  1. #1

    I got compromised today =(

    So I've been hosting with a company for a while, but due to downtimes, slow loading times and unhelpfulness of tech support I moved to a new cloud based host yesterday.

    Today, as I was finishing up a move of the WordPress, WHMCS and IP.Board installations, I start getting redirected to a sketchy malware site selling drugs in a Wikipedia-esque site.

    I checked my other domains that were transferred, and noticed that they were redirecting as well. At this point, I start panicking and tried to login to WHM to revert nameservers back to the old host, but it was a no go; my WHM login had changed and I could not login.

    I immediately went to my google apps accounts to change my passwords to randomized 30 character ones in case they were logged, all while sending my new webhost updates.

    I get an email from the host's CEO (!) stating that my account was compromised and that it is currently suspended.

    At this point I am not sure what to do. Do I sit around and wait for my host to tell me to GTFO? How could an exploit like this happen? The computer I was using has MSE on it, but I've not been infected on any personal computer of mine. For those curious, I did all my password changing on my neglected Macbook running OSX 10.7 DP 4, which was mostly my email and music computer until now.

    I'll just reformat my computer in case it is somehow compromised, and I am still changing all my passwords. My websites run WordPress with no plugins and a theme I bought from themeforest, and my forums were patched up IP.Board 3.1.4. I had WHMCS that I just updated today to 4.1.2.

    What else should I do?
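    Since the first symptom was every migrated site redirecting to a third-party "pharmacy" page, the first thing worth doing once the files are reachable again is to find where the redirect was planted. The script below is an added example, not something from this thread or from the WordPress/IP.Board/WHMCS projects. It assumes the redirect lives in one of the usual places (an .htaccess rewrite to an external host, a PHP file carrying eval(base64_decode(...)) or a header('Location: ...') off-site, or an injected JavaScript/meta-refresh redirect) and builds a small constructed web root in a temporary directory so it runs offline; the allowed hostnames and every sample file are assumptions.

```python
"""Scan a web root for injected redirects to off-site hosts.

Added example. ALLOWED_HOSTS and the sample files are constructed; adjust
ALLOWED_HOSTS to the domains the site legitimately redirects to.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumption: the operator's own domains; redirects to anything else are suspect.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

HTACCESS_REDIRECT = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent)?)\s+.*?(https?://([^/\s\"']+))", re.I | re.M)
PHP_OBFUSCATION = re.compile(
    r"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
PHP_HEADER_REDIRECT = re.compile(r"header\s*\(\s*[\"']Location:\s*(https?://([^/\s\"']+))", re.I)
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"'](https?://([^/\s\"']+))", re.I)
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']refresh[\"'][^>]+url=(https?://([^/\s\"';]+))", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


def _off_site(host):
    return host.lower() not in ALLOWED_HOSTS


def scan_file(path):
    """Return the Findings for one file; unreadable files are skipped."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    findings = []
    if os.path.basename(path) == ".htaccess":
        for m in HTACCESS_REDIRECT.finditer(text):
            if _off_site(m.group(3)):
                findings.append(Finding(path, "htaccess-redirect", m.group(2)))
    if path.endswith(".php"):
        m = PHP_OBFUSCATION.search(text)
        if m:
            findings.append(Finding(path, "php-obfuscated-eval", m.group(0)))
        for m in PHP_HEADER_REDIRECT.finditer(text):
            if _off_site(m.group(2)):
                findings.append(Finding(path, "php-header-redirect", m.group(1)))
    if path.endswith((".php", ".html", ".js")):
        for rx, kind in ((JS_REDIRECT, "js-redirect"), (META_REFRESH, "meta-refresh")):
            for m in rx.finditer(text):
                if _off_site(m.group(2)):
                    findings.append(Finding(path, kind, m.group(1)))
    return findings


def scan_tree(root):
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            results.extend(scan_file(os.path.join(dirpath, name)))
    return results


def build_sample_webroot():
    """Constructed sample: one clean theme file, one legitimate redirect, four injections."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        # Cloaked: only search-engine crawlers get sent to the pharmacy site.
        ".htaccess": "RewriteEngine On\n"
                     "RewriteCond %{HTTP_USER_AGENT} (Googlebot|bingbot) [NC]\n"
                     "RewriteRule ^(.*)$ http://pharma.invalid/$1 [R=302,L]\n",
        "wp-content/themes/bought/functions.php": "<?php\nadd_action('init', 'theme_setup');\n",
        "wp-content/themes/bought/footer.php": "<?php eval(base64_decode('ZWNobyAneCc7')); ?>\n",
        "forums/index.php": "<?php header('Location: http://pharma.invalid/landing'); exit; ?>\n",
        "wp-includes/js/jquery.js": "/* jQuery */\nwindow.location.href = \"http://pharma.invalid/\";\n",
        # Legitimate: points at one of ALLOWED_HOSTS, so it must not be reported.
        "index.html": "<meta http-equiv=\"refresh\" content=\"0; url=https://www.example.com/\">\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_webroot()):
        print(f"{f.kind:22} {f.path}\n    {f.detail}")
```

    Run it against the real document root (scan_tree("/home/acct/public_html")) after replacing ALLOWED_HOSTS. Anything it reports in a core WordPress or IP.Board file, or in a theme file you did not edit, is a file to diff against a clean copy of that release rather than to "clean up" in place.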

  2. #2
    Are you sure it's not your computer that got a virus, instead of your host?

  3. #3
    I mentioned in my post that I am reformatting the Windows 7 computer that I was doing all the migration on and that I am currently posting on a Macbook running OSX 10.7 that I used mostly for Sparrow and iTunes.

  4. #4
    I don't think there is a reason for you to get suddenly compromised in your own personal computer right at the time you were moving the host.

    I think it's more likely that the host was compromised itself.

  5. #5
    Your host may have been compromised.

    I would just recommend you change all your passwords.

    Good job on formatting. You really can't do anything but format once you're infected.

  6. #6
    Yes, I would also change my passwords ... sorry that happened to you.

  7. #7
    Quote Originally Posted by Appdeveloper View Post
    Your host may have been compromised.

    I would just recommend you change all your passwords.

    Good job on formatting. You really can't do anything but format once you're infected.
    You can download MBAM (MalwareBytes Anti-Malware) and run it in your computer.

    Once you're infected, there's still a possibility of recovering things back. That's why tech forums have a team called the "HJT Team" or "HiJackThis Team". They specialize in virus, spyware, and malware removal.

  8. #8
    I don't know what to do, I just got this email:

    Thank you for your patience while the issue was researched. It has been determined that your account, ******, was used for malicious activity yesterday morning and therefore your account has been terminated per our TOS.

    The account was used to attempt to gain root level access to the server, redirect websites to a malware site, unauthorized activity of the /tmp directory, unauthorized activity of MySQL, and all of which was done from your IP address 173.***.***.***.

    Normally in this situation we would impose additional fees for this unauthorized and illegal activity, as well as report this incident to the proper state and federal authorities for prosecution. Our security and integrity is something we take very seriously, and do not look at these situations lightly.

    However, I will give you the benefit of the doubt for now and assume you too are a victim in this incident. I do not know if your IP is a business network with many users, or just yourself, but there is obviously someone using your network to perform this unauthorized activity. I would suggest performing your due diligence internally and finding the cause, and resolving this before anything else happens that could land you in a lot of trouble. We will waive any additional fees, damages, and prosecution based on this assumption.

    The IP is correct, how would this happen??

  9. #9
    Quote Originally Posted by Hakaslak View Post
    I don't know what to do, I just got this email:

    Thank you for your patience while the issue was researched. It has been determined that your account, ******, was used for malicious activity yesterday morning and therefore your account has been terminated per our TOS.

    The account was used to attempt to gain root level access to the server, redirect websites to a malware site, unauthorized activity of the /tmp directory, unauthorized activity of MySQL, and all of which was done from your IP address 173.***.***.***.

    Normally in this situation we would impose additional fees for this unauthorized and illegal activity, as well as report this incident to the proper state and federal authorities for prosecution. Our security and integrity is something we take very seriously, and do not look at these situations lightly.

    However, I will give you the benefit of the doubt for now and assume you too are a victim in this incident. I do not know if your IP is a business network with many users, or just yourself, but there is obviously someone using your network to perform this unauthorized activity. I would suggest performing your due diligence internally and finding the cause, and resolving this before anything else happens that could land you in a lot of trouble. We will waive any additional fees, damages, and prosecution based on this assumption.

    The IP is correct, how would this happen??
    There are two ways:
    1. Your hosting company is lying
    2. The hacker set up a proxy on your computer, connected to it, and then used your internet connection as a proxy (giving them YOUR IP address). People do this a LOT to commit fraud (credit card/identity fraud) because the IP doesn't show up as a proxy IP, and YOU take the blame.

  10. #10
    This is pretty common from what i've seen,

    We have a bunch of developers that get comped all the time, then they comp our customers' servers through their computer.

    It gets sticky at times.

    I'd reformat your machine.

  11. #11
    The host seems fairly reliable, and there is no suspicious activity showing up on Forefront on my local server at home.

    As I said above, I did format my box, but I format fairly often as my data and files are on a file server and other partitions, and I have slipstreamed ISOs of Windows 7 that I install over the network.

  12. #12
    This is from my local Server 08 R2 box, which is also my file server:


    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6922

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    6/22/2011 2:25:01 PM
    mbam-log-2011-06-22 (14-25-01).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 260386
    Time elapsed: 5 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    I really don't know what to do. They suspended my account, and now I'm locked out of my files and I'm not sure how to change the DNS settings.

  13. #13
    Get Kaspersky Pure 2011 and scan your computer with that. It had near-99% rates.

  14. #14
    Don't worry about your DNS settings.

    If you reinstalled, then you have nothing to worry about.

    To set up a remote proxy on a (victim's) computer, it:
    1. Must be infected (duh)
    2. Must have a port open (To connect)
    3. Must have a decent internet connection (To actually use it)
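    The proxy scenario in posts #9 and #14 leaves a footprint on the victim's own machine that the three conditions above describe: a listening port nobody on the box set up, and a process holding connections to the outside. The script below is an added example, not from the thread, of triaging a Windows `netstat -ano` snapshot for exactly that (the poster's migration box was Windows 7). The snapshot, the PIDs, the expected-port allowlists and the remote addresses (198.51.100.7 and 203.0.113.10 are documentation addresses) are all constructed.

```python
"""Triage a `netstat -ano` snapshot for signs the box is proxying for someone else.

Added example. Flags: listeners outside EXPECTED_LISTEN_PORTS, established
connections to unusual destination ports, and any process that both listens
and has an outside host connected to the port it opened.
"""
from collections import defaultdict

# Assumption: the ports this particular workstation is supposed to expose.
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389}
# Assumption: outbound destination ports nobody would question on a desktop.
COMMON_OUTBOUND_PORTS = {25, 53, 80, 123, 443, 587, 993, 995}

# Constructed snapshot in `netstat -ano` layout. PID 3320 listens on 1080 (the
# default SOCKS port), has an outside host connected to it, and itself connects
# out to that host on 6667 (IRC), a classic bot-with-proxy pattern.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       3320
  TCP    192.168.1.20:49233     203.0.113.10:443       ESTABLISHED     2752
  TCP    192.168.1.20:49240     198.51.100.7:6667      ESTABLISHED     3320
  TCP    192.168.1.20:1080      198.51.100.7:51822     ESTABLISHED     3320
  UDP    0.0.0.0:5355           *:*                                    1052
"""


def _split_addr(addr):
    """'host:port' -> (host, port or None); handles '[::]:135' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def _is_local(host):
    """Loopback, RFC 1918 and link-local, checked by hand: ipaddress.is_private()
    would also treat the documentation ranges used in the sample as private."""
    if host in ("*", "0.0.0.0", "::", "::1"):
        return True
    if host.startswith(("127.", "10.", "192.168.", "169.254.", "fe80:")):
        return True
    if host.startswith("172."):
        second = host.split(".")[1]
        return second.isdigit() and 16 <= int(second) <= 31
    return False


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header lines and blanks
        proto, local, foreign = parts[:3]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def triage(text):
    rows = parse_netstat(text)
    listen_ports = defaultdict(set)          # pid -> ports it listens on
    for r in rows:
        if r["state"] == "LISTENING":
            listen_ports[r["pid"]].add(r["lport"])
    unexpected = sorted((r["lport"], r["pid"]) for r in rows
                        if r["state"] == "LISTENING" and r["lport"] not in EXPECTED_LISTEN_PORTS)
    odd_outbound, proxy_pids = [], set()
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        inbound = r["lport"] in listen_ports[r["pid"]]
        if inbound and not _is_local(r["fhost"]):
            proxy_pids.add(r["pid"])         # an outside host is connected to a port this process opened
        elif not inbound and r["fport"] not in COMMON_OUTBOUND_PORTS:
            odd_outbound.append((r["fhost"], r["fport"], r["pid"]))
    return {"unexpected_listeners": unexpected,
            "odd_outbound": odd_outbound,
            "proxy_candidates": sorted(proxy_pids)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

    On a live box, feed it the output of `netstat -ano` and resolve the flagged PIDs with `tasklist /FI "PID eq 3320"`; a hit is a reason to image the machine before the reformat, since the wiped disk is also the only evidence you could have handed the host.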

  15. #15
    I have KIS 2011 and I'll scan with that as well, but I doubt it will find anything either.

  16. #16
    Kaspersky Internet Security scores less than Kaspersky Pure, both in proactive and retroactive detection and protection.

  17. #17
    I would ask them to give you logs showing the activity from your IP and explain to them that you're trying to track down what happened so you can make sure it doesn't happen again, with them or with another provider.
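    If the host does hand over logs, the useful thing to do with them is to line them up against what you were actually doing from that address. The script below is an added example, not from the thread or from cPanel, of that correlation over combined-format access-log lines: it groups requests per source IP and checks two things, whether more than one client (user agent) was behind the address, and whether requests fall outside the window the owner was actually working. The log lines, the paths, the account name "acct1" and the address 203.0.113.45 (a documentation address standing in for the redacted one) are constructed, and the owner's active window is an assumption.

```python
"""Correlate access-log lines from one source address with the owner's own activity.

Added example. The sample lines and OWNER_ACTIVE window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: two requests from a browser while the owner was migrating, then
# three hours later a scripted client from the same address, i.e. the proxy case.
SAMPLE_LOG = """\
203.0.113.45 - acct1 [21/06/2011:15:02:10 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:4.0) Gecko/20100101 Firefox/4.0"
203.0.113.45 - acct1 [21/06/2011:15:04:33 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 10234 "-" "Mozilla/5.0 (Windows NT 6.1; rv:4.0) Gecko/20100101 Firefox/4.0"
203.0.113.45 - acct1 [22/06/2011:05:17:02 -0000] "POST /login/ HTTP/1.1" 301 0 "-" "Python-urllib/2.6"
203.0.113.45 - acct1 [22/06/2011:05:17:40 -0000] "GET /frontend/x3/sql/index.html HTTP/1.1" 200 512 "-" "Python-urllib/2.6"
203.0.113.45 - acct1 [22/06/2011:05:19:12 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 61 "-" "Python-urllib/2.6"
"""

# Assumption: when the owner was actually at the keyboard doing the migration (UTC).
OWNER_ACTIVE = (datetime(2011, 6, 21, 13, 0, tzinfo=timezone.utc),
                datetime(2011, 6, 21, 23, 0, tzinfo=timezone.utc))

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines that do not fit the format are skipped, not guessed at
        entries.append({
            "ip": m.group("ip"), "user": m.group("user"),
            "ts": datetime.strptime(m.group("ts"), "%d/%m/%Y:%H:%M:%S %z"),
            "req": m.group("req"), "status": int(m.group("status")), "ua": m.group("ua"),
        })
    return entries


def summarize(entries, owner_window):
    """Per source IP: request count, users, user agents, first/last seen,
    the requests outside the owner's window, and the resulting flags."""
    start, end = owner_window
    by_ip = defaultdict(lambda: {"requests": 0, "users": set(), "user_agents": set(),
                                 "first": None, "last": None, "outside_window": []})
    for e in entries:
        s = by_ip[e["ip"]]
        s["requests"] += 1
        s["users"].add(e["user"])
        s["user_agents"].add(e["ua"])
        s["first"] = e["ts"] if s["first"] is None or e["ts"] < s["first"] else s["first"]
        s["last"] = e["ts"] if s["last"] is None or e["ts"] > s["last"] else s["last"]
        if not start <= e["ts"] <= end:
            s["outside_window"].append(e)
    for s in by_ip.values():
        flags = []
        if len(s["user_agents"]) > 1:
            flags.append("more than one client behind this address")
        if s["outside_window"]:
            flags.append(f"{len(s['outside_window'])} request(s) outside the owner's active window")
        s["flags"] = flags
    return dict(by_ip)


if __name__ == "__main__":
    for ip, s in summarize(parse_log(SAMPLE_LOG), OWNER_ACTIVE).items():
        print(f"{ip}: {s['requests']} requests, {s['first']:%Y-%m-%d %H:%M} to {s['last']:%Y-%m-%d %H:%M}")
        for ua in sorted(s["user_agents"]):
            print(f"  UA: {ua}")
        for e in s["outside_window"]:
            print(f"  outside window: {e['ts']:%Y-%m-%d %H:%M:%S} {e['req']} -> {e['status']}")
        for flag in s["flags"]:
            print(f"  FLAG: {flag}")
```

    A second user agent from your own address, at an hour you were asleep, is the evidence that supports the "your machine was used as a relay" reading over "you did it", and it is what you would want to put in front of the host when asking them to reconsider the termination.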

  18. #18
    You don't use any unsecured wifi access by chance do you? I've seen that happen before, unsecured wifi, no SSL, etc can lead to people sniffing out your info that way from a close distance.

  19. #19
    Quote Originally Posted by MikeTrike View Post
    You don't use any unsecured wifi access by chance do you? I've seen that happen before, unsecured wifi, no SSL, etc can lead to people sniffing out your info that way from a close distance.
    His hosting should have at least sent his details through a secured (encrypted) connection. Most encrypted connections use AES-256 encryption, which is impossible to crack (it can only be brute-forced).

  20. #20
    WPA2 with a 12 character password with upper, lower, and symbols. It's also different from any other password I use.

    My neighborhood is also mostly retired gardeners.
