Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.
Sign In
Not a member yet? Click here to register.

Site Hack in v6.00.305!!!

Hey all, I was looking for some help in trying to get rid of this god damn idiot that likes to wipe our website and they use it to forward our site onto adult sites.

At first I thought it could be spy ware, but after uploading the backups I created of our site via (old school MacOS 9.2.2) and we’re still getting hacked. I beginning to wonder if the asshole some how has left a line of code in my previous back-ups and is still getting in even after completely reinstalling php-fusion v.6.00.305 onto my site. I started with v.6.00.305 and still would love to use it… but at this rate it’s almost not worth it if I keep getting hacked.

I’m wondering if somehow they were able to store information to my mysql database and record my information… or even if they might be running a XML script in their signature within their profile.

All I know is once I’ve put back up our site, it usually takes the hacker a few minutes to a couple of hours & it’s gone again. They take one of the .htaccess files and make it a 403 redirect to an adult site of their choice. Now I currently have a few images I’ve upload back onto my site, and just an index.htm file.

It’s been up almost 24 hours which to me says that they must be getting in via fusion somehow because it usually is hacked every 2 hours. I have no other MySQL databases running. My cPanelx has 32 characters mix with symbols, numbers, punctuation, and letters. They can’t be accessing my cPanelx directly.

My host doesn’t know what to do when I ask them for help because they say it’s low level security issue that I should be able to fix… yet they can’t seem to do anything to help because they are pointing fingers at php-fusion or pointing fingers at me saying it’s probably a Trojan or SpyWare. Yet I uploaded the back-ups of my site via MacOS 9.2.2 and still I’m getting hacked? I wonder if there truly is an infected file or a command string within fusion I’m unaware of.


I was hoping that there were a couple things that could be done but was unsure of,

1. Is there anyway to record in php what the hacker is doing? Like recording their steps so that I can put a stop to how they are getting in? Maybe even set something up and transfer the information to another site or through an e-mail. (Just guessing here)

2. Is there anyway to make the passwords longer then 20 digits? (i.e. 32 – 64 digits) Is there also a way to make them not just alphanumeric? Like including punctuation & symbols? Here is a good password generator I use: (http://www.winguides.com/security/password.php)

I would love to know how this asshole is getting in, and if it’s a security issue then I want to let php-fusion know ASAP so it can get corrected in future versions. If you have any comments or question please reply as I’m getting rather desperate seeing how I couldn’t keep our phpBB2 discussion board alive, as they hacked the **** out of that one too. Fusion was suppose to be the alternative to phpBB2 and also be a new facelift on our site… but right now it’s not doing a damn thing.
That sounds serious. Digi should take a look.

Experiment installing a new installation of fusion and see if he can get it. If he can't, you can then start restroing your backups. Only restore the DB backups, not the code. He may have touched the code.

Restore the backups gradualy, starting with members, news, etc. and move on to comments and forums.

Also, make sure to get a completely new password for everything, and make it long - like 10-15 digits. I know my password is 19 digits long.
Is it a completely fresh setup? are there attachment/avatar files? I doubt its a hole iin .305 but a left over file from a lesser release.
I've only used v6.00.305 Digi... I've never used a previous version. So if the file is still in the v6.00.305 setup, then it wasn't removed in v6.00.305 :|

When I get home tonight I'm going to put a fresh install of Fusion on my site. I will lock the registration and see if it stays on the site. I will not restore my fusion back-up just yet. :|

I will also include a small list of the MOD’s I was using as I have a back-up of all of then last time I did a clean install. ;)

If you need cPanelX access Digi like I gave you last time, let me know. I don’t mind giving you access if this is going to help solve a security hole. The problem is if the guy does hack the site through fusion… he also tends to delete the logs. So it’s hard to tell what was done & when. :(

I will get home tonight around 7:30-8:00PM-ish (PST) -8 GMT I'll put the lists of Mods in this post... B)

If you want to review my sql Fusion back-up I can have a spot for you to download that somewhere else.

Just let me know what you'd like to review. ;)
Judging from my past experience with various web hosts, and trust me they were a lot, this sounds more like a security issue of your host and not an issue of PHP-Fusion itself.

First of all, are you on a shared hosting plan? If so, you have to be aware that there are dangers and risks involved. Your host may be doing its best, but sometimes best is not good enough.

Furthermore, if you are telling me that they deny knowledge of the problem, then I would say that their support has serious issues. I don't mean to be bad or anything, but a good host should know and record such problems.

You could also check the logs if you log into your account and see if anything is wrong, but I am 99% certain that we are talking about an attack on the server itself here. Things are worse if the 'MySQL' database is installed on the same server (localhost), since your database itself may be corrupt.

I know and I've been there myself, so try contacting your host again explaining in the best possible detail the nature of your problem. They should at least know!

Finally, don't give up and above all don't panic. I will do my best to help you and i will be tracking this thread to see if your problem has been solved.

Panos
.
Well I have over 50 replies on this one topic in a support ticket for my Host. Since they don't "Support" php-fusion it's up to me to figure it out.

I don't mind posting the ticket, of course I'll be editing it becasue it has some account details in it... in fact I'll include it below.

My current Host is Ace-Host.net - It would be great if the problem was on their end becasue it just have them pay me back for the down time and all the support that they said "wasn't their fault". I'm already ****ed with them as it is.

-------------------------------------

Quote

Last Update: 03 Apr 2006 05:01 PM
Last Replier: Acenet Inc
Status: On Hold
Department: Tech Support
Created On: 06 Mar 2006 03:39 PM
Subject: Site Hack / Abuse



Nathan Hammack
Posted on 06 Mar 2006 03:39 PM
--------------------------------------------------------------------------------
My site was hacked today and I need to get my administrative password sent to an e-mail address so I can take back control.

I'm hoping I'm still able to get a backup of our site as it has been completely altered to look like an adult site and I "DID NOT" make changes to our site in the last 3 days. (Saturday, Sunday, Monday)




Acenet Inc
Posted on 06 Mar 2006 03:44 PM
--------------------------------------------------------------------------------
Hello,

I would strong recommend regenerating your account.

There are currently many missing default directories in your account, including the public_html directory, which would contain all of your site's files.

Please post the last 4 digits of the credit card we have on file for this account for ownership verification and we will create a new account for you.

Unfortunately, our backups are configured for complete hard drive failures, not the restoration of specific files. You should maintain your own backups, on your computer, by using cpanel's backup feature. Just login to your account's cpanel and click on the backup icon. Additional information on this feature can be found within the cpanel manual. Again, you will have to upload any backups you have on hand, as our backups are not cconfigured for specifc file restoration, sorry.




Nathan Hammack
Posted on 06 Mar 2006 03:54 PM
--------------------------------------------------------------------------------
I'm hoping this is the correct one... ****




Acenet Inc
Posted on 06 Mar 2006 04:07 PM
--------------------------------------------------------------------------------
Your account has been regenerated.

(***PRIVATE***ACCOUNT***INFORMATION***)

To help prevent an issue like this in the future, be sure all of the scripts you employ on your site and in your account are the most up to date and secure available via the script's developers.

We also recommend ensuring that all of the passwords you use are secure, like the passwords generated here:

http://www.winguides.com/security/password.php

If you have any questions, please let us know.




Nathan Hammack
Posted on 06 Mar 2006 04:14 PM
--------------------------------------------------------------------------------
All of my scripts are up to date, even more up to date then your install scripts like pHpBB2, Coppermine, & phpNews. I have no clue how someone optained access to my site as I keep password security a very serious threat. Just see how often I change my password and you'll know!

the last password was a long & difficult one to decipher.

Password: subm1tth1son3

Is there anyway to trace who attacked my account at ALL???




