danielpferreira
« Reply #45 on: September 04, 2007, 09:50:43 PM »
My site was hacked too. All my pages were overwritten. This is extremely serious and I expect some explanation from Lunarpages.
JJ
« Reply #46 on: September 05, 2007, 01:45:12 AM »
 Thinking that it was just my index. and login. files affected, I just briefly opened up my forum so I could get into the admin panels to change all the admin accounts. Not only did I find the admin panels corrupted (missing options etc.) but I immediately got a phishing warning from Norton that my site was at risk and under investigation. Now I am really angry. This makes me want to drop LP and just go and find another web provider. Having said that, I guess the damage is already done now because the phishing warning is associated with my URL, right? 
SteveW
« Reply #47 on: September 05, 2007, 05:31:51 AM »
> the phishing warning is associated with my URL, right?

I don't know Norton, but I'd imagine so. However, you'd also expect that Norton, like Google, knows that many of these are the result of hacks. If Norton provides any means to do so, contact them and describe what happened. Once you believe the site is clean, contact them again and tell them so. Maybe check your site at http://www.siteadvisor.com/, too. They do provide an opportunity for comments from the site owner.
JeremyD
« Reply #48 on: September 05, 2007, 01:52:55 PM »
> Thinking that it was just my index. and login. files affected, I just briefly opened up my forum so I could get into the admin panels to change all the admin accounts. Not only did I find the admin panels corrupted (missing options etc.) but I immediately got a phishing warning from Norton that my site was at risk and under investigation. Now I am really angry. This makes me want to drop LP and just go and find another web provider. Having said that, I guess the damage is already done now because the phishing warning is associated with my URL, right?

First off, open a ticket with the Helpdesk. They will restore your site from a backup once they have validated you are who you say you are. Second, contact Norton and let them know about this and the issue at hand if Lunarpages has not already contacted them and let them know about this.
danielpferreira
« Reply #49 on: September 06, 2007, 01:25:58 AM »
My situation is ridiculous.
They blame me for the site being hacked. They want me to pay $75 to get the latest backup restored. The funniest thing is that they suggest that the hacker used the 'HTML.Iframe.FileDownload' exploit to get my password. Maybe they think I'm dumb or something? It's not only that I've never used Internet Explorer or Outlook. My box is protected through anti-virus, a firewall and a router, I never open a single e-mail from an unknown sender, I never open any script / code / executable attachments from e-mail and I don't visit shady pages.
I've been with Lunarpages for four years. At the beginning I was very happy. Support was fast and very helpful. Now I'm pretty upset if that's the way customers are treated, and will start looking for another hosting company. Will have to clean all the mess that the hacker added to my files manually...
Cher
« Reply #50 on: September 06, 2007, 05:33:33 PM »
> My situation is ridiculous.
> They blame me for the site being hacked. They want me to pay $75 to get the latest backup restored.

That is ridiculous. I used to be a LP customer up until a few months ago. I've since changed hosts and have different FTP ids and passwords set up. Today I happened to be browsing a log file, only to discover that someone was trying to use my old LP FTP id to log into my server. Sounds like something was compromised on LP's side to me, as only LP has record of that account anymore. I'm glad I jumped ship a while ago.
JJ
« Reply #51 on: September 07, 2007, 12:24:25 AM »
> First off, open a ticket with the Helpdesk. They will restore your site from a backup once they have validated you are who you say you are. Second, contact Norton and let them know about this and the issue at hand if Lunarpages has not already contacted them and let them know about this.

You would not believe how much trouble I am having getting LP to restore my files back to last week. I pay extra for the restore service and it is unbelievable that they still have not got their act together to do it. I have also tried to download copies of my databases and each transfer just keeps timing out (that never used to happen). So I cannot even get a solid copy of my database on my local machine to then get my forum up and running on another site. That is ridiculous.

> I used to be a LP customer up until a few months ago. I've since changed hosts and have different FTP ids and passwords set up. Today I happened to be browsing a log file, only to discover that someone was trying to use my old LP FTP id to log into my server.
> Sounds like something was compromised on LP's side to me, as only LP has record of that account anymore. I'm glad I jumped ship a while ago.

Now that about sums it up for me.
« Last Edit: September 07, 2007, 12:27:41 AM by JJ »
Peak
« Reply #52 on: September 09, 2007, 05:21:55 AM »
Changing passwords did help anyway.. :p

vsftpd:
    Unknown Entries:
        authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=58.65.235.1 user=*****: 2 Time(s)
        authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=58.65.235.1 user=*****: 1 Time(s)

What I do not really understand is why LP doesn't come out with what happened. It still seems to be going on (this was today's Logwatch on my server) and if everyone hasn't changed their passwords, their sites will continue to be hacked.
//Peak
SteveW
« Reply #53 on: September 09, 2007, 12:48:28 PM »
Peak, what are those log lines exactly, someone trying to log in by tty, or ftp or...? The reason I ask is that I'm banning IP addresses mentioned in these hacking threads, in case they're running through a list of LP sites. If those lines are hack attempts, that entire Hong Kong ISP will be banned. Actually, I'm banning them at this moment. Only kind words from you will unban them.  The range is 58.65.232.0/21.
« Last Edit: September 09, 2007, 12:57:38 PM by SteveW »
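Peak's Logwatch excerpt above and SteveW's question about whether those lines are worth banning a range over can be answered mechanically. The following script is an added example, not code posted by anyone in this thread: it parses Logwatch-style vsftpd "authentication failure" summary lines, totals the failures per remote host, and checks each host against a CIDR ban list (the 58.65.232.0/21 range SteveW mentions). The sample text is constructed to match the shape of Peak's post; the 192.0.2.10 entry and the failure threshold are assumptions added for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the Logwatch vsftpd summary quoted in the
# thread. The 58.65.235.1 entries mirror the post; 192.0.2.10 (a documentation
# address) is added here as a host outside the banned range.
SAMPLE_LOGWATCH = """\
vsftpd:
    Unknown Entries:
        authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=58.65.235.1 user=*****: 2 Time(s)
        authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=58.65.235.1 user=*****: 1 Time(s)
        authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=*****: 1 Time(s)
"""

# The range SteveW said he was banning.
BANNED_RANGES = ["58.65.232.0/21"]

# One Logwatch summary line: the remote host, the (masked) user and how many
# times Logwatch saw that exact line.
FAILURE_RE = re.compile(
    r"authentication failure;.*?rhost=(?P<rhost>\S+)\s+user=(?P<user>\S+?):\s+(?P<count>\d+) Time\(s\)"
)


def parse_failures(text):
    """Sum failed FTP logins per remote host across a Logwatch summary."""
    totals = Counter()
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            totals[m.group("rhost")] += int(m.group("count"))
    return totals


def in_banned_range(ip, cidrs=BANNED_RANGES):
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def flag_hosts(totals, cidrs=BANNED_RANGES, threshold=3):
    """Pick out hosts worth a closer look and say why.

    threshold is an assumed value for this example; tune it to the server's
    normal volume of mistyped passwords.
    """
    flagged = {}
    for host, failures in totals.items():
        reasons = []
        if failures >= threshold:
            reasons.append(f"{failures} failed logins")
        if in_banned_range(host, cidrs):
            reasons.append("inside banned range")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    totals = parse_failures(SAMPLE_LOGWATCH)
    for host, reasons in flag_hosts(totals).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Two caveats that follow from the thread itself: Logwatch only shows the failed attempts, so this spots probing after a password change, not the original logins Peak describes as succeeding on the first try; and, as SteveW notes further down, an .htaccess ban only covers the web server, so blocking a flagged host from FTP has to be done at the firewall or in the FTP daemon's own access controls.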
Peak
« Reply #54 on: September 09, 2007, 12:59:51 PM »
FTP.
I, and it looks like more than me according to this thread, have been hacked through FTP. No brute force or anything. Just logged in and (I suppose) uploaded the infected index.php files. The only way for someone to know the FTP info for those two accounts is to get them from LP. I'm the only one (except LP) who knew the passwords for the accounts. After I got the dedicated server, I just (lazy.. :p) moved over the two accounts that were hacked earlier with the same password.
After that, I created a third account that wasn't hacked. I changed the passwords for the two accounts directly when I found the changed files. I was a bit surprised that they didn't do anything else to the server (if you have the password, you can always log in on SSH and do some more nasty stuff), but I deduced that the ones that were hacking didn't know that the two accounts are on a dedicated server at the moment. There was another one here that had moved to another host and had someone trying to log in on his FTP with his old (LP) login. So my guess is that a lot of passwords are out in the wild at the moment.
//Peak
SteveW
« Reply #55 on: September 09, 2007, 01:22:45 PM »
Thank you. The .htaccess ban actually won't keep them out of FTP, but they're staying banned anyway. Frequent password changes (no matter how strong the passwords are) seem to be worthwhile at this time. Once a week might not be too often. Plus, if there is any reason your password might have passed through another computer (such as from filing a helpdesk ticket), changing your password as soon as the problem is resolved is something that might help and can't do any harm, unless you go through so many passwords that you forget to write one down and wind up locking yourself out and having to spend several minutes racking your brain before you recall it. But who'd do that??

Edit:
> I was a bit surprised that they didn't do anything else to the server

If all they want to do is make money off your site, they prefer to disrupt it as little as possible and go unnoticed so you don't repair it.
« Last Edit: September 09, 2007, 09:19:13 PM by SteveW »
Windsun
« Reply #56 on: September 09, 2007, 06:36:15 PM »
I am suspecting this was that zero-day cPanel hack from what I can find out from searching. cPanel was patched quite some time ago, but if the latest version with that fixed patch (it appears that the first patch that cPanel issued was bugged, and would not install unless forced) was not used, that might explain why so many varied sites got hit.
JJ
« Reply #57 on: September 11, 2007, 12:35:34 AM »
Just wondered if anyone had had any more problems since they changed their passwords?
For the pages I have restored everything appears to be secure again. However, I have been waiting over 4 days for LP to restore some other files back to a safe moment in time (26th August).
Just wondered, of those that were attacked, were any of you NOT running a bulletin board system? I was using a PHPBB system running at version 2.0.21 (one version below current release) and I just want to rule out whether this was a possible point for intrusion. If some of you were attacked without running a forum then this helps for the post mortem.
kakdela
« Reply #58 on: September 11, 2007, 01:14:55 PM »
> Just wondered if anyone had had any more problems since they changed their passwords?

No, I have not seen any more attacks since I changed my password.

> Just wondered, of those that were attacked, were any of you NOT running a bulletin board system? I was using a PHPBB system running at version 2.0.21 (one version below current release) and I just want to rule out whether this was a possible point for intrusion. If some of you were attacked without running a forum then this helps for the post mortem.

No, only one of my defaced sites had the PHPBB forum (the forum files, the index.php's, were defaced, just like the static ones), the other 90% of my sites had nothing that would indicate a security hole in scripting. So, it's probably nothing that you did. I think that somehow the hackers got a hold of LP's FTP password list to a bunch of LP accounts.
leighsww
« Reply #59 on: September 11, 2007, 09:50:35 PM »
I haven't had any recent attacks either, but I disabled all the index pages, so that wouldn't be any gauge as they can't hack something that's not there, lol (I had a blank index page for that domain, because it's not used as a website, and the employees didn't use the forum much, so I just disabled that altogether). The last attack to another of our accounts back in January, we weren't running any forums/bulletin board scripts, and it was strictly an HTML page that got hacked, so I have to agree with kakdela on this.