Geekzone: technology news, blogs, forums
16 posts

Geek


  Reply # 468528 12-May-2011 23:09

I did a quick Google for the code again and it comes up with other sites that have been attacked by the same guys in the past ... none of which seem to have been hosted by Servage but it does look like they are the latest victim of the hackers.

My site was relatively easy to recover and I am lucky that our users were understanding and appreciated our quick response ... but I don't want to have to do it all over again.

299 posts

Ultimate Geek
+1 received by user: 1


  Reply # 468529 12-May-2011 23:17

Have a look at this thread: http://www.geekzone.co.nz/forums.asp?forumid=82&topicid=78287  - I posted some tips on securing WordPress and also backing up sites.

In addition I'm now using a very good plugin called BackupBuddy that backs up all my files and databases and sends them to an Amazon S3 account.

I'd also recommend moving your sites to a more reliable and responsive hosting partner.  I highly recommend HostGator as their support is excellent.

PM me if you'd like some other suggestions or any other help with removing malware or moving your sites.




Red Jet Web Services
- Affordable websites for small businesses
- Google Email setup and Migrations

 
 
 
 


16 posts

Geek


  Reply # 468536 12-May-2011 23:59

I'm fairly sure that the hijack is nothing to do with an insecurity in WordPress because our site doesn't have any WordPress code and the hackers still gained access to edit any PHP script in the root folder. It also doesn't look like the hackers uploaded their own rootkit or administrator script either, because they shouldn't have been able to run it in any of the folders users can upload to and there are no traces of any spurious scripts. So ... I am waiting for a satisfactory explanation from Servage ;)



412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 468537 13-May-2011 00:06

As suspected... the response:

Hello,

Due to the vast nature of the internet, we employ the same standard methods of safeguarding against malicious entry as all Web hosting companies. This is done through the standard username and passwords we assign to each of our clients. The complexity of the password chosen by the user determines the probability of hacking into a site. Our system will assign your username alphanumerically to assist you in securing your site, but we do encourage use of cryptic, alphanumeric passwords to lower the potential of unauthorized entry into your site.
Please check and confirm on your end. If you have made your passwords more secure then none should be able to hack into your account.

For a password to be strong, it should:
* Be at least seven characters long. Because of the way passwords are encrypted, the most secure passwords are 6-12 characters long.
* Have at least one symbol character in the second through sixth positions.
* Be significantly different from prior passwords.
* Not contain your name or user name.
* Not be a common word or name.

For maximum security please ensure your account password is secure (at least 6 mixed numbers and letters) and that it is changed regularly. Ensure that permissions for your folders are set to 755 and for files it is set as 644. Also check that no folders have insecure permissions such as 777.

But, as suggested by you, we will have this issue informed to our admins.

Kind Regards

16 posts

Geek


  Reply # 468538 13-May-2011 00:14

Hmm, yes if our passwords were insecure in the first place then I would believe that a hacker could have guessed them ... but they were quite secure. Also, I would like to know what measures Servage have in place to prevent brute-force attacks on the Control Panel login. Most network administrators will log repeated failed attempts on the authentication systems and then deny the user access for a period of time. The admins should also be aware of repeated attacks and take steps to block these as a general measure to block hackers. I don't think it is good enough to just say that passwords must be secure because if a network allows many thousands of login attempts on the same account then any password can be cracked. I hope Servage have strong systems to protect the login process from brute-force attacks.



412 posts

Ultimate Geek
+1 received by user: 64


  Reply # 468540 13-May-2011 00:19

They do have a CAPTCHA on their Control Panel login, so I doubt brute force was the reason. MY FTP password on the other hand MIGHT have been used. If so, shouldn't Servage be able to check their FTP login history at the time the files were modified (which I could easily give them)?

As it was a very large number of PHP files that were modified, and all within seconds of each other, my hypothesis is that somehow someone managed to upload a script and execute it...

16 posts

Geek


  Reply # 468542 13-May-2011 00:28

It's a good theory - the CAPTCHA should prevent brute force. The FTP system would seem to be more vulnerable to attack and would give the user access to upload scripts ... and perhaps they tidied it up afterwards too ... I will scan the system again, to make sure they didn't leave anything.

8019 posts

Uber Geek
+1 received by user: 384

Trusted
Subscriber

  Reply # 468552 13-May-2011 01:36

Sounds like their shared hosting servers are compromised at a higher level than your individual accounts.

16 posts

Geek


  Reply # 468553 13-May-2011 02:19

Ragnor: Sounds like their shared hosting servers are compromised at a higher level than your individual accounts.

I agree, it seems like an unbelievable coincidence that in one night a group of websites all hosted on the same company were hit ... and no other forums reporting similar attacks, as yet. Is there any way to prove that it must be the host's problem though? To the best of my knowledge Servage use their own software to manage their server clusters, which would suggest that it is less likely that the hackers used a known weakness with popular software ... but it might have made Servage's systems a tempting target for someone wanting a challenge.

2 posts

Wannabe Geek


  Reply # 468560 13-May-2011 06:11

Hello,
Today my site (hosted at Servage) has been attacked. I have found this thread looking for an answer.
I have received exactly the same answer from Servage as GeoffisPure .... funny

I am absolutely sure that my password was not stolen (I had a quite complex one). Servage is clearly not providing the appropriate support and the security of their servers is clearly compromised. I am seriously thinking about changing to a more reliable host in case they don't give a satisfactory answer.

I am really tired of being blamed for their own faults.

1 post

Wannabe Geek


  Reply # 468561 13-May-2011 06:23

My WordPress installations at 'servage.net' were also changed yesterday (11 May 2011).
Same as other comments, the top of some PHP files now contains the string >>...$somecrainsignvar="f6lkhukr"; echo base64_decode(str_rot13...<<

Fortunately the hack made 2 of 3 WordPress installations break down, so that I noticed the break-in.

I have not reported this to Servage.net but will do so now...
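
A defensive check for the symptoms reported in this thread, as an added example that is not from any poster or from Servage: it walks a web root and reports PHP files whose first bytes contain the `base64_decode(str_rot13` marker quoted above, world-writable paths (777 rather than 755/644), and groups of PHP files modified within seconds of each other. The function names, the 5-second window and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile, time
# Marker quoted in the thread: echo base64_decode(str_rot13... at the top of PHP files.
INJECT_RE = re.compile(rb"base64_decode\s*\(\s*str_rot13", re.I)

def scan_webroot(root, window=5, burst_min=3, head=4096):
    """Return (injected PHP files, world-writable paths, bursts of PHP edits)."""
    injected, writable, mtimes = [], [], []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                writable.append(path)          # e.g. 777 instead of 755/644
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(".php"):
                mtimes.append((int(st.st_mtime), path))
                with open(path, "rb") as fh:   # only the top of the file is read
                    if INJECT_RE.search(fh.read(head)):
                        injected.append(path)
    # Chain PHP files whose mtimes are at most `window` seconds apart.
    bursts, run = [], []
    for ts, path in sorted(mtimes):
        if run and ts - run[-1][0] > window:
            if len(run) >= burst_min:
                bursts.append([p for _, p in run])
            run = []
        run.append((ts, path))
    if len(run) >= burst_min:
        bursts.append([p for _, p in run])
    return sorted(injected), sorted(writable), bursts

def build_sample(root):
    """Constructed tree: three tampered files, one old clean file, one 777 dir."""
    now = time.time()
    bad = b'<?php $constructed="sample"; echo base64_decode(str_rot13("CONSTRUCTED")); ?>\n'
    os.makedirs(os.path.join(root, "lib"), mode=0o755)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for rel, body, age in [("index.php", bad, 2), ("lib/a.php", bad, 1),
                           ("lib/b.php", bad, 0), ("clean.php", b"<?php echo 1; ?>\n", 100000)]:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
        os.utime(path, (now - age, now - age))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(scan_webroot(d))
```

A burst of near-identical modification times is also what a normal deployment looks like, so compare any flagged burst against known upload times. Modification times can be reset by whoever changed the files, so a clean burst report does not rule out tampering.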

16 posts

Geek


  Reply # 468563 13-May-2011 06:39

I had an update from Customer Support to say that the Servage admins are still working on the issue. They have tracked the point of entry to the FTP system and have advised me to change all FTP passwords and make them highly complex. I'm pretty sure that the FTP password was already complex enough but I am at least pleased to see that they are taking this very seriously and are still working on it. Anyone else who has been hacked should report it to Servage and refer the CS techs to this forum thread ;)

Initially they suspected a WordPress bug but our site has no WordPress code in it so that isn't the problem. 

2 posts

Wannabe Geek


  Reply # 468576 13-May-2011 07:53

This problem has nothing to do with WordPress. My site does not use WordPress at all.
I have suffered the problem for the second time today and while I was repairing the files the attacker was still working and destroying my files again. Of course I have reported the issue again to Servage. I think that the problem is with the FTP and I have changed my password, although I am pretty sure that no one could break my password using brute force.

1494 posts

Uber Geek
+1 received by user: 221

Subscriber

  Reply # 468603 13-May-2011 09:18

isol: This problem has nothing to do with WordPress. My site does not use WordPress at all.

I have suffered the problem for the second time today and while I was repairing the files the attacker was still working and destroying my files again. Of course I have reported the issue again to Servage. I think that the problem is with the FTP and I have changed my password, although I am pretty sure that no one could break my password using brute force.


 

It would be interesting to know if you are all on the same server? Is it not a possibility the server as a whole has been compromised, giving access to everyone's accounts on there...

16 posts

Geek


  Reply # 468629 13-May-2011 09:56

itxtme: It would be interesting to know if you are all on the same server? Is it not a possibility the server as a whole has been compromised, giving access to everyone's accounts on there...

I think Servage has a fairly unusual system of clustered servers so it might be impossible to know (or irrelevant to know) the actual server that the sites were located on. 

They have been keeping me up to date but haven't actually come up with a convincing reason yet. 
