Australian security experts have warned they have found local hosting providers vulnerable to attack.
The hosting providers were found to have had inadequate internal security between customers, and in some cases had even secretly co-located customers who paid for dedicated environments.
"One of the providers had good controls operating, however that was certainly the minority," said Chris Gatford, director of Sydney-based penetration testing firm HackLabs.
He said many of the large and small providers were compromised through penetration tests run on behalf of his clients over the last five years.
Some large providers were revealed in the tests to have secretly co-located supposedly dedicated boxes. This meant that potentially sensitive customer data could be at risk if co-located customers were breached.
Hosting providers were too open in the way they allowed access to client information, Threat Intelligence director Ty Miller said.
"Many hosting providers allow anyone on the internet to access their clients' sensitive administrative services. This includes FTP, SSH, and even databases, which should basically never be accessible to the internet," Miller said.
"These services are attacked on a regular basis and have led to a large number of security breaches by simply guessing weak passwords to take control of the systems."
He said web-based administration interfaces to content management systems were examples of services open to the internet that were commonly exploited because hosting customers did not often apply patches.
During internal penetration tests conducted to simulate attacks by a malicious hosted customer, Miller had successfully compromised other clients due to poor internal network access controls.
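The two weaknesses Miller describes, administrative services reachable from the whole internet and one hosted customer's network able to reach another's, are both visible in a provider's access control rules. The following is an added example, not code from the article or from HackLabs or Threat Intelligence, of a small audit that flags both conditions in a rule list. The rule format, the tenant names and their address ranges, and the 203.0.113.0/24 "customer office" range are all constructed for the example.

```python
"""Audit constructed firewall/ACL rules for two hosting-provider weaknesses:
admin services open to the internet, and cross-tenant network access.
Rule format, tenant names and address ranges are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Administrative services that should not be reachable from the internet.
ADMIN_PORTS = {21: "ftp", 22: "ssh", 1433: "mssql", 3306: "mysql", 5432: "postgres"}
INTERNET = ipaddress.ip_network("0.0.0.0/0")

# Constructed tenant assignments: each customer's supposedly dedicated range.
TENANT_NETS = {
    "acme": ipaddress.ip_network("10.10.1.0/24"),
    "globex": ipaddress.ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


def tenant_of(net):
    """Return the tenant whose range contains `net`, or None (e.g. the internet)."""
    for name, tnet in TENANT_NETS.items():
        if net.subnet_of(tnet):
            return name
    return None


def audit(rules):
    """Return (severity, message) findings for allow rules that expose an
    admin service to the whole internet or cross a tenant boundary."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        if r.port in ADMIN_PORTS and src == INTERNET:
            findings.append(("high", f"{ADMIN_PORTS[r.port]}/{r.port} on {r.dst} "
                                     "is open to the whole internet"))
        s_tenant, d_tenant = tenant_of(src), tenant_of(dst)
        if s_tenant and d_tenant and s_tenant != d_tenant:
            findings.append(("high", f"tenant {s_tenant} may reach tenant "
                                     f"{d_tenant} on port {r.port}"))
    return findings


# Constructed weak ruleset: the pattern the article describes.
WEAK_RULES = [
    Rule("0.0.0.0/0", "10.10.1.10/32", 443, "allow"),      # public web: fine
    Rule("0.0.0.0/0", "10.10.1.10/32", 22, "allow"),       # SSH open to the world
    Rule("0.0.0.0/0", "10.10.1.20/32", 3306, "allow"),     # database open to the world
    Rule("10.10.1.0/24", "10.10.2.0/24", 3306, "allow"),   # acme can reach globex's DB
]

# Constructed hardened ruleset: admin access limited to the customer's own
# (hypothetical) office range, databases reachable only from the same tenant.
HARDENED_RULES = [
    Rule("0.0.0.0/0", "10.10.1.10/32", 443, "allow"),
    Rule("203.0.113.0/24", "10.10.1.10/32", 22, "allow"),
    Rule("10.10.1.0/24", "10.10.1.20/32", 3306, "allow"),
    Rule("10.10.1.0/24", "10.10.2.0/24", 3306, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(audit(rules))} finding(s)")
        for sev, msg in audit(rules):
            print(f"  [{sev}] {msg}")
```

The check deliberately treats any source of 0.0.0.0/0 on an admin port as a finding regardless of whether the service is password-protected, since the article's point is that exposed services get breached by password guessing alone; restricting the source range removes the attack surface rather than relying on password strength.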
"In general, due to the sheer number of systems that they have, the lack of control of the security of those systems, and the flexibility that they need to provide their users, the hosting industry tends to be less secure than most, and for these reasons they are a major target."
The warnings come in the wake of a trio of attacks against registrars: one on Melbourne IT, which affected the New York Times among others; one that led to the defacement of the Google Palestine homepage; and one on a China-based outfit that came under what was billed as the country's biggest-ever DDoS attack, knocking about a third of .cn sites offline.
In published analysis of the attacks, Miller said:
"Although these three cases appear to be quite independent of each other, they do raise the concern around security of registrars, the security of their partners, and the key part that these organisations play in the online safety for both businesses and individuals."