[Solved] Account hacked?


NikeJoshua


Ok, well if they had access to shell, they definitely had access to SSL. There is really nothing special about cPanel; all it does is execute some shell script that djbob has defined (only he knows where this is). So, if they had access to the shell, it really would not be hard to emulate the script that cPanel runs. It would just take a little creativity on their part, but nothing more.

 

What could be more of a concern is if Google, Yahoo, and other website security sites decide to warn users that the heliohost.org domain is serving malware to visitors. That would severely hurt heliohost's ability to get new customers and keep their current customers.

 

No one is going to do this, because heliohost.org has not been hacked. It is the subdomain, gauravjee.heliohost.org, that has been hacked. They might, and should, block that domain. But it won't matter to HelioHost because their main domain has not been blocked, and it's really not their fault that their customers are irresponsible enough to keep the "hacked" page up for a week or so.

 

That would be like if somedomain.com got hacked and Google suspended all .com domains. Not likely.


No one is going to do this, because heliohost.org has not been hacked. It is the subdomain, gauravjee.heliohost.org, that has been hacked. They might, and should, block that domain. But it won't matter to HelioHost because their main domain has not been blocked, and it's really not their fault that their customers are irresponsible enough to keep the "hacked" page up for a week or so.

 

That would be like if somedomain.com got hacked and Google suspended all .com domains. Not likely.

 

Umm... I've seen it happen before. It all depends on how seriously they investigate/take the matter. Technically, ***.heliohost.org all falls under the heliohost.org domain, and therefore anything that happens on ***.heliohost.org can affect other heliohost.org domains. Don't believe me? Look at Google AdSense. Google AdSense got blocked on all ***.heliohost.org domains because of a problem on just 1 (or a few) heliohost.org subdomains.

 

In regards to the "not their fault..." comment: again, this is not the view that these companies take. Anything that falls under the heliohost.org domain or is on the Helio server falls back to djbob's responsibility. That is the way these things work. This is why other hosting companies put their accounts on a different domain than their main site: because people abuse ***.mainsite.com and get it blacklisted, thus hurting the company's ability to bring in new customers.

 

In regards to "Google would suspend all .com domains": again, this is a completely different situation than what is happening here. The difference is that ***.somedomain.com is a subdomain of somedomain.com and therefore falls to the owner of somedomain.com. COM is a domain extension, and there is no such thing as a ".com subdomain". What you can relate this to is people with co.cc domains getting all ***.co.cc domains blocked. This is because the domain extension is .cc and you are simply getting a subdomain of co.cc.


I haven't noticed any repeat attempts to hack back in after the first 2 times, but just in case they do, here's a possible workaround:

 

Rename your index.php files to default.php.

In the public_html folder, edit the .htaccess file to contain the line: DirectoryIndex default.php

 

Anyways, djbob, have you had a chance to check my files yet to see if the vulnerability is on our end or somewhere in the server itself?


I think they replace files automatically, because both my index.php files were modified at the same time.

I have Drupal (latest version) on my website and a simple PHP script that just shows the time. There's a hole in the server: cPanel, Apache, etc.


Hi. I have the feeling that no news is out about this problem. I just replaced the index file; however, my annoying domain provider, co.cc, is asking me again to renew the subdomain. So, in the meantime, I cannot check what is going on.


Don't believe me? Look at Google AdSense. Google AdSense got blocked on all ***.heliohost.org domains because of a problem on just 1 (or a few) heliohost.org subdomains.

 

No, I think that was just djbob's account that got blocked. Other individual accounts did not get blocked.


I took a look at some files and it was basically people querying public records in an effort to find some secrets.

 

Yeah, these folks did get access to shell. However, that's trivial to do using CGI. I'm still pretty sure that the hacked accounts just had bad permissions on important files.


The Iranian guys are at it again. My site http://windswept.heliohost.org/ has the "HACKED BY Iranian DataCoders Security Team" thing as the homepage again. (Also getting "This server is currently not licensed. Please contact the server administrator. Other services available on this server such as web services are likely functioning normally. (Invalid License Timer, tamper prevention activated)" when I try to log into cpanel again.)

 

This time I know it's neither an improper permissions problem nor a problem with unescaped HTML/PHP/etc. I had every single file chmoded to 644 or 600 just to see if those guys would come back and do that again. The only thing that wasn't was the mail server folder, which was at 770; I left that alone, as it was already like that when I first got my HelioHost site, and I've never changed it.

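The posts above suggest two things an account owner can check for themselves: whether index.php files have been replaced (both were modified at the same time in one report) and whether anything under the account is group- or world-writable (the "bad permissions" explanation, and the 770 mail folder). The script below is an added example, not code posted by anyone in this thread; it builds a constructed throwaway home directory so it runs offline, records a SHA-256 baseline of the web root, reports files that differ from that baseline, and lists loosely permissioned entries. The directory layout, file contents and the defacement text it writes are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): hash-baseline integrity check for a
# web root plus a permissions sweep. Paths and contents are constructed.
# Requires coreutils sha256sum and POSIX find/diff/awk.

# Create a constructed home directory resembling a shared-hosting account.
make_sample_home() {
  home=$(mktemp -d)
  mkdir -p "$home/public_html/blog" "$home/mail"
  printf '<?php echo date("c"); ?>\n' > "$home/public_html/index.php"
  printf '<?php echo "blog"; ?>\n'    > "$home/public_html/blog/index.php"
  chmod 755 "$home/public_html" "$home/public_html/blog"
  chmod 644 "$home/public_html/index.php" "$home/public_html/blog/index.php"
  chmod 770 "$home/mail"        # the group-writable mail folder mentioned above
  printf '%s\n' "$home"
}

# take_baseline DIR BASELINE: record SHA-256 of every regular file under DIR.
# Keep BASELINE outside the web root (or off the server) so a replaced file
# cannot also replace its own reference hash.
take_baseline() {
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# changed_files DIR BASELINE: print paths that were changed, added or removed
# since BASELINE, one per line (nothing printed when the tree is intact).
# Paths containing whitespace are not handled by this simple awk split.
changed_files() {
  current=$(mktemp)
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$current"
  # diff lines look like "< <hash>  <path>"; field 3 is the path.
  diff "$2" "$current" | awk '/^[<>]/ { print $3 }' | sort -u
  rm -f "$current"
}

# count_changed DIR BASELINE: number of differing files (0 when clean).
count_changed() {
  changed_files "$1" "$2" | awk 'END { print NR }'
}

# loose_perms DIR: files or directories under DIR writable by group or others.
loose_perms() {
  find "$1" \( -perm -g+w -o -perm -o+w \) -print | sort
}

# count_loose DIR: number of such entries.
count_loose() {
  loose_perms "$1" | awk 'END { print NR }'
}

# Demonstration: baseline the web root, simulate both index.php files being
# overwritten at once, then re-check and sweep permissions.
demo() {
  home=$(make_sample_home)
  baseline=$(mktemp)
  take_baseline "$home/public_html" "$baseline"
  printf 'defaced (constructed sample)\n' > "$home/public_html/index.php"
  printf 'defaced (constructed sample)\n' > "$home/public_html/blog/index.php"
  echo "files changed since baseline: $(count_changed "$home/public_html" "$baseline")"
  changed_files "$home/public_html" "$baseline"
  echo "group/world-writable entries: $(count_loose "$home")"
  loose_perms "$home"
  rm -rf "$home" "$baseline"
}

demo
```

Run from cron against the real public_html with a baseline stored somewhere the web server user cannot write; a non-zero count from count_changed is the signal that something was replaced, which turns a week-long outage into a same-day notice. The permissions sweep is only a hint: a 770 directory is fine when the group is trusted, so review what it lists rather than chmod-ing blindly.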

So I'm not entirely sure what's going on. What I know is that somebody managed to change the root password at some point, and they managed to do some stuff as root.

 

I'm going to reboot the server now to upgrade the kernel.


  • 2 weeks later...

Hi Helionet :) I am new here! I was reading this topic to know more about the host where my new site will be.

My suggestion is that the reason you got hacked was not PHP bugs or chmod mistakes; it was a cPanel bug! cPanel Bug Lets Remote Authenticated Users Gain Root Access!

This happened to other hosts as well: check this http://www.goodwebhosting.info/article.py/61

Also, the index pages they replaced had a virus that was infecting Internet Explorer users.


No surprise there. HelioHost has gotten hacked before by djbob's pals. The only reason that HelioHost is running cPanel is that everyone is so used to it that they must have it. However, it has caused many security problems before.