Acenet Inc
Posted on 06 Mar 2006 04:29 PM
--------------------------------------------------------------------------------
Well, here is how I see it - it couldn't have been an FTP vulnerability, since Pure-FTPD has no known vulnerabilities. If your scripts are not vulnerable, as you say, then we can disregard that possibility (although you may want to check any vulnerability listings of the scripts you had installed). SSH access is restricted, and is not available on your account.

The way that I see it is that your password was compromised. While it is feasible that it could've been brute-forced, this method is slow and ungainly, and most likely not used. Have you used this password in any locations where the machine you were working on could've been compromised? Usually, a trojan horse or keylogger is the most common way to obtain someone's password. Have you made sure your computer is free of these?

Jeremy
AceNet, Inc. Security Administrator




Nathan Hammack
Posted on 06 Mar 2006 05:00 PM
--------------------------------------------------------------------------------
My passwords are sent to me via web-mail like yahoo or gmail. I do not send the e-mails to a e-mail account that I need to connect from outlook to open. As soon as I change my password, I delete the e-mail and change it back on cPanelX within a matter of seconds.

I'm kinda of a virus & anti-spyware freak. I'm very careful on what I open and what I use. I use all these just for safe-keeping:

Microsoft Anti-Spyware
Microsoft Defender
Spybot Search & Destroy
Adware Professional
AVG Anti-Virus
McFee Anti-Virus & Anti-Spyware

Now I know this does not garaentee that all of these would keep me free of the unknown, but it helps fight the war especially when I take things VERY careful.

I also defragment on a regular basis, & check updates EVERYDAY on all of my programs as if it were a religion. All of my passwords I use are difficult to crack due to their length and number being used. I will take the sugestion on the "Generated Password" from http://www.winguides.com/security/password.php but my original question was not answered. "Is there anyway to trace who attacked my account at ALL???"

You must have a log "legal wise" to see who had logged into my account either through cPanel or the FTP. Please if you have any information I'm begging you to please share it with me because I would like a full investigation as to how this information was compromised.

I'm also hoping that my account still has all of the same features that it had when I signed up originally with Ace-Host.net?




Acenet Inc
Posted on 06 Mar 2006 05:15 PM
--------------------------------------------------------------------------------
Roughly 80% of all accounts that become compromised become compromised through lack of updates to the scripts they utilize. It is also common in these instances when users employ scripts that were self-made, or custom made by a friend, or simply not mainstream and tested enough for exploitations.

For example, one of our clients had failed to update their phpBB forum for well in excess of a year, and this left her wide open to a numerous amount of exploits that had since long been repaired by the developers if she simply kept up-to-date with her scripts.

Below is a log of all cPanel accesses that we have. Logs are routinely cycled out for performance reasons. Thus if this has occurred prior to the earliest date in this log, unfortunately the log no longer exists.

If you see the IP listed as "127.0.0.1" this means the user had logged into cPanel via SSL secure login, and as such the actual IP is not able to be discovered.

Your account has the exact same features as it did prior to the regeneration.

Please let us know if we can do anything further to assist.




Nathan Hammack
Posted on 06 Mar 2006 05:33 PM
--------------------------------------------------------------------------------
So what you're telling me is I informed you of a site hack or abuse and before deleting my entire account you didn't check to see who accessed it last. If I didn't have access to it, and was unable to change my password after asking to have it sent in an e-mail in the FIRST POST, wouldn't that be something to look into?




Acenet Inc
Posted on 06 Mar 2006 05:47 PM
--------------------------------------------------------------------------------
My apologies it seems I had failed to provide the URL to the log I had intended to post.

http://***.***.***.***/~jdarow/cpanel_access-clanuta.txt

This is the log file mentioned in the previous response.

The very last grouping of cpanel accesses appear to be from Kuwait.

http://www.dnsstuff.com/tools/ipall.ch?domain=195.39.170.102

However they are nothing more than attempts to login and "Forbidden" errors that this user received. No successful login was achieved.




Nathan Hammack
Posted on 06 Mar 2006 06:38 PM
--------------------------------------------------------------------------------
However they were able to access the password by some means and change it. Is there anyway to tell on the logs which ones actually were able to login? I know you said there were no successful logins, but my site didn't change on its own.

Since I'm the only one that has access to it and I know I didn't change it on Saturday, Sunday, or even today THERE HAS TO BE A LOG OF A SUCCESSFUL LOGIN IF IT WAS CHANGED!!! This isn’t brain surgery, I have a brother-in-law that does similar work and he has logs of everything. I’d think legally you would do the same (keeping logs) incase you were to go to court with a customer because of issues. I have to wonder about the security on Ace-Host.net. You don't mention how secure the servers are, only that you offer services on the domain that are usually offered to those with e-commerce sites.

I would like to speak with a representative of Ace-Host.net please. Perhaps a manager, a supervisor, or someone with manager or supervisor authority. I know they exist, because when I first joined Ace-Host.net for hosting I was able to speak to a tech on the phone. Now it seems like a ghost town to try to get answers besides trying to submit a ticket and actually being able to get strait answers.

Please call me at: 1-***-***-****




Acenet Inc
Posted on 06 Mar 2006 07:22 PM
--------------------------------------------------------------------------------
Greetings,

I am the administrator on-staff today. The last two responses to this ticket (starting with the one at 5:15pm) have been from myself.

Logs are only of limited use when SSLs are involved for the previously mentioned reasons. Additionally, the only method in which a user could obtain cPanel access would be to have the current cPanel password in the first place. There are only two methods in which this password can be obtained.

[1] Having been given this information by our client (yourself)

[2] Posting a ticket with our help desk and verifying ownership through providing the last four digits of the credit card on file with the account.

It is for this reason that we traditionally do not utilize the cpanel access logs for determining compromised accounts.

The most common method that 3rd parties use to compromise an account is by exploiting old and outdated scripts. For this method, log details are extremely scarce and 90% of the time not much assistance. Unfortunately, as an account regeneration has already taken place, these log details have thusly been reset. However it is for this possibility of exploitable scripts that we had recommended the account regeneration.

I would strongly recommend that you ensure you only install the latest and greatest scripts to your account and checked at least monthly check to ensure they remain such.

As mentioned, unfortunately at this juncture the only log details we can provide are that of the cpanel access logs. Which in themselves do not provide much details in regards to a possible compromised account.

However, if you view the log file and search for "changepass" and see that the line is proceeded with "POST" versus "GET". This will indicate all password changes that have been done.

You can then place the IP in the IPWHOIS field of http://www.dnsstuff.com and find further information about what organization controls that given IP and the general geographical location of such.

Our apologies we cannot be of further help in regards to the logs.

Please let us know if we can be of any further assistance.

Thank you.




Nathan Hammack
Posted on 19 Mar 2006 01:05 AM

--------------------------------------------------------------------------------
This ticket may also have an furture effect with ticket: RSE-65345




Nathan Hammack
Posted on 30 Mar 2006 08:03 PM
--------------------------------------------------------------------------------
The site has been hacked yet again just like I had previously reported before. PLEASE DO NOT DELETE THE SITE like last time!!! I want to copy the logs!!!

I just want to have the admin password e-mailed to me again so I can login to my control panel and grab content off before having to regenerating our account.

If you need to confirm my last four digits on my credit card again I can give you this information. If you're reading this ticket for the first time, please take the time to review the entire ticket.




Acenet Inc
Posted on 30 Mar 2006 08:17 PM

--------------------------------------------------------------------------------
You can find your files at the following link: http://***.***.***.***/~jdarow/cpmove-clanuta.tar.gz




Nathan Hammack
Posted on 30 Mar 2006 10:19 PM
--------------------------------------------------------------------------------
Are you joking me??? You regenerated my account again after I clearly asked you not to???? YOU PEOPLE DID THIS BEFORE AND SCREWED IT UP THE FIRST TIME.

