JS\Scriptaculous.JS
JS\Swfobject.js.

I scanned them with Microsoft Security Essentials and they were found to be infected. I restored them from my local back-ups and it seems to be okay now.

After Googling I came across this link: "http://security.stackexchange.com/questions/17179/how-does-a-trojan-like-trojanjs-blacoleref-bv-infect-a-website" which suggests that the Trojan might have entered through a vulnerability in the hosting providers' PLESK system. If this is true, you have a problem. I visited another site of mine, yyy.co.za (also hosted with you), and found the same infection there. This site hadn't been worked on for months either.

I expect you to do a thorough investigation on these domains and the origin of the Trojan, and respond in a timely fashion.

I am very unhappy with your service at the moment (still waiting for support on www.aaa.co.za after days), and you may soon find your name on www.hellopeter.com and the MyBroadband forums.

One would think that an event like this may cause a stir at Winhost because all of their servers might be affected. But they just don't seem to care.

Needless to say, I still haven't heard of them on any of the two cases. I'm not a happy client at the moment.


Previously I had clients constantly complain about emails being down and sometimes even the entire site being down. These clients all requested to be moved to a new hosting provider.

So yeah, I just wanted to warn everyone about Winhost. They won't be receiving any more business from me.

 

[ebendl]

Did you look if there's any other way of getting support? I never trust an email alone (although some companies, such as texo.co.za are excellent when it comes to email support). First prize is a phone number, second prize is an online real-time chat, third prize is some sort of ticketing system, fourth place is email and last prize is a "Log your issue here and we'll get back to you" kind of form.

 

[IziWhatNow]

I did try to phone them once, but got no answer. They do send an auto reply that a ticket has been logged after emailing support. But that's about the only response you get.

 

[ebendl]

Mmm, then it is pretty pathetic. Close your account and move to another provider!

 

[koffiejunkie]

Do you have SSH access to the box? If you have you can find out the password.

But as it stands someone else has your passwords already (and everyone else on the box's passwords). See, the blackhole javascript exploit is making use of the fact that 1. People don't keep their Plesk installations up to date and 2. People don't rotate their passwords regularly.

Last year there was an authentication bypass vulnerability in Plesk's web interface, and more recently an SQL injection vulnerability. Parallels issued patches quickly, but Plesk doesn't auto-update, but you can initiate an update from within the panel if logged in as administrator.

I'm guessing your host didn't patch their stuff and your passwords got out.

 

[IziWhatNow]

I only have FTP access if I am not mistaken. It's*shared hosting and not self managed

 

[mic_y]

mmm, also had an issue on one of my ex-clients websites hosted with Circle. The site was blocked by google due to security vulnerabilities.

Luckily, due to them being an ex-client, it wasnt my issue any more, but there is definitely something up with the shared hosting at Circle...

 

[koffiejunkie]

I only have FTP access if I am not mistaken. It's*shared hosting and not self managed

Then get on the phone to them.

 

[The Web Space Bar]

The problem seems to run deeper,
i see their domain renewal been unpaid since 2 May..

I believe every hosting company *should* have a service level agreement to get back to you in x amount of time,
and that you should be compensated if response time is breaching service level agreement.

Where I would think it good business practice to respond with in a few hours ,
its bad when days go by and the company that hosts your website doesn't respond at all.

If they have some customer service representatives on mybb it would be good to see some feedback,
perhaps there is a rational explanation for the long wait time in not getting the email , i.e. perhaps they replied but the reply didnt deliver.
My theory for this is that I see their IP address is on a few email backlists , they should really get this sorted :
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist:196.41.139.42

In the end I do agree 100% with you , they should respond quicker and keep an eye on their IP blacklist state.

 

[IziWhatNow]

Thanks for all the comments guys.

I just received an email notification saying that yet ANOTHER website I host with them had been suspended because it exceeded its storage limit. But it's a little static HTML website that hadn't been worked on for years, so it is impossible. Gosh these people are useless

I can't access the site via FTP fir the whole day so I can only see what happened by tonight

 

[swsup97]

Move to another provider , staying with these guys seems to be more hassles than anything else ..if u not getting the desired service from there why bother to stick with them - hosting companies are a dime a dozen these days , u will find something better out there ..im currently with Hetzner and no problems experienced with them so far.

 

[The Web Space Bar]

Thanks for all the comments guys.

I just received an email notification saying that yet ANOTHER website I host with them had been suspended because it exceeded its storage limit. But it's a little static HTML website that hadn't been worked on for years, so it is impossible. Gosh these people are useless

I can't access the site via FTP fir the whole day so I can only see what happened by tonight

The problem you are describing sounds like overselling.
Meaning they have for example 1 gig , and sell not 10 x 100meg packages , but count on the fact that people dont use all their capacity so they will put , say , 50 x 100mb packages on the same capacity.
While that can work when the hosting company keeps an eye on the storage capacity and adds more when needed ,
it now sounds like you guys are running out of space when not evening using it.

