Alert! Notice To Hosting Members! Urgent!

BuffaloHelp · September 26, 2007

For some time I have been noticing too many patterns in problems with hosting accounts and their passwords. We have a topic that started here: http://forums.xisto.com/topic/51508-my-password-changed/

As I manage to regain the control to these accounts I began to notice some odd incidences. Namely, I have been noticing that the last IP to enter these hosting accounts had similar origin location. The origination is from Vietnam. And account effected are passwords with simple and dictionary related passwords.

I will be dealing with the culprit. In the mean time, dear hosting members, please please follow my instructions as I have been preaching this from the beginning!

Do Not Start your password with a word that's found in a dictionary. For example "acehorse"

Do mix alphabets and numbers.

Do mix cap letters and symbols.

Do rotate your passwords regularly.

Do check your last login IP on your cpanel. This is the first indication of intrusion.

This includes your forum password as well. Your forum account is the gateway to your hosting password change.

This finding will be sent to OpaQue so that he can take the next measure of defense.

BuffaloHelp · September 26, 2007

I have been informed that users "punisher" and "brandon" might be experiencing some issues as well. But until they contact me I will not take any action to attempt to reset their passwords. Guys, please PM me if you read this.

Jimmy · September 26, 2007

Thank you for the information. This is quite worrying for all our accounts' security. I have a couple of questions that would probably answer people's first questions:I just logged in and have not experienced a password change. I changed it from the simple dictionary word (oh dear) I was using to a much more secure code now. Does this mean that my account was unaffected?Is it possible that our files have been altered if the password has not been changed by the "intruder"? Have there been any instances of files modified on people's hosting? If so we will need to check all of our files.Last but not least, Is there any way to see a list of all the recent logins, not just the last login, and their I.P. addresses?Regards,James

Edited September 26, 2007 by Jimmy (see edit history)

Saint_Michael · September 26, 2007

Thank you for the information. This is quite worrying for all our accounts' security. I have a couple of questions that would probably answer people's first questions:
I just logged in and have not experienced a password change. I changed it from the simple dictionary word (oh dear) I was using to a much more secure code now. Does this mean that my account was unaffected?

Is it possible that our files have been altered if the password has not been changed by the "intruder"?

Have there been any instances of files modified on people's hosting? If so we will need to check all of our files.

Last but not least, Is there any way to see a list of all the recent logins, not just the last login, and their I.P. addresses?

Regards,
James

The only way that you will know if your files have been altered if you go through them and match them against the ones on your computer, or if your files are not displaying correctly in the browser. I would think it would be appropriate to display the IP number that is being used so the hosted members can check it against the latest visitors log. Also I believe the RAW access logs can be used to check to see who has access the account. I know at the admin level they have all those logs as well so most likely they are cross referencing that IP number to all the account and see who else this person tag, because it seems Xisto got caught in this mess as well. The main question is though did the person go after individual accounts or did he get get root access in the system at all?

Jimmy · September 26, 2007

The only way that you will know if your files have been altered if you go through them and match them against the ones on your computer, or if your files are not displaying correctly in the browser.

Thank you for the lengthy reply SM.Well matching files is a bit of a problem for me since I don't have an up-to-date backup that I know of. (conducted one a couple of weeks ago) Hope I can remember the code and spot any bad stuff. I think it would be much more convenient to check the I.P. logs rather than go through the files manually!!!!

I would think it would be appropriate to display the IP number that is being used so the hosted members can check it against the latest visitors log. Also I believe the RAW access logs can be used to check to see who has access the account.

Okay, thank you I will have to check them.I would also agree that its a good idea to put at least half / most of the offending I.P. Address for the members to check against, if not all of it so we can check the problem. I have logged into my account from a number of computers (around the country!) and would have no idea which I.P. address may be bad!

The main question is though did the person go after individual accounts or did he get get root access in the system at all?

That is an excellent question, but from the sound of Buffalo's explanation it sounded like only accounts with weak passwords were hit. That sounds like he or she may have had a brute force or maybe rainbow table running on our cpanel accounts. Perhaps over the period of a long time. Yet another reason why if you change you're password often it's difficult to crack. Edited September 26, 2007 by Jimmy (see edit history)

angad619 · September 26, 2007

Probably even my password was affected. But I managed to pool up some credits and got my password changed.Let me bring to your notice that while doing so, after I had put my forum username and pass, the page said something to the tune of:Account verified.....Changing Password.....Do not reload.....could not change password...But then my password did change to the new one.When I then logged into my cpanel my disc space usage was 20/20MB. I haven't uploaded anything in the past few weeks. How did the disc usage increase now??I am now trying to pile up more credits to request for a hosting upgrade

BuffaloHelp · September 26, 2007

angad619Your account came up as one of "problem" accounts but I was told probably not. Look through your directories and see if you find any suspicious files or folders. Brute force, indeed, was used to break into accounts with weak or predictable by password cracking script.As for the process page showing some error messages, OpaQue is working on the version 2 of the Process page. Therefore you might see some error message but the service would perform as it should. The security for Xisto hosting accounts worked as it should (in acceptable standard) since only a hand-full of accounts were effected and not all 200+ accounts. But before the culprit was banned it did some damage. Although the penetration rate is way below the tolerance level, I do apologize for any inconveniences this has caused. I could say something in regards like you should have done this... you should have done that... but at the end at least we are able to recover from this disaster.Let's use this experience as a learning point. Xisto is now aware that its firewall is not perfect. And our hosting members will prepare better for the future by having stronger passwords. Hopefully, there will be no next time.

