Jump to content

Events Of 5/27/2012


StevenTing

Recommended Posts

  • Replies 236
  • Created
  • Last Reply

Top Posters In This Topic

Baltimore, too.

 

At first sight some index.php files have been added in various folders. Found and replaced all those on my site. Haven't noticed anything else being affected yet.

Link to comment
Share on other sites

Ya, index.php in every folder. I've got about 20 domains running so it's a tedious task to just replace those files. I'm going through and restoring from backup from last night. Looks like my server was hacked about 2 hours ago based on teh time stamp.

Link to comment
Share on other sites

Mine is hacked too! I'm very distressed with this as my business depends on my website! www.claudiapatatas.com is showing a hack message. I can't even log in to the cpanel, due to obvious reasons, to send a ticket. Please email me at claudiapatatas@gmail.com

 

I'm not happy with this. I appreciate that these things happen...but...

Link to comment
Share on other sites

Dear TCH Family,

At around 9:30AM EST today, we identified a website defacement attack effecting a large number of our customers. We are still investigating, but it appears the attack was targeted at index.php files. We are currently looking at this to determine the extent of the defacement.

 

I will update you shortly.

 

Thank you for your patience and understanding during this very serious matter.

Link to comment
Share on other sites

Dear TCH Family,

At around 9:30AM EST today, we identified a website defacement attack effecting a large number of our customers. We are still investigating, but it appears the attack was targeted at index.php files. We are currently looking at this to determine the extent of the defacement.

 

I will update you shortly.

 

Thank you for your patience and understanding during this very serious matter.

 

 

Thank you so much.

Link to comment
Share on other sites

2005 here too, Garth. Never seen anything even close to this happen here. I'm confident that Tech Support is doing their best to close any vulnerabilities and restore backups. We all need to be patient.

 

Bill, thanks for the update.

Edited by Bob Crabb
Link to comment
Share on other sites

Same here; my index.php files were replaced at 6:14am. I should probably back up my files more often . . !

 

Your files are automatically backed up every 12 hours. Betcha didn't know that. If you want to do a manual restore, go here.

http://buserver4.tchmachines.com:8085/s/

 

Host Description is the name of your server. Then restore back to some time last night and you should be good. If not, go through your directory structure as sometimes they'll add an index.html as well.

Link to comment
Share on other sites

Mine is hacked too! I'm very distressed with this as my business depends on my website! www.claudiapatatas.com is showing a hack message. I can't even log in to the cpanel, due to obvious reasons, to send a ticket. Please email me at claudiapatatas@gmail.com

 

I'm not happy with this. I appreciate that these things happen...but...

 

See my message above. You can restore to last night and that should fix most of the problems.

Link to comment
Share on other sites

Dear TCH Family,

 

At around 9:30AM EST today, we identified a website defacement attack effecting a large number of our customers. We are still investigating, but it appears the attack was targeted at index.php files. We are currently looking at this to determine the extent of the defacement.

 

I will update you shortly.

 

Thank you for your patience and understanding during this very serious matter.

Link to comment
Share on other sites

Your files are automatically backed up every 12 hours. Betcha didn't know that. If you want to do a manual restore, go here.

http://buserver4.tch...nes.com:8085/s/

 

Host Description is the name of your server. Then restore back to some time last night and you should be good. If not, go through your directory structure as sometimes they'll add an index.html as well.

I did NOT know that; thank you! My site is back up but I'm filing all of this away for future reference. Now to figure out which server I'm on . . .

 

Thanks!

Link to comment
Share on other sites

I did NOT know that; thank you! My site is back up but I'm filing all of this away for future reference. Now to figure out which server I'm on . . .

 

Thanks!

Ah, I'm on unni. Thanks for the quick response, TCH!

Link to comment
Share on other sites

Ok guys, we are going to be using a canned reply to all our tech support tickets. Here it is: (just a fyi)

 

Hello,

 

Thank you for contacting us concerning your web site. Please head over to our forums for an up to the minute status on this issue.