 

[IziWhatNow]

Move to another provider , staying with these guys seems to be more hassles than anything else ..if u not getting the desired service from there why bother to stick with them - hosting companies are a dime a dozen these days , u will find something better out there ..im currently with Hetzner and no problems experienced with them so far.

That is the idea, soon all of my websites will be hosted elsewhere.

I just got a response to a support ticket about the exceeded disk space issue.

Hello Xxx,

This has been resolved for you.

Please let me know if you require any further assistance.

Regards,
Mark Lee
Customer Support
CIRCLE

 

[koffiejunkie]

I just received an email notification saying that yet ANOTHER website I host with them had been suspended because it exceeded its storage limit. But it's a little static HTML website that hadn't been worked on for years, so it is impossible

The disc space includes mail and log files. You probably had one or the other fill up.

The problem you are describing sounds like overselling.
Meaning they have for example 1 gig , and sell not 10 x 100meg packages , but count on the fact that people dont use all their capacity so they will put , say , 50 x 100mb packages on the same capacity.
While that can work when the hosting company keeps an eye on the storage capacity and adds more when needed ,
it now sounds like you guys are running out of space when not evening using it.

That's not how it works. Plesk has domains, clients (who can have many domains) and resellers (who can have many clients). For each tier, you can configure a variety of limits, including disc space and bandwidth. Overselling is done at a higher level, i.e. the owner of the server.

Overselling is not a bad or dishonest thing, unless you were paying for dedicated hosting. Plesk is a shared hosting solution, so in this case overselling is expected.

 

[Fishzn]

Also having issues with my account there since 02-08 - have been unable to log in to my Cpanel. So I guess its time to move on - just need to find a suitable alternative! It takes some time to find somebody whose any good here in SA.

I am considering moving offshore - just looking for a host with an international toll-free number. I don't think the load times are that much of a bogey anymore - anyone got any insight into that by any chance?

 

[The Web Space Bar]

Hi Fishzn.
There is quite a difference between load times , obviously as there are more hops to get to the destination.
Depending on the kind of site you are hosting load times will play a big role.
With blog sites for example , one might not notice the load time difference as much as for , say , a flash website or a image gallery.
Your target market should be the deciding factor , if your target market is international , host in the US / UK ,
if they are in SA , host in SA. Always give your target market the best loading speed you possibly can.
Load times also depends on how well the site is coded (Had to get it in there as Im sure some web designers will read this too)

If you need some real world examples I can put up an example site on our US and SA servers for you to test.

 

[RamblingMan]

Unless you are running a very interactive site, I don't think the international load times are all that bad.
Even mg.co.za is hosted in the US.

 

[SYNERGY]

For static websites - international is more or less fine.

For more complicated- dynamic websites, a local host will be needed sooner or later as the website expands. Costs also play a factor as well.

 

[3kwartappel]

Hi Pakka

Have you received any other feedback from Circle? My circle sites has been affected with malware as well for the past two months, with me fixing them every other week. (No help from circle)

I have lost all my frequent visitors because of this (Malware replaces the javascript, so this is making my website useless, and therefore not generating revenue through my adverts anymore).

After investigation, and giving them information of how to fix this infection more than a month ago, I have not received any feedback.

This is their servers that are infected, and I can only assume more websites are indeed affected. I am going to have to post on hellopeter now. and ask for a refund, this is not 99% uptime. my sites are broken. Im ******* frustrated

Here is one of the emails I sent a while ago, no response yet :

From: Me
Sent: 02 August 2012 11:52 AM
To: 'CIRCLE Windows'
Subject: RE: [Ticket ID: malware detected

Hi
It just happened again, but google didn’t block me this time. But these sites are now broken :

www.yyy.co.za
www.zzz.co.za
www.aaa.co.za

while investigating, I saw that yyy.co.za was redirecting to …./runforestrun?sid=boten_api… which shouldn’t happen.
Looks like the malware replaces all JS files. Attached are the one that has been infected, and the other is normal.

According to the internet, it is malware attaching itself to the JS. Please read here
http://www.securelist.com/en/blog/208193713/RunForestRun_gootkit_and_random_domain_name_generation
and here
http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/

“Most probably, it spreads through the recent vulnerability in Plesk Panel<http://kb.parallels.com/en/113321>, so we would like to appeal to every web administrator and every hosting provider to update the Plesk software on their servers to the newest version, apply all the security patches and change the passwords to all the FTP/SFTP/SSH accounts as soon as possible.”

Please let me know once you have fixed this vulnerability, because this is unacceptable.

Please assist urgently!

 

[IziWhatNow]

I have also noticed that one of my sites has been marked by Google as being infected with malware. Since the site is of no use to me at the moment, and the lack of response from Circle, I'm just going to not renew my hosting with them when the term is over in 3 months.

You on the other hand should take action since it is affecting your business. Keep us updated

Its really clear now how much Winhost cares about their customers