
Alert! Notice To Hosting Members! Urgent!


26 replies to this topic

#1 BuffaloHelp

    Sterling Archer

  • Kontributors
  • 4,088 posts
  • Gender:Male
  • myCENT:50.18

Posted 26 September 2007 - 05:22 AM

For some time I have been noticing too many patterns in problems with hosting accounts and their passwords. We have a topic that started here: http://www.trap17.co...showtopic=51508

As I managed to regain control of these accounts I began to notice some odd incidents. Namely, I have been noticing that the last IP to enter these hosting accounts had a similar origin location. The origination is from Vietnam. And the accounts affected are those with simple and dictionary-related passwords.

I will be dealing with the culprit. In the meantime, dear hosting members, please please follow my instructions as I have been preaching this from the beginning!

Do Not Start your password with a word that's found in a dictionary. For example "acehorse"
Do mix alphabets and numbers.
Do mix cap letters and symbols.
Do rotate your passwords regularly.
Do check your last login IP on your cpanel. This is the first indication of intrusion.
This includes your forum password as well. Your forum account is the gateway to your hosting password change.

This finding will be sent to OpaQue so that he can take the next measure of defense.
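As an added illustration (my code, not part of BuffaloHelp's post or of any Trap17 tool), the checks below apply the rules listed in this post plus serverph's later point that length is what really drives brute-force cost; the word list is a constructed stand-in for a real dictionary file, and the ten-character minimum is my assumption.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary file
# (e.g. /usr/share/dict/words); "acehorse" is the post's own bad example.
DICTIONARY = {"ace", "horse", "acehorse", "password", "summer", "dragon", "admin"}
SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols

def starts_with_dictionary_word(password, words=DICTIONARY, min_len=3):
    """'Do Not Start your password with a word found in a dictionary'."""
    low = password.lower()
    return any(low.startswith(w) for w in words if len(w) >= min_len)

def character_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) are used."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes

def brute_force_bits(password):
    """log2 of the guesses an exhaustive search over the classes actually used
    needs: each extra character multiplies the work by the alphabet size."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
    alphabet = sum(sizes[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def check_password(password, min_len=10):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if starts_with_dictionary_word(password):
        problems.append("starts with a dictionary word")
    classes = character_classes(password)
    if "digit" not in classes or not (classes & {"lower", "upper"}):
        problems.append("does not mix letters and numbers")
    if "upper" not in classes:
        problems.append("has no capital letter")
    if "symbol" not in classes:
        problems.append("has no symbol")
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    return problems
```

Doubling the length of an eight-letter lowercase password roughly doubles its bit estimate, while adding one symbol class to it adds only a few bits, which is the "longer, the better" point in numbers.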

#2 BuffaloHelp

    Sterling Archer

  • Kontributors
  • 4,088 posts
  • Gender:Male
  • myCENT:50.18

Posted 26 September 2007 - 07:07 AM

I have been informed that users "punisher" and "brandon" might be experiencing some issues as well. But until they contact me I will not take any action to attempt to reset their passwords. Guys, please PM me if you read this.

#3 Jimmy

    Super Member

  • Kontributors
  • 491 posts
  • Gender:Male
  • Location:The UK
  • Interests:Cycling, Photography, Futurama, Fiddling with images / web sites / just generally wasting time
  • myCENT:86.17

Posted 26 September 2007 - 10:04 AM

Thank you for the information. This is quite worrying for all our accounts' security. I have a couple of questions that would probably answer people's first questions:

I just logged in and have not experienced a password change. I changed it from the simple dictionary word (oh dear) I was using to a much more secure code now. Does this mean that my account was unaffected?

Is it possible that our files have been altered if the password has not been changed by the "intruder"?

Have there been any instances of files modified on people's hosting? If so we will need to check all of our files.

Last but not least, Is there any way to see a list of all the recent logins, not just the last login, and their I.P. addresses?

Regards,
James

Edited by Jimmy, 26 September 2007 - 10:08 AM.


#4 Saint_Michael

    $p4m 0n j00 $h4m3 m3 0nc3 $p4m 0n m3 $h4m3 m3 7\/\/1c3

  • [MODERATOR]
  • 7,459 posts
  • Gender:Male
  • Location:9r33|\| 399$ 4|\|D 5P4/\/\
  • Interests:$p4m 0n j00 $h4m3 m3 0nc3 $p4m 0n m3 $h4m3 m3 7\/\/1c3
  • myCENT:71.24

Posted 26 September 2007 - 04:38 PM

Jimmy, on Sep 26 2007, 06:04 AM, said:

Thank you for the information. This is quite worrying for all our accounts' security. I have a couple of questions that would probably answer people's first questions:

I just logged in and have not experienced a password change. I changed it from the simple dictionary word (oh dear) I was using to a much more secure code now. Does this mean that my account was unaffected?

Is it possible that our files have been altered if the password has not been changed by the "intruder"?

Have there been any instances of files modified on people's hosting? If so we will need to check all of our files.

Last but not least, Is there any way to see a list of all the recent logins, not just the last login, and their I.P. addresses?

Regards,
James


The only way that you will know if your files have been altered is if you go through them and match them against the ones on your computer, or if your files are not displaying correctly in the browser. I would think it would be appropriate to display the IP number that is being used so the hosted members can check it against the latest visitors log. Also I believe the RAW access logs can be used to check to see who has accessed the account. I know at the admin level they have all those logs as well, so most likely they are cross referencing that IP number to all the accounts and seeing who else this person tagged, because it seems astahost got caught in this mess as well. The main question is though, did the person go after individual accounts or did he get root access in the system at all?

#5 Jimmy

    Super Member

  • Kontributors
  • 491 posts
  • Gender:Male
  • Location:The UK
  • Interests:Cycling, Photography, Futurama, Fiddling with images / web sites / just generally wasting time
  • myCENT:86.17

Posted 26 September 2007 - 05:08 PM

Saint_Michael, on Sep 26 2007, 05:38 PM, said:

The only way that you will know if your files have been altered is if you go through them and match them against the ones on your computer, or if your files are not displaying correctly in the browser.
Thank you for the lengthy reply SM. Well, matching files is a bit of a problem for me since I don't have an up-to-date backup that I know of (conducted one a couple of weeks ago). Hope I can remember the code and spot any bad stuff. I think it would be much more convenient to check the I.P. logs rather than go through the files manually!!!!

Saint_Michael, on Sep 26 2007, 05:38 PM, said:

I would think it would be appropriate to display the IP number that is being used so the hosted members can check it against the latest visitors log. Also I believe the RAW access logs can be used to check to see who has accessed the account.
Okay, thank you, I will have to check them.
I would also agree that it's a good idea to put at least half / most of the offending I.P. Address for the members to check against, if not all of it, so we can check the problem. I have logged into my account from a number of computers (around the country!) and would have no idea which I.P. address may be bad!

Saint_Michael, on Sep 26 2007, 05:38 PM, said:

The main question is though, did the person go after individual accounts or did he get root access in the system at all?
That is an excellent question, but from the sound of Buffalo's explanation it sounded like only accounts with weak passwords were hit. That sounds like he or she may have had a brute force or maybe a rainbow table running on our cpanel accounts, perhaps over a long period of time. Yet another reason why, if you change your password often, it's difficult to crack.

Edited by Jimmy, 26 September 2007 - 05:12 PM.


#6 angad619

    Advanced Member

  • Kontributors
  • 136 posts
  • Location:Mumbai, India
  • Interests:The Net, my comp, cricket
  • myCENT:ZERO

Posted 26 September 2007 - 05:27 PM

Probably even my password was affected. But I managed to pool up some credits and got my password changed.
Let me bring to your notice that while doing so, after I had put my forum username and pass, the page said something to the tune of:
Account verified.....
Changing Password.....
Do not reload.....
could not change password...

But then my password did change to the new one.
When I then logged into my cpanel my disc space usage was 20/20MB. I haven't uploaded anything in the past few weeks. How did the disc usage increase now??

I am now trying to pile up more credits to request for a hosting upgrade :)

#7 BuffaloHelp

    Sterling Archer

  • Kontributors
  • 4,088 posts
  • Gender:Male
  • myCENT:50.18

Posted 26 September 2007 - 08:49 PM

angad619

Your account came up as one of the "problem" accounts but I was told probably not. Look through your directories and see if you find any suspicious files or folders. Brute force, indeed, was used to break into accounts with weak or predictable passwords by a password-cracking script.

As for the process page showing some error messages, OpaQue is working on the version 2 of the Process page. Therefore you might see some error message but the service would perform as it should.

The security for Trap17 hosting accounts worked as it should (to an acceptable standard) since only a handful of accounts were affected and not all 200+ accounts. But before the culprit was banned it did some damage. Although the penetration rate is way below the tolerance level, I do apologize for any inconvenience this has caused. I could say something like you should have done this... you should have done that... but in the end at least we are able to recover from this disaster.

Let's use this experience as a learning point. Trap17 is now aware that its firewall is not perfect. And our hosting members will prepare better for the future by having stronger passwords. Hopefully, there will be no next time.

#8 serverph

    Ancient Enigma

  • [MODERATOR]
  • 1,952 posts
  • Gender:Male
  • Location:under the stars
  • Interests: http://kapamilyatalk.com | http://scq.serverph.uni.cc | http://reseller.premium.ws | trap17 IP to access cpanel: https://64.69.46.210:2083/ | alternative to access cpanel: gamma.xisto.com/~cpanelusername | Get your T17 banners here: http://www.trap17.com/banners/ | TRAP17 Forum Search plugin: http://plugins.astahost.com/
  • myCENT:67.66

Posted 26 September 2007 - 09:18 PM

some more tips:

the length of the password lends to a more secure combination also, something which exponentially increases security especially when brute force technique is employed. in short -- the longer, the better.

an additional good measure is to have a separate set of passwords for your cpanel, VERY MUCH DIFFERENT from your forum password. it's very likely that some members here have the same passwords for both, which gives higher risks for both the forum account and the hosting cpanel. in the likelihood that one is compromised, it compromises the other as well. it's better not to compromise both at the same time.

#9 Saint_Michael

    $p4m 0n j00 $h4m3 m3 0nc3 $p4m 0n m3 $h4m3 m3 7\/\/1c3

  • [MODERATOR]
  • 7,459 posts
  • Gender:Male
  • Location:9r33|\| 399$ 4|\|D 5P4/\/\
  • Interests:$p4m 0n j00 $h4m3 m3 0nc3 $p4m 0n m3 $h4m3 m3 7\/\/1c3
  • myCENT:71.24

Posted 26 September 2007 - 10:19 PM

I am so glad that I did change my password a few months ago or I'd be in the same boat as everyone else, because it was a common password as well, not dictionary common but common either way. I found an interesting site, well it was the first on the top of the list; this website tests the password strength (how hard it is to crack). I wouldn't doubt there are other sites like that, so if you do plan to use this website make sure you alter the password once again just in case for double protection. One more thing: never, ever, ever use a password generator regardless of how secure they say it will be, because it won't take much to crack how that generator works.

Also here is an interesting article from Microsoft about security, yeah I know, but it could still be useful though.

#10 Jimmy

    Super Member

  • Kontributors
  • 491 posts
  • Gender:Male
  • Location:The UK
  • Interests:Cycling, Photography, Futurama, Fiddling with images / web sites / just generally wasting time
  • myCENT:86.17

Posted 27 September 2007 - 04:52 PM

Buffalo, is there any way you can list the I.P.(s) that were used to force people's accounts? The log file on my site is far too long to check all of it. If I could just search for part or all of an IP it would seriously help speed up the checking!

Thanks
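An added example (my code, not from any poster or from Trap17's cPanel) of the search Jimmy asks for here and of the RAW access log check Saint_Michael mentioned in post #4: it parses lines in the Apache combined format that cPanel's raw access logs use, keeps only addresses starting with a given prefix (or all of them when the prefix is empty) and summarizes each address; the sample lines, addresses and paths are constructed.

```python
import re

# Constructed sample in the Apache "combined" format that cPanel's RAW
# access logs use; addresses, times and paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2007:03:14:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [25/Sep/2007:03:15:40 -0500] "POST /login.php HTTP/1.1" 401 312 "-" "curl/7.16"
198.51.100.23 - - [25/Sep/2007:03:15:41 -0500] "POST /login.php HTTP/1.1" 401 312 "-" "curl/7.16"
198.51.100.23 - - [25/Sep/2007:03:15:43 -0500] "POST /login.php HTTP/1.1" 200 780 "-" "curl/7.16"
198.51.100.23 - - [25/Sep/2007:03:16:05 -0500] "PUT /images/x.php HTTP/1.1" 201 0 "-" "curl/7.16"
203.0.113.7 - - [25/Sep/2007:04:00:10 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Split one log line into ip, timestamp, method, path and status."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # malformed line: skip rather than crash on a huge log
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def summarize_by_ip(log_text, ip_prefix=""):
    """Group requests per client IP, keeping only IPs that start with
    ip_prefix (empty prefix = every IP), and report what a reviewer
    wants to see: first/last seen, request count, 401/403 responses
    (a run of them looks like guessing) and accepted non-GET requests."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ip"].startswith(ip_prefix):
            continue
        s = per_ip.setdefault(rec["ip"], {
            "first": rec["ts"], "last": rec["ts"], "requests": 0,
            "auth_failures": 0, "writes": []})
        s["last"] = rec["ts"]       # log lines are in time order
        s["requests"] += 1
        if rec["status"] in (401, 403):
            s["auth_failures"] += 1
        if rec["method"] != "GET" and rec["status"] < 400:
            s["writes"].append(rec["method"] + " " + rec["path"])
    return per_ip
```

The prefix is matched textually, so end it on a dot ("198.51.100." rather than "198.51.1") or a shorter address such as 198.51.10.x will also match.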