I ASKED YOU: "PLEASE DO NOT DELETE THE SITE like last time!!!"

I then believe I also asked: "I just want to have the admin password e-mailed to me again so I can login to my control panel and grab content off before having to regenerating our account."

Did you do this??? Not yet. So how can I get just the admin e-mail account changed to this one (*****@*****.com) and still not have the site removed?

By the looks of the file you sent, it already looks like you've deleted all the content on the site which I clearly asked you NOT TO DO.




Acenet Inc
Posted on 30 Mar 2006 10:28 PM
--------------------------------------------------------------------------------
Please post the last four digits of your credit card for account verification.

Also note that if we did clear your account we would have removed the frontpage.

Most likely that was removed when your site was hijacked.




Nathan Hammack
Posted on 30 Mar 2006 11:12 PM

--------------------------------------------------------------------------------
CC four digits: ****

Again do not regenerate my account just yet, I want to see if everything has been removed. I do not use this computer on other sites besides gmail, clanuta.com and ace-host.net esupport.

They are not hacking on my end. The security with my host (ACE-HOST.NET) seems extremely weak in my opinion and this being the second time we got hacked I'm begining to wonder how secure my host claims they are since I haven't seen proof thus far.




Nathan Hammack
Posted on 31 Mar 2006 12:23 AM
--------------------------------------------------------------------------------
This is kind of time sensitive as I want to get this information ASAP and I've been sitting here for a few hours now waiting.




Acenet Inc
Posted on 31 Mar 2006 12:51 AM

--------------------------------------------------------------------------------
ACCOUNT INFORMATION:

(***PRIVATE***ACCOUNT***INFORMATION***)




Nathan Hammack
Posted on 31 Mar 2006 12:56 AM
--------------------------------------------------------------------------------
... how many times are you people going to ignore me???? I ASKED THAT YOU DO NOT REMOVE THE SITE UNTIL I had the ADMIN PASSWORD sent to me!!!! I said DO NO REGENERATE MY ACCOUNT!!! I wanted the admin password changed!!! THAT IS ALL.

Why did you regenerate my account after specifically asking you not to do that?????? Does anybody actually read these posts & pay attention?




Acenet Inc
Posted on 31 Mar 2006 01:22 AM
--------------------------------------------------------------------------------
As far as I know no one regenerated your account, I simply posted all the login information we have available for this account.




Nathan Hammack
Posted on 31 Mar 2006 01:47 AM
--------------------------------------------------------------------------------
the information you posted is old...

I cannot log back into the site with the information you posted above. I tried resetting my password and it's not being sent to: *****@*****.com or *****@*****.com

Could you PLEASE update the e-mail address on file so I can change the password accordingly.




Acenet Inc
Posted on 31 Mar 2006 01:58 AM
--------------------------------------------------------------------------------
The email address on file is *****@*****.com, however I've reset the password for your account to "*****" you should be able to log in again shortly.




Nathan Hammack
Posted on 31 Mar 2006 02:07 AM
--------------------------------------------------------------------------------
Ok here's a stupid question... I've logged back into my ftp and everything has been basically cleaned out even asking several time that it not be cleaned out (either the hacker did it or Ace-Host.net did it)...

I go to clanuta.com and I still see this "Adult Site" (http://www.scat.tk/) that it keeps forwarding too... so I check cpanel and look in Manage Redirects and nothing is listed for that URL...

So how is this "Adult Site" showing up as our main page when we arn't redirecting people to it on clanuta.com or hosting any files that are redirecting people to it?




Nathan Hammack
Posted on 31 Mar 2006 02:12 AM
--------------------------------------------------------------------------------
I think I just answered my own question...

in the file: .htaccess

is reads within it:

Order Deny,Allow
Deny from all

ErrorDocument 403 http://www.scat.tk/

--------

I changed it to:

Order Deny,Allow
Deny from all

ErrorDocument 403 http://www.google.com

--------

Now it autodirects to google's site.




Acenet Inc
Posted on 31 Mar 2006 02:31 AM
--------------------------------------------------------------------------------
Right that .htacces file is saying when a 403 Error occurs go to http://www.google.com.




Nathan Hammack
Posted on 31 Mar 2006 03:11 AM
--------------------------------------------------------------------------------
Please regenerate this account.

I also have a few requests so that we do not get hacked again...

#1. Instead of our current IP address: ***.***.***.*** for our site, can it be possible to have an alternative IP address or change it completely?

#2. Can I change our current username from "clanuta" to something else?

I still would like to keep everyhint geared towards "clanuta.com" but I want to specify a different username for this account.




Acenet Inc
Posted on 31 Mar 2006 03:20 AM
--------------------------------------------------------------------------------
1) You can purchase your own dedicated IP. This is an extra $2.00/month and is available by filling out the following form:

htttp://ace-host.net/accountupgrades.html


2) Unfortunatly we're unable to change usernames.




Nathan Hammack
Posted on 31 Mar 2006 03:21 AM
--------------------------------------------------------------------------------
Has the account been regenerated?




Acenet Inc
Posted on 31 Mar 2006 03:50 AM
--------------------------------------------------------------------------------
Your account has been regenerated.

(***PRIVATE***ACCOUNT***INFORMATION***)




Nathan Hammack
Posted on 31 Mar 2006 11:56 AM
--------------------------------------------------------------------------------
I restored one of my previous site back-ups but it looks like it uploaded it ftp.clanuta.com

"backup-3.17.2006_12-20-37"

How can I make this back-up my current site?




Acenet Inc
Posted on 31 Mar 2006 11:59 AM
--------------------------------------------------------------------------------
To restore you would have to use the cpanel backup section located in cpanel.




Nathan Hammack
Posted on 31 Mar 2006 12:34 PM
--------------------------------------------------------------------------------
well after I uploaded the "backup-3.17.2006_12-20-37_clanuta.tar.gz" is gave a listing of all of the files it uploaded and then gave the option at the bottom to go back...

My site however hasn't changed at all to the previous site back-up.

The folder is still sitting in my ftp that I uploaded via cPanelx




Acenet Inc
Posted on 31 Mar 2006 12:35 PM
--------------------------------------------------------------------------------
You should modify your web browser to update the web page on each visit and delete all cached files.

Internet Explorer:

Select TOOLS (top menu)
Select INTERNET OPTIONS (on drop down)

Look for "Temporary Internet files" under GENERAL
within that section, click SETTINGS

Then, for "check for newer versions of stored pages:"

choose "EVERY VISIT TO THE PAGE"

Then, for "Amount og disk space to use"

choose 1 MB

and click OK

Then, click DELETE FILES under "Temporary Internet files"

click APPLY and/or OK

Close all browsers

Reboot your computer.

* for all other web browsers, you would need to consult your web browser's documentation.




Nathan Hammack
Posted on 31 Mar 2006 12:48 PM
--------------------------------------------------------------------------------
Thats great and I appreciate that info you typed out because thats the first thing I did. Hence why i'm reporting the problem now because it should have fixed the issue when I uploaded that backup onto the site.

Still clanuta.com has no index file and you can see the directories still. If the backup was being used then it would have an index file on clanuta.com. So please "TAKE A LOOK INTO THIS" because I uploaded the back-up file back onto cpanelx and it hasn't taken effect on the server and I was wondering WHY.




Acenet Inc
Posted on 31 Mar 2006 12:57 PM
--------------------------------------------------------------------------------
I noticed that you had the backup extracted and it was sitting in your root username directory. I moved your current public_html folder to oldpublic_html/ and copied the public_html folder that was in your backup folder to /home2/clanuta/public_html/

Is this correct? Let me know if you need it changed.

