The other day I was helping a friend with her unused WordPress site. She had asked me to install Simple:Press (a forum plugin for WordPress) so she could try it out for a new site she will be creating. Her site is hosted by the same company that hosts several of my own and my clients’ sites.
I uploaded and installed the forum software, then password protected her site, as she had asked me to do.
A few minutes later I was unable to access her site, and when I went to work on one of my own sites while this presumably temporary problem resolved itself, I found I was unable to access that too.
I’d try to visit the site with my web browser, or my FTP software, and after several moments of a ‘working’ cursor either the access attempt would just silently fail, presenting me with a blank page, or some kind of ‘timeout’ error message would appear.
This was worrying. I hadn’t come across this particular forum software before and I was worried that perhaps it carried some kind of malware that was maybe creeping across the hosting company’s server.
I tried a traceroute, using Apple’s Network Utility (freely available in the Applications – Utilities folder on all modern Macs).
The traceroute showed that for all the affected sites, my MacTips and Oddity59 sites and my friend’s site, the traceroute would stop at one particular point along the route. I concluded this was some kind of spontaneous network error.
Skipping ahead a few days, in which we made a quick trip to Hamilton and back, I carried out a lot of investigation. TelstraClear Helpdesk were involved — they are my ISP. They didn’t help. Webgrrls were involved. They did help. I eventually discovered several interesting facts:
- It seemed everyone else on the planet could see the affected sites, including those using TelstraClear.
- I could see the affected sites if I used a different network, such as my iPhone through Vodafone, my Hamilton friend’s Inspire network, or a cloaking service that masked my static IP address.
- I couldn’t see any client sites hosted at the same company, unless the site was on a different server. I used You get signal to find other sites hosted on the same server.
- The forum software didn’t have any posts on its own support forum about this problem and googling didn’t locate anything helpful. I didn’t find any suggestions that this forum software was in any way malware. In fact, some reputable looking sites were using it.
A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server.
I eventually concluded that the problem was very specific to one particular server, so finally submitted a help ticket to the hosting company. By now 5 days had gone by since the problem originally appeared and I was very frustrated. I couldn’t reach my own blogs — including sites that had worked perfectly for a decade.
Within a few minutes all my sites were back. Here’s what the hosting company said:
That issue a local firewall block. It appears a file/action on the [sitename] simple-forum addon generated a false positive (xss cross site scripting attack), result was your static ip got blocked. I’ve now cleared that block, also whitelisted [static IP], and removed the individual firewall rule that caused the false positive (firewall history checking showed the rule is virtually redundant and no longer needed).
I’m very glad to know the hosting company has such protections in place, but the block caused me a lot of wasted time and effort and frustration. The biggest problem was that faced with blank pages I had no idea what was going on. My assumption that it was a network problem wasn’t correct, and it was only as a last resort that I contacted the hosting company.
I hope this post may turn up in a search for anyone suffering a similar problem, plus provide links to a couple of useful tools, such as the cloaking site and the reverse IP lookup site.
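The pattern described above (every site on one server timing out from one address while other networks and other servers work) can be checked mechanically. This is an added example, not part of the original post; the vantage labels, the 192.0.2.x addresses and the .example hostnames are constructed placeholders.

```python
import socket
from collections import defaultdict

def probe(host, port=443, timeout=5.0):
    """TCP connect from this machine: 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:           # packets silently dropped (typical of a firewall block)
        return "timeout"
    except ConnectionRefusedError:   # host answered, nothing listening on the port
        return "refused"
    except OSError:                  # DNS failure, no route, and so on
        return "error"

def diagnose(results, me="home"):
    """results: (vantage, server_ip, site, outcome) tuples; returns {server_ip: verdict}."""
    by_server = defaultdict(lambda: defaultdict(list))
    for vantage, server, _site, outcome in results:
        by_server[server][vantage].append(outcome == "open")
    verdicts = {}
    for server, per_vantage in by_server.items():
        mine = per_vantage.get(me, [])
        others = [ok for v, oks in per_vantage.items() if v != me for ok in oks]
        if not mine or not others:
            verdicts[server] = "insufficient data"
        elif all(mine):
            verdicts[server] = "reachable"
        elif any(mine):
            verdicts[server] = "site-specific fault"
        elif all(others):
            verdicts[server] = "source address blocked at this server"
        elif not any(others):
            verdicts[server] = "server down or unreachable for everyone"
        else:
            verdicts[server] = "mixed: partial outage or wider block"
    return verdicts

# Constructed observations: "home" is the affected connection, the other two
# are a mobile network and a proxy; outcomes are what probe() would return.
SAMPLE = [
    ("home",   "192.0.2.10", "site-a.example", "timeout"),
    ("home",   "192.0.2.10", "site-b.example", "timeout"),
    ("home",   "192.0.2.20", "site-c.example", "open"),
    ("mobile", "192.0.2.10", "site-a.example", "open"),
    ("proxy",  "192.0.2.10", "site-b.example", "open"),
    ("mobile", "192.0.2.20", "site-c.example", "open"),
]

if __name__ == "__main__":
    for server, verdict in diagnose(SAMPLE).items():
        print(server, "->", verdict)
```

A verdict of "source address blocked at this server" is the point at which to contact the hosting company and give them the blocked address.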