SITE5 - Hacked or server issues?

#1
04-05-2006, 07:43 AM
mondala
Newbie
 
Join Date: Apr 2004
Posts: 25

SITE5 - Hacked or server issues?


I am hoping that someone can give me a better diagnosis than Site5 has. I am not experienced enough to know what happened but I know that it was beyond my control.

Summary:
-I had 10 or so sites with my Site5 reseller account.
-2 weeks ago I switched two more of my sites to Site5.
-Awstats was not working after one week due to the config file not being setup yet.
-Contacted Site5 and they reset the config file. Awstats started working, all was fine.
-4 days later, one of those sites went down completely. Then the other.
-I could not login to my WHM as it would not accept my password?
-Site5 told me they would not touch anything and that I did it. I let them know I have not done anything and please let me into my WHM.
-At this time, all my sites have become deleted, suspended, or just the data all missing.
-They reset my password and I notice a new IP address??
-I log into WHM on the old IP, and the new IP and all I see is some of my sites, not all of them, deleted or suspended, I see Vietnamese email addresses, and a domain name in WHM that I have never even seen before that leads to some Vietnamese music site?
-I contacted them again and let them know that something has happened and explained things. They again reply that they did not do anything unless I asked.
-I replied again letting them know that I guarantee them that this is not my doing and asked them, Why was WHM password not working? Why is the IP address changed? What are these Vietnamese emails doing as contacts of my domains in my WHM, and what is this domain name that is not mine? Where are my other domains that are now missing and the data of all my sites? I need it all back.
-They still tell me they have no problems on their end.


Can someone here please help me, I'm not sure why Site5 thinks this is my doing. Is there anything here that clearly hints that there is an issue beyond my control? How can a WHM password be changed on me? Where did these sites come from, where did mine go? I need my data restored and Site5 seems to think nothing is wrong.

Any ideas would be most appreciated, thanks much.

#2
04-05-2006, 08:29 AM
Yapluka
Aspiring Evangelist
 
Join Date: Aug 2004
Location: France
Posts: 401
Nobody here can help but Site5, I'm afraid.
It looks like your account was somehow hijacked (password too easy? or already used on some other places?).
I assume you could ask Site5 to have a look at the cPanel logs and find the IP the changes were made from.
Also maybe they can restore some backups for you?

Anyway, you need to work with them on that one. Good luck!

__________________
Marie - Co-Owner
Need Further Assistance ? Here you go !
English, french and spanish support
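
Added example (not part of the original posts): the kind of log review Yapluka suggests, grouping one account's successful authenticated requests by source IP and listing addresses first seen after a cutoff. The Apache-style combined log layout, the user name `reseller1`, the `/panel/...` paths and the sample lines are all constructed assumptions, not Site5 or cPanel data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: Apache-style combined log with the authenticated user in field 3.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) \S+[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: documentation IP ranges, hypothetical user and paths.
SAMPLE_LOG = """\
192.0.2.10 - reseller1 [20/Mar/2006:09:12:44 -0500] "GET /panel/home HTTP/1.1" 200 5120
192.0.2.10 - reseller1 [28/Mar/2006:18:03:10 -0500] "POST /panel/addpkg HTTP/1.1" 200 811
203.0.113.77 - - [01/Apr/2006:02:14:09 -0500] "GET /panel/home HTTP/1.1" 401 210
203.0.113.77 - reseller1 [01/Apr/2006:02:14:31 -0500] "GET /panel/home HTTP/1.1" 200 5120
203.0.113.77 - reseller1 [01/Apr/2006:02:16:02 -0500] "POST /panel/passwd HTTP/1.1" 200 640
203.0.113.77 - reseller1 [01/Apr/2006:02:19:47 -0500] "POST /panel/removeacct HTTP/1.1" 200 702
192.0.2.10 - otheruser [01/Apr/2006:08:00:00 -0500] "GET /panel/home HTTP/1.1" 200 5120
"""


def activity_by_ip(log_text, user):
    """Summarise successful (2xx/3xx) requests authenticated as `user`, per source IP."""
    summary = defaultdict(lambda: {"first": None, "last": None, "requests": 0, "posts": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["user"] != user or not m["status"].startswith(("2", "3")):
            continue  # unparsable line, another user, or a failed request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = summary[m["ip"]]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["requests"] += 1
        s["posts"] += m["method"] == "POST"  # POSTs are where changes are made
    return dict(summary)


def first_seen_after(summary, cutoff):
    """IPs with no successful activity for this user before `cutoff`."""
    return sorted(ip for ip, s in summary.items() if s["first"] >= cutoff)


if __name__ == "__main__":
    report = activity_by_ip(SAMPLE_LOG, "reseller1")
    for ip, s in sorted(report.items()):
        print(ip, s["first"].isoformat(), s["last"].isoformat(), s["requests"], s["posts"])
    print("new since cutoff:", first_seen_after(report, datetime(2006, 3, 31, tzinfo=timezone.utc)))
```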

#3
04-05-2006, 08:47 AM
mondala
Newbie
 
Join Date: Apr 2004
Posts: 25
Thank you. It does appear that the account was hijacked. The password was not easy, 12 characters, upper and lowercase and alphanumeric, the password itself and my local machine are secure.

The last IP address to the account was an Asian IP address and would probably explain how the Vietnamese websites and email addresses got in there.

I have asked Site5 to restore the backups but for some reason they are not responding.

Any idea why a host would change the IP address of my WHM? (I can log into my WHM at two different IP addresses.) What does this mean? Sounds like they have switched servers and mixed something up.

#4
04-05-2006, 10:56 AM
Yapluka
Aspiring Evangelist
 
Join Date: Aug 2004
Location: France
Posts: 401
Quote:
Originally Posted by mondala
Any idea why a host would change the IP address of my WHM? (I can log into my WHM at two different IP addresses.) What does this mean? Sounds like they have switched servers and mixed something up.
If your WHM is the same when accessed with both IPs, this is nothing but normal: WHM / cPanel can be accessed via all the IPs routed to the server.
If your WHM is not the same, this means your account has been moved to another server.

As for your password, is it written in plain text in some script config file like automated account creation or so?
You could also have a look at your domlogs and look for any "strange" entries.

__________________
Marie - Co-Owner
Need Further Assistance ? Here you go !
English, french and spanish support

#5
04-05-2006, 11:21 AM
OnlyMP
Newbie
 
Join Date: Mar 2006
Posts: 24
Which Vietnamese sites here? Would you please give me some names?

#6
04-05-2006, 11:55 AM
Juanzo
Junior Guru
 
Join Date: Mar 2005
Location: Argentina
Posts: 195
You can always check here if it's a server issue or else. Wait to see what they reply.

__________________
Duplika → Leaders in Hosting in Argentina
Trusted by more than 4000 customers since 2005

#7
04-05-2006, 11:55 AM
mondala
Newbie
 
Join Date: Apr 2004
Posts: 25
vuivui.info ?

#8
04-05-2006, 12:02 PM
alpha
Web Hosting Master
 
Join Date: Dec 2000
Location: East Coast
Posts: 1,732
Quote:
Originally Posted by mondala
Any idea why a host would change the IP address of my WHM? (I can log into my WHM at two different IP addresses.) What does this mean? Sounds like they have switched servers and mixed something up.
A single server's WHM can be accessed by ALL secondary IP addresses of the server and not just the IP address assigned to your domain. So for example, if you were assigned 123.123.123.123 as your domain IP, you can use this to log into your WHM as well as 123.123.123.124 (assuming this IP address is also for the same server). The only thing that is allowing you to log into your own account is the unique username and password combination.

From my point of view, Site5 could not have done anything to prevent this issue assuming that you are the only one who was affected on this server. Of course, if other resellers were affected then we may point a finger at an insecure server but I doubt this very much.

Either you had a password that was easily brute-forced or they might have used an insecure script you are hosting on your account that uses the same password as a database password or perhaps has the WHM access hash stored in some file to exploit your account.

Either way, make sure you are 1) using at least an 8-character password with letters, numbers, and capitals 2) go through your accounts and make sure they are all running the latest whatever scripts they are running.

Good luck.

__________________
██ John Han @ atomicVPS LTD
██ · OnApp Powered Linux & Windows Cloud Hosting [Shared] [Reseller] [VPS]
██ · Featuring the atomicSTACK™ engineered for Speed, Performance, and Stability
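
Added example (not part of the original posts): a check for the risk raised in posts #4 and #8, a panel password reused or stored in plain text inside hosted scripts. It walks an account's files and reports where a given secret appears and whether that file is world-readable, without echoing the secret; the file names and the secret in `demo()` are constructed.

```python
import os
import stat
import tempfile

MAX_BYTES = 2 * 1024 * 1024  # skip large files such as archives and media


def find_secret_copies(root, secret):
    """Return sorted (relative path, line number, world_readable) for each line holding `secret`."""
    needle = secret.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:  # bytes: works on any encoding
                    data = fh.read()
            except OSError:
                continue  # unreadable file, nothing to report
            world_readable = bool(st.st_mode & stat.S_IROTH)
            for lineno, line in enumerate(data.splitlines(), 1):
                if needle in line:
                    hits.append((os.path.relpath(path, root), lineno, world_readable))
    return sorted(hits)


def demo():
    """Build a constructed account tree and scan it for a constructed secret."""
    secret = "Constructed-Pass-123"
    samples = {
        "shop/config.php": ("<?php\n$db_pass = '%s';\n" % secret, 0o644),
        "tools/create_account.pl": ("my $user = 'reseller1';\nmy $pass = '%s';\n" % secret, 0o600),
        "index.html": ("<h1>hello</h1>\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return find_secret_copies(root, secret)


if __name__ == "__main__":
    for rel, lineno, world_readable in demo():
        print(f"{rel}:{lineno} world-readable={world_readable}")
```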

#9
04-05-2006, 12:15 PM
mondala
Newbie
 
Join Date: Apr 2004
Posts: 25
Thanks for the insight Alpha.
I think the server was insecure and maybe that is why I now have a new IP address which I only learned of when they reset my password. I can still log into my WHM on two different IP addresses which seems odd. Does this not mean that they moved all resellers from the old IP to this new one? (for reasons they have not informed me of.)

Nonetheless, I guess my concern with Site5 is that
1. they investigate and explain things so I know what happened
2. they restore backups

No response from them for 16 hours. Some support that is.

#10
04-05-2006, 08:27 PM
mondala
Newbie

Join Date: Apr 2004
Posts: 25

Site5 has not responded to me in the last 24 hours. I have sent them 5 emails in those last 24 hours, not a single response. Their support turnaround time via email is supposed to be 24 minutes according to their live ticket status system and I have not had a response in 24 hours!

Wow, I could almost cry. I need my sites back up and running and to know what happened and what I need to do. I haven't slept for two days... not sure what to do now. Perhaps these hackers still have access to all my accounts and all my data? I have no idea.

#11
04-07-2006, 12:33 AM
htb
Web Development
 
Join Date: Nov 2003
Location: USA
Posts: 613
Quote:
Originally Posted by mondala
Site5 has not responded to me in the last 24 hours. I have sent them 5 emails in those last 24 hours, not a single response. Their support turnaround time via email is supposed to be 24 minutes according to their live ticket status system and I have not had a response in 24 hours!

Wow, I could almost cry. I need my sites back up and running and to know what happened and what I need to do. I haven't slept for two days... not sure what to do now. Perhaps these hackers still have access to all my accounts and all my data? I have no idea.
Watch out with him it happened to be also you we need to talk to site5 because they need to do some update on their server.

__________________
Host The Best - sales (at) hostthebest.com
Web Development | WHMCS Addons / Modules

#12
04-07-2006, 05:37 PM
bro15360
New Member
 
Join Date: Apr 2006
Posts: 4
Same thing happened to me Mondala. It's not pretty and Site5 has been anything but helpful. They're saying that my site was hacked but they don't have any proof. My IP didn't change but there's something fishy going on up there.

Quote:
Originally Posted by mondala
Site5 has not responded to me in the last 24 hours. I have sent them 5 emails in those last 24 hours, not a single response. Their support turnaround time via email is supposed to be 24 minutes according to their live ticket status system and I have not had a response in 24 hours!

Wow, I could almost cry. I need my sites back up and running and to know what happened and what I need to do. I haven't slept for two days... not sure what to do now. Perhaps these hackers still have access to all my accounts and all my data? I have no idea.

#13
04-07-2006, 06:22 PM
Website Rob
learning is in the doing
 
Join Date: Sep 2000
Location: Alberta, Canada
Posts: 3,109
Mondala, although it does sound like your account was hacked, a couple of questions for clarification.

What makes you think you were given a new IP?
Do you have Personalized Nameservers?
Have you done a reverse lookup on the IPs you were assigned?

Seems really odd that backups cannot be provided to you, although, not sure what Site5's policy is on backups.

__________________
PotentProducts.com - for all your Hosting needs
Helping people Host, Create and Maintain their Web Site
ServerAdmin Services also available

#14
04-07-2006, 06:42 PM
azimpact
WHT Addict
 
Join Date: Feb 2005
Posts: 121
Site 5 is also running open DNS servers.

Or at least on one of the last few remaining sites I have on there.

Running a DNS report shows open DNS because the server is allowing recursive lookups, (might explain the constant server load issue).

You would be wise to move to another host. Site5 is imploding from within and it is not pretty.

I only have two low usage sites left with them and am having issues with both of them now. It's been 3 hours since I submitted a ticket for a site that is dead but I guess their claim of average 25 minutes on the support page actually is a typo!

Sorry, I've completely had it with Shi*5.com and am telling the last two clients with them that if they don't let me move to a new host, they are on their own. I want nothing to do with Site5 anymore and actually hope they pull my glowing testimonial from their site that I wrote 2 years ago.

#15
04-07-2006, 07:10 PM
mondala
Newbie
 
Join Date: Apr 2004
Posts: 25
bro15360: There definitely is something fishy with them... I hope you didn't lose any data or that your information was compromised. It is so frustrating.

Website Rob: It does sound like a hack but it was so odd at the same time. It just does not seem typical that a hacker would add a site, add their emails and also under one of my accounts there was even some kind of database loaded for some legitimate public Spanish website.
Backups of 5 accounts were provided but they said the others were gone.
I did have private name servers if that is what you are asking.
The new IP idea is not proved, I'm not that experienced with how things work... all I know is that I used to log into 66.xx......./whm then after they reset my password because I was locked out, my reset email gave me a new IP address for my WHM, 216.xx........./whm
I have confirmed though that both IPs do go to the same active WHM for my account. Not sure what that means? Might be normal, they just change which one was a primary IP?

azimpact: Sorry to hear about your troubles. It seems that if you have been with them for sometime and they are now failing you then this is not a good sign for site5.



In the end, myself, I am put back about 6 months of work lost. Partly my own fault for not having good backups.
My biggest issue as I've mentioned already is that Site5 was not very responsive or helpful.
I think they have a lot of potential... they seem to be working on some great things and have some great ideas but perhaps they are delegating too many resources to their plans and growth vs taking care of what they already have.
They should slow down before it all backfires on them in my opinion.