Ryan




Nathan Hammack
Posted on 31 Mar 2006 01:28 PM
--------------------------------------------------------------------------------
I couldn't specify what went where on cPanelX as it doesn't really let you do anything but upload the backup file. I guess that is where it places my files that I use when I want to upload a previous back-up.




Nathan Hammack
Posted on 01 Apr 2006 06:32 PM
--------------------------------------------------------------------------------
Again the site has been hacked... even with a 32 digit password.

Ace-Host.net... can you not offer more security?

This is getting stupid, I've tried doing this now on 6 different machines and everytime we are getting hacked.

This time the hacker has posted a note in our FTP taunting me that yet again we got hacked. "DexterIsOwned.Again"

Please do not tell me that it's spyware or a trojen that is causing the hacking. Like I said, this is the 6th time we've been HACKED on ace-host.net

WHAT CAN BE DONE ABOUT THIS?

I have a complete site back-up, but I don't want to be hacked anymore. I want tot talk to someone on the phone about how to get this security resolved because I feel Ace-Host.net really doesn't care that we keep getting hacked. I feel there is a security flaw & it's not on my end!




Acenet Inc
Posted on 01 Apr 2006 06:39 PM
--------------------------------------------------------------------------------
If this is happening, you are most likely infected with a trojan that records both keystrokes and clipboard activity. Either that, or you have installed insecure scripts. If it was a server side hack, it would show modification via ROOT because this is the ONLY user on the server that has shell access. Not only that but the only IP that can connect to root is our office ip. As you can see, we have a considerable amount of security in place. (not to mention our apf firewall system, and nightly security updates for server daemons).




Nathan Hammack
Posted on 01 Apr 2006 07:22 PM
--------------------------------------------------------------------------------
Again I do not have a trojan in the machines I've used. I've re-explained this I don't know how many times in this ticket alone. The only "Scripts" I've installed were databases I've created in cPanelx.

I've been using php-fusion which is simular to nuke & post nuke. It runs of of the phpMyAdmin database. Whoever what I've noticed it that the hacker don't bother hacking our php-fusion they would rather hack the entire web site that you host. They haven't changed the password this time on cPanelX which I find odd, because they usually do.

What I'm looking for is more security in cPanelx. The password I still have set on there is "hec4G!_EWUSp!cUzem*pu9#che7etHux" I used what Ace-Host.net has recomended I use in the past from "http://www.winguides.com/security/password.php"

Using all of this I'm still being hacked. I doubt that if I reformat my computer the hacking will stop. Isn't there anyway on your end to stop these hacks?

Obviously if I'm the only user getting onto clanuta.com and modifying my account there would be a red flag if I wasn't the only user. You say you keep logs, but they mean nothing to me since I don't know how to read them.

PLEASE CALL ME AT: 1-***-***-****
PLEASE CALL ME AT: 1-***-***-****
PLEASE CALL ME AT: 1-***-***-****

You use to offer Phone support when I signed up, don't flake on me now or tell me you don't that the "Resources" to do that. I feel if anything I keep getting betraied by my own hosting company because they keep reducing ways to help or push it aside and point fingers at me as a reason we keep getting hacked.

PLEASE CALL ME AT: 1-***-***-****
PLEASE CALL ME AT: 1-***-***-****
PLEASE CALL ME AT: 1-***-***-****


Acenet Inc
Posted on 01 Apr 2006 07:32 PM
--------------------------------------------------------------------------------
We no longer provide phone support. All support is done through the ticket system.

If there was unauthorized root user access, we would know about it. I just checked the logs and no one outside of accepted ips logged in via root. I would check with the developers of your cms and see if there are any known exploits.


Actually, I checked with their page: http://www.php-fusion.co.uk/news.php

and less then a month ago, their own site was hacked due to a vulnerability in their software, which you use.


I quote some relevent aritcles:

"Regarding recent events
Most of you by now are aware that php-fusion.co.uk was hacked a few days ago. I have been in contact with the group responsible for this breach and have received a reply so I am hopeful they will provide me with details on the vulnerability. Please remain calm, it is vital that no anger is directed towards this group, they are simply demonstrating a weakness in PHP-Fusion that needs to be addressed. I will do my very best to fix the problem as soon as I receive the required information. Thanks for your co-operation and support. "

And a critical update was released.


"Critical update - v6.00.305
As I promised a few days ago, I have received the required information to release a fix to close the vulnerability responsible for last week's security breach. Due to the nature of this exploit I am not able to disclose the exact details, only that it involves avatar files. The problem is fixed in this update. Credit for this discovery goes to the International Flooders Federation (IFF). I would like to thank Slash and his group for their full co-operation smile

Existing v6.00.304 users can download the file '6.00.305 update for v6.00.304'. If you are using an earlier 6.00.3 version ensure you upgrade to v6.00.304 before applying this update. Simply upload the inluded files and click upgrade under System Admin. The Sourceforge packages have also been updated as usual. Click Read more for manual update details. "




Nathan Hammack
Posted on 01 Apr 2006 07:50 PM
--------------------------------------------------------------------------------
I've only used version v.6.00.305 of php-fusion which apparently had the fix for it. Still I'm being hacked. Is Ace-Host.net up-to-date with the latest version of phpMyAdmin & SQL databases? How about with cPanelx?

It would really help if I could change my username, by you say I can't do that. Changing my username would be helpful in the security... yet I can't change it. So what else would you suggest I do?

You say, "We no longer provide phone support. All support is done through the ticket system." However one of the main reasons I signed up with Ace-Host is because you had support over the phone. I talked to one of the sale reps before I signed up with Ace-Host.net asking if I could get support over the phone. They said yes, but when Ace-Host didn't offer support by phone they didn't give any notice to me. I feel like the money I spent for the total hosting package through Ace-Host with Sales Support & Tech support has been misrepresented.

Now when I write up tickets to support I get "General Responces" and I wonder why am I even wasting my time writting up a ticket. Not only that but you techs can't even read the 41 responces on this ticket. How are you able to refer to the history on this ticket if I were to bring this to court if you can't even see all of the responces?

I need to speak to someone at Ase-Host.net, because this has been an ongoing issue. I paided for the phone support with my package upon sign up and I believe I'm entitled in what I paid for originally. That or you can refund me a percentage of what I paid for when I signed up with Ace-Host.net.




Acenet Inc
Posted on 01 Apr 2006 08:03 PM
--------------------------------------------------------------------------------
Are you sure you have always used that version? This ticket was created prior to that version even being released and im certain you have had that account even longer then that. (unless of course, you had just started using phpfusion)


Cpanel is updated nightly. We update security patches for ALL services and daemons nightly. There are currently no exploits for the mysql, ftp, ssh, email, or other linux service directly. The only way for someone to gain access to your site is through a vulnerable script (which seems like the cuplrit to me) or if they already know your password by having your computer infected (which i did not consider because you had already posted you were sure you were not).




Nathan Hammack
Posted on 01 Apr 2006 08:17 PM
--------------------------------------------------------------------------------
I installed Fusion as a resort away from our phpBB2 forum from repeatedly being hacked. I installed Fusion on March 15th, 2005 on clanuta.com. I installed version v.6.00.305. I went to Fusion because they have better security then Nuke and PostNuke.

Also the php forum that is built within Fusion is not a phpBB2 forum which means it's not subjected to some of the exploits to a regular phpBB2 forum.

I am currently using my Wife's laptop which I have not used yet to backup our site. I spent several hours last night with the backup that I had kept from the previous hack on our site I made from Fusion.

After everything was perfect I made an internal backup of Fusion & of the entire clanuta.com site (incase of another hack attempt).

