StevenTing Posted May 27, 2012 Share Posted May 27, 2012 I know I'm not the only one as it appears to be at the server level. Support Ticket already submitted. My server is Columbus. Link to comment Share on other sites More sharing options...
boj6987 Posted May 27, 2012 Share Posted May 27, 2012 Same here, mine's the Amidala server though. Link to comment Share on other sites More sharing options...
nulll Posted May 27, 2012 Share Posted May 27, 2012 Baltimore, too. At first sight some index.php files have been added in various folders. Found and replaced all those on my site. Haven't noticed anything else being affected yet. Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 Ya, index.php in every folder. I've got about 20 domains running so it's a tedious task to just replace those files. I'm going through and restoring from backup from last night. Looks like my server was hacked about 2 hours ago based on teh time stamp. Link to comment Share on other sites More sharing options...
israfelli Posted May 27, 2012 Share Posted May 27, 2012 Orion Too! My site was hacked at 6:14AM. Some hacker from Bangaldesh. I'm very surprised TCH has made no announcement. Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 I have sites on Columbus and Ft Worth, both servers affected. Ticket submitted. Link to comment Share on other sites More sharing options...
TCH-Thomas Posted May 27, 2012 Share Posted May 27, 2012 Hello everyone, I just contacted the Help desk about this and it looks like there are several of that have this problem and that they are working on this. Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 I wonder if this counts against the uptime statistics. Technically the server is up. IF they get it fixed, I'll be satisfied. Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 That's right, Steven, the servers are up, . No worries, the gurus were on it before I submitted a ticket. TCH will get it fixed -- they always do. Link to comment Share on other sites More sharing options...
AnjaM Posted May 27, 2012 Share Posted May 27, 2012 Same here; my index.php files were replaced at 6:14am. I should probably back up my files more often . . ! Link to comment Share on other sites More sharing options...
atmospheresinking Posted May 27, 2012 Share Posted May 27, 2012 Yavin too. Google Tiger M@te. This guy needs to be brought down. Link to comment Share on other sites More sharing options...
GarthVaderUK Posted May 27, 2012 Share Posted May 27, 2012 (edited) Nubia server affected too, submitted a support ticked earlier. Been with TCH since 2005 and don't remember seeing anything like this before, godspeed to the tech guys! Edited May 27, 2012 by GarthVaderUK Link to comment Share on other sites More sharing options...
Tarpeysmom Posted May 27, 2012 Share Posted May 27, 2012 Chewbacca too! Link to comment Share on other sites More sharing options...
chip Posted May 27, 2012 Share Posted May 27, 2012 Data also! Link to comment Share on other sites More sharing options...
Diane Posted May 27, 2012 Share Posted May 27, 2012 Mine is hacked too! does anyone have clue how long it will take to fix this? this is my business site, and I have clients scheduled to log on later today. making me really nervous!!! Link to comment Share on other sites More sharing options...
claudiapatatas Posted May 27, 2012 Share Posted May 27, 2012 Mine is hacked too! I'm very distressed with this as my business depends on my website! www.claudiapatatas.com is showing a hack message. I can't even log in to the cpanel, due to obvious reasons, to send a ticket. Please email me at claudiapatatas@gmail.com I'm not happy with this. I appreciate that these things happen...but... Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Dear TCH Family, At around 9:30AM EST today, we identified a website defacement attack effecting a large number of our customers. We are still investigating, but it appears the attack was targeted at index.php files. We are currently looking at this to determine the extent of the defacement. I will update you shortly. Thank you for your patience and understanding during this very serious matter. Link to comment Share on other sites More sharing options...
claudiapatatas Posted May 27, 2012 Share Posted May 27, 2012 Nubia server affected too, submitted a support ticked earlier. Been with TCH since 2005 and don't remember seeing anything like this before, godspeed to the tech guys! Me too. This is just mad. Link to comment Share on other sites More sharing options...
claudiapatatas Posted May 27, 2012 Share Posted May 27, 2012 Dear TCH Family, At around 9:30AM EST today, we identified a website defacement attack effecting a large number of our customers. We are still investigating, but it appears the attack was targeted at index.php files. We are currently looking at this to determine the extent of the defacement. I will update you shortly. Thank you for your patience and understanding during this very serious matter. Thank you so much. Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 (edited) 2005 here too, Garth. Never seen anything even close to this happen here. I'm confident that Tech Support is doing their best to close any vulnerabilities and restore backups. We all need to be patient. Bill, thanks for the update. Edited May 27, 2012 by Bob Crabb Link to comment Share on other sites More sharing options...