 

We have our entire staff working on this issue and rest assured that we are working non-stop to correct this issue.

 

You can view the update here:

 

http://www.totalchoicehosting.com/forums/index.php?showtopic=42941&pid=250121&st=0entry250121

 

Thank you for your support and understanding.

 

The TotalChoice Hosting Gurus....

Link to comment
Share on other sites

Vortex too. Site is ncs-tech.org. Unless my site is actually hacked and not part of this flurry.

 

Restored my first CP backup, it failed to fix the problems. Trying another.

 

Help ticket submitted as well.

Link to comment
Share on other sites

The techs are working as fast as they can. Please give them time.

 

On a couple of my personal sites I removed the index.html file from the root folder and replaced my index.php file with a current one and it fixed them.

Link to comment
Share on other sites

My site went down, too, at about the same time. It's on the Atlanta server. I looked at the main index file and it looked normal. I got a screen shot of the hacker's boast and sent it with my request for assistance ticket...

Link to comment
Share on other sites

We have a restore script running across all effected servers. This is simply restoring index.php files from cPanel backups.

 

This will take a bit of time, and we will of course update this thread as we move along.

Link to comment
Share on other sites

We have a restore script running across all effected servers. This is simply restoring index.php files from cPanel backups.

 

This will take a bit of time, and we will of course update this thread as we move along.

Link to comment
Share on other sites

Just an update, I am on bespin server, my index.php was hacked at arround 6AM EST-time, if my FTP software is reporting the time correctly.

I have just did a restore my side a few moment ago, and now all is well.

 

What is intretsing is that I notice the error_log file, reported a lot of errors on "duplicated_ip". and that dated back the 25, possibly older. Hope this helps

 

I would like to say a special thanks to TCH for the quick update, and being transparent with us! :(

Link to comment
Share on other sites

new issue- we're not getting any emails to/from the server- is this related?

 

I'm assuming it's related; I'm having the same issue. Hopefully it will be fixed once all the restores/adjustments are made by TCH.

Link to comment
Share on other sites

No resolution for me, had to fix this myself manually....

 

Can you tell us how you were hacked and what you will do to prevent this in future?

 

Are my CC details and other identity details safe with you if this idiot can get at all your servers like this.

Link to comment
Share on other sites

Is anyone still seeing their sites defaced?

 

I am not however my site is still not restored. I am waiting patiently i'm on the Utapau Server. I just assume it takes time as you work through the servers.

Link to comment
Share on other sites

Thanks, Bill & Team.

 

All my reseller accounts are now no longer defaced and working as expected.

 

A great response to what appears to be an almighty (in terms of number of sites) defacing. The response I received from the support team was swift too under such circumstances.

 

Thanks to all involved.

Link to comment
Share on other sites

Same problem here on the Phoenix server.

 

Fortunately, just a few accounts seem to be affected on my reseller account.

 

I restored them with my own back-ups and seems to be okay now, and I don't see any databases were affected but should I trust them still?

 

Can you tell us how you were hacked and what you will do to prevent this in future?

Yes, I would like to know this, too. Restoring is one thing, but how did this happen to so many different servers?

Link to comment
Share on other sites

All is well here. Thanks again. Y'all probably still have a lot of work to do in analyzing what happened, and monitoring, but I hope that the TCH staff can get away form the computers for a while and enjoy the Memorial Day weekend.

 

Thanks, and happy Memorial Day!!

Link to comment
Share on other sites

All of my sites on montreal still seem to be defaced.

 

Can i get an update on Utapau Server........ I just assume they will use the backup from last night and life will be back to normal soon? Is this the correct thinking?

 

Please check now and let us know if you still have issues.

Link to comment
Share on other sites

Major kudos to you guys for getting things back up and running again so quickly! This is just another example of the great service I've come to expect from TCH over the years I've been a customer.

 

It's probably a bit early to ask this but do you have any idea how this guy gained entry to so many systems? It would be nice to think that whatever back door he used was closed tight so that this kind of thing becomes a great deal less likely in the future.

Link to comment
Share on other sites