If you visit our site (www.clanuta.com) you can plainly see that it's been hacked again. Not only that but the hacker left a note in our FTP which I've already mentioned. How can You, We, I track down the person hacking in our site and deleting everything in it???

I know we have "logs" but I don't understand how to read what is provided from Ace-Host. I want to see a log list where a specific person deleted our entire site after 4-5AM PST. That is the time I went to bed this morning after updating our site back to it's original state.




Acenet Inc
Posted on 01 Apr 2006 08:25 PM
--------------------------------------------------------------------------------
http://***.***.***.***/~jdarow/clanutalog.txt

Careful! Its a big one!

I think i got most relevent info, but i will be parsing other system logs to see if i can find anything else that might be useful!




Nathan Hammack
Posted on 01 Apr 2006 08:31 PM
--------------------------------------------------------------------------------
If you do find something, what can be done? I think all that could be done is banning an IP... I believe that this user has an IP spoofer.

We did get a message some an unknown user in our IRC channel the other day. Our IRC Channel is located at: irc.protium.org - our channel is #canuta

Here is what was said in IRC:

10:48pm [Join] Wtf (~poosore@c-68-52-171-234.hsd1.tn.comcast.net) has joined #clanuta
10:48pm [Mode] ChanServ sets mode: +v Wtf
10:48pm (+Wtf) dex you fat **** where u at
10:49pm (+Wtf) get the site back up cup cake booty
10:50pm [Part] Wtf (~poosore@c-68-52-171-234.hsd1.tn.comcast.net) has left #clanuta

I believe one of the hackers IP's are: 68.52.171.234




Acenet Inc
Posted on 01 Apr 2006 08:34 PM
--------------------------------------------------------------------------------
Blocking an ip would most likely do nothing. THey can just use a proxy, or like you have said, spoof the ip. As you yourself can see from this log, it was not a system based attack, because not a single one of the modifications was from a root user. They were all from clanuta. That means either a script was exploited and they gained user access, or you yourself are infected, and they know your password that way.




Nathan Hammack
Posted on 01 Apr 2006 10:45 PM
--------------------------------------------------------------------------------
I don't believe they got the password in cPanel since it was 32 digits long. It was left untouched & unchanged. So it is possible that they are somehow obtaining this information through MySQL?

I seriously doubt that I have a trojan on my machine as again I've previously mensioned in this topic that I am VERY careful what I download. I also use many Anti-Virus applications, not just one. The same can be said for anti-spyware applications as well.

Could you please regenerate my account? I will make another back-up as soon as everything is back to normal. But what then? If we get get hacked again what are my options? Isn't there something you can do to monitor that server/site and see if something major has changed?

I've reported us being hacked many times and isn't there something external you can do to monitor who is doing what? They delete pretty much everything in the FTP.




Acenet Inc
Posted on 01 Apr 2006 10:48 PM
--------------------------------------------------------------------------------
Yes we can regenerate it. Sence you previously mentioned that you wuold like a new username, sence we are completly removing the site and readding it, it is possible now. Would you like that? There is not much we can monitor that the logs dont already.




Nathan Hammack
Posted on 01 Apr 2006 11:40 PM
--------------------------------------------------------------------------------
Yes I would love if I could have a new username: ut@adm!ni$tr@t10n

I want to use letters, numbers & symbols as it becomes difficult for people to guess the cPanel admin login & pass.

I'm also going to be updating the site with my previous backup from an old Macintosh iMac (MacOS 9.2.) using fetch ftp. That I believe will solve the "Spyware" or "Trojan" theroy if it is hacked again.




Acenet Inc
Posted on 01 Apr 2006 11:46 PM
--------------------------------------------------------------------------------
usernames are limited to only 8 characters and must use only letters.




Nathan Hammack
Posted on 02 Apr 2006 12:23 AM
--------------------------------------------------------------------------------
new username = webadmin




Acenet Inc
Posted on 02 Apr 2006 12:28 AM
--------------------------------------------------------------------------------
(***PRIVATE***ACCOUNT***INFORMATION***)




Nathan Hammack
Posted on 02 Apr 2006 01:52 PM
--------------------------------------------------------------------------------
I keep trying to connect through my FTP but I keep getting "530 Authentication failed, sorry".


[11:50:34] SmartFTP v2.0.995.19
[11:50:34] Resolving host name "***.***.***.***"
[11:50:34] Connecting to ***.***.***.*** Port: 21
[11:50:34] Connected to ***.***.***.***.
[11:50:34] 220---------- Welcome to Pure-FTPd [TLS] ----------
[11:50:34] 220-You are user number 7 of 50 allowed.
[11:50:34] 220-Local time is now 14:49. Server port: 21.
[11:50:34] 220-This is a private system - No anonymous login
[11:50:34] 220 You will be disconnected after 15 minutes of inactivity.
[11:50:34] USER *****
[11:50:34] 331 User ***** OK. Password required
[11:50:34] PASS (hidden)
[11:50:35] 530 Authentication failed, sorry
[11:50:35] Active Help: http://www.smartftp.com/support/kb/index.php/51
[11:50:35] Cannot login waiting to retry (30s)...

The password is currently set to: psc2510
It's not connecting. I kept getting this same error on both PC & Mac last night and I'm still getting the same error this morning.




Acenet Inc
Posted on 02 Apr 2006 01:54 PM
--------------------------------------------------------------------------------
The password, as verified by myself, is currently *****.




Nathan Hammack
Posted on 02 Apr 2006 04:44 PM
--------------------------------------------------------------------------------
Well I have two different passwords...

cPanelx password is: *****

ftp password is: *****




Acenet Inc
Posted on 02 Apr 2006 04:49 PM

--------------------------------------------------------------------------------
We have synced the passwords to:

*****




Nathan Hammack
Posted on 02 Apr 2006 05:21 PM
--------------------------------------------------------------------------------
I've updated my password on cPanelx ... yet my password does not update for my FTP?

New password: *****




Acenet Inc
Posted on 02 Apr 2006 05:36 PM
--------------------------------------------------------------------------------
It appears that the password:

*****

is too long to be stored in our FTP authentication file.

More than likely at some point this password was truncated when it was put into the password file, however I am not sure as to how many characters it was truncated.

I would advise cutting the password in half, as even half the length of that password would still provide an unbelievable amount of protection from any sort of bruteforce (which would be stopped by our technicians within minutes).




Nathan Hammack
Posted on 02 Apr 2006 05:43 PM
--------------------------------------------------------------------------------
So then what your saying is a 32 digit password would be more then enough?

I've just made backups of my site again. Both the site & SQL Backup of Fusion.

Please note that my site is currently up to date & that is there are any major changes like "deleting" the enitre site are actions not by me, but by the hacker.




Acenet Inc
Posted on 02 Apr 2006 05:50 PM
--------------------------------------------------------------------------------
Even a 12 digit password would be more then enough. For example, an 8 digit password, on a local file, would take (assuming it is not breakable by dictionary based attacks) several years on even a top end system. Now, that is with no internet latency, testing several thousand possibilies per second. Over the internet, with a fast connection, you can maybe get 12 attempts in per second, and after maybe 5 attempts, the server will block you for failed login attempts. The important thing is to have a decent length (8-12 is good) and NOT word based, so we protect ourselves from a dictionary based attack, or guessing because the person knows you.




Nathan Hammack
Posted on 02 Apr 2006 05:54 PM
--------------------------------------------------------------------------------
Well I just changed my password to: *****

and it hasn't updated...

Everytime I change my password I'll need to tell you about it so you can updated it on the server end???




Acenet Inc
Posted on 02 Apr 2006 06:17 PM

--------------------------------------------------------------------------------
***** now works.




