I got compromised today =(
Web Hosting Talk : Web Hosting Lounge

#1 | 06-21-2011, 11:16 AM | AWP-Tech (Newbie; Join Date: Jul 2008; Posts: 24)

So I've been hosting with a company for a while, but due to downtimes, slow loading times and unhelpfulness of tech support I moved to a new cloud based host yesterday.

Today, as I was finishing up a move of the WordPress, WHMCS and IP.Board installations, I start getting redirected to a sketchy malware site selling drugs on a Wikipedia-esque page.

I checked my other domains that were transferred, and noticed that they were redirecting as well. At this point I start panicking and try to log in to WHM to revert the nameservers back to the old host, but it was a no go; my WHM login had been changed and I could not log in.

I immediately went to my Google Apps accounts to change my passwords to randomized 30-character ones in case they were logged, all while sending my new web host updates.

I get an email from the host's CEO (!) stating that my account was compromised and that it is currently suspended.

At this point I am not sure what to do. Do I sit around and wait for my host to tell me to GTFO? How could an exploit like this happen? The computer I was using has MSE on it, but I've not been infected on any personal computer of mine. For those curious, I did all my password changing on my neglected Macbook running OSX 10.7 DP 4, which was mostly my email and music computer until now.

I'll just reformat my computer in case it is somehow compromised, and I am still changing all my passwords. My websites run Wordpress with no plugins and a theme I bought from themeforest, and my forums were patched up IP.Board 3.1.4. I had WHMCS that I just updated today to 4.1.2.

What else should I do?



#2 | 06-21-2011, 11:51 AM | lonea (Web Hosting Master; Join Date: Feb 2004; Location: Toronto, ON, Canada; Posts: 1,156)

Are you sure it's not your computer that got a virus instead of your host?


#3 | 06-21-2011, 11:52 AM | AWP-Tech (Newbie; Join Date: Jul 2008; Posts: 24)

I mentioned in my post that I am reformatting the Windows 7 computer that I was doing all the migration on, and that I am currently posting on a MacBook running OSX 10.7 that I used mostly for Sparrow and iTunes.

#4 | 06-21-2011, 08:40 PM | unity100 (Disabled; Join Date: Nov 2003; Location: Amidst several dimensions; Posts: 4,321)

I don't think there is a reason for you to get suddenly compromised on your own personal computer right at the time you were moving hosts.

I think it's more likely that the host was compromised itself.

#5 | 06-21-2011, 09:38 PM | Appdeveloper (Web Hosting Master; Join Date: May 2011; Posts: 553)

Your host may have been compromised.

I would just recommend you change all your passwords.

Good job on formatting. You really can't do anything but format once you're infected.

#6 | 06-21-2011, 09:58 PM | Techy (WHT Content Curator; Join Date: Feb 2003; Location: NY; Posts: 11,490)

Yes, I would also change my passwords ... sorry that happened to you.

#7 | 06-22-2011, 06:37 AM | MyResellerHost (Web Hosting Guru; Join Date: Mar 2011; Location: Asia/USA; Posts: 306)

Quote: Originally Posted by Appdeveloper
Your host may have been compromised.

I would just recommend you change all your passwords.

Good job on formatting. You really can't do anything but format once you're infected.

You can download MBAM (Malwarebytes Anti-Malware) and run it on your computer.

Once you're infected, there's still a possibility of recovering things. That's why tech forums have this team called the "HJT Team" or "HijackThis Team". They specialize in virus, spyware, and malware removal.

#8 | 06-22-2011, 05:17 PM | AWP-Tech (Newbie; Join Date: Jul 2008; Posts: 24)

I don't know what to do, I just got this email:

Thank you for your patience while the issue was researched. It has been determined that your account, ******, was used for malicious activity yesterday morning and therefore your account has been terminated per our TOS.

The account was used to attempt to gain root level access to the server, redirect websites to a malware site, unauthorized activity of the /tmp directory, unauthorized activity of MySQL, and all of which was done from your IP address 173.***.***.***.