Diane Posted May 27, 2012 Share Posted May 27, 2012 been with TCH since 2003! always been great- this is just scary because our businesses have become so internet based Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 Same here; my index.php files were replaced at 6:14am. I should probably back up my files more often . . ! Your files are automatically backed up every 12 hours. Betcha didn't know that. If you want to do a manual restore, go here. http://buserver4.tchmachines.com:8085/s/ Host Description is the name of your server. Then restore back to some time last night and you should be good. If not, go through your directory structure as sometimes they'll add an index.html as well. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 I know guys. Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 Mine is hacked too! I'm very distressed with this as my business depends on my website! www.claudiapatatas.com is showing a hack message. I can't even log in to the cpanel, due to obvious reasons, to send a ticket. Please email me at claudiapatatas@gmail.com I'm not happy with this. I appreciate that these things happen...but... See my message above. You can restore to last night and that should fix most of the problems. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Dear TCH Family, At around 9:30AM EST today, we identified a website defacement attack effecting a large number of our customers. We are still investigating, but it appears the attack was targeted at index.php files. We are currently looking at this to determine the extent of the defacement. I will update you shortly. Thank you for your patience and understanding during this very serious matter. Link to comment Share on other sites More sharing options...
Diane Posted May 27, 2012 Share Posted May 27, 2012 I guess I should figure out my server name...I don;t think I have that written down anywhere Link to comment Share on other sites More sharing options...
chip Posted May 27, 2012 Share Posted May 27, 2012 Thanks Bill! Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 Looks like my sites are fixed. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 We are working as fast as possible to get sites restored from backups. I don't know what is going on just yet, but trust me when we know we will disclose everything to the family. Link to comment Share on other sites More sharing options...
Diane Posted May 27, 2012 Share Posted May 27, 2012 we're back!!! thanks TCH! now, for the future, how can I find out the name of my server? Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 (edited) My sites on columbus are fixed. Bill, thanks to you and your excellent staff for the quick response. Edited May 27, 2012 by Bob Crabb Link to comment Share on other sites More sharing options...
claudiapatatas Posted May 27, 2012 Share Posted May 27, 2012 See my message above. You can restore to last night and that should fix most of the problems. Thanks. I'm trying to restore it now. Cheers Claudia Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 we're back!!! thanks TCH! now, for the future, how can I find out the name of my server? Diane, log into your cPanel, and you will see the server name. Link to comment Share on other sites More sharing options...
AnjaM Posted May 27, 2012 Share Posted May 27, 2012 Your files are automatically backed up every 12 hours. Betcha didn't know that. If you want to do a manual restore, go here. http://buserver4.tch...nes.com:8085/s/ Host Description is the name of your server. Then restore back to some time last night and you should be good. If not, go through your directory structure as sometimes they'll add an index.html as well. I did NOT know that; thank you! My site is back up but I'm filing all of this away for future reference. Now to figure out which server I'm on . . . Thanks! Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 we're back!!! thanks TCH! now, for the future, how can I find out the name of my server? Log into Cpanel. On the left side, it says Expand Stats. Click that, and you will see a section called Server Name. Link to comment Share on other sites More sharing options...