Nathan Hammack
Posted on 02 Apr 2006 06:32 PM
--------------------------------------------------------------------------------
Thats great, but everytime I change my password I'll need to tell you about it so you can updated it on the server end???




Acenet Inc
Posted on 02 Apr 2006 06:39 PM
--------------------------------------------------------------------------------
Leave the password like it is, we are going to investigate as to why it does not automatically sync the ftp password.




Nathan Hammack
Posted on 02 Apr 2006 07:39 PM
--------------------------------------------------------------------------------
I was also thinking about doing the $2 a month for a dedicated IP address so that we can install SSL on our server.

Is there a way I can find out how much we have left on our term we've paid for? I can't remember exactly our hosting contract expires.

I would like to set up the SSL for the $2 we have left for the remainder of our contract with ace-host.net How much am I looking at spending to do this?




Acenet Inc
Posted on 02 Apr 2006 07:41 PM
--------------------------------------------------------------------------------
You have 20 months left in your contract, so for the dedicated ip it would be 2$ * 20 = 40$.

Now, you would also need an ssl, which, we do not require that you buy from us but we do offer it.

You can see the details for that and the order form for both here: http://ace-host.net/accountupgrades.html




Nathan Hammack
Posted on 02 Apr 2006 08:34 PM
--------------------------------------------------------------------------------
So I'm looking at the "Standard 128bit SSL Certificate" for 20 months...

Do I have to buy a 2 year certificate for 20 months to be covered? If so It looks like I'm looking to spend $119.90 is this true??? This seems way too expensive for a SSL Certificate




Acenet Inc
Posted on 02 Apr 2006 08:35 PM
--------------------------------------------------------------------------------
No, you can go yaerly if you would like, as long as you have both your ip and ssl at the same time. If you discontinue your dedicated ip you will get a cert. mismatch in ssl. Also, you can purchase an SSL from whichever provider you like, if you prefer another to ours.




Nathan Hammack
Posted on 02 Apr 2006 08:49 PM
--------------------------------------------------------------------------------
Yeah but then I have to pay a $25.00 fee if I go with someone else...

My question above was not to go yearly, but monthly. Since I only have 20 months left, If I pay for a 2 year ssl I'm paying for an extra 4 months that I wouldn't be getting.

Can I pay for just 20 months?




Acenet Inc
Posted on 02 Apr 2006 08:51 PM
--------------------------------------------------------------------------------
No, ssls are created only on an annual basis.




Nathan Hammack
Posted on 02 Apr 2006 09:09 PM
--------------------------------------------------------------------------------
well I would like to pay in advance, is that possible to pay for 20 months & not 2 years (24 months)?




Acenet Inc
Posted on 02 Apr 2006 09:10 PM
--------------------------------------------------------------------------------
No it is not. We can only create SSL for multiples of years and no less.




Nathan Hammack
Posted on 02 Apr 2006 09:19 PM
--------------------------------------------------------------------------------
So I'll be paying for 4 extra months...




Acenet Inc
Posted on 02 Apr 2006 09:20 PM
--------------------------------------------------------------------------------
Well, thats assuming you cancel your service at the end. It is not possible to create a SSL for less then a year (much like domain registration).




Nathan Hammack
Posted on 02 Apr 2006 09:28 PM
--------------------------------------------------------------------------------
So now what your telling me is that I can only have it for a year if I do not continue with ace-host.net for that 2nd year




Acenet Inc
Posted on 02 Apr 2006 09:31 PM
--------------------------------------------------------------------------------
If you buy an SSL, it is linked to both the IP that you have when you created it, and the domain name you have. If you change either of these, you will get a certificate mismatch error. This is one of the security features of an SSL. For example, someone trys to clone your site and ssl, but they have a different ip! Well, you can tell because you will get an ip mismatch. Same with the domain name. This is also to keep each SSL encryption key unique and safe, by requiring a dedicated ip for each ssl.




Nathan Hammack
Posted on 02 Apr 2006 09:34 PM
--------------------------------------------------------------------------------
Do you think this would solve some of the hacking issue we seem to be having while hosted on ace-host.net?




Acenet Inc
Posted on 02 Apr 2006 09:39 PM
--------------------------------------------------------------------------------
To be frank, No. SSL adds no more server side security at all. What it does, is it encrypts traffic to and from the client, which as you could imagine is quite advantageous for its primary users, online retailers, as they can now encrypt credit card information and all other packets, preventing packet sniffers from being able to identify what is being sent. SSL is not designed to protect the server itself from hackers, only the data being sent to and from the server.




Nathan Hammack
Posted on 02 Apr 2006 10:13 PM
--------------------------------------------------------------------------------
So what else can I do?




Acenet Inc
Posted on 02 Apr 2006 10:18 PM
--------------------------------------------------------------------------------
Really there is nothing that you can do. Just make sure that your script is updated frequently and patched whenever updates are available.




Nathan Hammack
Posted on 02 Apr 2006 10:48 PM
--------------------------------------------------------------------------------
...and if the site keeps getting hacked? There is nothing you can do?




Acenet Inc
Posted on 02 Apr 2006 10:51 PM
--------------------------------------------------------------------------------
Correct, there would be nothing that we can do.




Nathan Hammack
Posted on 02 Apr 2006 10:58 PM
--------------------------------------------------------------------------------
There would be no way for you to block IP's?
There would be no way for you to track a user deleting content off our site?
There would be no way for you to be alerted when someone breaks into our site?




Acenet Inc
Posted on 02 Apr 2006 11:11 PM

--------------------------------------------------------------------------------
There would be no way for you to block IP's?
-Blocking an IP would not be effective for many reasons. The main reason would be it's so easy to achieve a new IP that blocking an IP is less than effective. Reasons including, but not only, IPs are easily changed, the domain name (path) will still stay the same to your site, so it's not hiding anything once changed.

There would be no way for you to track a user deleting content off our site?
-We do not track deleted files, this would make our logs far too large.

There would be no way for you to be alerted when someone breaks into our site?
-It would be too far fetched to detect normal usage from a hacking attempt on this level that it would be near impossible. On hosting accounts regularly users move files, remove files, and such. Even if we did log the removal of files or any modifications, this is all basic hosting usage.




Nathan Hammack
Posted on 03 Apr 2006 02:29 AM
--------------------------------------------------------------------------------
I was just going to make another back-up but the site is down... I hope... or we are being hacked again.




Acenet Inc
Posted on 03 Apr 2006 02:34 AM
--------------------------------------------------------------------------------
Not being hacked.

Server was temporarily taken down for a drive copy/replacement of a minor drive. This should be up shortly.




Nathan Hammack
Posted on 03 Apr 2006 03:03 AM
--------------------------------------------------------------------------------
Still down... I'd like to make a back up here very shortly...




Acenet Inc
Posted on 03 Apr 2006 03:27 AM
--------------------------------------------------------------------------------
You will be able to perform the backup once the server is bought back online. Currently there is still no ETA.




Nathan Hammack
Posted on 03 Apr 2006 03:32 AM

--------------------------------------------------------------------------------
I kind of assumed when the server was brought back online I'd be able to do just that... the estimated time is the problem.




Nathan Hammack
Posted on 03 Apr 2006 11:22 AM
--------------------------------------------------------------------------------
Hacked Again.




Nathan Hammack
Posted on 03 Apr 2006 11:30 AM
--------------------------------------------------------------------------------
cPanel password on file must have been changed because I can't login & when I click the link to have a new password sent it's not sending to either account: *****@*****.com or *****@*****.com



Acenet Inc
Posted on 03 Apr 2006 11:33 AM
--------------------------------------------------------------------------------
There was a redirect in your .htaccess file to the other site. I moved the .htaccess file to .htaccess.hak.

Unfortunately in a case such as this we are unable to provide with much recovery.

