Alert! Notice To Hosting Members! Urgent!
#1
Posted 26 September 2007 - 05:22 AM
As I managed to regain control of these accounts, I began to notice some odd incidents. Namely, I have been noticing that the last IP to enter these hosting accounts had a similar origin location. The origin is Vietnam. And the accounts affected are those with simple and dictionary-related passwords.
I will be dealing with the culprit. In the meantime, dear hosting members, please, please follow my instructions, as I have been preaching this from the beginning!
Do not start your password with a word that's found in a dictionary. For example "acehorse".
Do mix letters and numbers.
Do mix capital letters and symbols.
Do rotate your passwords regularly.
Do check your last login IP in your cpanel. This is the first indication of intrusion.
This includes your forum password as well. Your forum account is the gateway to your hosting password change.
This finding will be sent to OpaQue so that he can take the next measure of defense.
#3
Posted 26 September 2007 - 10:04 AM
I just logged in and have not experienced a password change. I changed it from the simple dictionary word (oh dear) I was using to a much more secure code now. Does this mean that my account was unaffected?
Is it possible that our files have been altered if the password has not been changed by the "intruder"?
Have there been any instances of files modified on people's hosting? If so, we will need to check all of our files.
Last but not least, is there any way to see a list of all the recent logins, not just the last login, and their IP addresses?
Regards,
James
Edited by Jimmy, 26 September 2007 - 10:08 AM.
#4
Posted 26 September 2007 - 04:38 PM
Jimmy, on Sep 26 2007, 06:04 AM, said:
I just logged in and have not experienced a password change. I changed it from the simple dictionary word (oh dear) I was using to a much more secure code now. Does this mean that my account was unaffected?
Is it possible that our files have been altered if the password has not been changed by the "intruder"?
Have there been any instances of files modified on people's hosting? If so, we will need to check all of our files.
Last but not least, is there any way to see a list of all the recent logins, not just the last login, and their IP addresses?
Regards,
James
The only way that you will know if your files have been altered is if you go through them and match them against the ones on your computer, or if your files are not displaying correctly in the browser. I would think it would be appropriate to display the IP number that is being used so the hosted members can check it against the latest visitors log. Also, I believe the RAW access logs can be used to check to see who has accessed the account. I know at the admin level they have all those logs as well, so most likely they are cross-referencing that IP number to all the accounts to see who else this person tagged, because it seems astahost got caught in this mess as well. The main question, though, is did the person go after individual accounts or did he get root access to the system at all?
#5
Posted 26 September 2007 - 05:08 PM
Saint_Michael, on Sep 26 2007, 05:38 PM, said:
I would also agree that it's a good idea to put up at least half / most of the offending IP address for the members to check against, if not all of it, so we can check the problem. I have logged into my account from a number of computers (around the country!) and would have no idea which IP address may be bad!
Edited by Jimmy, 26 September 2007 - 05:12 PM.
#6
Posted 26 September 2007 - 05:27 PM
Let me bring to your notice that while doing so, after I had put in my forum username and password, the page said something to the tune of:
Account verified.....
Changing Password.....
Do not reload.....
could not change password...
But then my password did change to the new one.
When I then logged into my cpanel, my disc space usage was 20/20MB. I haven't uploaded anything in the past few weeks. How did the disc usage increase now??
I am now trying to pile up more credits to request a hosting upgrade.
#7
Posted 26 September 2007 - 08:49 PM
Your account came up as one of the "problem" accounts, but I was told probably not. Look through your directories and see if you find any suspicious files or folders. Brute force, indeed, was used to break into accounts with weak or predictable passwords by a password cracking script.
As for the process page showing some error messages, OpaQue is working on version 2 of the Process page. Therefore you might see some error messages, but the service will perform as it should.
The security for Trap17 hosting accounts worked as it should (to an acceptable standard), since only a handful of accounts were affected and not all 200+ accounts. But before the culprit was banned, it did some damage. Although the penetration rate is way below the tolerance level, I do apologize for any inconvenience this has caused. I could say something like you should have done this... you should have done that... but at the end at least we are able to recover from this disaster.
Let's use this experience as a learning point. Trap17 is now aware that its firewall is not perfect. And our hosting members will prepare better for the future by having stronger passwords. Hopefully, there will be no next time.
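Saint_Michael's advice above (compare the hosted files against the copy on your computer) and BuffaloHELP's (look through your directories for files or folders you did not put there) can be done mechanically instead of by eye. The following is an added example, not code from the thread or from Trap17: it hashes a local backup and a downloaded copy of public_html and reports what is new, changed or gone on the host. The sample directories it builds are constructed for the demo; the folder and file names in them are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map every file under root (posix path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(local_root, hosted_root):
    """Diff a known-good local copy against a downloaded copy of public_html.
    Returns files that are new on the host, changed on the host, or missing from it."""
    local, hosted = snapshot(local_root), snapshot(hosted_root)
    return {
        "added": sorted(set(hosted) - set(local)),
        "modified": sorted(p for p in hosted if p in local and hosted[p] != local[p]),
        "missing": sorted(set(local) - set(hosted)),
    }

def demo():
    """Constructed sample: a local backup and a hosted copy that has been tampered with."""
    base = Path(tempfile.mkdtemp())
    local, hosted = base / "local", base / "hosted"
    for root in (local, hosted):
        (root / "wp-content" / "themes").mkdir(parents=True)
        (root / "index.php").write_text("<?php // original index\n")
        (root / "wp-content" / "themes" / "style.css").write_text("body {}\n")
    # Tamper with the hosted copy in the ways the thread describes (placeholder names):
    (hosted / "index.php").write_text("<?php // altered\n")            # edited file
    (hosted / "UNEXPECTED_DIR").mkdir()                                 # dropped-in folder
    (hosted / "UNEXPECTED_DIR" / "track01.mp3").write_bytes(b"\x00" * 16)
    (hosted / "wp-content" / "themes" / "style.css").unlink()           # deleted file
    return compare_trees(local, hosted)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything under "added" that you did not upload yourself is exactly the kind of folder angad619 later found in his public_html.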
#8
Posted 26 September 2007 - 09:18 PM
The length of the password also lends to a more secure combination, something which exponentially increases security, especially when the brute force technique is employed. In short: the longer, the better.
An additional good measure is to have a separate password for your cpanel, VERY MUCH DIFFERENT from your forum password. It's very likely that some members here have the same password for both, which gives higher risk to both the forum account and the hosting cpanel. In the likelihood that one is compromised, it compromises the other as well. It's better not to compromise both at the same time.
#9
Posted 26 September 2007 - 10:19 PM
Also, here is an interesting article from Microsoft about security. Yeah, I know, but it could still be useful though.
#10
Posted 27 September 2007 - 04:52 PM
Thanks
#11
Posted 27 September 2007 - 07:07 PM
But my password wasn't weak by any measure. It was 14-17 chars long!!! Though it was made up of dictionary words. This is a wake-up call to all trap17 members to back up their data on their PCs too. Is there any way we can back up our SQL databases??
On my site www.angadsodhi.com, I have just a WordPress blog with 6 themes on it. Can it take up as much as 20MB?? The default installation of WP is hardly 3MB. Could themes take up so much space, or has the culprit done some unnoticed damage to the system that is causing it to misinterpret the disc space??
Thanks n Cheers!! Trap17 rocks!!!!!
Hey people, guess what. As Buffalo said, I checked my account for any unwanted files and guess what I found: a folder named 9xYenBai.Com which had about 10 music files. How the heck did the author of 9xYenBai.Com get access to my account and put his illegal files there??
We must be extra careful about our passwords from now on.
#12
Posted 29 September 2007 - 03:25 PM
angad619, on Sep 27 2007, 03:07 PM, said:
But my password wasn't weak by any measure. It was 14-17 chars long!!! Though it was made up of dictionary words. This is a wake-up call to all trap17 members to back up their data on their PCs too. Is there any way we can back up our SQL databases??
On my site www.angadsodhi.com, I have just a WordPress blog with 6 themes on it. Can it take up as much as 20MB?? The default installation of WP is hardly 3MB. Could themes take up so much space, or has the culprit done some unnoticed damage to the system that is causing it to misinterpret the disc space??
Thanks n Cheers!! Trap17 rocks!!!!!
In your cpanel you have an option called Backup; it is listed in the Site Management Tools, five rows down, 2 columns in, you can't miss it. It would be better to do a full site backup because that will back up everything including your MySQL. For safety measures, though, you can download individual backups of your MySQL DBs for extra protection.
As for your WordPress, once you start writing articles and blog posts that folder will get bigger and bigger; themes are hardly ever that big unless the person who codes them doesn't clean them up and make the image file sizes small.
angad619, on Sep 29 2007, 10:44 AM, said:
We must be extra careful about our passwords from now on.
I think everyone who has been affected by this hacker should look for that folder 9xYenBai.Com and delete it, of course. The question I have is, did you have to do any digging for that folder or was it in the main directory of your file manager account?
#13
Posted 29 September 2007 - 04:18 PM
Saint_Michael, on Sep 29 2007, 08:55 PM, said:
It was in the main directory (the public_html folder) itself. I wonder how it missed my eye.
I have another problem. When I try to create an email address, it tells me that I have exhausted my maximum limit for email addresses, whereas I haven't created any and the cpanel shows 0/unlimited!!!!
I don't know whether this problem existed before the hack, so I'm not saying this topic has anything to do with it. But please help me out.
#15
Posted 30 September 2007 - 08:02 AM
I am fortunate I got helped very well by BuffaloHELP, but I would have lost all the work I put into it if I hadn't made any backup:
my whole public_html folder was empty except for the standard folders.
So people, make backups on a regular basis!
#16
Posted 30 September 2007 - 02:46 PM
angad619, on Sep 29 2007, 12:18 PM, said:
I don't know whether this problem existed before the hack, so I'm not saying this topic has anything to do with it. But please help me out.
That might be account related, as each hosting account should have only 99 and not unlimited. You will have to send in a support ticket; however, the end result might be the same, and that is you would have to terminate your hosting and re-register for a new one. I could be wrong about that though, but either way just send in a support ticket about your email account being set to unlimited.
#18
Posted 02 October 2007 - 05:16 AM
1) Some hosting members are still not aware of this situation and have not requested any help on their hosting accounts. I cannot perform the proper course of action unless I have the hosting members' permission or request. My hands are tied until then.
2) Even after resetting their cpanel password, their contact email addresses are still not their own, which makes my effort of resetting and regaining control of hijacked accounts meaningless: hackers can request your current password since your cpanel contact email address is set to the hacker's! This is ridiculous.
I need every hosting member to double check your cpanel to see that every piece of information relating to your private details is correct and updated.
I do not mind administrating your hosting accounts due to Trap17's security issues, but I do mind administrating for hosting members' disinterest and lack of urgency when it comes to checking and updating a simple thing such as the cpanel contact email address.
#19
Posted 02 October 2007 - 06:50 AM
I've updated the email and have set a very difficult password. So rest assured.
I regularly monitor the last login IP so that I can make sure that no one else has accessed my cPanel.
Thanks a lot BH for the concern.
#20
Posted 02 October 2007 - 12:39 PM
My thought would be to use alphanumeric with uppercase and lowercase characters. That's equal to middle-case security; max security obviously would include special-case characters.
#21
Posted 02 October 2007 - 02:42 PM
angad619, on Sep 26 2007, 07:27 PM, said:
Let me bring to your notice that while doing so, after I had put in my forum username and password, the page said something to the tune of:
Account verified.....
Changing Password.....
Do not reload.....
could not change password...
But then my password did change to the new one.
When I then logged into my cpanel, my disc space usage was 20/20MB. I haven't uploaded anything in the past few weeks. How did the disc usage increase now??
I am now trying to pile up more credits to request a hosting upgrade.
Hmm, I was experiencing a similar problem, that is exactly the same problem, as I had forgotten my password and then tried to reset it; however, now it is OK. However, I thought and assumed that this is in fact some sort of glitch in the trap17 script and so on.
I assume that this might have affected all those members who use trap17 to host their real files and web sites; they will have the most problems. Even though every member probably cares a lot about their security.
And thanks for the info about this problem.
Also, I would like to know whether it is possible that this guy is trying to hack into the whole system or he is targeting particular users. That is, whether the webmasters and admins of trap17 are aware of the intentions of this hacker and whether he can be traced.
#22
Posted 03 October 2007 - 02:31 AM
#23
Posted 03 October 2007 - 03:39 AM
I still see 8 accounts with yahoo.com.vn as their cpanel contact email address. This is the very hacker's email address that caused all this. Please check the contact email address in your cpanel if you have not already done so.
#24
Posted 03 October 2007 - 09:18 AM
It appears to me that the hacker wanted to use someone's bandwidth, or something, to host those files found in that directory... I got curious (as I always do) and checked a whois on that domain... Here's what I got:
AboutUs: 9xyenbai.com (http://www.aboutus.org/9xyenbai.com)
Registration Service Provided By: Google, Inc.
Contact: apps-support@google.com
Visit: www.google.com/a/
Domain name: 9xyenbai.com
Registrant Contact:
Ban Me Corp (banmecorp@gmail.com)
+1.3215488754
Fax:
21 wall
alaska, as 32515
US
Administrative Contact:
Ban Me Corp (banmecorp@gmail.com)
+1.3215488754
Fax:
21 wall
alaska, as 32515
US
Technical Contact:
Ban Me Corp (banmecorp@gmail.com)
+1.3215488754
Fax:
21 wall
alaska, as 32515
US
Status: Locked
Name Servers:
ns1.10sec.com
ns2.10sec.com
Creation date: 23 Jul 2007 02:06:39
Expiration date: 23 Jul 2008 02:06:39
I suppose this guy (or girl, or many of them
I would also join the appeal to disclose the perpetrators' IPs, in order to include them in my scripts and effectively ban them from my websites, to prevent any future hassle with them...
Also, because of this, my password just doubled in length, so now crackers would have about 12,401,769,434,657,526,912,139,264 combinations to go through... So I guess in about 39,325,752,900.35 years they could reach the solution.
Check these pages for some info on passwords: Calculate your password strength, and Calculate the time needed to crack your password.
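The rules BuffaloHELP laid out in post #1, post #8's point that length matters most against brute force, and the combination count in the post above can be checked with a few lines of code. This is an added example, not from the thread or the linked calculators: it applies the thread's rules to a candidate password and computes the worst-case keyspace and search time. The wordlist, the 12-character minimum and the guess rate are assumptions chosen for the demo.

```python
import string

# Constructed stand-in for a dictionary; a real check would load a full wordlist.
WORDLIST = {"ace", "horse", "trap", "host", "admin", "secret", "welcome", "password"}
SYMBOLS = set(string.punctuation)  # the 32 printable ASCII symbols

def starts_with_dictionary_word(pw):
    """Post #1's first rule: the password must not begin with a dictionary word."""
    low = pw.lower()
    return any(low.startswith(word) for word in WORDLIST)

def check_policy(pw, min_length=12):
    """Apply the thread's rules; returns the list of rules the password fails."""
    failures = []
    if starts_with_dictionary_word(pw):
        failures.append("starts with a dictionary word")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("does not mix letters and numbers")
    if not any(c.isupper() for c in pw):
        failures.append("has no capital letters")
    if not any(c in SYMBOLS for c in pw):
        failures.append("has no symbols")
    if len(pw) < min_length:  # assumed threshold; the thread only says "the longer, the better"
        failures.append(f"is shorter than {min_length} characters")
    return failures

def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for this password."""
    classes = [
        (any(c.islower() for c in pw), 26),
        (any(c.isupper() for c in pw), 26),
        (any(c.isdigit() for c in pw), 10),
        (any(c in SYMBOLS for c in pw), len(SYMBOLS)),
    ]
    return sum(size for present, size in classes if present)

def keyspace(pw):
    """Candidates a blind brute-force search of this length and alphabet must try."""
    return charset_size(pw) ** len(pw)

def years_to_exhaust(pw, guesses_per_second=10**9):
    """Worst-case search time at an assumed guess rate (here one billion per second)."""
    return keyspace(pw) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["acehorse", "horseacetrapadmin", "Xk9#mQ2$vL7!pR"]:
        print(pw, check_policy(pw) or "passes the policy",
              f"keyspace={keyspace(pw):.3e}", f"{years_to_exhaust(pw):.2e} years")
```

The keyspace figure is only meaningful for a password with no structure; a long password built from dictionary words, as in angad619's case, fails the first rule and has far fewer realistic candidates than its length suggests.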