FirefoxRocks

Did My Account Get Hacked Into? Some suspicious issues


OK, first of all I had this issue of my cPanel/FTP password not working: http://forums.xisto.com/topic/94173-topic/?findpost=1064377691.

That raised a warning flag as I didn't change any settings of user authentication, etc.

So then I reset my password using the forum thing under "Free Web Hosting". It supposedly "failed", so I didn't use 10 credits. When I accessed my FTP account to upload some PHP files that I corrected, I found this new directory/file under my public_html folder:

/9xYenBai.Com/UploadMusic/Honey.wma

So I raised security, went to that website http://forums.xisto.com/no_longer_exists/ and couldn't understand Vietnamese, so it didn't look suspicious or anything because McAfee SiteAdvisor didn't rate it yet.

Then, I downloaded the WMA music file, scanned it for viruses and found that it wasn't a virus, so I played it in Windows Media Player and the song was in Vietnamese, same as this site.

Now my main concern is that the directory is called UploadMusic, so do you think someone cracked my password and uploaded files to my account?


This sounds very odd indeed! I know Turbo had some issues this week with his cPanel password also being changed for no reason. Can you have a look at your FTP/web stats and try to work out who's been visiting your site, and look for the WMA file in the logs to see if it's been downloaded by anyone other than you? Have you burned a lot of bandwidth this month that you can't account for also?


First, you were definitely hacked! Second, your hosting account has problems! Third, you need to contact support.

Your site, for whatever reason, was, it looks like, suspended. Your member profile shows you as a HOSTED member, but your profile is missing important hosting data! When an account sits around for a while without activity, hackers take the site over and use it for their purposes!

Now, between your suspension and member profile errors, when you earned enough credits to unsuspend your account, either the hacker had changed the password or, more probably, the error in your member profile prevented you from logging into your account.

So, now that you seem to have some access to the website, you can see the file changes that were made on your account. More than likely, a script like SMF or Mambo allowed a hacker to upload files to your account or even have full control over your public_html folder. It is unlikely that he was able to crack your password. So, once you get your account issues fixed, you need to either remove the exploited web script or upgrade it to a more secure version!

These little issues you have are rather common. Even I have had a similar issue with random files or folders being uploaded to my file system. It was a result of little or no activity on the website along with an exploit in one of the scripts I had installed.

Check this website to see what else they have done to your account:
old.zone-h.org/en/defacements/filter/filter_domain=YOUR_DOMAIN_HERE.COM

vujsa


My bandwidth is about average, given that 66% of the month has passed. I couldn't find the WMA file in the logs, as it was downloaded too few times, I guess. The only files that I found in the log were the site of my Web Development Portal and the site of XKingdom Center (a game club site). There weren't any unusual numbers of users/hits in the last few days, just about 15 unique users and the average ~150 page hits. So I don't know what happened.


Yay, I have had no digital attacks, lol. That site you mentioned, vujsa, freezes Firefox, lol. Well, if the problem is caused by being inactive, then I guess I'll always stay active. By staying active, does that mean in Xisto or your cPanel? I haven't had anything messed around with in my account anyway, so that's good for me.


Yay, I have had no digital attacks, lol. That site you mentioned, vujsa, freezes Firefox, lol.
Well, if the problem is caused by being inactive, then I guess I'll always stay active. By staying active, does that mean in Xisto or your cPanel?

I haven't had anything messed around with in my account anyway, so that's good for me.

Yeah, the site is really slow to load but it works okay most of the time. I use Firefox there without problem.

Hackers and spammers love inactive websites, since they can have their way with them for a long time before anyone stops them. Some spammers are even nice enough to leave a removal link in their spam posts on inactive forums so that once you get around to working on your website again, they will stop spamming your site. Just remember, most of them don't care too much if Joe Average clicks on the link; they want the search bots to see the link!

The directory and file uploaded to the site is the hacker's calling card. This is how they prove that they hacked your site. Then other hackers can check to see if the calling card is there. For most of them, it is just a game, and they leave the calling card without damaging the website. Even the ones that do get a little out of hand usually just rename important files or folders so that the website won't work, but the data is still there.

Usually, just uploading the correct backup files and then upgrading the program you are using is the solution to the security problem. Rarely do they get into your database and delete or edit data, unless they don't like you for some reason.

vujsa


Here is a related question. If someone else gets hacked on the same server that I am hosted on, how does this affect me? Is the server hardened enough to prevent any cross-account hacking? I know that each account is protected from the others to a certain extent, but once a machine has been taken over, can you really trust it?


Well, just like you can't access my account from your account, a hacker can't attack your account from his account.

The server is very well protected, but from time to time users unknowingly open security holes in their accounts with older scripts or self-written scripts. Usually, it is older versions of popular scripts that get hacked into. Since these are generally open source, attackers can study the code and look for holes. Usually, by the time a security exploit gets to the hacker mainstream, a new version that protects against the security issue is released. It is of course the job of the website owner or administrator to upgrade the script prior to being hacked.

Self-written scripts have to be pretty bad for a hacker to get in through, since they probably can't view the source code of the script. They can, however, use common security holes to probe your website for exploits, so be sure to add a little security to your scripts.

vujsa


The thing is, my website was ACCESSIBLE when cPanel and FTP were down. No files were renamed/changed except for the newly uploaded directory. Also, I wasn't using any content management system on my website; I was going to install phpBB2, but I didn't get around to uploading that yet. And the site is pretty active; at least a few members visit it every day. I regularly check on it also, so I don't see a problem with activity levels.


FirefoxRocks,

Was your original password found in a dictionary? In other words, was it not combined with numbers and symbols?

If your original password was a combination of words found in a dictionary, please read http://forums.xisto.com/topic/51761-topic/?showtopic=51761

And for the rest of Xisto members, start changing your passwords as I explained in above topic ASAP!!


I think I'm safe. My password fits those criteria. Single word or word and one number passwords are dangerous. I think there's a topic somewhere about making secure passwords.


My password was not a dictionary word. It was sufficiently long, at 9-10 characters, and had a symbol in it. There weren't any numbers and none of those ALT+numpad things. Case sensitivity was used to my advantage, in that I inserted capital letters into it. So it wasn't easy to guess.


FirefoxRocks,
Was your original password found in a dictionary? In other words, was it not combined with numbers and symbols?

If your original password was a combination of words found in a dictionary, please read http://forums.xisto.com/topic/51761-topic/?showtopic=51761

And for the rest of Xisto members, start changing your passwords as I explained in above topic ASAP!!


Maybe this link should be posted in the announcements section?

Anyway, something I suggest that people do is use a random password generator to get your passwords; that way you'll have a nice secure password that you can use (and if you use Firefox you don't really have to worry about remembering your password, because you can simply use the password manager; of course other browsers such as Opera and IE provide this as well, but I tend to find Firefox's works the best).

Also, a good random password generator can be found here: https://identitysafe.norton.com/password-generator/

Another thing I would recommend to people is not to use the same password for everything. Use a different one for every single website that you use, as it'll greatly decrease the chance of something getting hacked into, or if something does, it'll decrease the chances that they'll get into your other stuff as well.

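The two posts above recommend a random password generator and warn against dictionary-based passwords. As an added example (not code from the thread or from the Norton generator linked above), the Python below generates a password from the OS CSPRNG with the standard `secrets` module, estimates the entropy of a given length and character set, and runs a simple dictionary check. The small wordlist and the guess rate used for the time estimate are constructed for the example; the entropy figures assume an attacker who knows the character set and must try every combination, which is the best case for the defender, so real strength against a wordlist or pattern attack is lower, not higher.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny wordlist for the example; a real check would
# use a full dictionary plus common-password lists.
WORDLIST = {"honey", "password", "firefox", "welcome", "letmein", "dragon"}


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` characters drawn uniformly from `alphabet`
    using secrets.choice (OS CSPRNG), never random.choice."""
    if length < 12:
        raise ValueError("12 characters is the minimum this example allows")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Idealized time to try every password of the given entropy, assuming an
    offline attacker at a constant guess rate (an assumption of the example)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (60 * 60 * 24 * 365)


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is just a wordlist entry padded with digits or
    symbols (e.g. 'Honey1!'), which is the pattern the posts warn about."""
    core = password.strip(string.digits + string.punctuation).lower()
    return core in wordlist


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw)
    print("entropy bits (16 chars, 94 symbols):", round(entropy_bits(16, 94), 1))
    # The password described in the thread: 9 chars, mixed case plus symbols,
    # no digits, so roughly 52 + 32 = 84 possible characters per position.
    print("entropy bits (9 chars, 84 symbols): ", round(entropy_bits(9, 84), 1))
    print("years to exhaust at 1e9 guesses/s:",
          round(years_to_exhaust(entropy_bits(9, 84), 1e9), 2))
    print("'Honey1!' dictionary-based:", is_dictionary_based("Honey1!"))
```

The point of `years_to_exhaust` is the comparison, not the absolute number: the same 9-character password that looks strong against an online FTP brute force (tens of guesses per second) is within reach of an offline attack on a leaked hash, so length is what actually buys margin.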

Actually, there is a vulnerability with Firefox/Flock's password manager. Search Secunia for details; I found this: http://secunia.com/advisories/23046/.

I use Opera's wand, Internet Explorer autocomplete and I don't know if Safari has one or not, but I still use Firefox Password Manager regardless of the vulnerability. Do you think that this has something to do with this situation?


I do not know... but OpaQue tells me that most of the accounts whose passwords I had to reset were compromised by the FTP brute-force method. And once the passwords were found, the perpetrator then accessed those cPanels and started to use up their disk space. I noticed that when I went into each account and saw that the last IP to log in was from 222.252.*.* (the last two values were not consistent). I'm wondering if you noticed an out-of-the-ordinary IP as the last one logged when you finally got into your cPanel...?

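Two posts in this thread ask for the same kind of log work: the earlier reply that suggests looking for the WMA file in the web logs to see who fetched it, and the last reply that describes FTP brute force followed by a login from an unfamiliar 222.252.*.* address. The Python below is an added example, not from the thread or from Xisto's hosting, that does both over constructed sample logs: it counts requests under the uploaded directory per client IP from Apache combined-format access log lines, and it flags IPs in the FTP daemon log that failed authentication repeatedly and then logged in. The FTP lines follow the pure-ftpd syslog style, but that format, the IPs, the user name and the timestamps are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format access log lines (not real traffic).
# 203.0.113.7 is the site owner; the 222.252.x.x addresses are the unfamiliar
# range mentioned in the thread, used here only as sample data.
ACCESS_LOG = """\
203.0.113.7 - - [14/Nov/2006:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
222.252.10.4 - - [14/Nov/2006:11:40:03 +0000] "GET /9xYenBai.Com/UploadMusic/Honey.wma HTTP/1.1" 200 3145728 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Nov/2006:12:00:40 +0000] "GET /portal/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
222.252.77.9 - - [15/Nov/2006:01:12:55 +0000] "GET /9xYenBai.Com/UploadMusic/Honey.wma HTTP/1.1" 206 1048576 "-" "WMPlayer/10"
"""

# Constructed FTP daemon log lines in a pure-ftpd-like syslog format (assumed
# for the example). One IP fails five times, logs in, then uploads the file.
FTP_LOG = """\
Nov 14 11:31:02 host pure-ftpd: (?@222.252.10.4) [WARNING] Authentication failed for user [firefox]
Nov 14 11:31:03 host pure-ftpd: (?@222.252.10.4) [WARNING] Authentication failed for user [firefox]
Nov 14 11:31:04 host pure-ftpd: (?@222.252.10.4) [WARNING] Authentication failed for user [firefox]
Nov 14 11:31:05 host pure-ftpd: (?@222.252.10.4) [WARNING] Authentication failed for user [firefox]
Nov 14 11:31:06 host pure-ftpd: (?@222.252.10.4) [WARNING] Authentication failed for user [firefox]
Nov 14 11:31:07 host pure-ftpd: (?@222.252.10.4) [INFO] firefox is now logged in
Nov 14 11:39:50 host pure-ftpd: (?@222.252.10.4) [NOTICE] /home/firefox/public_html/9xYenBai.Com/UploadMusic/Honey.wma uploaded  (3145728 bytes)
Nov 14 12:05:00 host pure-ftpd: (?@203.0.113.7) [INFO] firefox is now logged in
"""

# Client IP, request line and status from a combined-format access log entry.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Client IP, level and message from a pure-ftpd style syslog line.
FTP_RE = re.compile(r"\(\?@(?P<ip>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")


def requests_under(log: str, prefix: str) -> dict:
    """Count successful (2xx) requests whose path starts with `prefix`, per IP.
    Use the directory the attacker created, not just the one file you noticed."""
    hits = Counter()
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["path"].startswith(prefix) and m["status"].startswith("2"):
            hits[m["ip"]] += 1
    return dict(hits)


def ftp_bruteforce(log: str, threshold: int = 5) -> list:
    """Report IPs with at least `threshold` failed logins, and whether a
    successful login followed those failures (the brute-force-then-abuse pattern)."""
    failures = defaultdict(int)
    login_after_failures = defaultdict(bool)
    for line in log.splitlines():
        m = FTP_RE.search(line)
        if not m:
            continue
        ip, msg = m["ip"], m["msg"]
        if msg.startswith("Authentication failed"):
            failures[ip] += 1
        elif msg.endswith("is now logged in") and failures[ip] > 0:
            login_after_failures[ip] = True
    return [
        {"ip": ip, "failures": n, "logged_in_after_failures": login_after_failures[ip]}
        for ip, n in failures.items()
        if n >= threshold
    ]


def ftp_uploads(log: str) -> list:
    """Paths of files uploaded over FTP, with the uploading IP, in log order."""
    uploads = []
    for line in log.splitlines():
        m = FTP_RE.search(line)
        if m and " uploaded " in m["msg"]:
            uploads.append((m["ip"], m["msg"].split(" uploaded ")[0]))
    return uploads


if __name__ == "__main__":
    print("fetches of the planted directory:", requests_under(ACCESS_LOG, "/9xYenBai.Com/"))
    print("brute-force candidates:", ftp_bruteforce(FTP_LOG, threshold=3))
    print("uploads:", ftp_uploads(FTP_LOG))
```

Matching on the directory prefix rather than the single WMA file is deliberate: a download count of one for the file, as the original poster found, is easy to miss, but any hit at all under a directory you never created is the signal. On a shared host, the FTP log may not be readable to a customer, so the brute-force check is what support staff would run; the access log check is the one the account holder can do from cPanel's raw logs.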
