Thread: well, it's over

  1. #1

    well, it's over

    hey

    I get home today to find my server has been hacked and all accounts terminated. What's the next step now?

    regards,

    jordan

  2. #2
    Sorry to hear about that. The only thing you could do is to order an OS Reload so that you get a fresh server, then secure the server before restoring all your clients' data back to the server and continue from there.

    Make sure that you change the root password and ensure that there is no backdoor to your server.

  3. #3
    I can't get to the server as of yet. I'm with EV1; would you recommend anywhere else or is this a safe bet?

  4. #4
    I would probably order a whole new box as EV1 has instant setup anyway. Just cancel this box first. As for the accounts, THIS is exactly why I love backups. They seem unnecessary at first, but once something like this happens they are a life saver.

    Cheers

  5. #5
    Well, I'm OK as of backups, I have all my sites OK, but in my terms of service and disclaimer it is clearly stated that users have to make their own backups and we take no responsibility. Although, when I get back on my feet I'm definitely going to start doing them for clients.

  6. #6
    If you're gonna use EV1, be sure you have your server hardened by a pro. rack911.com does a great job and so does fastservermanagement.com

    Well worth the minimal cost.

  7. #7
    This must have been some serious noob hacker, or somebody who managed to guess/get the password. We have his IP and have matched it with all the commands run through cPanel...

    ***.***.***.*** - root [03/May/2005:18:45:54 +0000] "POST /scripts2/domultikill HTTP/1.1" 0 "http://www.glookifree.com:2086/scripts2/multikilllist" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

    plus the logs of when he was in / out of SSH. We have tracked the IP down to a specific ISP and contacted their abuse department.

    Anyone have any ideas what we should do next?

    Regards,

    jordan
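
Added example, not part of the original post and not cPanel's own tooling: a small Python parser for access-log lines in the layout quoted above, which groups `root` requests by source IP and lists hits on the two `/scripts2/` paths that appear in the post. The sample lines, IP addresses and the `known_admin_ips` parameter are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of the line quoted in the post:
# ip - user [time] "METHOD path PROTO" number "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Only the two paths visible in the post; extend the set for your own install.
WATCHED_PATHS = {"/scripts2/domultikill", "/scripts2/multikilllist"}

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec

def summarize(lines, known_admin_ips=frozenset()):
    """Per unfamiliar source IP: root activity window and watched requests."""
    report = defaultdict(lambda: {"first": None, "last": None, "hits": []})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count lines that did not parse; gaps matter too
            continue
        if rec["user"] != "root" or rec["ip"] in known_admin_ips:
            continue
        entry = report[rec["ip"]]
        entry["first"] = min(entry["first"] or rec["ts"], rec["ts"])
        entry["last"] = max(entry["last"] or rec["ts"], rec["ts"])
        if rec["path"] in WATCHED_PATHS:
            entry["hits"].append((rec["ts"].isoformat(), rec["method"], rec["path"]))
    return dict(report), unparsed

# Constructed sample lines (documentation-range IPs, not from the thread).
SAMPLE = '''\
198.51.100.7 - root [03/May/2005:09:12:01 +0000] "GET / HTTP/1.1" 0 "-" "Mozilla/4.0"
203.0.113.50 - root [03/May/2005:18:44:10 +0000] "GET /scripts2/multikilllist HTTP/1.1" 0 "-" "Mozilla/4.0"
203.0.113.50 - root [03/May/2005:18:45:54 +0000] "POST /scripts2/domultikill HTTP/1.1" 0 "http://host.example:2086/scripts2/multikilllist" "Mozilla/4.0"
truncated line without the expected fields
'''.splitlines()
```

Calling `summarize(SAMPLE, known_admin_ips={"198.51.100.7"})` leaves only the unfamiliar address, with its first and last `root` request times and the watched requests in order, which can then be lined up against the SSH login records.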

  8. #8
    Take legal action

  9. #9
    Seeing as all the accounts were deleted, I was wondering if UNIX is like Windows. Are the files marked as free and set to available for writing over? If so, are any files recoverable?

  10. #10
    I assume he got root.

    Which means he can do anything he wanted.


    Clint

  11. #11
    It's a lesson learned - don't even accept customers before you have a viable contingency plan. It is catastrophic to a hosting company to lose customer data... as the host you're expected to protect their data from loss.

    Have the server reloaded by EV1 first, then have someone harden the server for you. Keep in mind passwords that are easily guessed may as well not be passwords at all. Then, restore your customer accounts and email them to apologize.

    Once you've taken care of your customers, you should definitely look into a backup solution that's off-server. You have to operate on the assumption that even if you lose the entire server (meteor strike, nuclear blast, EMP bomb, space aliens), you will have recourse.

  12. #12

    Anyone have any ideas what we should do next?

    Regards,

    jordan
    Invest in a gun and shoot their *** off, then hit yourself on the head with it for not making backups of customer sites!

  13. #13
    Actually from the original poster's signature, it appears that he is offering free hosting so if it is free, the customers cannot really insist on anything because you get what you paid for.

    Even without backup, all you need to do, if it is still a worthwhile business, is start fresh with a new machine and make sure the machine is secured and monitored for any vulnerability and access. Shut off whatever services you do not need and keep it as lean as possible.

  14. #14
    Get a lawyer. Have a subpoena sent to the ISP to have his information released. Pursue criminal charges. Hacking in some cases is a 3rd degree felony.

  15. #15
    The site in the signature is not up; I run glookihost.com, which is paid hosting.

    Thanks to all for the advice...
