Jump to content
StevenTing

Events Of 5/27/2012

Recommended Posts

Okay, at first glance, things look fixed. The first page looks good but when you click any link, everything else is broken after that. I can't get into cpanel so not much I can do right now.

Share this post


Link to post
Share on other sites

Bill/TCH, can anyone verify why access is denied currently? Is this something initiated by TCH or a symptom of the hack. Can't even log into the R1 Backup service.

Share this post


Link to post
Share on other sites

I received a response rom my ticket- saying all was fixed, but not yet...

Share this post


Link to post
Share on other sites

Okay, at first glance, things look fixed. The first page looks good but when you click any link, everything else is broken after that. I can't get into cpanel so not much I can do right now.

 

Having the same problem as StevenTing. I trust TCH will have this fixed in no time.

Share this post


Link to post
Share on other sites

Have to say thanks to tch. I run my friend's business site and she called in an absolute panic about the hacking thing about an hour ago while I was tied up with another problem not website related. By the time I got to check things, tch fixed the issue. I am not finding any broken links and the site appears to be running well. I am not going to log into the CPanel at this time until I hear an all-clear note here. Thank you for being on top of the problem and hope it is resolved soon and blocked from ever happening again.

Share this post


Link to post
Share on other sites

Guys -

 

Thank you for your patience. We are working this as fast as possible. I have a complete update coming soon.

Share this post


Link to post
Share on other sites

Sidious may have been hacked and fixed... I came home and found my index.htm file had been reverted to the version from just before last weekend's hack and my cPanel password was not working. Had to reset my cPanel password to get back into cPanel and FTP.

Share this post


Link to post
Share on other sites

I have asked the techs to not reply to tickets until we give the all clear.

 

Stand by please. We are going to be ok.

Share this post


Link to post
Share on other sites

Hello,

 

We have identified a security flaw in the cPanel services that allowed a remote party to inject code into your web sites. This is being actively worked on and I will update everyone shortly.

 

Services are being restored across all servers shortly.

Share this post


Link to post
Share on other sites

Multiple threads and topics have been all merged into this thread.

 

Updates to follow.

Share this post


Link to post
Share on other sites

Services are being restored now. FTP will be coming on line shortly.

Share this post


Link to post
Share on other sites

Since everyone's cPanel password has been changed couldn't you automatically email everyone a new password instead of handling them through support tickets?

Share this post


Link to post
Share on other sites

Hi,

 

cPanel passwords should be working without issue. If your have issues with your cPanel password just open a ticket and let us know.

 

We are not seeing cPanel password issues currently.

 

We did lock out all users from cPanel and FTP for a bit, but that has now all be restored.

Share this post


Link to post
Share on other sites

I can log into my cPanel on various sites, but I can't access phpMyAdmin or WHM.

 

Steve

Edited by Pony99CA

Share this post


Link to post
Share on other sites

Hi,

 

cPanel passwords should be working without issue. If your have issues with your cPanel password just open a ticket and let us know.

 

We are not seeing cPanel password issues currently.

 

We did lock out all users from cPanel and FTP for a bit, but that has now all be restored.

 

Just submitted a support ticket. Thanks

Share this post


Link to post
Share on other sites

WHM is still locked down. We are still working thru this cPanel issue.

 

Everything is going well and will update soon.

Share this post


Link to post
Share on other sites

This being the second successful multi-server hack to take place in a week... I'd greatly appreciate a technical response to what the vulnerability is, and how its being addressed. This has caused me many hours on the phone already, and I can't imagine what the fallout will be if it happens yet again.

Share this post


Link to post
Share on other sites

I wanted to give everyone a update.

 

We are still monitoring and working thru tickets on the help desk.

 

If you are having any issues, we ask that you please submit a ticket.

 

Only a few servers were effected with the site defacement and we are very aware of how this happened.

 

cPanel is also very aware of the issue and they have released an notice on their site.

 

http://www.cpanel.net/2012/05/targeted-security-release-20120531-announcement.html

 

We will be posting more in the coming days but at this point please know that we are here working in our clients best interest.

 

Thank you

Share this post


Link to post
Share on other sites

I have been a client with total choice for a very long time. I think everyone needs to remember that software is only as good as the person that wrote it.

