
06-21-2011, 11:16 AM
Newbie
Join Date: Jul 2008
Posts: 24
I got compromised today =(
So I've been hosting with a company for a while, but due to downtimes, slow loading times and the unhelpfulness of tech support, I moved to a new cloud-based host yesterday.
Today, as I was finishing up a move of the WordPress, WHMCS and IP.Board installations, I started getting redirected to a sketchy malware site selling drugs on a Wikipedia-esque page.
I checked my other domains that were transferred and noticed that they were redirecting as well. At this point I started panicking and tried to log in to WHM to revert the nameservers back to the old host, but it was a no-go; my WHM login had changed and I could not log in.
I immediately went to my Google Apps accounts to change my passwords to randomized 30-character ones in case they were logged, all while sending my new web host updates.
I got an email from the host's CEO (!) stating that my account was compromised and that it is currently suspended.
At this point I am not sure what to do. Do I sit around and wait for my host to tell me to GTFO? How could an exploit like this happen? The computer I was using has MSE on it, but I've not been infected on any personal computer of mine. For those curious, I did all my password changing on my neglected MacBook running OS X 10.7 DP 4, which was mostly my email and music computer until now.
I'll just reformat my computer in case it is somehow compromised, and I am still changing all my passwords. My websites run WordPress with no plugins and a theme I bought from ThemeForest, and my forums were a patched-up IP.Board 3.1.4. I had WHMCS, which I just updated today to 4.1.2.
What else should I do?
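The redirect the poster describes (visitors bounced to a drug-selling site) is, in a WordPress install, usually carried by a rule injected into .htaccess or by obfuscated PHP dropped into the theme or a core file. The following is an added example, not code from the thread or from any of the products named in it: a triage script for a downloaded copy of the site that flags both carriers. The site tree, file paths, host names (pharmacy.invalid, example.com) and the base64 blob are all constructed for the demonstration.

```python
"""Triage scan for an injected redirect in a PHP/WordPress site tree.

Added example, not from the original post. It assumes the site files have
been downloaded to a local directory and looks for the two usual carriers
of a "redirect to a pharmacy site" infection:
  1. .htaccess Redirect/RewriteRule lines that point at a foreign host, and
  2. PHP that runs decoded/inflated code through eval() or a header("Location:")
     to a foreign host, optionally gated on search-engine referrers.
The sample tree below is constructed so the script runs offline.
"""
import os
import re
import tempfile

# Hosts that may legitimately appear in this site's own redirects (assumed).
OWN_HOSTS = {"example.com", "www.example.com"}

HTACCESS_REDIRECT = re.compile(
    r"^\s*(RewriteRule|Redirect(Match)?)\s+.*?https?://([^/\s]+)", re.I | re.M)
PHP_OBFUSCATION = re.compile(
    r"\b(eval|assert|preg_replace)\s*\(.*\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
    re.I)
PHP_LOCATION = re.compile(r'header\s*\(\s*["\']Location:\s*https?://([^/"\'\s]+)', re.I)
# Redirecting only search-engine traffic is the classic way to hide from the owner.
PHP_UA_GATE = re.compile(r"HTTP_USER_AGENT.*?(googlebot|bingbot)|HTTP_REFERER.*?google", re.I | re.S)


def scan_htaccess(text):
    hits = []
    for m in HTACCESS_REDIRECT.finditer(text):
        host = m.group(3).lower()
        if host not in OWN_HOSTS:
            hits.append(("htaccess-redirect", host))
    return hits


def scan_php(text):
    hits = []
    if PHP_OBFUSCATION.search(text):
        hits.append(("php-obfuscated-eval", ""))
    for m in PHP_LOCATION.finditer(text):
        host = m.group(1).lower()
        if host not in OWN_HOSTS:
            hits.append(("php-external-location", host))
    if hits and PHP_UA_GATE.search(text):
        hits.append(("php-search-traffic-gating", ""))
    return hits


def scan_tree(root):
    """Return {relative_path: [(indicator, detail), ...]} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                hits = scan_htaccess(text)
            elif name.endswith(".php"):
                hits = scan_php(text)
            else:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# --- constructed sample site tree (not data from the thread) ---
SAMPLE_FILES = {
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} google [NC]\n"
        "RewriteRule ^(.*)$ http://pharmacy.invalid/$1 [R=302,L]\n"
    ),
    # Opaque constructed payload: the decoder call, not the blob, is the indicator.
    "wp-content/themes/bought-theme/header.php": (
        "<?php\n"
        "eval(base64_decode('aGVhZGVyKCdMb2NhdGlvbjogaHR0cDovL3BoYXJtYWN5LmludmFsaWQnKTs='));\n"
        "?>\n<html>"
    ),
    "wp-content/themes/bought-theme/footer.php": "<?php wp_footer(); ?></body></html>\n",
    # A redirect to the site's own host is not flagged.
    "wp-login.php": "<?php header('Location: https://www.example.com/wp-admin/'); ?>\n",
}


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="site-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(rel)
        for indicator, detail in hits:
            print("   ", indicator, detail)
```

Run it against a fresh download of the account's files once the host releases them; anything it flags in a ThemeForest theme or in WordPress core should be diffed against a clean copy of the same version rather than edited in place, because the injected code is usually accompanied by a second file that re-creates it.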

06-21-2011, 11:51 AM
Web Hosting Master
Join Date: Feb 2004
Location: Toronto, ON, Canada
Posts: 862
Are you sure it's not your computer that got a virus instead of your host?

06-21-2011, 11:52 AM
Newbie
Join Date: Jul 2008
Posts: 24
I mentioned in my post that I am reformatting the Windows 7 computer that I was doing all the migration on, and that I am currently posting on a MacBook running OS X 10.7 that I used mostly for Sparrow and iTunes.

06-21-2011, 08:40 PM
Disabled
Join Date: Nov 2003
Location: Amidst several dimensions
Posts: 4,323
I don't think there is a reason for you to get suddenly compromised on your own personal computer right at the time you were moving hosts.
I think it's more likely that the host was compromised itself.

06-21-2011, 09:38 PM
Web Hosting Evangelist
Join Date: May 2011
Posts: 541
Your host may have been compromised.
I would just recommend you change all your passwords.
Good job on formatting. You really can't do anything but format once you're infected.

06-21-2011, 09:58 PM
WHT Content Curator
Join Date: Feb 2003
Location: NY
Posts: 11,362
Yes, I would also change my passwords ... sorry that happened to you.

06-22-2011, 06:37 AM
Web Hosting Guru
Join Date: Mar 2011
Location: Asia/USA
Posts: 306
Quote: Originally Posted by Appdeveloper
Your host may have been compromised.
I would just recommend you change all your passwords.
Good job on formatting. You really can't do anything but format once you're infected.

You can download MBAM (Malwarebytes Anti-Malware) and run it on your computer.
Once you're infected, there's still a possibility of recovering things. That's why tech forums have a team called the "HJT Team" or "HijackThis Team". They specialize in virus, spyware and malware removal.

06-22-2011, 05:17 PM
Newbie
Join Date: Jul 2008
Posts: 24
I don't know what to do, I just got this email:
Thank you for your patience while the issue was researched. It has been determined that your account, ******, was used for malicious activity yesterday morning and therefore your account has been terminated per our TOS.
The account was used to attempt to gain root level access to the server, redirect websites to a malware site, unauthorized activity of the /tmp directory, unauthorized activity of MySQL, and all of which was done from your IP address 173.***.***.***.
Normally in this situation we would impose additional fees for this unauthorized and illegal activity, as well as report this incident to the proper state and federal authorities for prosecution. Our security and integrity is something we take very seriously, and do not look at these situations lightly.
However, I will give you the benefit of the doubt for now and assume you too are a victim in this incident. I do not know if your IP is a business network with many users, or just yourself, but there is obviously someone using your network to perform this unauthorized activity. I would suggest performing your due diligence internally and finding the cause, and resolving this before anything else happens that could land you in a lot of trouble. We will waive any additional fees, damages, and prosecution based on this assumption.
The IP is correct; how would this happen??
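The host's email attributes the redirect, /tmp and MySQL activity to the poster's IP; the evidence behind such a finding is the server's access logs, which the account owner can ask for. The following is an added example, not code from the thread or from the host: given Apache combined-format access log lines, it keeps the requests from one IP and builds a timeline of state-changing requests (anything other than GET/HEAD, plus GETs of known write endpoints) together with every User-Agent seen from that IP, so a second tool or browser riding on the owner's connection stands out. The log lines, the IP 203.0.113.77 and the theme name are constructed; the WRITE_PATHS list is an assumption to extend for the panel in use.

```python
"""Rebuild "what was done from my IP" from Apache combined-format logs.

Added example, not from the original post. Input is constructed; on a real
incident feed it the access logs the host used for its attribution.
"""
import re
from datetime import datetime

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# GET requests to these paths also change state or fetch an editor (assumed list).
WRITE_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php",
               "/wp-admin/update.php", "/xmlrpc.php", "/cpsess", "/filemanager/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_state_changing(rec):
    return rec["method"] not in ("GET", "HEAD") or any(p in rec["path"] for p in WRITE_PATHS)


def timeline_for_ip(lines, ip):
    """Return (state-changing requests from ip in time order, sorted distinct user-agents)."""
    recs = [r for r in map(parse_line, lines) if r and r["ip"] == ip]
    events = sorted((r for r in recs if is_state_changing(r)), key=lambda r: r["ts"])
    agents = sorted({r["ua"] for r in recs})
    return events, agents


# --- constructed sample log: owner logs in with Firefox, then a second
# user-agent on the same IP writes to the theme editor and XML-RPC ---
SAMPLE_LOG = """\
203.0.113.77 - - [21/Jun/2011:09:02:11 -0400] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0.1"
203.0.113.77 - - [21/Jun/2011:09:05:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0.1"
198.51.100.23 - - [21/Jun/2011:09:06:02 -0400] "GET /forums/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (Macintosh) Safari/534.48.3"
203.0.113.77 - - [21/Jun/2011:09:11:07 -0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 7300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.77 - - [21/Jun/2011:09:11:35 -0400] "GET /wp-content/themes/bought-theme/header.php HTTP/1.1" 200 411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.77 - - [21/Jun/2011:09:12:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

if __name__ == "__main__":
    events, agents = timeline_for_ip(SAMPLE_LOG.splitlines(), "203.0.113.77")
    for r in events:
        print(r["ts"].isoformat(), r["method"], r["path"], r["status"], r["ua"])
    print("user-agents seen:", agents)
```

Compare the user-agents against the browser actually used for the migration: a request stream from your IP under a user-agent you never ran is the simplest evidence that something else on your connection was driving the session, and the timestamps of the writes give the host's claim a shape you can check against your own activity.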

06-22-2011, 05:22 PM
Web Hosting Evangelist
Join Date: May 2011
Posts: 541
Quote: Originally Posted by Hakaslak
I don't know what to do, I just got this email:
Thank you for your patience while the issue was researched. It has been determined that your account, ******, was used for malicious activity yesterday morning and therefore your account has been terminated per our TOS.
The account was used to attempt to gain root level access to the server, redirect websites to a malware site, unauthorized activity of the /tmp directory, unauthorized activity of MySQL, and all of which was done from your IP address 173.***.***.***.
Normally in this situation we would impose additional fees for this unauthorized and illegal activity, as well as report this incident to the proper state and federal authorities for prosecution. Our security and integrity is something we take very seriously, and do not look at these situations lightly.
However, I will give you the benefit of the doubt for now and assume you too are a victim in this incident. I do not know if your IP is a business network with many users, or just yourself, but there is obviously someone using your network to perform this unauthorized activity. I would suggest performing your due diligence internally and finding the cause, and resolving this before anything else happens that could land you in a lot of trouble. We will waive any additional fees, damages, and prosecution based on this assumption.
The IP is correct; how would this happen??

There are two ways:
1. Your hosting company is lying.
2. The hacker set up a proxy on your computer, connected to it, and then used your internet connection as a proxy (giving them YOUR IP address). People do this a LOT to commit fraud (credit card/identity fraud) because the IP doesn't show up as a proxy IP, and YOU take the blame.

06-22-2011, 05:30 PM
Aspiring Evangelist
Join Date: May 2007
Posts: 442
This is pretty common from what I've seen.
We have a bunch of developers that get comped all the time, and then they comp our customers' servers through their computer.
It gets sticky at times.
I'd reformat your machine.
__________________
█ Michael Wallace - michael@birdhosting.com
█ Bird Hosting Inc. - An Applogic Cloud Hosting Certified Provider
█ 24/7 Support, Call us @ 1-877-740-BIRD (2473)
█ www.birdhosting.com - Ashburn - Dallas - Seattle

06-22-2011, 05:32 PM
Newbie
Join Date: Jul 2008
Posts: 24
The host seems fairly reliable, and there is no suspicious activity showing up in Forefront on my local server at home.
As I said above, I did format my box, but I format fairly often, as my data and files are on a file server and other partitions, and I have slipstreamed ISOs of Windows 7 that I install over the network.

06-22-2011, 05:35 PM
Newbie
Join Date: Jul 2008
Posts: 24
This is from my local Server 08 R2 box, which is also my file server:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6922
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
6/22/2011 2:25:01 PM
mbam-log-2011-06-22 (14-25-01).txt
Scan type: Full scan (C:\|)
Objects scanned: 260386
Time elapsed: 5 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I really don't know what to do. They suspended my account, and now I'm locked out of my files and I'm not sure how to change the DNS settings.

06-22-2011, 05:49 PM
Disabled
Join Date: Nov 2003
Location: Amidst several dimensions
Posts: 4,323
Get Kaspersky PURE 2011 and scan your computer with that. It had near-99% rates.

06-22-2011, 05:51 PM
Web Hosting Evangelist
Join Date: May 2011
Posts: 541
Don't worry about your DNS settings.
If you reinstalled, then you have nothing to worry about.
To set up a remote proxy on a (victim's) computer, it:
1. Must be infected (duh)
2. Must have a port open (to connect)
3. Must have a decent internet connection (to actually use it)
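Appdeveloper's two posts above (the "hacker set up a proxy on your computer" explanation and the three requirements for it) describe something the workstation owner can actually look for before reformatting: an unexpected listening socket, and a connection to the hosting server from a process that is not the browser or FTP client they use. The following is an added example, not code from the thread: it parses the output of the Windows commands `netstat -ano` and `tasklist /fo csv` and flags both patterns, plus the combination of the two (one process that both listens and talks to the server), which is what a relay looks like. The command output, the server address 203.0.113.5, the process names, PIDs and the allowlists are all constructed or assumed; on a real machine, feed it the live command output and set SERVER_IPS to the host's WHM address.

```python
"""Workstation triage for the "it came from your IP" finding.

Added example, not from the original post. Parses constructed `netstat -ano`
and `tasklist /fo csv` output; the addresses, PIDs, image names and
allowlists below are assumptions for the demonstration.
"""
import csv
import io
import re

SERVER_IPS = {"203.0.113.5"}   # assumed: the hosting server / WHM address
# Processes the owner expects to talk to the server (assumed allowlist).
EXPECTED_CLIENTS = {"firefox.exe", "chrome.exe", "iexplore.exe", "filezilla.exe", "putty.exe"}
# Ports this workstation normally has open (assumed: RPC, NetBIOS, SMB, RDP, WSD, LLMNR).
KNOWN_LISTENERS = {135, 139, 445, 3389, 5357, 5355}
LOOPBACK = {"127.0.0.1", "::1"}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_addr(addr):
    """'192.168.1.10:49712' -> ('192.168.1.10', 49712); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue                      # header lines, blank lines
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_addr(local), "remote": split_addr(remote),
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> lower-cased image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"].lower() for row in csv.DictReader(io.StringIO(text))}


def triage(netstat_text, tasklist_text):
    """Return (reason, image, pid, detail) tuples for sockets worth explaining."""
    images = parse_tasklist(tasklist_text)
    findings, listeners, talkers = [], set(), set()
    for r in parse_netstat(netstat_text):
        image = images.get(r["pid"], "<unknown>")
        lhost, lport = r["local"]
        rhost, rport = r["remote"]
        # UDP rows carry no state column; a bound UDP socket is a listener too.
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and lhost not in LOOPBACK and lport not in KNOWN_LISTENERS:
            listeners.add(r["pid"])
            findings.append(("unexpected-listener", image, r["pid"], f"{r['proto']}/{lport}"))
        if rhost in SERVER_IPS:
            talkers.add(r["pid"])
            if image not in EXPECTED_CLIENTS:
                findings.append(("unexpected-client-to-server", image, r["pid"], f"{rhost}:{rport}"))
    for pid in sorted(listeners & talkers):
        findings.append(("listens-and-connects-to-server", images.get(pid, "<unknown>"), pid, ""))
    return findings


# --- constructed command output (not from the thread) ---
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       3320
  TCP    127.0.0.1:8307         0.0.0.0:0              LISTENING       2808
  TCP    192.168.1.10:49712     203.0.113.5:2087       ESTABLISHED     3320
  TCP    192.168.1.10:49720     203.0.113.5:443        ESTABLISHED     2244
  TCP    192.168.1.10:49731     198.51.100.9:80        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1104
"""
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","712","Services","0","8,100 K"
"svchost.exe","1104","Services","0","5,004 K"
"iexplore.exe","2244","Console","1","60,000 K"
"proxy.exe","3320","Console","1","3,220 K"
"dropbox.exe","2808","Console","1","40,000 K"
'''

if __name__ == "__main__":
    for reason, image, pid, detail in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{reason:32} {image:14} pid={pid:<6} {detail}")
```

One caveat on the second requirement in the list above: a home machine behind NAT rarely has an inbound port reachable from the internet, so a real implant more often opens an outbound connection to the attacker and relays through it. In that case there is no listener to find, and the only local sign is an outbound session from an unfamiliar process, which is why the "unexpected client" check matters more than the listener check.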

06-22-2011, 06:00 PM
Newbie
Join Date: Jul 2008
Posts: 24
I have KIS 2011 and I'll scan with that as well, but I doubt it will find anything either.