  1. #1

    Hacked 3 times in 2 days

    I'm pulling my hair out. I've been hacked three times within the last two days, and across two different companies.

    In both cases a hacker created email accounts (through cpanel?) and then sent out spam through the webmail system. I don't see on the log where they accessed the cpanel, so I'm thinking they may have done it on another day, or they may have done it using some remote script.

    Here's what the log looks like.

    Code:
    83.138.172.72 - - [06/Feb/2008:04:52:56 -0600] "GET /webmail HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    82.128.5.177 - - [06/Feb/2008:05:52:14 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Crazy Browser 2.0.1)"
    82.128.34.128 - - [06/Feb/2008:06:10:24 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.230 - - [06/Feb/2008:06:12:18 -0600] "GET /webmail HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    82.128.34.128 - - [06/Feb/2008:06:24:53 -0600] "GET /webmail HTTP/1.1" 301 5 "http://www.ambrowser-search.com/search?p=Q&ts=v7&w=leburgess%2ecom%2fwebmail" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:29:59 -0600] "GET / HTTP/1.0" 200 2161 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:04 -0600] "GET /style.css HTTP/1.0" 200 2798 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:10 -0600] "GET /images/marb009.jpg HTTP/1.0" 200 4222 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:10 -0600] "GET /images/header.gif HTTP/1.0" 200 5840 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:10 -0600] "GET /images/remodelors.gif HTTP/1.0" 200 1876 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:10 -0600] "GET /images/sidebkg.gif HTTP/1.0" 200 341 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:11 -0600] "GET /images/button-bg.gif HTTP/1.0" 200 950 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:11 -0600] "GET /pictures/ HTTP/1.0" 200 1593 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:11 -0600] "GET /images/bia.gif HTTP/1.0" 200 1684 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:11 -0600] "GET /pictures/home.jpg HTTP/1.0" 200 25080 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    212.100.250.214 - - [06/Feb/2008:06:30:12 -0600] "GET /images/bottom-bg.gif HTTP/1.0" 200 820 "http://leburgess.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    203.55.231.100 - - [06/Feb/2008:06:41:39 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
    82.128.34.128 - - [06/Feb/2008:06:52:56 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    82.128.34.128 - - [06/Feb/2008:07:07:20 -0600] "GET /wemail HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    82.128.34.128 - - [06/Feb/2008:07:08:42 -0600] "GET /wemail HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    82.128.34.128 - - [06/Feb/2008:07:09:16 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    82.128.33.65 - - [06/Feb/2008:07:52:53 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
    82.128.34.128 - - [06/Feb/2008:08:00:35 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 3.0.0 Beta2)"
    203.55.231.100 - - [06/Feb/2008:09:09:10 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
    82.128.9.7 - - [06/Feb/2008:09:25:30 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
    74.6.19.112 - - [06/Feb/2008:11:20:24 -0600] "GET /robots.txt HTTP/1.0" 302 290 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
    74.6.28.26 - - [06/Feb/2008:11:20:25 -0600] "GET /gallery.html HTTP/1.0" 302 290 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
    207.58.145.198 - - [06/Feb/2008:11:55:20 -0600] "GET / HTTP/1.0" 302 290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
    24.20.234.114 - - [06/Feb/2008:11:56:54 -0600] "GET / HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SU 3.011; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 3.1; FDM; .NET CLR 2.0.50727)"
    24.20.234.114 - - [06/Feb/2008:13:12:43 -0600] "GET /cpanel/ HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SU 3.011; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 3.1; FDM; .NET CLR 2.0.50727)"

    I thought someone had got my master password, since it happened on two different hosts (I have a resellerzoom and a hostforweb). I changed all of my passwords, but it looks like I've been compromised again.

    The one on hostforweb was leburgess.com, which is one of my clients' sites. The one on resellerzoom, which is suspended again today, is eBeaverton.com.

    I haven't had a chance to look at the server log for eBeaverton yet as they haven't responded back. I really have a hard time with a company with a phone number for sales, but not for support. I understand it, but in emergencies like this it is less than comforting.

    I run ZoneAlarm security suite on my computer, so I was pretty sure I didn't have some kind of keylogger on my system. Also, I have a hardware firewall.

    That said, I'm open to the idea of it.

    Can anyone give me some ideas about how this may have happened, and what I need to do to protect myself better?
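    An added example (not from the original post) of the triage a hosting admin would run over access-log lines like the ones quoted above: it parses the Apache combined log format and groups hits on the /webmail and /cpanel entry points by client IP, so repeat visitors stand out for comparison against the times the mail accounts were created. The sample lines are constructed in the same format, not the poster's log, and the sensitive-path list is an assumption.

    ```python
    import re
    from collections import defaultdict

    # Apache/cPanel combined-log line format (same layout as the lines quoted in the post).
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
        r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
    )

    # Assumed list of paths whose hits an admin wants grouped by client IP.
    SENSITIVE_PREFIXES = ("/webmail", "/cpanel", "/whm")

    # Constructed sample lines in the thread's log format (not the original file).
    SAMPLE_LOG = """\
    203.0.113.5 - - [06/Feb/2008:04:52:56 -0600] "GET /webmail HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
    203.0.113.5 - - [06/Feb/2008:05:10:24 -0600] "GET /webmail HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
    203.0.113.5 - - [06/Feb/2008:07:07:20 -0600] "GET /wemail HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
    198.51.100.7 - - [06/Feb/2008:06:29:59 -0600] "GET / HTTP/1.0" 200 2161 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
    198.51.100.7 - - [06/Feb/2008:13:12:43 -0600] "GET /cpanel/ HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
    192.0.2.9 - - [06/Feb/2008:11:20:24 -0600] "GET /robots.txt HTTP/1.0" 302 290 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
    """

    def parse_line(line):
        """Return a dict of fields for one combined-log line, or None if it does not parse."""
        m = LOG_RE.match(line.strip())
        return m.groupdict() if m else None

    def sensitive_hits(log_text):
        """Group hits on sensitive paths by client IP: {ip: [(timestamp, path, status), ...]}."""
        hits = defaultdict(list)
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue  # skip malformed lines rather than abort the whole scan
            if rec["path"].startswith(SENSITIVE_PREFIXES):
                hits[rec["ip"]].append((rec["ts"], rec["path"], int(rec["status"])))
        return dict(hits)

    def report(log_text):
        """One summary line per IP, most active first, so repeat visitors stand out."""
        hits = sensitive_hits(log_text)
        lines = []
        for ip, events in sorted(hits.items(), key=lambda kv: -len(kv[1])):
            paths = sorted({p for _, p, _ in events})
            lines.append(f"{ip}: {len(events)} hit(s) on {', '.join(paths)}; first {events[0][0]}")
        return lines

    if __name__ == "__main__":
        for line in report(SAMPLE_LOG):
            print(line)
    ```

    On a real server, feed it the domain's access log for the days around the account creation and compare the timestamps with the email account creation times shown in cPanel.
    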

  2. #2
    Join Date
    Aug 2007
    Location
    Greece
    Posts
    390
    Are the mail accounts created (can you see them in Cpanel), or is the hacker exploiting a form that you have in your site?
    NOT a webhost!helping here just for the fun of it!
    G(r)eek inside.

  3. #3
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,967
    Things you can check:

    1. Change your password of your email address where you are receiving your password credentials.
    2. Change your cpanel password and all email addresses password for the said domain.
    3. Update all your scripts you are using.
    4. Secure files and folders permission in your site.
    5. If you own the server, check for trojans, secure every piece of software, etc...
    6. Check for users without password, with root permission, etc....

    and Yes, there are so many things to do :-) but those are some of the tips.


    Net
    Specially 4 You
    .
    JoneSolutions.Com ( Jones.Solutions ) is on the net 24/7 providing stable and reliable web hosting solutions and services since 2001

  4. #4
    Quote Originally Posted by tix3 View Post
    are the mail account created (can you see them in Cpanel) or is the hacker exploiting a form that you have in your site?
    I think they're actual accounts being created. On eBeaverton they had removed the accounts; on leburgess I found them still intact and I was able to go in through SquirrelMail and see the sent messages.

  5. #5
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    Quote Originally Posted by Justinfm View Post
    I'm pulling my hair out. I've been hacked three times within the last two days, and across two different companies.

    ...

    Can anyone give me some ideas about how this may have happened, and what I need to do to protect myself better.
    You probably created an account for them, or they've found a vulnerability in your system. Either way, you might consider hiring a competent consultant to help you before you get hacked the fourth time or that will at least be monitoring for how the fourth hack occurs.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  6. #6
    Quote Originally Posted by bitserve View Post
    You probably created an account for them, or they've found a vulnerability in your system. Either way, you might consider hiring a competent consultant to help you before you get hacked the fourth time or that will at least be monitoring for how the fourth hack occurs.
    I was thinking about this, I wasn't sure the costs involved or where to look. Any suggestions would be welcome.

  7. #7
    Join Date
    Dec 2002
    Location
    Jackson, MI
    Posts
    1,526
    I think it's probably on your formmails, but not sure as I could not exploit it to email myself, but I am not versed in exploiting them, so I would not really know.

  8. #8
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    http://www.webhostingtalk.com/wiki/C...ver_management

    You want an admin with some information security experience, especially incident response.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  9. #9
    Join Date
    Feb 2006
    Posts
    466
    Hi !

    I would like to let you know I am having the exact same problem !! Hackers gain access to my Cpanel accounts and then they create email accounts and send Nigeria Connection emails !!

    Did you find out how they do it ??

  10. #10
    There was a serious bug with webmail in cpanel last week or so.
    Make sure that you're running latest stable release.
    PremiumReseller.com Hyper-V SSD VPS USA London Singapore
    Reseller Hosting Cpanel PURE SSD CloudLinux Softaculous
    Windows Reseller Asp.NET 4.5 MSSQL 2012 SmarterMail Enterprise