AnjaM Posted May 27, 2012 Share Posted May 27, 2012 I did NOT know that; thank you! My site is back up but I'm filing all of this away for future reference. Now to figure out which server I'm on . . . Thanks! Ah, I'm on unni. Thanks for the quick response, TCH! Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 I should also say, you can get to the Restore feature directly from Cpanel. It's called R1Soft Restore Backups under the Files section. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Ok guys, we are going to be using a canned reply to all our tech support tickets. Here it is: (just a fyi) Hello, Thank you for contacting us concerning your web site. Please head over to our forums for an up to the minute status on this issue. We have our entire staff working on this issue and rest assured that we are working non-stop to correct this issue. You can view the update here: http://www.totalchoicehosting.com/forums/index.php?showtopic=42941&pid=250121&st=0entry250121 Thank you for your support and understanding. The TotalChoice Hosting Gurus.... Link to comment Share on other sites More sharing options...
clydejsn Posted May 27, 2012 Share Posted May 27, 2012 Thanks TCH for working so quickly on this. I hope organa is next on the list.... Link to comment Share on other sites More sharing options...
digitex Posted May 27, 2012 Share Posted May 27, 2012 Glad you are on this. Looking forward to quick resolution! Link to comment Share on other sites More sharing options...
kjarrett Posted May 27, 2012 Share Posted May 27, 2012 Vortex too. Site is ncs-tech.org. Unless my site is actually hacked and not part of this flurry. Restored my first CP backup, it failed to fix the problems. Trying another. Help ticket submitted as well. Link to comment Share on other sites More sharing options...
TCH-Bruce Posted May 27, 2012 Share Posted May 27, 2012 The techs are working as fast as they can. Please give them time. On a couple of my personal sites I removed the index.html file from the root folder and replaced my index.php file with a current one and it fixed them. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 For those clients using the R1 restores, please make sure you choose a restore point prior to 9:30AM today. Link to comment Share on other sites More sharing options...
digitex Posted May 27, 2012 Share Posted May 27, 2012 My site went down, too, at about the same time. It's on the Atlanta server. I looked at the main index file and it looked normal. I got a screen shot of the hacker's boast and sent it with my request for assistance ticket... Link to comment Share on other sites More sharing options...
Mang Photo Posted May 27, 2012 Share Posted May 27, 2012 I've been with TCH since the early 2000's and I have no doubts everything will be back in order as quickly as possible. Link to comment Share on other sites More sharing options...
AnjaM Posted May 27, 2012 Share Posted May 27, 2012 I should also say, you can get to the Restore feature directly from Cpanel. It's called R1Soft Restore Backups under the Files section. Thank you; very helpful to this newbie! Link to comment Share on other sites More sharing options...
Mang Photo Posted May 27, 2012 Share Posted May 27, 2012 I've been with TCH since the early 2000's and I have no doubts everything will be back in order as quickly as possible. And just like that, my website appears to be back up! Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 We have a restore script running across all effected servers. This is simply restoring index.php files from cPanel backups. This will take a bit of time, and we will of course update this thread as we move along. Link to comment Share on other sites More sharing options...
kjarrett Posted May 27, 2012 Share Posted May 27, 2012 We're back. Not sure if it was my efforts or TCH's. Appreciate the help. Link to comment Share on other sites More sharing options...
Diane Posted May 27, 2012 Share Posted May 27, 2012 I have learned SO much today! thanks everyone! I'm saving all of this info Link to comment Share on other sites More sharing options...
The Shopper Posted May 27, 2012 Share Posted May 27, 2012 Three of my sites hacked Will wait for your update before anything. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 We have a restore script running across all effected servers. This is simply restoring index.php files from cPanel backups. This will take a bit of time, and we will of course update this thread as we move along. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Please follow our up to the minute details on this post: http://www.totalchoicehosting.com/forums/index.php?showtopic=42941&pid=250143&st=0& Link to comment Share on other sites More sharing options...
atmospheresinking Posted May 27, 2012 Share Posted May 27, 2012 The timestamp on my files said everything was altered at 6:14 a.m. this morning. Link to comment Share on other sites More sharing options...
atmospheresinking Posted May 27, 2012 Share Posted May 27, 2012 You need to check index.html as well - mine was replaced. Link to comment Share on other sites More sharing options...
digitex Posted May 27, 2012 Share Posted May 27, 2012 We're back up! Thank you tech team! Link to comment Share on other sites More sharing options...
Diane Posted May 27, 2012 Share Posted May 27, 2012 new issue- we're not getting any emails to/from the server- is this related? Link to comment Share on other sites More sharing options...