serverph · September 26, 2007

some more tips:the length of the password lends to a more secure combination also, something which exponentially increases security especially when brute force technique is employed. in short -- the longer, the better.an additional good measure is to have a separate set of password for your cpanel, VERY MUCH DIFFERENT from your forum password. it's very likely that some members here have the same passwords for both, which gives higher risks for both the forum account and the hosting cpanel. in the likelihood that one is compromised, it compromises the other as well. it's better not to compromise both at the same time.

Saint_Michael · September 26, 2007

I am so glad that I did change my password a few months ago or be in the same boat as everyone else, because it was a common password as well, not dictionary common but common either way. I found an interesting site, well it was the first on the top of the list, this website test the password strength (how hard it is to crack). I wouldn't doubt there are other sites like that so make sure if you do plan to use this website make sure you alter the password once again just in case for double protection. one more thing never, ever, ever use a password generator regardless how secure they say it will be because it won't take much to crack how that generator works.

Also here is a interesting article from Microsoft about security, yeah I know but it could still be useful though.

Jimmy · September 27, 2007

Buffalo, is there any way you can list the I.P.(s) that were used to force people's accounts? The log file on my site is far too long to check all of it. If I could just search for part or all of an IP it would seriously help speed up the checking!Thanks

angad619 · September 27, 2007

No problems people. Xisto rocks. Atleast all my files are safe. My site was up n running all the time. But why didn't the hacker do any damage??But my password wasen't weak by any measure. It was 14-17 chars long!!! Though it was made up of dictionary words. This is a wake up call to all Xisto members to backup their data on their PCs too. Is there any way we can backup our SQL databases??On my site http://angadsodhi.com/ , I have just a wordpress blog with 6 themes on it. Can it take up as much as 20MBs?? The default installation of WP is hardly 3MBs. Could themes take up so much space or has the culprit done some unnoticed damage to the system that is causing it to misinterpret the disc space??Thanks n Cheers!! Xisto rocks!!!!!Hey people guess what. As Buffalo said, I checked my account for any unwanted files and guess what I found: A folder named 9xYenBai.Com which had about 10 music files. How the heck did the author of 9xYenBai.Com get access to my account and put up his illegal files there??We must be extra careful about our passwords from now on.

Saint_Michael · September 29, 2007

No problems people. Xisto rocks. Atleast all my files are safe. My site was up n running all the time. But why didn't the hacker do any damage??

But my password wasen't weak by any measure. It was 14-17 chars long!!! Though it was made up of dictionary words. This is a wake up call to all Xisto members to backup their data on their PCs too. Is there any way we can backup our SQL databases??

On my site http://angadsodhi.com/ , I have just a wordpress blog with 6 themes on it. Can it take up as much as 20MBs?? The default installation of WP is hardly 3MBs. Could themes take up so much space or has the culprit done some unnoticed damage to the system that is causing it to misinterpret the disc space??

Thanks n Cheers!! Xisto rocks!!!!!

In your cpanel you have an option called back up it is listed in the Site Management Tool, five rows down 2 columns in, you can' miss it, it would be better to do a full site back up because that will back up everything including your MySQL. For safety measures though you can download individual backs ups of your MySQL DB's for extra protection.

As for your wordpress, once you start writing articles and blogs that folder will get bigger and biggest, themese are hardly ever that big unless the person who codes them doesn't clean them up and make hte image file sizes small.

Hey people guess what. As Buffalo said, I checked my account for any unwanted files and guess what I found: A folder named 9xYenBai.Com which had about 10 music files. How the heck did the author of 9xYenBai.Com get access to my account and put up his illegal files there??

We must be extra careful about our passwords from now on.

I think everyone who has been affected by this hacker should look for that folder 9xYenBai.Com and delete it of course. Question I have is did you have to do any digging for that folder or was it on the main directory of your file manager account?

angad619 · September 29, 2007

Question I have is did you have to do any digging for that folder or was it on the main directory of your file manager account?

It was in the main directory (the public_html folder) itself. Wonder how it missed my eye.

I have another problem. When I try to create an email address, it tells me that I have exhausted my maximum limit for email addresses whereas I haven't created any and the cpanel shows 0/unlimited!!!!

Don't know whether this problem was persistent before the hack so I'm not saying this topic has anything to do with it. But please help me out.

DeM0nFiRe · September 29, 2007

wow, this is pretty serious stuff. My password for something got stolen once, it was not fun.

HoRuS · September 30, 2007

Why people always want to mess with other peopes work Am fortunate I got helped very well by BuffaloHELP, but would have lost all my work I put into it if I didnt make any backup, my whole public_html folder was empty except for the standard maps. So peoples, make backups on a regular basis!

Sign In

Alert! Notice To Hosting Members! Urgent!

Recommended Posts

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Important Information