 

Like the owner of total choice has pointed out they have plugged the hole and are still monitoring things.

 

I for one love this place, and it will take a lot more than a simple site defacement to make me look for a new host.

 

My site is always online and the support people here have always been really good to me.

 

Thank you to every one at total choice for making my stay on the internet as smooth as possible.

 

shoes

Share this post


Link to post
Share on other sites

I've been with totalchoice for nearly 10 years, and nothing like this has ever happened. That's why I know it's serious!

Share this post


Link to post
Share on other sites

cPanel is also very aware of the issue and they have released an notice on their site.

 

http://www.cpanel.ne...nouncement.html

 

That notice (posted 5/31/2012 -- yesterday) that you linked to says the following:

 

The resolved security issues were identified during the course of cPanel’s normal Quality Assurance testing. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities.

"Identified during the course of normal QA"? "No reason to believe that these vulnerabilities are known to the public"? Really? Is having client sites get hacked "normal Quality Assurance testing"? :thumbup: Are they just lying?

 

If they really did identify these as part of QA, shouldn't the patch have been available earlier?

 

They also mentioned automatic updates. Does TCH have cPanel and WHM automatically update?

 

Steve

Share this post


Link to post
Share on other sites

Shit happens man. My site is online and has been for like 10 years with TCH. I trust what they tell me and I know its not like they are sitting around letting my account get hacked.

 

oh did i say

 

:thumbup: :) :twisted: :w00t: :xmas: :yawn: :yes: :tchrocks:

Share this post


Link to post
Share on other sites

Thanks for your long term business and support.

My pleasure. It was meant as a compliment.

 

Hackers need to die in a fire.

Share this post


Link to post
Share on other sites

Mine went down yesterday with "cannot commect to mysql database" Is this the same issue?

Share this post


Link to post
Share on other sites
Mine went down yesterday with "cannot commect to mysql database" Is this the same issue?

 

I think that could happen if you have been using your cPanel userID/password to connect to your database, and if you then changed your cPanel password in cPanel. Your database script would still be trying to connect to the database using the old password.

 

Does that sound like it describes your situation?

 

Most software applications store their database connection data in one file, called something like config.php, config.inc.php, or settings.php, in one of the folders used by that application.

 

The solution would be to edit that file in a text editor (such as the one you can launch from cPanel > File Manager), and change the password to the new one. It's usually easy to find the right location to make the change: it's where you find the old password. (Before you make changes to the file, make a copy of the file for yourself as a backup. If something goes wrong, you can put the old one back.)

 

This isn't the only reason you could get that error message, but it's the first one worth checking out, if you've been doing password changes.

Edited by SteveW

Share this post


Link to post
Share on other sites

I've been with TCH for 8-10 years as well and I've always received great support whenever I've needed it. My problem with TCH has always been it's lack of forwardness with situations like this. I had no idea of these happenings until sites went down. I've been in the help desk area with tickets for 3 of my domains (accounts) over the past two weeks and I've been asking "hey, by the way does anyone at TCH have an idea why/how my site was compromised" ... etc ... thinking the issue was my own. I've asked repeatedly about weird happenings ... why all of the folders on my sites have changed last modified dates, why malicious scripts have been detected ... never receiving and answer and then I come out to the forum and have to search to find this thread.

 

I understand you don't want to make things like this too public, but when a long-time customer is asking questions all around these issues, you should let them in on the secret.

Share this post


Link to post
Share on other sites

I understand you don't want to make things like this too public, but when a long-time customer is asking questions all around these issues, you should let them in on the secret.

 

No argument from us on that.

 

If your issues were related to the recent defacement attacks, which I can see that appears to be the case on your Joomla ticket, then our techs should have informed you of such. Failure of that sort will be deserving of some head knocking on our end, that I assure you. However, I do see one recent incendent, that while that site would have been affected by the defacement, the other isssues were due to a site level attack, like ftp or a script. Regardess of the reason on either, if you feel you any of those tickets are not fully resolved or answered, please update them again and requesst review from a mananger.

Share this post


Link to post
Share on other sites

 

 

I think that could happen if you have been using your cPanel userID/password to connect to your database, and if you then changed your cPanel password in cPanel. Your database script would still be trying to connect to the database using the old password.

