  1. #1

    Server Hacked - by niroda

    My VPS with EUK Host got hacked yesterday. All sites on it have had all content deleted and replaced with a hacked message. EUK can't restore any of the sites as their backups were also compromised. Luckily I have a recent backup of the most important site that I DL'd on Saturday. The rest of the sites have no backups, sadly.

    I am interested to know if I have been misled with the circumstances of the hack. The support people tell me that it's my fault and my problem as my root password is weak (it was not weak at all) plus I was running wordpress sites and that's where the breach took place. I was under the impression that sites COULD get hacked but that hack could not gain access to the server itself. This was my understanding anyway. Also, I note that their VPS Node : EL58 is under attack and that "Mar 05, 2012 Urgent Maintenance : backup4 server". Coincidence that all my sites have no backups? Any advice on what I can or should do? Suspect you will all say it's my own fault for not taking backups for the other sites etc!

    I will be looking for a new host. I have been messed about all day. Promised info, calls and ticket updates. Just had one of the chat operators getting quite terse with me too. EUK were OK but the end of last year and this year have been terrible.

    Can anyone recommend a good UK host? I do need it to be UK though.

  2. #2
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    19,169
    Quote Originally Posted by Jezsez View Post
    My VPS with EUK Host got hacked yesterday. All sites on it have had all content deleted and replaced with a hacked message. EUK can't restore any of the sites as their backups were also compromised. Luckily I have a recent backup of the most important site that I DL'd on Saturday. The rest of the sites have no backups, sadly.

    I am interested to know if I have been misled with the circumstances of the hack. The support people tell me that it's my fault and my problem as my root password is weak (it was not weak at all) plus I was running wordpress sites and that's where the breach took place. I was under the impression that sites COULD get hacked but that hack could not gain access to the server itself. This was my understanding anyway. Also, I note that their VPS Node : EL58 is under attack and that "Mar 05, 2012 Urgent Maintenance : backup4 server". Coincidence that all my sites have no backups? Any advice on what I can or should do? Suspect you will all say it's my own fault for not taking backups for the other sites etc!

    I will be looking for a new host. I have been messed about all day. Promised info, calls and ticket updates. Just had one of the chat operators getting quite terse with me too. EUK were OK but the end of last year and this year have been terrible.

    Can anyone recommend a good UK host? I do need it to be UK though.
    Hello,
    When a provider posts that a server is under attack, it typically involves a DDoS attack, not a defacement. May I ask if you were running a control panel and using a strong password. It almost sounds like the attacker managed to get your root codes.
    Keith I Myers
    KMyers.me The rantings of a lunatic
    Geek Survival Guide - Reviews and Advice for Geeks

  3. #3
    If their backups got compromised too, doesn't that mean their server was hacked? If that is the case, it wasn't your fault at all. Seems they need to do server audits a bit more often and set up their servers better.

  4. #4
    Quote Originally Posted by KMyers View Post
    Hello,
    When a provider posts that a server is under attack, it typically involves a DDoS attack, not a defacement. May I ask if you were running a control panel and using a strong password. It almost sounds like the attacker managed to get your root codes.
    Yes, it has control panel. I would say that the password was very strong.

    It's always possible that somehow my security has been compromised locally. I would be surprised though. Why go for the server (just one server ((so far!!)) at that) and not the paypal account or something worse? My local machine has good security but I doubt it would stop something new or really good, if any security would.

  5. #5
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    19,169
    Quote Originally Posted by JoeBates View Post
    If their backups got compromised too, doesn't that mean their server was hacked? If that is the case, it wasn't your fault at all. Seems they need to do server audits a bit more often and set up their servers better.
    That may not be the case. A backup server is often a separate machine. I did not see if they did backups of the VMs so I asked and confirmed they do.
    Keith I Myers
    KMyers.me The rantings of a lunatic
    Geek Survival Guide - Reviews and Advice for Geeks

  6. #6
    Quote Originally Posted by JoeBates View Post
    If their backups got compromised too, doesn't that mean their server was hacked? If that is the case, it wasn't your fault at all. Seems they need to do server audits a bit more often and set up their servers better.
    That was my thought too. But they are merely saying that their backup was taken after the hack. Conveniently.

  7. #7
    Join Date
    Jun 2003
    Location
    Spain
    Posts
    4,213
    Quote Originally Posted by Jezsez View Post

    Can anyone recommend a good UK host? I do need it to be UK though.
    FutureHosting without a doubt!

  8. #8
    Join Date
    Jun 2011
    Location
    Internet
    Posts
    2,579
    Quote Originally Posted by Jezsez View Post
    That was my thought too. But they are merely saying that their backup was taken after the hack. Conveniently.
    Was your VPS control panel password where you start the backup the same as any other that you use elsewhere?

  9. #9
    Quote Originally Posted by Jezsez View Post
    That was my thought too. But they are merely saying that their backup was taken after the hack. Conveniently.
    That would make more sense, that sucks!

  10. #10
    Quote Originally Posted by Flapadar View Post
    Was your VPS control panel password where you start the backup the same as any other that you use elsewhere?
    I think it may be the same password for the mail server, possibly.

  11. #11
    Join Date
    Dec 2011
    Posts
    91
    Quote Originally Posted by Jezsez View Post
    My VPS with EUK Host got hacked yesterday. All sites on it have had all content deleted and replaced with a hacked message. EUK can't restore any of the sites as their backups were also compromised. Luckily I have a recent backup of the most important site that I DL'd on Saturday. The rest of the sites have no backups, sadly.

    I am interested to know if I have been misled with the circumstances of the hack. The support people tell me that it's my fault and my problem as my root password is weak (it was not weak at all) plus I was running wordpress sites and that's where the breach took place. I was under the impression that sites COULD get hacked but that hack could not gain access to the server itself. This was my understanding anyway. Also, I note that their VPS Node : EL58 is under attack and that "Mar 05, 2012 Urgent Maintenance : backup4 server". Coincidence that all my sites have no backups? Any advice on what I can or should do? Suspect you will all say it's my own fault for not taking backups for the other sites etc!

    I will be looking for a new host. I have been messed about all day. Promised info, calls and ticket updates. Just had one of the chat operators getting quite terse with me too. EUK were OK but the end of last year and this year have been terrible.

    Can anyone recommend a good UK host? I do need it to be UK though.

    Sounds fishy. Backups compromised!?! C'mon. Really? Only way to have compromised backups is not taking them frequently. Check out /var/log/messages. Compare root login IPs against your own. Unless that was compromised too.
    BigInstance.com
    [+] VPS - KVM HVM - 4GB & up
    [+] Dedicated CPU core(s)
    sales [@] biginstance.com

  12. #12
    Join Date
    Feb 2012
    Posts
    156
    Quote Originally Posted by XTremo View Post
    FutureHosting without a doubt!
    I was going to recommend them too, they also will be able to ensure that your VPS is up to date, secure, and give you proper managed support and security, along with monitoring. I would check 'em out.

  13. #13
    This is the incomprehensible support ticket reply:

    "As per your telephonic conversation with Suzanne, we have tried to restored data from our backup system but unfortunately, there are the same files available as they are on your VPS.

    We can do one thing, if sites on your VPS other than the sites available in backup with you are not important for you then we can create a new VPS for you with the same configuration, apply all the security tweaks and then restore important sites backup on it. This way, you will get secured VPS with all important data."

    Seems to me that the last VPS was not secure, by their own admission.

    Thanks for the recommendation on host - but it needs to be a UK host I'm afraid.

  14. #14
    Join Date
    Apr 2010
    Location
    North Carolina
    Posts
    430
    Quote Originally Posted by Jezsez View Post
    Seems to me that the last VPS was not secure, by their own admission.
    Is this a managed VPS? If not, securing your VPS is your job.

  15. #15
    Quote Originally Posted by Jezsez View Post
    My VPS with EUK Host got hacked yesterday. All sites on it have had all content deleted and replaced with a hacked message. EUK can't restore any of the sites as their backups were also compromised. Luckily I have a recent backup of the most important site that I DL'd on Saturday. The rest of the sites have no backups, sadly.

    I am interested to know if I have been misled with the circumstances of the hack. The support people tell me that it's my fault and my problem as my root password is weak (it was not weak at all) plus I was running wordpress sites and that's where the breach took place. I was under the impression that sites COULD get hacked but that hack could not gain access to the server itself. This was my understanding anyway. Also, I note that their VPS Node : EL58 is under attack and that "Mar 05, 2012 Urgent Maintenance : backup4 server". Coincidence that all my sites have no backups? Any advice on what I can or should do? Suspect you will all say it's my own fault for not taking backups for the other sites etc!

    I will be looking for a new host. I have been messed about all day. Promised info, calls and ticket updates. Just had one of the chat operators getting quite terse with me too. EUK were OK but the end of last year and this year have been terrible.

    Can anyone recommend a good UK host? I do need it to be UK though.

    This happened to a client of mine. They were using Avail[-bleep-]. Their VPS software had a vulnerability in it and all of my client's domains were hacked. Had nothing to do with negligence of my client. No weak passwords, vulnerable software, etc.

  16. #16
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    14,774
    I'm seeing more and more hosts blame customers, and not take responsibility for the craptastic non-security of their own servers. It's ghastly how many "hosts" are not running suexec, complex server security, etc. Just plop up a box with a default deploy, fill it up, rake in the dough. When it crashes, for whatever reason, blame the customers.

    This is why I'm so selective about which hosts I'll use (or recommend to others).
    || Need a good host?
    || See my Suggested Hosts List || Editorial: EIG/Site5/Arvixe/Hostgator Alternatives
    ||

  17. #17
    Join Date
    Jul 2008
    Location
    Seminole, OK
    Posts
    1,575
    Sorry to hear your VPS got hacked. But if your root pass was the issue be sure to check your logs. I suggest you quit using your root password and set up SSH to use a key + pass phrase authentication. Gives you a bit more security.
    Inode Hosting - Reliable Web Hosting for the right price.
    Shared & Reseller hosting featuring the industry leading cpanel
    99.9% Uptime Guarantee ,30 Day Money Back Guarantee ,24/7 Support
    Established since 2011

  18. #18
    Join Date
    Jul 2002
    Location
    London, United Kingdom
    Posts
    4,359
    Quote Originally Posted by Jezsez View Post
    Seems to me that the last VPS was not secure, by their own admission.
    They didn't say that at all.

    They offered to set up a new VPS for you and perform initial securing of it - ongoing security and management will be your responsibility, and (from the posts) it sounds like you allowed something nasty through one of your wordpress sites.
    Rob Golding Astutium Ltd - UK based ICANN Accredited Domain Registrar - proud to accept BitCoins
    Buying Web Hosts and Domain Registrars Today @ hostacquisitions.co.uk
    UK Web Hosting | UK VPS | UK Dedicated Servers | ADSL/FTTC | Backup/DR | Cloud
    UK Colocation | Reseller Accounts | IPv6 Transit | Secondary MX | DNS | WHMCS Modules

  19. #19
    Quote Originally Posted by othellotech View Post
    They didn't say that at all.

    They offered to set up a new VPS for you and perform initial securing of it - ongoing security and management will be your responsibility, and (from the posts) it sounds like you allowed something nasty through one of your wordpress sites.
    I'm glad you were able to glean some actual sense out of that message, as I struggled.

    Actually, in the telephone conversation they alluded to the security not being as good as it should have been. "We will tighten up the security on your VPS" is what they said they would do. How does it sound like I let something in via a WP site?

  20. #20
    Update on this:

    All my sites, emails and everything magically came back at 10pm last night. Even though they didn't have any usable backups! I have asked in the ticket how they managed this. Glad they are all back, but now I trust this host even less. They really seem to have no clue at all. I don't see how they could make a mistake like that and then suddenly find that they did, in fact, have all the backups after all.

    I have paid for the year for this VPS (mistake I now realise, that will never happen again) so I will try and swap it with my other more reliable VPS and put much less important sites on this one and get rid of the whole thing when the paid term finishes.

    I'll let you know what they say in the ticket later.

  21. #21
    Quote Originally Posted by kpmedia View Post
    I'm seeing more and more hosts blame customers, and not take responsibility for the craptastic non-security of their own servers. It's ghastly how many "hosts" are not running suexec, complex server security, etc. Just plop up a box with a default deploy, fill it up, rake in the dough. When it crashes, for whatever reason, blame the customers.

    This is why I'm so selective about which hosts I'll use (or recommend to others).
    Reading up on EUK Host on review sites and forums this has happened to a lot of people - lots of complaints and issues like mine (though not quite as drastic).

  22. #22
    Join Date
    Apr 2010
    Posts
    65
    I'd suggest posting a message in their forums outlining the problems and asking them how they're going to prevent it happening again.

    As an ex-customer, I learnt that you can kick up a fuss on their forums and it will remain there - they don't delete/censor genuine complaints. You'll also get the attention of the guys higher up. EUK's first level techs are standard level, crappy, read from script, low level employees - but they have some solid techs higher up.

    But, as a company that prides itself in being FULLY managed (they'll install 3rd party scripts going the extra mile over many managed providers), how they can blame you for poor security is beyond me, unless your root pw really was pants.
    www.SneakSMS.com
    Anonymous text messaging
    Send SMS messages from anybody's number

  23. #23
    Quote Originally Posted by sneaksms View Post
    I'd suggest posting a message in their forums outlining the problems and asking them how they're going to prevent it happening again.

    As an ex-customer, I learnt that you can kick up a fuss on their forums and it will remain there - they don't delete/censor genuine complaints. You'll also get the attention of the guys higher up. EUK's first level techs are standard level, crappy, read from script, low level employees - but they have some solid techs higher up.

    But, as a company that prides itself in being FULLY managed (they'll install 3rd party scripts going the extra mile over many managed providers), how they can blame you for poor security is beyond me, unless your root pw really was pants.
    Thanks sneaksms. The root password was in no way whatsoever weak. Strong to the point of being incredibly difficult to a, remember and b, type!

  24. #24
    Join Date
    Jul 2002
    Location
    London, United Kingdom
    Posts
    4,359
    Quote Originally Posted by Jezsez View Post
    How does it sound like I let something in via a WP site?
    You said that's how you were exploited in the first post
    Rob Golding Astutium Ltd - UK based ICANN Accredited Domain Registrar - proud to accept BitCoins
    Buying Web Hosts and Domain Registrars Today @ hostacquisitions.co.uk
    UK Web Hosting | UK VPS | UK Dedicated Servers | ADSL/FTTC | Backup/DR | Cloud
    UK Colocation | Reseller Accounts | IPv6 Transit | Secondary MX | DNS | WHMCS Modules

  25. #25
    Quote Originally Posted by othellotech View Post
    You said that's how you were exploited in the first post
    No, that's what EUK Host said. A sort of belt and braces type blaming. They said root password was weak AND I was using wordpress sites. I don't actually know how I was exploited yet. Doubt I will unless they are honest and tell me. Which I don't think they will as I think they were at fault.

  26. #26
    Join Date
    Jul 2002
    Location
    London, United Kingdom
    Posts
    4,359
    Right, my misunderstanding of the initial post then

    Things we see a lot on shared-hosting are
    * attacks/attempts to use WP/TinyMCE to abuse/deface/replace sites
    * old versions of forums allowing uploads of "nasties"
    and more recently
    * a *lot* of valid logins with the client's valid (sometimes very strong) credentials, with no previous invalid logins - the hackers _knew_ the username/password - imply keylogger/virus/malware locally

    As to fault/blame in your case, all comes down to who is it that is "managing" the VPS - you or them - if it's a machine-wide issue, or who manages the site - you or a client - if a localised exploit.
    Rob Golding Astutium Ltd - UK based ICANN Accredited Domain Registrar - proud to accept BitCoins
    Buying Web Hosts and Domain Registrars Today @ hostacquisitions.co.uk
    UK Web Hosting | UK VPS | UK Dedicated Servers | ADSL/FTTC | Backup/DR | Cloud
    UK Colocation | Reseller Accounts | IPv6 Transit | Secondary MX | DNS | WHMCS Modules
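
The two log checks suggested in this thread (post #11: compare root login IPs against your own; post #26: look for valid logins with no earlier failures), written out as an added example that is not part of any poster's reply. The log lines are constructed in OpenSSH's sshd format with documentation-range IPs, and `triage_root_logins` and `known_ips` are illustrative names.

```python
import re
from collections import defaultdict

# Constructed sample lines (sshd format, documentation IP ranges); not from the thread.
SAMPLE_LOG = """\
Mar  4 09:12:01 vps sshd[2101]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Mar  4 22:40:17 vps sshd[2290]: Failed password for root from 203.0.113.77 port 41810 ssh2
Mar  4 22:40:21 vps sshd[2290]: Failed password for root from 203.0.113.77 port 41810 ssh2
Mar  4 22:40:30 vps sshd[2294]: Accepted password for root from 203.0.113.77 port 41822 ssh2
Mar  5 03:05:44 vps sshd[2410]: Accepted password for root from 198.51.100.23 port 60233 ssh2
Mar  5 03:09:02 vps sshd[2433]: Failed password for invalid user admin from 198.51.100.99 port 33100 ssh2
"""

# Matches sshd "Accepted ..." / "Failed ..." authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


def triage_root_logins(log_text, known_ips, user="root"):
    """Return successful logins for `user` from addresses not in `known_ips`.

    Each finding records how many failed attempts the same address made
    earlier in the log. Zero prior failures means the password was already
    known to whoever logged in (the pattern post #26 ties to a local
    keylogger or malware); one or more suggests guessing.
    """
    failures = defaultdict(int)  # failed attempts seen so far, per source IP
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != user:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        if ip in known_ips:
            continue  # one of the administrator's own addresses
        prior = failures[ip]
        findings.append({
            "time": m["ts"],
            "ip": ip,
            "method": m["method"],
            "prior_failures": prior,
            "verdict": "guessed-after-failures" if prior
                       else "credential-already-known",
        })
    return findings


if __name__ == "__main__":
    # 192.0.2.10 stands in for the administrator's own address (assumption).
    for f in triage_root_logins(SAMPLE_LOG, known_ips={"192.0.2.10"}):
        print(f)
```

On many distributions sshd writes to /var/log/secure or /var/log/auth.log rather than /var/log/messages, and rotated files need to be included so earlier failures are counted. If root itself may have been compromised, work from a copy of the logs taken off the machine, since an intruder with root can edit them.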

  27. #27
    Join Date
    Jul 2011
    Location
    Ireland
    Posts
    187
    It's quite easy to break in a WP site (well any site) given that you have a couple of 777 permission folders there. If you use one and the same password for your root/ftp/db/whatever else, these can be read through configuration.php and then just tried against ftp/ssh.
    I wouldn't be blaming provider to 100% even for not having several points of backup unless this is the service that you are paying for.
    So unless there are logs available to see what happened in real we can't blame one side or the other.
    www.VMotionHost.com
    Web Hosting, XenServer VPS, Dedicated Servers in Ireland
    24/7 technical support. Professional Service

  28. #28
    Update:

    This was my question to support after they restored my sites and server:

    "Thanks for sorting out the problem and getting the sites back.



    I don't understand something though. I was told that all the backups were corrupted by the hack and that you would not be able to restore any of them at all. I don't understand how you managed to restore them all in this case. Glad you did obviously, but can you explain please?"

    This was their reply:

    "Hacker had set some redirection rule for Error code 403 and changed the permission of the main root directory (/) to 100.
    We have found that in the investigation and so we have done necessary changes for the same .
    We have also done some necessary security patches to prevent this.

    If you will find any issue or malware code then please update us on the same ticket for the same.
    We shall be happy to render any further assistance or clarification that you may require.
    For further queries, please feel free to get back to us"

    No answer as to why they thought they could not restore the sites. At least I don't think there was!
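
The support reply above names two changes (a 403 redirection rule and a directory mode of 100), and post #27 mentions 777 folders; the following is an added example, not part of the thread, of an audit that looks for all three under a web root. It assumes the redirection rule was an Apache `ErrorDocument 403` line in a `.htaccess` file, which the ticket does not state; `audit_tree` and the demo tree are illustrative.

```python
import os
import re
import shutil
import stat
import tempfile

# Apache directive form: "ErrorDocument 403 <target>" (assumed rule format).
ERRORDOC_403 = re.compile(r"^\s*ErrorDocument\s+403\s+(\S.*)$", re.I | re.M)


def _check_dir(path, rel, findings):
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    # Anyone on the box can create or replace files here (e.g. mode 777).
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", rel, oct(mode)))
    # A directory its own owner cannot list and enter (e.g. mode 100) makes
    # the content underneath look deleted even though it is still on disk.
    if not (mode & stat.S_IRUSR and mode & stat.S_IXUSR):
        findings.append(("owner-locked", rel, oct(mode)))


def audit_tree(root):
    """Return (kind, relative_path, detail) tuples for a directory tree."""
    findings = []
    _check_dir(root, ".", findings)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        # Inspect children from the parent, so a directory we cannot
        # descend into is still reported.
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                _check_dir(full, os.path.relpath(full, root), findings)
        if ".htaccess" in filenames:
            rel = os.path.relpath(dirpath, root)
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                for target in ERRORDOC_403.findall(fh.read()):
                    findings.append(("403-handler", rel, target.strip()))
    return findings


def demo():
    """Build a constructed tree with all three conditions and audit it."""
    root = tempfile.mkdtemp()
    locked = os.path.join(root, "locked")
    try:
        for name, mode in (("uploads", 0o777), ("locked", 0o100)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            # Constructed sample rule; .invalid is a reserved test domain.
            fh.write("ErrorDocument 403 http://defaced.example.invalid/index.html\n"
                     "ErrorDocument 404 /404.html\n")
        return audit_tree(root)
    finally:
        if os.path.isdir(locked):
            os.chmod(locked, 0o700)  # restore so cleanup can remove it
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A 403 handler is not suspicious in itself; the point of listing them is to compare each target against what the site owner configured.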

  29. #29
    Join Date
    Apr 2010
    Posts
    65
    Quote Originally Posted by Jezsez View Post
    If you will find any issue or malware code then please update us on the same ticket for the same.
    Tell them that's their job!

    Think I got away from EUKhost at just the right time.
    www.SneakSMS.com
    Anonymous text messaging
    Send SMS messages from anybody's number

  30. #30
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by Jezsez View Post
    I am interested to know if I have been misled with the circumstances of the hack. The support people tell me that it's my fault and my problem as my root password is weak
    I'm guessing that it wasn't a password problem. There are a lot easier ways to do it if there are security holes in your system.

    No doubt, you're going to rethink your security strategy from the bottom up. That being the case, now might be a good time to post what your security strategy was before the attack so we can get an idea of how to recommend improvements. Specifically, this information will be helpful.

    • Which operating system do you run?
    • Which control panel?
    • How often do you do OS updates?
    • Which firewall do you run, if any?
    • What other security software are you running?
    • Are you running any regular server-to-server transfers with rsync?
    • Are you running webmin as root for administration?
    • Do you allow passwords for Telnet or SSH sessions?

  31. #31
    Join Date
    Apr 2010
    Posts
    65
    Quote Originally Posted by ajonate View Post
    I'm guessing that it wasn't a password problem. There are a lot easier ways to do it if there are security holes in your system.

    No doubt, you're going to rethink your security strategy from the bottom up. That being the case, now might be a good time to post what your security strategy was before the attack so we can get an idea of how to recommend improvements. Specifically, this information will be helpful.

    • Which operating system do you run?
    • Which control panel?
    • How often do you do OS updates?
    • Which firewall do you run, if any?
    • What other security software are you running?
    • Are you running any regular server-to-server transfers with rsync?
    • Are you running webmin as root for administration?
    • Do you allow passwords for Telnet or SSH sessions?
    I reckon the security strategy was relying on the FULLY MANAGED host
    www.SneakSMS.com
    Anonymous text messaging
    Send SMS messages from anybody's number

  32. #32
    Quote Originally Posted by sneaksms View Post
    I reckon the security strategy was relying on the FULLY MANAGED host
    You are correct! :-) I know nothing about most of what he asked!

    I am moving the VPS to where my other VPS is hosted. The support is better and the VPS I have there has been up and running without major issues for 2 years now. I did look at tagadab.com and I have to say that I was very tempted by them. They seem quite solid. But on contacting my other VPS host I will leave it in their capable hands, I think.

  33. #33
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by Jezsez View Post
    You are correct! :-) I know nothing about most of what he asked!

    I am moving the VPS to where my other VPS is hosted. The support is better and the VPS I have there has been up and running without major issues for 2 years now. I did look at tagadab.com and I have to say that I was very tempted by them. They seem quite solid. But on contacting my other VPS host I will leave it in their capable hands, I think.
    What reason do you have to believe that your security situation will improve at your new VPS host?

  34. #34
    Quote Originally Posted by ajonate View Post
    What reason do you have to believe that your security situation will improve at your new VPS host?
    I don't necessarily. The support is better and they seem to know what they are talking about without giving ******** or fobbing me off if it goes wrong. They have certainly never told me anything like all my sites were irreparably corrupted and could never be recovered and then 10 hours later they all come back!

    Security has never been an issue with the other VPS host so I am hoping that will continue.

  35. #35
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by Jezsez View Post
    Security has never been an issue with the other VPS host so I am hoping that will continue.
    You got hacked. That's a security issue.

  36. #36
    Quote Originally Posted by ajonate View Post
    You got hacked. That's a security issue.
    I don't get what point you are trying to make.

    I am moving from the host that I got hacked with to the one that I haven't been hacked with (yet). I realise that I run the risk of getting hacked anywhere but the support that I received after being hacked was less than good.

  37. #37
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by Jezsez View Post
    I don't get what point you are trying to make.

    I am moving from the host that I got hacked with to the one that I haven't been hacked with (yet). I realise that I run the risk of getting hacked anywhere but the support that I received after being hacked was less than good.
    The point is simple; if you continue to rely on others for server security you will continue to be disappointed. The old saying that if you want something done right you need to do it yourself has never been more true than with server operation.

    This board has some of the best minds in the business willing to provide advice on how to manage your own VPS. I suggest that if you are willing to roll up your sleeves and accept that advice that you will be a lot better off in the long run.

  38. #38
    Quote Originally Posted by ajonate View Post
    The point is simple; if you continue to rely on others for server security you will continue to be disappointed. The old saying that if you want something done right you need to do it yourself has never been more true than with server operation.

    This board has some of the best minds in the business willing to provide advice on how to manage your own VPS. I suggest that if you are willing to roll up your sleeves and accept that advice that you will be a lot better off in the long run.
    It's something that I know nothing at all about. Not even where to start. The only reason that I took on a VPS in the first place was that one of my sites got too large for the hosting that it was on and the move was suggested by the host. You are probably right though - as with everything, it's always all about doing it for yourself. Can you point me in the right direction to start? How do I know what's already installed? If anything?

  39. #39
    Join Date
    Jun 2001
    Location
    Cheltenham
    Posts
    2,617
    Doesn't seem quite right that a hacker could access their backups from your server unless the two were linked in some way.

    Any word from euk?

  40. #40
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by Jezsez View Post
    It's something that I know nothing at all about. Not even where to start. The only reason that I took on a VPS in the first place was that one of my sites got too large for the hosting that it was on and the move was suggested by the host. You are probably right though - as with everything, it's always all about doing it for yourself. Can you point me in the right direction to start? How do I know what's already installed? If anything?
    This is a VPS setup guide. It's geared towards running a hosting business with Kloxo, but you can just skip those parts.

    http://entomy.com/VPS-Server-Configuration-Guide.pdf