In an event like this the "hacker" usually already knows the password through other means. Whether it was an insecure password and easily guessed or having been told it/etc. The other main cause is an exploitable or insecure script located on the account. This is usually the case if you have not updated your scripts in quite some time.

We do not retain past backups of files on our server, we only provide RAID-10 redundancy in the event of a drive failure.

You will want to make sure you change ALL your password, update ALL scripts/software, and investigate your HTTP logs to see if you can find an IP this occured from and block that IP as well.

Unfortunately security down to this level cannot be controlled by us, it is left up to you, the client, to maintain that level of security. We will continue to do our part with overall server security.

Please let us know if there's anything further we can assist you with.




Nathan Hammack
Posted on 03 Apr 2006 11:47 AM
--------------------------------------------------------------------------------
1. I have changed all passwords so they were completely different from one another.

2. I have the latest version of php-fusion.

3. I used a Macintosh to update my site. A computer I've never access clanuta.com on before.

4. I have back-ups, infact I made one as of 6:57AM PST this morning and the site was running perfect.

5. I'm using 32 digit passwords & they are very secure from what you claimed from above. Apparently thats not enough, because you then blame it on me saying I had spyware or a trojan when I DO NOT. You then blame it on the version of my scripts which are up to date.

So what the hell do I need to do? I would love to sue this hacker but I can't get any help from Ace-Host. Why can't I get any help from Ace-Host, becasue it's left up to me to secure it. Even after I explore more security options you still tell me that it's not worth it.

So what are you saying exactly? I'm forever going to playing this game of hack & restore? This is the most idiotic thing I have ever heard. I'm paying to host through you! You can't do a damn thing?!?!?!?!?!? I keep reporting I'm getting hacked and there is "Nothing" you can do.




Acenet Inc
Posted on 03 Apr 2006 12:31 PM
--------------------------------------------------------------------------------
[1] It does not appear that the source of this abuse is a user knowing the password used for your account. Thus I would expect this issue to reocur regardless of the password set.

[2] If your backup you have is already compromised and a user has injected whatever code they need to regain access to your account, then restoring backups will not solve the issue.

[3] Given the defacing the user has been doing to your site and the method he has used, I would be extremely surprised if they had somehow gone through the trouble to attempt to compromise your home computer in attempts to grab the password from a keylogger. I would assume safe to say that this "hacker" is unwilling, unable, or simply lacks the knowledge to do such a task.

[4] Please refer to #2

[5] Please refer to #1

------------

At this point, I would say it is a reasonable assumption that the original method in which this account was hacked was either through:

[1] Insecure password
[2] Exploitable script

From that point, it is reasonable that the hacker installed and hid a script in the account for use later on.

On the same note, however, the above assumptions could all be wrong. That is part of what we are attempting to convey. In 90% of cases, it is quite difficult to nail down with any certainty how an account was compromised. The best we can usually do is offer reasonable possibilites.

However more than 90% of the time, the culprit turns out to be an insecure or exploitable script. I see not only was PHP-Fusion installed, but phpBB was installed as well. phpBB is notorious for being hacked if a user lets it go without updates for even a month. This is due to how popular phpBB is, thus it is a common target.

Based on my experiences and the behavior exhibited by this account, I would say there is a good chance that a script was at least originally responsible for the account becoming compromised.

At this point I would advise two things.

[1] Have us completely termiante and recreate the hosting accoutn for you, thus ensuring all data has been cleared from the account.

[2] I would then advise that you ONLY reupload MySQL databases, and do NOT upload files to the system. I would then recommend that you re-download the latest'n'greatest of the scripts that you use and simply reconnect the databases to those fresh downloads. This will ensure that there are no potential hidden exploits being transferred from a backup copy.

With those two steps taken, I would say there is a significant chance that you will not see this issue occur again.

Please let us know how we can further assist in this matter.




Nathan Hammack
Posted on 03 Apr 2006 02:46 PM
--------------------------------------------------------------------------------
phpBB was not installed. I never installed a phpBB board after we kept getting hacked... I said on March 15th I used Fusion for the first time. There was not MySQL database with a phpBB2 forum installed at that time nor has there been since then

Fusion has a version of a forum that is simular to phpBB but it's not the same thing since it's embedded into the site. I have already completed #1 & #2 from above. However the site keeps getting hacked.




Acenet Inc
Posted on 03 Apr 2006 03:12 PM
--------------------------------------------------------------------------------
My apologies, I see now that the references to phpbb in the logs were returning 404 errors (meaning it no longer existed).

However if your site continues to be hacked even after fresh installs are used with 0 use of any backed up file beyond MySQL databases, I would advise against using the script in question.

As there is zero indication of any server-level entity being compromised, it remains that something within the user account is permitting acces to an outside user. As to the exact method that is being used, it is difficult to determine with the public_html directory essentially being nuked each time.




Nathan Hammack
Posted on 03 Apr 2006 03:19 PM
--------------------------------------------------------------------------------
It is possible to have an e-mail sent to me with all of the orginal information for my account?

It sort of like when you regenerate my account you give me soe of the information... but I want to get all of the information, like original creation date with ace-host.net, experation date?

I guess I'll also need the account regenerated once more seeing how I'm still unable to get in an alter anything. I would ask that if you have the logs to please set them aside as I would like to know who the last person in our site & ftp was.




Acenet Inc
Posted on 03 Apr 2006 03:31 PM
--------------------------------------------------------------------------------
Welcome email has been resent to:

*****@*****.com

Start Date: 01/**/20**
Renew Date: 01/**/20**
Last Renewed: 01/**/20**
Billing Cycle: * Years

(The above information should be available for you review as well at: https://ace-host.net/**/)

To regeneration the account:

user: *********
domain: clanuta.com
server: ***.***.***.***

Please confirm the last four digits of the credit card on file with this account. This is simply needed to confirm such a destructive action on the account.

The account logs have been archived as well.




Nathan Hammack
Posted on 03 Apr 2006 03:46 PM
--------------------------------------------------------------------------------
As previously mentioned above in several posts, the last four digits are: ****




Acenet Inc
Posted on 03 Apr 2006 04:45 PM
--------------------------------------------------------------------------------
Regenerating the account now. I will repost when finished.




Nathan Hammack
Posted on 03 Apr 2006 04:45 PM
--------------------------------------------------------------------------------
was the site regenerated?




Nathan Hammack
Posted on 03 Apr 2006 04:48 PM
--------------------------------------------------------------------------------
Thanks




Acenet Inc
Posted on 03 Apr 2006 05:01 PM
--------------------------------------------------------------------------------
Our apologies for the delay in this.

The account has been regenerated:

(***PRIVATE***ACCOUNT***INFORMATION***)
Wow! That was a hell of a read!!

First of all, I can't see why your host is beating around the bush here. I cannot say with certainty that is is their fault, but their answers to your problems are vague to say the least.

What you can do from now on:

1) Make a backup copy of your .htaccess file and delete it from your public_html directory

2) Install PHP-Fusion from scratch, like Gamerguy X suggested! That is important as the new installation will generate your database with new data

3) I suggest that you install PHP-Fusion in the same subdirectory as it was before. After visiting your site, I guess it was the dir "/fusion"

4) Create an index.html file, like the one you are using now, explaining why the site is offline

5) You may also want to try and install another CMS, like for example Joomla or XOOPS or whatever in another subdirectory and see what happens

I have two more questions:

1) Did you delete the 'setup.php' file after the installation

2) Were the 'config.php' octal permissions set to '644'?

I highly doubt that this is a PHP-Fusion issue. I cannot however exclude anything, since I haven't studied the code to that extent. So far it seems really clean.

Please let us know how it went! ;)
As for your two questions (you had more then two Panos?)