 

Does that sound like it describes your situation?

 

Most software applications store their database connection data in one file, called something like config.php, config.inc.php, or settings.php, in one of the folders used by that application.

 

The solution would be to edit that file in a text editor (such as the one you can launch from cPanel > File Manager), and change the password to the new one. It's usually easy to find the right location to make the change: it's where you find the old password. (Before you make changes to the file, make a copy of the file for yourself as a backup. If something goes wrong, you can put the old one back.)

 

This isn't the only reason you could get that error message, but it's the first one worth checking out, if you've been doing password changes.

 

 

Great tip SteveW! We actually see this a lot and sometimes I wish cPanel would force not allowing use of the main cPanel user as a MySQL user. I always recommend that you create at least one separate MySQL user for your databases. If you choose to use the main cPanel user for MySQL, just remember to update your scripts if your password changes.

 

For reference, the following are services that are affected when your cPanel password changes:

system(cPanel user password)

ftp(only affects access via main cPanel user)

mail(the default mail account cPanelUser@)

MySQL(only affects access via main cPanel user)

 

 

Share this post


Link to post
Share on other sites

create at least one separate MySQL user for your databases.

 

As you said, it's best not to use your cPanel userID/password for database connections, for two reasons:

 

1) Your cPanel password is a very powerful one that allows a high level of access to your website. It should never be stored in a text file inside your website. But database connection passwords MUST be stored in a text file inside your website. Therefore, the one in the text file should not be your cPanel password.

 

2) When you use a separate MySQL userID/password for your database connections, you can change your cPanel password anytime you want, without breaking your database connections.

 

For anyone who wants to migrate from using your cPanel password to a dedicated MySQL user and password, here's how:

 

Go to cPanel > MySQL Databases.

 

At "Add New User", create a new username. Give it a strong password.

 

Notice that this new username actually has, before the name you just typed, a prefix consisting of several characters and an underscore. In your database configuration scripts, you should use the entire string as the database username.

 

Near the bottom of the page, at "Add User To Database", select the user you just created. Also select the database you want that user to be associated with. Click "Add".

 

On the resulting page, you'll see a list of privileges. Your cPanel user had ALL privileges, which was probably more than it really needed. Your new user can probably do everything it needs to do with fewer privileges, but, unfortunately, describing all the privileges here would take way too long. So just give the new user all privileges, and click "Make Changes". If you can determine later which privileges aren't needed, you can revoke them later on this same screen.

 

Now go and edit your database configuration file (config.php, or whatever, as described in my earlier post). In it, find the location where your cPanel username is mentioned, and change it to the user you just created (using its full name, underscore and all). Also find the location where your old password is mentioned, and change it to the new MySQL user's password. Save the file.

 

Test the application that uses this database. It should be working just the same as before, except it's now using the new user for the db connection.

 

You can do a final test by changing your cPanel password. Your application should continue to work as before, because it's no longer dependent on your cPanel password.

Share this post


Link to post
Share on other sites

I believe the hack being discussed here involves the addition of code that looks like this:

// #(a hex code)#

Some actual injected malicious code (I think it's part of a DOS attack)

// #(that hex code again)#

 

This gets inserted into HTML pages just after the body tag. It gets inserted to the end of php files, or perhaps just before the first code closure (?>).

 

This happened to my files today (6/14, around 1pm Pacific time), but I have repaired it. I mention it because the theory seems to be that the hole has been plugged. Perhaps they found another one, or perhaps the hack on my account is different from the one being discussed.

 

I detect these changes using a cron job that does an ls of my entire account to a file and compares it to the one generated the previous day. It's a nice simple review of any changes made to my files. If anyone wants it, contact me. Makes it easy to find and repair the damage (using my local copy of my account).

Edited by dscotese

Share this post


Link to post
Share on other sites

Time for a ticket with the help desk and see if they can do something I would say.

Link in my signature. :)

Share this post


Link to post
Share on other sites

If your account has been hacked it is not due to a system wide issue, it is a account level issue on your files. Update your scripts, check your code and if you need help notify our help desk.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×
×
  • Create New...