Normally in this situation we would impose additional fees for this unauthorized and illegal activity, as well as report this incident to the proper state and federal authorities for prosecution. Our security and integrity is something we take very seriously, and do not look at these situations lightly.

However, I will give you the benefit of the doubt for now and assume you too are a victim in this incident. I do not know if your IP is a business network with many users, or just yourself, but there is obviously someone using your network to perform this unauthorized activity. I would suggest performing your due diligence internally and finding the cause, and resolving this before anything else happens that could land you in a lot of trouble. We will waive any additional fees, damages, and prosecution based on this assumption.

The IP is correct, how would this happen??

#9 | 06-22-2011, 05:22 PM | Appdeveloper (Web Hosting Master; Join Date: May 2011; Posts: 553)

Quote: Originally Posted by Hakaslak
I don't know what to do, I just got this email:

Thank you for your patience while the issue was researched. It has been determined that your account, ******, was used for malicious activity yesterday morning and therefore your account has been terminated per our TOS.

The account was used to attempt to gain root level access to the server, redirect websites to a malware site, unauthorized activity of the /tmp directory, unauthorized activity of MySQL, and all of which was done from your IP address 173.***.***.***.

Normally in this situation we would impose additional fees for this unauthorized and illegal activity, as well as report this incident to the proper state and federal authorities for prosecution. Our security and integrity is something we take very seriously, and do not look at these situations lightly.

However, I will give you the benefit of the doubt for now and assume you too are a victim in this incident. I do not know if your IP is a business network with many users, or just yourself, but there is obviously someone using your network to perform this unauthorized activity. I would suggest performing your due diligence internally and finding the cause, and resolving this before anything else happens that could land you in a lot of trouble. We will waive any additional fees, damages, and prosecution based on this assumption.

The IP is correct, how would this happen??

There are two ways:
1. Your hosting company is lying.
2. The hacker set up a proxy on your computer, connected to it, and then used your internet connection as a proxy (giving them YOUR IP address). People do this a LOT to commit fraud (credit card/identity fraud) because the IP doesn't show up as a proxy IP, and YOU take the blame.

#10 | 06-22-2011, 05:30 PM | arisythila (Aspiring Evangelist; Join Date: May 2007; Posts: 449)

This is pretty common from what I've seen.

We have a bunch of developers that get comped all the time, then they comp our customers' servers through their computer.

It gets sticky at times.

I'd reformat your machine.


#11 | 06-22-2011, 05:32 PM | AWP-Tech (Newbie; Join Date: Jul 2008; Posts: 24)

The host seems fairly reliable, and there is no suspicious activity showing up on Forefront on my local server at home.

As I said above, I did format my box, but I format fairly often as my data and files are on a file server and other partitions, and I have slipstreamed ISOs of Windows 7 that I install over the network.

#12 | 06-22-2011, 05:35 PM | AWP-Tech (Newbie; Join Date: Jul 2008; Posts: 24)

This is from my local Server 08 R2 box, which is also my file server:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6922

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

6/22/2011 2:25:01 PM
mbam-log-2011-06-22 (14-25-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 260386
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I really don't know what to do. They suspended my account, and now I'm locked out of my files and I'm not sure how to change the DNS settings.

#13 | 06-22-2011, 05:49 PM | unity100 (Disabled; Join Date: Nov 2003; Location: Amidst several dimensions; Posts: 4,321)

Get Kaspersky Pure 2011 and scan your computer with that. It had near 99% rates.

#14 | 06-22-2011, 05:51 PM | Appdeveloper (Web Hosting Master; Join Date: May 2011; Posts: 553)

Don't worry about your DNS settings.

If you reinstalled, then you have nothing to worry about.

To set up a remote proxy on a (victim's) computer, it:
1. Must be infected (duh)
2. Must have a port open (to connect)
3. Must have a decent internet connection (to actually use it)

#15 | 06-22-2011, 06:00 PM | AWP-Tech (Newbie; Join Date: Jul 2008; Posts: 24)

I have KIS 2011 and I'll scan with that as well, but I doubt it will find anything either.
