  1. #1
    Join Date
    Dec 2006
    Posts
    51

    Hacker Attack on <my reseller accounts>

    I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts. I have contacted Innohosting and hopefully will get an explanation soon.

    But as this is very serious, I want to put it out on this forum also.

    At first I thought they must have cracked my FTP access, but they have got into several sites on both reseller accounts so they must have gained access to the server itself, I suspect.

    Any ideas on how to stop these lowlifes striking again would be appreciated.
    The Site Managers
    Premium web hosting services;
    Website design that's designed to SELL

  2. #2
    Quote Originally Posted by plainwords View Post
    I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts.
    Are your two reseller accounts hosted on one server or different servers?
    Do your websites use a similar script?
    Usually a website is hacked when there's an insecure script used on that site.
    cPanel servers have Brute Force Protection so a scan attack should be stopped after 5 failed attempts.
    PremiumReseller.com Hyper-V SSD VPS USA London Singapore
    Reseller Hosting Cpanel PURE SSD CloudLinux Softaculous
    Windows Reseller Asp.NET 4.5 MSSQL 2012 SmarterMail Enterprise

  3. #3
    Join Date
    Dec 2006
    Posts
    51
    The reseller accounts are on two different servers. It is only the front pages that have been hacked and a whole list of links to porn sites has been added with hidden code, so you can only see it when you view the source. Nothing else has been touched.

    One is a straight html site with no scripts at all on it. The others have shopping carts.

  4. #4
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,953
    Quote Originally Posted by plainwords View Post
    a whole list of links to porn sites has been added with hidden code, so you can only see it when you view the source.
    Subtle. How did you discover this?
    Having problems, or maybe questions about WHT? Head over to the help desk!

  5. #5
    Join Date
    Dec 2006
    Posts
    51
    I discovered it because on one of the sites, the content on the home page also disappeared. Then I checked other sites and also found the code on them.

  6. #6
    Join Date
    Feb 2008
    Posts
    38
    Maybe a dumb question. Do you have a shared hosting reseller account or a VPS? What CP do you use?
    Smart Power Asia - Electronics - Mobile Electronics Store. Sell i-mobile, Oppo, Samsung. Worldwide shipping.

  7. #7
    Join Date
    Dec 2006
    Posts
    51
    It's a shared reseller with Innohosting and uses cPanel

  8. #8
    Join Date
    Feb 2008
    Posts
    38
    I think it is unlikely that cPanel has been hacked. So, I think your account has been compromised.
    I suppose you have already changed all account passwords and revised your web sites' files to find any overpatching in your scripts and find any unwanted files, did you?
    In addition, it won't be needless to check up your workstation for any worms and viruses.

  9. #9
    Join Date
    Feb 2004
    Location
    New Zealand
    Posts
    1,202
    Reality;

    Your server has been hacked via an insecure daemon/application and/or the PHP scripts running on the box are insecure, allowing an attacker to run an RFI exploit gaining access to a local user, then running a local exploit/vuln to gain root axx.

    Attacker has then modified httpd.conf to point to new index page with iframe vuln/exploit - further infecting more web visitors with malware/UD code.

    TBH; It's not worth posting it here, it's only going to make the situation worse. All companies get a security breach at some point in time, however when and how is the question.

    Scan all data including your own box with multiple AV's, also if you get some suspicious EXE's running on your workstation/home computer, put them through anubis - http://analysis.seclab.tuwien.ac.at/

    Good luck

    Best Regards,
    Logan Douglas
    DigitalGoods.info
    FREE Shared, Mega Resellers + Dedicated Servers

  10. #10
    Join Date
    Sep 2003
    Posts
    3,854
    Quote Originally Posted by plainwords View Post
    I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts. I have contacted Innohosting and hopefully will get an explanation soon.

    But as this is very serious, I want to put it out on this forum also.

    At first I thought they must have cracked my FTP access, but they have got into several sites on both reseller accounts so they must have gained access to the server itself, I suspect.

    Any ideas on how to stop these lowlifes striking again would be appreciated.
    I absolutely see no reason why you found it necessary to post it here. You have done us no favours and done yourself no favours either.

    Quote Originally Posted by LoganNZ View Post
    Reality;

    Your server has been hacked via an insecure daemon/application and/or the PHP scripts running on the box are insecure, allowing an attacker to run an RFI exploit gaining access to a local user, then running a local exploit/vuln to gain root axx.

    Attacker has then modified httpd.conf to point to new index page with iframe vuln/exploit - further infecting more web visitors with malware/UD code.

    TBH; It's not worth posting it here, it's only going to make the situation worse. All companies get a security breach at some point in time, however when and how is the question.

    Scan all data including your own box with multiple AV's, also if you get some suspicious EXE's running on your workstation/home computer, put them through anubis - http://analysis.seclab.tuwien.ac.at/

    Good luck

    Best Regards,
    Logan Douglas
    That is not what happened. Logs show the alterations were uploaded via FTP to the user's account.
    InnoHosting, Performance Web Hosting || US: 1-888-522-INNO UK: 0800 612 8075
    Web Hosting - Virtual Servers - Managed Servers - Application Hosting
    Reseller Hosting with WHMCS & Preloaded KB | SSL | activGuard | End User Support
    LiteSpeed / CloudLinux / Idera Backups / True 24x7 Support / 10+ Years in Business
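
Added example (not part of any post in this thread, and not InnoHosting's tooling): one way to confirm from transfer logs that front pages were replaced over FTP, as reported above. It assumes the FTP daemon writes the standard xferlog format; the sample records, user names and the `known_hosts` set are constructed.

```python
import re
from collections import defaultdict

# xferlog record: date, secs, remote host, bytes, path, type, flag,
# direction (i = upload), access mode, user, service, auth, auth-id, status.
XFERLOG = re.compile(
    r"^(?P<when>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \d+ (?P<host>\S+) \d+ "
    r"(?P<path>.+) [ab] \S+ (?P<direction>[iod]) [agr] (?P<user>\S+) \S+ [01] \S+ "
    r"(?P<status>[ci])$"
)
FRONT_PAGE = re.compile(r"/(index|default|home)\.(html?|php|shtml)$", re.I)

def front_page_uploads(lines, known_hosts):
    """Completed uploads of front pages from hosts the owner does not recognise."""
    hits = []
    for line in lines:
        m = XFERLOG.match(line.strip())
        if not m:
            continue  # not an xferlog transfer record
        if (m["direction"] == "i" and m["status"] == "c"
                and FRONT_PAGE.search(m["path"])
                and m["host"] not in known_hosts):
            hits.append((m["when"], m["host"], m["user"], m["path"]))
    return hits

def hosts_across_accounts(hits, min_accounts=2):
    """Hosts that overwrote front pages under several FTP logins."""
    users = defaultdict(set)
    for _when, host, user, _path in hits:
        users[host].add(user)
    return {h: sorted(u) for h, u in users.items() if len(u) >= min_accounts}

# Constructed sample records (documentation IP ranges, made-up users).
SAMPLE = """\
Thu Mar  6 09:12:40 2008 2 198.51.100.7 18211 /home/shopone/public_html/cart/item.php a _ i r shopone ftp 0 * c
Fri Mar  7 02:14:11 2008 1 203.0.113.45 4312 /home/shopone/public_html/index.php a _ i r shopone ftp 0 * c
Fri Mar  7 02:14:19 2008 1 203.0.113.45 3950 /home/plainsite/public_html/index.html a _ i r plainsite ftp 0 * c
Fri Mar  7 02:15:02 2008 1 203.0.113.45 3950 /home/plainsite/public_html/index.html a _ o r plainsite ftp 0 * c
Fri Mar  7 10:30:00 2008 1 198.51.100.7 4100 /home/shopone/public_html/index.php a _ i r shopone ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    hits = front_page_uploads(SAMPLE, known_hosts={"198.51.100.7"})
    for hit in hits:
        print(*hit)
    print(hosts_across_accounts(hits))
```

One unfamiliar host writing front pages under several logins within minutes points to credentials taken from a single place, such as the workstation where they are stored, rather than to separate break-ins per site.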

  11. #11
    A week before, one of my clients, who has a reseller account with us, was also having the same problem! We are using DirectAdmin currently. After deep analysis of log files and everything, I came to the conclusion that my client's computer was somehow infected, as he was using Cablenet (which I told him in the first place, but then he also agreed when his AV detected it). The attacker got to his FTP passwords, deleted and uploaded iframe codes which were then attacking others who were viewing it. I had to remove all the files and reload from backups.

    See if that might be the case with you too!
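
Added example (not part of the thread): a scanner for the kind of injection described in posts #3 and #11, meaning links kept off the rendered page and invisible iframes in a front page. The style heuristics, the class name and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles commonly used to keep injected markup off the rendered page.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class HiddenMarkupFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hides_content) per open element
        self.findings = []  # (kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDING.search(attrs.get("style") or ""))
        concealed = hides or any(h for _, h in self.stack)
        if tag == "a" and concealed and attrs.get("href"):
            self.findings.append(("hidden-link", attrs["href"]))
        tiny = {attrs.get("width"), attrs.get("height")} & {"0", "1"}
        if tag == "iframe" and (concealed or tiny):
            self.findings.append(("hidden-iframe", attrs.get("src") or ""))
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so an unclosed <p> cannot desync.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html):
    finder = HiddenMarkupFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample front page (reserved example domains only).
SAMPLE_PAGE = """<body><h1>Welcome</h1><p>Shop <a href="/cart.php">here</a>.
<div style="position:absolute; left:-9999px">
<a href="http://spam.example/one">x</a><br><a href="http://spam.example/two">y</a></div>
<iframe src="http://malware.example/in.php" width="1" height="1"></iframe></body>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        print(*finding)
```

Running this over every front page restored from backup, and again on a schedule, catches a repeat injection even when the visible page looks unchanged.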

  12. #12
    Hi,

    A related post is open in the Reseller section of Innohosting Forums, you would like to add your comments there.

    Good luck.

  13. #13
    Join Date
    Dec 2006
    Posts
    51
    Rameen,

    Thank you for clarifying that the files were uploaded via FTP .... which presumably means the hacker has cracked the FTP password ... or maybe the WHM password as several sites on the same reseller account were attacked, plus another site on another reseller account.

    In retrospect, I should apologise for posting here. I was so angry when I saw the hacker attack that I didn't stop to think ... just got so carried away with emotion and wanted to blame anyone I could. These kind of lowlife hackers just make me so angry. But these things happen. It's life.

  14. #14
    Join Date
    Feb 2004
    Location
    New Zealand
    Posts
    1,202

    Question

    Quote Originally Posted by plainwords View Post
    Rameen,

    Thank you for clarifying that the files were uploaded via FTP .... which presumably means the hacker has cracked the FTP password ... or maybe the WHM password as several sites on the same reseller account were attacked, plus another site on another reseller account.

    In retrospect, I should apologise for posting here. I was so angry when I saw the hacker attack that I didn't stop to think ... just got so carried away with emotion and wanted to blame anyone I could. These kind of lowlife hackers just make me so angry. But these things happen. It's life.
    Innohosting quotes; The FTP account was used to change the files.

    FTP-Cpanel cannot be bruteforced, all connections over 5 retries gets blacklisted for a temp 5 minutes or more.

    The WHM was not breached, the FTP account of your account was used to upload the files.

    Your workstation has been breached and/or your passwords have been sniffed.

    Like I said before, why even post? Why didn't you get in contact with the support team before killing their name on WHT?

  15. #15
    Join Date
    Dec 2006
    Posts
    51
    Thanks LoganNZ. Yes I feel bad now about naming Innohosting in my post. I'm rather hot-headed at times when things like this happen. Just to counterbalance, Innohosting have been superb in terms of what they offer resellers, and their support is excellent.

  16. #16
    Join Date
    Feb 2004
    Location
    New Zealand
    Posts
    1,202
    Quote Originally Posted by plainwords View Post
    Thanks LoganNZ. Yes I feel bad now about naming Innohosting in my post. I'm rather hot-headed at times when things like this happen. Just to counterbalance, Innohosting have been superb in terms of what they offer resellers, and their support is excellent.
    Good to hear

  17. #17
    Join Date
    Sep 2003
    Posts
    3,854
    Quote Originally Posted by plainwords View Post
    Thanks LoganNZ. Yes I feel bad now about naming Innohosting in my post. I'm rather hot-headed at times when things like this happen. Just to counterbalance, Innohosting have been superb in terms of what they offer resellers, and their support is excellent.
    No hard feelings - your reaction is understandable

    I believe you have a ticket with us already, we'll work with you through that and get you back on track

  18. #18

    This is good to know for Inno customers.