1. I did delete the setup.php as it reminds you after the completion of installing it on your site.

2. I did ensure that config.php was running 644 chmod.

- - -

I can replace the site, it just a matter of time before it gets hacked again. I don't see how putting it back on the web will let you guys see whats going on with it.

I was going to also post a lit of MODs I was using on the site after I got home... well I'm hope so here is what I was using:

List of the MOD's I've used from PHP-Fusion ModsPHP-Fusion Mods & PHP-Fusion Themes

news_cat_image_set_3
v6[1].00-Admin-Bad_Login-v1.0.2
v6[1].00-Admin-Who_Is_Online-v1.10
v6[1].00-Fun-Radio_Panel-v1.70
v6[1].00-Games-eXtreme_Warstats-v1.10
v6[1].00-Misc-Automatic_URL_Parser-v1.00
v6[1].00-Misc-Event_Calendar-v1.00
v6[1].00-PM-PopUp_on_New_PM-v1.00
zoneCopper
.
Try passwording the entire site from a root .htaccess file using tips and scripts on this site: http://www.htaccesstools.com/
That will override any other passwords set, except the FTP and the cPanels passwords, of course.

I have no tips on how to protect your site, but I do recommend You to use only ONE antivirus software on Your computer.
I feel you need to test and try this ****. Seeing you've been getting hacked over 6 times in the past little bit i think you should have already been doing this.instead of contacting your host (as you saw was a useless piece of crap) deal with it yourself and test their hacking abilities. forcing them to show you how they are exactly getting in.

I've read through all of your comments and you got ahold of some pretty dumb reps. The few at the end actually seemed to be smart ones So. I advise you to the trust of a friend for some help. Don't use your own computers use someone who doesn't mind wiping their computer to upload new stuff and reconfigure your site. You might have got a custom made backdoor from IRC(very possible). Also you should try to determain the real idenity of the person that is hacking you by thinking about why they are doing it. I wish I was a tech with ace-host. I would so do something smart and actually monior your accout and not **** with your head.

Damn people are acting like microsoft. I figured out you can't rely on the people you pay but you have to do it by yourself. Get aggressive and track their ass down! You got me all excited! I'm burning to nuke this ****! The itch of a hacker is pulling me, Sorry.
Are you by any chance using the same password for ftp,cpanel and mysql? You should really use a different password for mysql.
utadexter,

I aksed you those two questions since especially the second one (chmoding the config.php permissions) is vital.

Ok now. Since you had done these things, I will have to agree with the guys that posted before me and especially with Taino.

You mentioned a .htaccess file. A .htaccess file could be either created by you or it could be there by your host (a pre-configured one). I am excluding the third possibility which would be that one was included in the PHP-Fusion package itself.

Like Taino wrote, try limiting down the possibilities of such a thing happenning and voila! That will 99% of the cases lead you to your host. This is why I told you to delete the .htaccess file from your public_html directory.

I also told you to re-install PHP-Fusion without a .htaccess file in your root directory and when it gets hacked again, pass the file to us for a closer look. The chances of having a .htaccess file "planted" each time in your root directory, if you want me to narrow down the possibilities are the following:

1) Your machine is infected with a backdoor, trojan or whatever. I'm sorry, I don't use Windows so I don't know. If you say however that you have Anti-Virus and Anti-Trojan and all those Anti things installed, under the term of course that they are fully updated, and that you had performed a complete system scan after the attack and found nothing, then write this out.

2) Which brings us here. To your host I mean. There is no other way for a .htaccess file to find its way in there unless someone has the specifics on your account [Edit after Homy's remark: In the case that your host had not put it there by default]! That could be anyone accessing cPanel directly or in the worst case scenario someone who works for your host and has access to that particular server and of course root (superuser)priviledges. Let's assume that the hypothetical person we are talking about was me. What i would do would simply involve opening a text editor, writing a .htaccess file and then copying it into your user account. I know. This seems farfetched and i am not in any way insinuating anything about your host.

Phew. Which in turn brings us here. Open a support ticket with your host and demand an explanation on why and how a damn .htaccess file finds its way into your root dir each time, since you are not putting it there yourself!

Finally, there are dangers and risks when running on a shared hosting environment. Prices are tempting but as I am sure you know, where prices go down usually quality of services goes down with them as well. You should really trust your host in order to use a shared hosting plan.

Please let us know how it went!

Panos
Panos. A .htaccess file exists in site root with many hosts. Per default.
Just part of the setup. The issue is what it says, and if that has become a way for a hacker to access the site.
Homy, I completely agree with you and I think that is the case with utadexter as well. I may have not expressed my views correctly on the previous post, but I agree totally with you that the issue is how that .htaccess file is being modified, what is written on that file and so forth.

In any event, I believe that this is an issue on the part of utadexter's host. I am not directly accusing them since I have no prior experience with the host in mention, but something tells me that this is a security issue on their part.

Moreover, what would help would be the OS the host server is running and various pieces of info. If it is a version of GNU/Linux what kernel version is it using? Is the system patched correctly etc etc etc
The .htacces file is a default in the way my host sets up my site.

Now I do have an index manager that I can set certain folders to have no index's in them. So say I make a /help directoy. If I set the index manager to not allow the /help directory to have an index you will be unable to go to: http://www.clanuta.com/help - you will actually be unable to view anything.

Although I'm sure most of you already know that but I was also using those to lock out the hacker on each one of my directories that didn't have an index.html or an index.htm in it's directory.

I'm sending Digi the site back-ups that I created on Monday the 3rd, 2006 @ 6:57AM PST. One back-up is a COMPLETE site back-up (5.44Mcool. The other is just a backed up sql of Fusion (69.9Kcool. Both files are in .gz format with WinRAR or WinZip can open. .gz is the default my site saves them as once everything have been backed up.

I'm also currently re-installing a "Fresh copy" of Fusion back onto my site as I wasn't able to get around to it last night.
My backed-up .htaccess file in my /public_html/ directory looks like so:

CodeDownload  
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.clanuta.com
AuthUserFile /home2/*****/public_html/_vti_pvt/service.pwd
AuthGroupFile /home2/*****/public_html/_vti_pvt/service.grp

RedirectMatch permanent ^/html/main.htm$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/fusion$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/phpBB/index.php$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/fusion/php-files/$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/cblweb$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/forum$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/phpbb/nfphpbb$ http://www.clanuta.com/fusion/php-files/news.php

RedirectMatch permanent ^/cbl/nfphpbb$ http://www.clanuta.com/fusion/php-files/news.php

A wild guess in the Dark here, but if this would've been a Fusion issue, I reckon more sites than yours would have been exposed for this kind of attacks?

And I haven't heard of no other site than yours who had this happening, so, check that host out a wee bit more.
I had my host check this topic out and here is what they have to say:

Quote

Acenet Inc
Posted on 05 Apr 2006 05:06 PM
--------------------------------------------------------------------------------
It does not appear that the source of this abuse is a user knowing the password used for your account. Thus I would expect this issue to reoccur regardless of the password set.

Quote

utadexter: "I've been talking to the php-Fusion people about this and then think it may be something to do with my .htaccess files on the site."


I would advise persuing this issue with php-Fusion as it seems they will be best suited to help to secure and "lock down" your scripts to ensure it is secure.


Its like I'm trying to pry open a top-secret box to get them to look into any internal issues. Jeese, this is really sucking because I really like php-Fusion (just the little bit I played with) :(
Thread Information
Author
Replies
36 posts
Views
14,755 times
Last Post
Last updated on 14 years ago
You can view all discussion threads in this forum.
You can start a new discussion thread in this forum.
You cannot reply in this discussion thread.
You cannot start on a poll in this forum.
You cannot upload attachments in this forum.
You cannot download attachments in this forum.