GoodBYtes Posted May 27, 2012 Share Posted May 27, 2012 Just an update, I am on bespin server, my index.php was hacked at arround 6AM EST-time, if my FTP software is reporting the time correctly. I have just did a restore my side a few moment ago, and now all is well. What is intretsing is that I notice the error_log file, reported a lot of errors on "duplicated_ip". and that dated back the 25, possibly older. Hope this helps I would like to say a special thanks to TCH for the quick update, and being transparent with us! Link to comment Share on other sites More sharing options...
claudiapatatas Posted May 27, 2012 Share Posted May 27, 2012 My server skywalker seems to be OK. I have a back up of everything so I will just update some html files. Many thanks, guys! That is why I am renewing my subscription again! Link to comment Share on other sites More sharing options...
AnjaM Posted May 27, 2012 Share Posted May 27, 2012 new issue- we're not getting any emails to/from the server- is this related? I'm assuming it's related; I'm having the same issue. Hopefully it will be fixed once all the restores/adjustments are made by TCH. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 We are aware of sporadic email issues across a few servers. We are working them as fast as possible. Link to comment Share on other sites More sharing options...
Mang Photo Posted May 27, 2012 Share Posted May 27, 2012 (edited) I'm also impressed that despite the chaos, Tech Support still managed to respond to my ticket and direct me to this thread within 45 minutes! Edited May 27, 2012 by Mang Photo Link to comment Share on other sites More sharing options...
mrkablooey Posted May 27, 2012 Share Posted May 27, 2012 I'm also impressed that despite the chaos, Tech Support still managed to respond to my ticket and direct me to this thread within 45 minutes! definitely impressive :-) way to go TCH! Link to comment Share on other sites More sharing options...
ostrich99 Posted May 27, 2012 Share Posted May 27, 2012 new issue- we're not getting any emails to/from the server- is this related? We are having the same issue on kashyk No emails being received and when I try and send from an account it gives us an SMTP error. Link to comment Share on other sites More sharing options...
vaneram Posted May 27, 2012 Share Posted May 27, 2012 Your files are automatically backed up every 12 hours. Betcha didn't know that. If you want to do a manual restore, go here. http://buserver4.tch...nes.com:8085/s/ How do we sign in? My totalchoicehosting username and password do not work. Link to comment Share on other sites More sharing options...
GarthVaderUK Posted May 27, 2012 Share Posted May 27, 2012 My website is back, hurray! Thanks for the quick work TCH! Link to comment Share on other sites More sharing options...
StevenTing Posted May 27, 2012 Author Share Posted May 27, 2012 How do we sign in? My totalchoicehosting username and password do not work. Make sure you select the Cpanel login from the drop down and enter your server name as well. It should work. Link to comment Share on other sites More sharing options...
claudiapatatas Posted May 27, 2012 Share Posted May 27, 2012 (edited) Mail is working fine too. Thanks Edited May 27, 2012 by claudiapatatas Link to comment Share on other sites More sharing options...
The Shopper Posted May 27, 2012 Share Posted May 27, 2012 My sites are back, great work TCH on a large scale attack. Will still watch for updates from you guys though. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Thanks for the kudos, but lots of work left still to do. Link to comment Share on other sites More sharing options...
vaneram Posted May 27, 2012 Share Posted May 27, 2012 Yes, my site is working now. I am also grateful for quick responses to my inquiries. Thank you, TCH. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Email issue has been identified and fix is being applied. Update soon... Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 sites on Ft Worth are working now. Thanks again to TCH for the quick resolution of such a large scale problem on a holiday weekend. Link to comment Share on other sites More sharing options...
TammyK Posted May 27, 2012 Share Posted May 27, 2012 Thank you TCH... I have been a customer with you since 2004 and I am very pleased with how quickly you guys are working to fix the problems. My site is back up! THANK YOU!! Link to comment Share on other sites More sharing options...
btrfld Posted May 27, 2012 Share Posted May 27, 2012 These people obviously don't have a clue who they are dealing with. Thanks, Bill and all the gurus, for your watchful care and dedication to keep us all safe. Link to comment Share on other sites More sharing options...
