Page 2 of 2
Results 26 to 36 of 36
  1. #26
    Join Date
    Mar 2007
    Location
    Phoenix, AZ, United States
    Posts
    1,525
    Quote Originally Posted by Patrick View Post
    Script kiddies, yawn. Keep your server up to date and you'll be OK. Most of these morons are using publicly available exploits to compromise servers. I would guesstimate that 99.5 to 99.9% of these script kiddies couldn't code a line of Perl, never mind find an actual buffer overflow along with the relevant shell code to make a useful exploit.
    This wasn't a script kiddie. Thinking so is what makes this whole topic ridiculous. This wasn't an entire datacenter run by incompetent employees who just happened to never bother to update their servers to the latest public security threats. How on earth you think someone compromised an entire datacenter with thousands of servers, without knowing any programming is beyond me. What script did this kiddie run? These were either exploits private to the hacker, or zero day exploits. There is no reason to think this wouldn't have worked on any of the small hosts boasting better security in this thread.
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use

  2. #27
    My friend's website was hacked a few days ago also.

  3. #28
    Join Date
    Apr 2011
    Location
    Virginia Beach
    Posts
    13

    No, not 700,000 sites

    Hi WireNine,

    This is Brad with InMotion Hosting.

    Question: Is it indeed a world record?

    I don't have specifics on this one, but the hacker was off by quite a bit on his 700,000 mark. From what I hear from our Systems Team, he counted many domains. For example, he counted domain and www domain as 2 different sites. It does seem like his 700,000 target is actually quite a bit lower.

    Thanks,
    - Brad

  4. #29
    Join Date
    Mar 2007
    Location
    Phoenix, AZ, United States
    Posts
    1,525
    Quote Originally Posted by imh-bradm View Post
    Hi WireNine,

    This is Brad with InMotion Hosting.

    Question: Is it indeed a world record?

    I don't have specifics on this one, but the hacker was off by quite a bit on his 700,000 mark. From what I hear from our Systems Team, he counted many domains. For example, he counted domain and www domain as 2 different sites. It does seem like his 700,000 target is actually quite a bit lower.

    Thanks,
    - Brad
    So... tell us about the exploit
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use

  5. #30
    Join Date
    Apr 2011
    Location
    Virginia Beach
    Posts
    13
    Hi kpmedia,

    This is Brad with InMotion Hosting.

    I've been with InMotion Hosting for over 4 years now. I've seen our company grow from roughly 30 employees to now over 150+. It is great that some people think of us as "big unlimited hosts", (yes I understand the 'unlimited' reference, looks a little off when I quote it). While it is not an excuse, many large companies (not just web hosts) have been hit very hard by hackers, which goes to show how tough it can be to be 100% secure (if that even exists).

    We take security very seriously. I'd like to state that we have very technical System Administrators, but unfortunately sometimes these things happen. We have learned quite a bit from this experience, and as a hosting company, we are taking a lot from this.

  6. #31
    Join Date
    Apr 2011
    Location
    Virginia Beach
    Posts
    13
    Hi HostSentry,

    The main exploit path was through an internal management server that can control Cpanel on other servers. Cpanel keys (not ssh keys) used to do this are stored on the internal management server. The hacker then used those Cpanel keys to change passwords on the Cpanel servers then login with those passwords. It does not appear that gaining passwords was a goal or was accomplished, just password changes were used. Access to the management server was gained from an exploited customer's server that was within our network.

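The path Brad describes above (a management host holding cPanel access keys, used to rotate passwords on many accounts, followed by logins with the new passwords) leaves a recognisable trail in the access logs of the cPanel/WHM servers. The script below is an added example by the editor, not code from the thread, InMotion or cPanel. It flags any source that successfully rotates several distinct accounts within a short window and then reports which of those accounts were logged into shortly afterwards from somewhere else. The log lines are constructed for the example and follow a common-log-like shape; the real cPanel access_log layout and the name of the password-change endpoint (here assumed to be /json-api/passwd) differ by version, so LINE_RE and PASSWD_ENDPOINT are assumptions to adapt.

```python
"""Detect mass password rotation from one host, then logins on the rotated
accounts. Added example; the endpoint name, log format and sample lines are
assumptions, not InMotion or cPanel artefacts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real data): a burst of three rotations from the
# management host, two of which are then used to log in; one legitimate
# single rotation earlier in the day; one malformed line that is skipped.
SAMPLE_LOG = """\
10.0.1.5 - root [03/Oct/2011:14:20:01 +0000] "GET /json-api/passwd?user=alice&pass=N3w HTTP/1.1" 200
10.0.1.5 - root [03/Oct/2011:14:20:02 +0000] "GET /json-api/passwd?user=bob&pass=N3w HTTP/1.1" 200
10.0.1.5 - root [03/Oct/2011:14:20:03 +0000] "GET /json-api/passwd?user=carol&pass=N3w HTTP/1.1" 200
203.0.113.9 - alice [03/Oct/2011:14:25:10 +0000] "POST /login/ HTTP/1.1" 200
203.0.113.9 - bob [03/Oct/2011:14:25:12 +0000] "POST /login/ HTTP/1.1" 200
203.0.113.9 - carol [03/Oct/2011:14:25:14 +0000] "POST /login/ HTTP/1.1" 401
192.0.2.7 - root [03/Oct/2011:09:00:00 +0000] "GET /json-api/passwd?user=dave&pass=N3w HTTP/1.1" 200
198.51.100.4 - dave [03/Oct/2011:11:30:00 +0000] "POST /login/ HTTP/1.1" 200
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PASSWD_ENDPOINT = "/json-api/passwd"   # assumed endpoint name
WINDOW = timedelta(minutes=10)         # burst window for rotations
THRESHOLD = 3                          # distinct accounts rotated in WINDOW
LOGIN_WINDOW = timedelta(hours=1)      # how soon after rotation a login counts


def parse(log_text):
    """Parse lines into dicts sorted by timestamp; unparseable lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = urlsplit(m["path"])
        target = parse_qs(parts.query).get("user", [None])[0]
        events.append({"ip": m["ip"], "user": m["user"], "ts": ts,
                       "path": parts.path, "status": int(m["status"]),
                       "target": target})
    return sorted(events, key=lambda e: e["ts"])


def mass_password_changes(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: sorted distinct accounts} for every source that
    successfully rotated at least `threshold` accounts inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == PASSWD_ENDPOINT and e["status"] == 200 and e["target"]:
            by_ip[e["ip"]].append((e["ts"], e["target"]))
    alerts = {}
    for ip, changes in by_ip.items():
        changes.sort()
        for i, (t0, _) in enumerate(changes):          # sliding window from each change
            users = {u for t, u in changes[i:] if t - t0 <= window}
            if len(users) >= threshold:
                alerts[ip] = sorted(users)
                break
    return alerts


def logins_after_rotation(events, alerts, window=LOGIN_WINDOW):
    """For each account rotated by a flagged source, the IP of the first
    successful login within `window` of the rotation (the 'use' half of the attack)."""
    rotated = {}
    for e in events:
        if (e["path"] == PASSWD_ENDPOINT and e["status"] == 200
                and e["ip"] in alerts and e["target"] in alerts[e["ip"]]):
            rotated.setdefault(e["target"], e["ts"])
    used = {}
    for e in events:
        if e["path"] == "/login/" and e["status"] == 200 and e["user"] in rotated:
            if timedelta(0) <= e["ts"] - rotated[e["user"]] <= window and e["user"] not in used:
                used[e["user"]] = e["ip"]
    return used


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = mass_password_changes(evs)
    print("mass rotation by:", flagged)
    print("rotated accounts then used:", logins_after_rotation(evs, flagged))
```

The burst test is what separates this from an admin resetting one forgotten password: a single rotation from 192.0.2.7 is ignored, while three rotations in two seconds from the management host trip the threshold, and the follow-up login check shows which of those accounts were actually taken over rather than merely reset.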
  7. #32
    Join Date
    Mar 2007
    Location
    Phoenix, AZ, United States
    Posts
    1,525
    Quote Originally Posted by imh-bradm View Post
    Hi HostSentry,

    The main exploit path was through an internal management server that can control Cpanel on other servers. Cpanel keys (not ssh keys) used to do this are stored on the internal management server. The hacker then used those Cpanel keys to change passwords on the Cpanel servers then login with those passwords. It does not appear that gaining passwords was a goal or was accomplished, just password changes were used. Access to the management server was gained from an exploited customer's server that was within our network.
    Correct me if I'm wrong, I'm just trying to understand.

    1. Hacker gets access to a "management server"
    2. Hacker goes from that server, to a server which has a database of remote access keys
    3. Hacker uses these keys, which gives him the ability to change the root password on the servers
    4. Changes root passwords, executes code that defaces customer sites


    Or are you saying he used the remote key to change individual customer site passwords, then defaced those individual sites using those individual accounts?


    Quote Originally Posted by imh-bradm View Post
    Access to the management server was gained from an exploited customer's server that was within our network.
    Can you elaborate on that? Whether or not the customer's server was exploited, why was it allowed access to the management server? Are you saying any customer who had a server within your network could have gained access to your management server?
    Last edited by Drew@Slicie; 10-03-2011 at 02:26 PM.
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use

  8. #33
    Join Date
    Apr 2011
    Location
    Virginia Beach
    Posts
    13
    Hi HostSentry,

    I don't have more specifics other than what I posted. I know you're looking for clarification on exactly what happened, but I don't have that right now. The hacker gained access to the management server, and from there was able to obtain the cPanel keys.

    In regard to your last question, the compromised dedicated server had access to the management server due to the fact that it wasn't blocked at the firewall level. The management server was not "open" as in you could simply walk in and take what you wanted, it was open as in the internal networked IPs were not denied by the firewall.

    Thanks,
    - Brad

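Brad's point above is that the management server was reachable from a customer's dedicated server because internal IPs were simply not denied at the firewall. The check a practitioner would want is an audit that proves no tenant range can reach the management ports under first-match firewall semantics. The script below is an added example by the editor and is not InMotion's configuration or code; the addresses (10.0.1.10 as an admin jump host, 10.20.0.0/16 and 10.30.0.0/16 as customer segments), the ports (22 and 2087) and the simplified rule tuples are assumptions for illustration. It shows the weak policy beside a corrected one, and also handles the case where an earlier drop rule covers only part of a tenant range, which a naive "first overlapping rule" check would get wrong.

```python
"""Audit a management-host allowlist for tenant reachability.
Added example; addresses, ports and the rule format are assumptions."""
from ipaddress import ip_address, ip_network

MGMT_PORTS = {22, 2087}   # assumed: ssh and WHM over TLS

# Rule tuple: (action, source_cidr, dest_port or None for any port).
# First match wins; anything unmatched is dropped.
WEAK_POLICY = [
    ("accept", "10.0.0.0/8", None),          # "internal IPs were not denied"
]
FIXED_POLICY = [
    ("accept", "10.0.1.10/32", 22),          # admin jump host only (assumed address)
    ("accept", "10.0.1.10/32", 2087),
    ("drop",   "0.0.0.0/0", None),           # explicit default deny
]
# A drop that only covers half of a tenant range, followed by a broad accept.
PARTIAL_POLICY = [
    ("drop",   "10.20.0.0/17", None),
    ("accept", "10.0.0.0/8", None),
]
TENANT_RANGES = ["10.20.0.0/16", "10.30.0.0/16"]   # customer segments (assumed)


def decide(policy, src_ip, dst_port):
    """First-match verdict for one packet: 'accept' or 'drop'."""
    src = ip_address(src_ip)
    for action, cidr, port in policy:
        if src in ip_network(cidr) and (port is None or port == dst_port):
            return action
    return "drop"


def _subtract(nets, cidr):
    """Remove `cidr` from a list of networks (CIDR blocks nest or are disjoint)."""
    out = []
    for n in nets:
        if not n.overlaps(cidr):
            out.append(n)
        elif n.subnet_of(cidr):
            continue                     # fully covered, nothing left of n
        else:
            out.extend(n.address_exclude(cidr))   # cidr is inside n: keep the rest
    return out


def tenant_exposure(policy, tenant_ranges=TENANT_RANGES, ports=MGMT_PORTS):
    """Return (tenant_cidr, port) pairs for which some tenant host is accepted.

    Walks the rules in order, tracking the part of each tenant range not yet
    decided by an earlier rule, so a partial drop does not mask a later accept."""
    exposed = []
    for t in tenant_ranges:
        for port in sorted(ports):
            remaining = [ip_network(t)]
            for action, cidr, rport in policy:
                if rport is not None and rport != port:
                    continue
                net = ip_network(cidr)
                if action == "accept" and any(n.overlaps(net) for n in remaining):
                    exposed.append((t, port))
                    break
                remaining = _subtract(remaining, net)
                if not remaining:        # whole range already decided (dropped)
                    break
    return exposed


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY), ("partial", PARTIAL_POLICY)):
        print(name, "exposure:", tenant_exposure(pol))
    print("customer box -> WHM under weak policy:", decide(WEAK_POLICY, "10.20.30.40", 2087))
    print("customer box -> WHM under fixed policy:", decide(FIXED_POLICY, "10.20.30.40", 2087))
```

Run against a real ruleset by translating each accept/drop line into the tuple form; the useful output is an empty exposure list for every tenant segment, and the jump host as the only accepted source on the management ports. The same audit catches the sysadmin-VPS variant mentioned later in the thread if the VPS's address range is added to the tenant list.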
  9. #34
    Join Date
    Mar 2007
    Location
    Phoenix, AZ, United States
    Posts
    1,525
    Quote Originally Posted by imh-bradm View Post
    Hi HostSentry,

    I don't have more specifics other than what I posted. I know you're looking for clarification on exactly what happened, but I don't have that right now. The hacker gained access to the management server, and from there was able to obtain the cPanel keys.

    Thanks,
    - Brad
    I understand. I'm sure only a few people actually know what happened at this point.

    Quote Originally Posted by imh-bradm View Post
    In regard to your last question, the compromised dedicated server had access to the management server due to the fact that it wasn't blocked at the firewall level.

    The management server was not "open" as in you could simply walk in and take what you wanted, it was open as in the internal networked IPs were not denied by the firewall.
    That still sounds kind of open


    ... anyway, thanks for shedding some light on the situation for me. Interesting stuff.

    Edit:
    http://www.ngenuity-is.com/
    Last edited by Drew@Slicie; 10-03-2011 at 02:51 PM.
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use

  10. #35
    Join Date
    Oct 2003
    Posts
    9,264
    From what I'm aware, a sysadmin's external VPS was exploited (A 3rd party vps) which had access to an internal network within inmotion -- one that didn't have any outside access beyond that.

    From there, they gained access to the internal network which held all of the keys to the kingdom, so to speak. Note 100% of this is hearsay though.

  11. #36
    Join Date
    Mar 2007
    Location
    Phoenix, AZ, United States
    Posts
    1,525
    Quote Originally Posted by David View Post
    From what I'm aware, a sysadmin's external VPS was exploited (A 3rd party vps) which had access to an internal network within inmotion -- one that didn't have any outside access beyond that.

    From there, they gained access to the internal network which held all of the keys to the kingdom, so to speak.
    Yikes

    Quote Originally Posted by David View Post
    Note 100% of this is hearsay though.
    Well that's okay if the person who you heard say it was correct
    drew@slicie.com - Vertical Scaling Servers
    30 Minute Backups - Pay for what you use
