annie

I'll open a ticket if the problem persists, and I can rule out route problems.

There is a way to figure out if the problem is DNS or routing: Make a note of the IP address of your server. Let's say your mailserver address fails because the address is bad (ie DNS problems), immediately switch out the address for the IP number and then try again. If it works then, and you switch back to the address and it doesn't work, then either it's second to second intermittent, or you just proved that it's a dns problem, not a routing problem. Oh, and same thing with traceroute. Start two traceroutes from the same location at the same time. One with the address, one with the IP number. If the one with the IP number works, guess what, it's not the routing that's the problem.

At home my mailserver address doesn't respond right now. I also tried it here and it failed: http://network-tools.com/ (Timed out) Before I got to http://www.zoneedit.com/ , even the first one worked. And it also worked at home. So this is intermittent.

Looks like intermittent DNS problems. NS1.totalchoicehosting.com NS2.totalchoicehosting.com On two occasions today, DNS has failed. Last one a few minutes ago. Anything going on?

Thanks for letting us know. I have since seen websites compromised that seemed to have been due to this exploit. In that case, it was a webhost in the UK. I haven't heard back, so don't know for sure. But all the compromised sites were on the same IP number, so the chance was excellent it was the cpanel hack.

Webspammers have started hacking websites in order to serve up spam and do other things related to spamming. Download the php files with ftp or cpanel, in order to check what's in them. Browsing to them via a browser won't let you view the code. Some of those files are obfuscated, but it's possible to deobfuscate them. Quite often they point to another site via includes.

There's a problem with all versions of cpanel, and a fix out. I hope you guys have applied it? Hostgator was compromised because of it. Not pretty!

Since I wrote the posts here, I've found more compromised sites. And I believe some of those were due to php scripts with flaws in them. I've seen how badly they've been trying to break into my site, so I believe that's an issue these days. In my case, I've got a few blog posts with phpbb in the title, and hackers have found those in a search engine and tried highlight hacks and other hacks to get in. There's no phpBB installation on my site, so they're not getting in. I also found a hack tool on one site that allowed anyone who had found it to upload files. Truly scary.

When you get it to work, be sure to disallow search engine robots from accessing the directory where the uploaded files are, or you'll be inundated with spammy pages quickly! There is a script made for file uploads that you could use. Just search for it. Also, the more scripts you have, the more holes you put in your site, and the more risk there is of a hacker gaining control over your site.

Disable catch all e-mail. You can do that in cpanel. When you do that, the bounces will be rejected by the mailserver on your TCH server.

I heard one customer of a webhost who's had particularly many victims of this had gotten an e-mail from his hosting company saying they were under attack. That a hacker was sniffing their FTP passwords. FTP passwords are not encrypted, so they can be sniffed. Might be time to move to secure FTP? Can you guys speculate what the bad guys did in order to manage to sniff the FTP passwords? I assume they would have had to compromise a box on the webhost's net? Especially since they hacked sites on different IP numbers. It wasn't just the one box. So, if we're thinking a switched network, they'd have to sniff somewhere near the perimeter?

I've been tracking webspammers for a while, and I've discovered some spammers hacking other people's websites in order to serve up their spammy websites. They often stash a file named read.php in some directory off the root. But I've also seen other php files used. Usually the files are not supposed to be there rather than altered files. The spammers will then spam guestbooks etc with the URL's to those spammy files. I'm not saying that's happened here or even will happen here. But with this development (and most of this seems to have started in August this year), we as site owners need to be a lot more vigilant. And webhosts also should be more vigilant.

I wonder if there's another forum software that allows for premoderation? Premoderation is the only reason to stick with Invision...

I was wondering, since you guys are so good at what you're doing, if you know how to track referrer spam on a virtual webhost server? From the perspective of support/technical personell, I mean? Scenario: I complained to another webhost that I was referrer spammed from their box. They initially tried to find the script responsible, but gave up and null-routed the IP to my server instead. That got me plenty hot under the collar, since I'm a spam fighter, and they're essentially giving the spammer carte blanche to continue spamming - forever! So since those guys apparently don't know what they're doing, I thought I'd open up the field and ask you guys, since you appear to be very capable, and run a very tight ship. You know, they asked me indignantly: "Do you keep logs of every outbound connection from your server?" EDIT: How would you monitor outbound connections, that came from any port, but connected to port 80 on a remote system?

Toddcurry: You're a victim of poor planning. Catchall e-mail stopped being viable a few years ago. I know it was convenient. I used it too, years ago. And I still see people signing my blog with typical catchall e-mail addresses. And I shake my head every time...