Nicky Rhodes Posted May 27, 2012 Share Posted May 27, 2012 No resolution for me, had to fix this myself manually.... Can you tell us how you were hacked and what you will do to prevent this in future? Are my CC details and other identity details safe with you if this idiot can get at all your servers like this. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 We did not have any internal servers defaced, all client details are secure and safe. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Email issues should be now corrected. However, we are still motorizing email server status and will correct any issues that may arise. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Is anyone still seeing their sites defaced? Link to comment Share on other sites More sharing options...
dsbnet Posted May 27, 2012 Share Posted May 27, 2012 Do we need to reset our CPanel passwords? Or were they not compromised? Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Do we need to reset our CPanel passwords? Or were they not compromised? It never hurts to rotate passwords, however passwords were not compromised. Link to comment Share on other sites More sharing options...
Squash Posted May 27, 2012 Share Posted May 27, 2012 Is anyone still seeing their sites defaced? I am not however my site is still not restored. I am waiting patiently i'm on the Utapau Server. I just assume it takes time as you work through the servers. Link to comment Share on other sites More sharing options...
OJB Posted May 27, 2012 Share Posted May 27, 2012 Thanks, Bill & Team. All my reseller accounts are now no longer defaced and working as expected. A great response to what appears to be an almighty (in terms of number of sites) defacing. The response I received from the support team was swift too under such circumstances. Thanks to all involved. Link to comment Share on other sites More sharing options...
Ray_Bman Posted May 27, 2012 Share Posted May 27, 2012 Same problem here on the Phoenix server. Fortunately, just a few accounts seem to be affected on my reseller account. I restored them with my own back-ups and seems to be okay now, and I don't see any databases were affected but should I trust them still? Can you tell us how you were hacked and what you will do to prevent this in future? Yes, I would like to know this, too. Restoring is one thing, but how did this happen to so many different servers? Link to comment Share on other sites More sharing options...
Bob Crabb Posted May 27, 2012 Share Posted May 27, 2012 All is well here. Thanks again. Y'all probably still have a lot of work to do in analyzing what happened, and monitoring, but I hope that the TCH staff can get away form the computers for a while and enjoy the Memorial Day weekend. Thanks, and happy Memorial Day!! Link to comment Share on other sites More sharing options...
pkrohnert Posted May 27, 2012 Share Posted May 27, 2012 All of my sites on montreal still seem to be defaced. Link to comment Share on other sites More sharing options...
TCH-Dick Posted May 27, 2012 Share Posted May 27, 2012 All of my sites on montreal still seem to be defaced. OK, Checking that now. Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 Working on Montreal now. Link to comment Share on other sites More sharing options...
Squash Posted May 27, 2012 Share Posted May 27, 2012 Can i get an update on Utapau Server........ I just assume they will use the backup from last night and life will be back to normal soon? Is this the correct thinking? Link to comment Share on other sites More sharing options...
Head Guru Posted May 27, 2012 Share Posted May 27, 2012 @ squash - your sites should be restored. Hit me on Instant Messenger if not. Link to comment Share on other sites More sharing options...
TCH-Dick Posted May 27, 2012 Share Posted May 27, 2012 All of my sites on montreal still seem to be defaced. Can i get an update on Utapau Server........ I just assume they will use the backup from last night and life will be back to normal soon? Is this the correct thinking? Please check now and let us know if you still have issues. Link to comment Share on other sites More sharing options...
TCH-Dick Posted May 27, 2012 Share Posted May 27, 2012 Same problem here on the Phoenix server. Please check now and let us know if you still have issues. Link to comment Share on other sites More sharing options...
dawilson Posted May 27, 2012 Share Posted May 27, 2012 Major kudos to you guys for getting things back up and running again so quickly! This is just another example of the great service I've come to expect from TCH over the years I've been a customer. It's probably a bit early to ask this but do you have any idea how this guy gained entry to so many systems? It would be nice to think that whatever back door he used was closed tight so that this kind of thing becomes a great deal less likely in the future. Link to comment Share on other sites More sharing options...
Squash Posted May 27, 2012 Share Posted May 27, 2012 It's not restored...the page up is old, not the one it should be at all Link to comment Share on other sites More sharing options...
Recommended Posts