Web Hosting Forum | Lunarpages

Author Topic: Lunarpages hacked at the time accounts were moved to a new server?  (Read 5248 times)

Offline Comet Software

  • Spacescooter Operator
  • *****
  • Posts: 40
Lunarpages hacked at the time accounts were moved to a new server?
« on: September 06, 2016, 04:47:12 PM »
Today I received an email from Lunarpages that my site was guilty of "Windows shared account high usage and Malware found".  They cited 3 files in my httpdocs folder ("Win.Trojan.Parite-8 FOUND") that don't have 8-bit ASCII file names and one asp file ("Win.Trojan.Ace-14 FOUND").  I Googled those virus/malware names and couldn't find anything.

When I went to Plesk and looked at the File Manager, I found a few interesting things.  First, those three files were in my httpdocs folder, as well as many folders that I had not created that were dated March 7, 2016.  Looking around further, I could tell that my site was hacked, and one file indicated that it was hacked and/or "reported" by "chinafans".

Looking back at some emails, I recognized that the March 7 to 9, 2016 timeframe was when my account was transferred by Lunarpages to a new server.  Admittedly I have not really looked at my folders since the transfer, other than at the time to identify an FTP issue and just recently to identify an issue with enabling "directory listing", so I cannot say how long those folders/files have been there.

So, my concern is that my site was compromised at the time that my site was transferred to the new server.  Searching the Lunarpages forums I cannot find any posts related to this matter.  Has anybody else seen this issue?  Have you looked closely at your httpdocs folder recently to verify if this has happened to your site?

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6207
Re: Lunarpages hacked at the time accounts were moved to a new server?
« Reply #1 on: September 07, 2016, 07:52:17 AM »
I doubt the original trojans had those file names. That would be too obvious. They might have been renamed by the scanner.

I use Linux servers, so I'm not familiar with this event. In any case, make sure you open a support ticket and go on record pointing out to LP that someone hacked you at some point (around the time of server transfer) and that is why you have the malware there. Work with them to clean it up, and avoid being penalized.

I have an automated file listing of all my files that I regularly compare to the previous listing, to spot any new files of unknown origin, and any changes to existing files that I can't account for.

Note that canned software (WordPress, blogs, forums, stores, etc.) is frequently to blame for admitting hackers in to do their dirty work. Make sure you stay up to date with any off-the-shelf software, have good passwords, etc., and keep abreast of security news, especially for the canned applications you use.
-= From the ashes shall rise a sooty tern =-
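An added example of the listing-and-compare check described in this reply (example code written for this page, not MrPhil's own script and nothing from Lunarpages): it records the path, size, modification time and SHA-256 of every file under a web root, saves that as a JSON baseline, and on the next run reports files that appeared, vanished or changed since the last run. The web-root folder name `httpdocs`, the baseline file name and the `demo()` tree are all assumptions made for illustration.

```python
"""Baseline-and-diff file integrity check for a web root.

Added example illustrating the practice described in the reply above; it is
not code from the forum post or from the hosting provider. The folder name
'httpdocs' and the baseline file name are assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_listing(root: str) -> dict:
    """Walk `root` and return {relative_posix_path: {size, mtime, sha256}}."""
    root_path = Path(root)
    listing = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # never follow links that may point outside the web root
            st = p.stat()
            rel = p.relative_to(root_path).as_posix()
            # mtime is kept for context (when did this appear?), but the hash,
            # not the timestamp, decides whether a file counts as modified.
            listing[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                            "sha256": sha256_of(p)}
    return listing


def compare_listings(previous: dict, current: dict) -> dict:
    """Return the files that were added, removed or changed since `previous`."""
    prev_keys, cur_keys = set(previous), set(current)
    added = sorted(cur_keys - prev_keys)
    removed = sorted(prev_keys - cur_keys)
    modified = sorted(k for k in prev_keys & cur_keys
                      if previous[k]["sha256"] != current[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def check_site(root: str, baseline_file: str) -> dict:
    """Diff the live tree against the saved baseline, then store the new baseline.

    On the very first run there is no baseline, so everything is recorded and
    nothing is reported; differences show up from the second run on.
    """
    current = build_listing(root)
    baseline_path = Path(baseline_file)
    previous = (json.loads(baseline_path.read_text())
                if baseline_path.exists() else current)
    report = compare_listings(previous, current)
    baseline_path.write_text(json.dumps(current, indent=1, sort_keys=True))
    return report


def suspicious_names(listing: dict) -> list:
    """Flag paths containing non-ASCII characters, a cheap extra signal worth
    reviewing by hand alongside the diff."""
    return sorted(p for p in listing if not p.isascii())


def demo() -> tuple:
    """Build a constructed sample tree, take a baseline, tamper with the tree,
    and return (first_report, second_report) to show what the check surfaces."""
    work = Path(tempfile.mkdtemp())
    root = work / "httpdocs"          # assumed web-root folder name
    (root / "img").mkdir(parents=True)
    (root / "index.html").write_text("<html>hello</html>")
    (root / "img" / "logo.png").write_bytes(b"\x89PNG constructed sample")
    baseline = str(work / "baseline.json")

    first = check_site(str(root), baseline)   # establishes the baseline

    # Constructed tampering: edited page, deleted image, unexpected new script.
    (root / "index.html").write_text("<html>hello<script>x</script></html>")
    (root / "img" / "logo.png").unlink()
    (root / "unexpected.asp").write_text("<% %>")

    second = check_site(str(root), baseline)  # now reports the differences
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"first_run": before, "second_run": after}, indent=1))
```

Run it on a schedule (cron, or the host's task scheduler) against a local FTP download of the site, and keep the baseline file outside the web root so a file dropped into httpdocs cannot overwrite the record you are comparing against. Hashes rather than timestamps decide "modified" because a modification time is trivially set to any value, which also means a batch of folders all stamped with one date, like the ones described in the opening post, should be judged by content, not by date alone.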

Offline Comet Software

  • Spacescooter Operator
  • *****
  • Posts: 40
Re: Lunarpages hacked at the time accounts were moved to a new server?
« Reply #2 on: September 09, 2016, 04:46:43 AM »
I stated that Lunarpages sent me an email, but actually it was from a support ticket.  And I did reply with the information that I posted here, suggesting that they do some research to determine if the hacking of my site and possibly others occurred during the server transfer.  Their response was to repeat to me ALL the steps (FTP download, scan, blah, blah, blah, etc.) that I have to do to clean up my site, but without acknowledging any possibility or research related to the server transfer.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6207
Re: Lunarpages hacked at the time accounts were moved to a new server?
« Reply #3 on: September 09, 2016, 07:24:49 AM »
Well, I've never heard of a site being hacked during transfer to another server, but that doesn't mean it's impossible (or not an Inside Job). More likely, something was briefly left unguarded (no password protection, etc.) during the process, and some hacker slipped in before you closed that hole. Possible? Did anything change during the process, such as account name or path to a password file? Was your server name hard coded into some security-related configuration file (e.g., .htaccess) or some script (e.g., PHP) code, and it wasn't changed immediately? Were all your canned applications up-to-date at the time? Was the new server at a higher or lower level of whatever scripts you use (e.g., PHP) than previously?

These days, too much of LP "support" seems to be simply reading scripts and checklists, with very little understanding of what's going on.