
Serious Security Issues at K-Disk.net - Sites getting hacked every day

Posted by sonymervin, 12-09-2011, 03:02 AM
For almost 2 weeks, hosted sites have been getting hacked every day. They said the hacker got root access when I first asked, and showed me the post on their network issues page (https://k-disk.net/portal/networkissues.php). But it's been 2 weeks and they haven't been able to solve the problem. Sites are getting hacked again and clients are complaining every day. I'm really satisfied with their server performance and there has been no downtime yet. But my clients are really angry about this hacking problem. What would you guys suggest? Should I wait more or just move on?

Posted by sameev29, 12-09-2011, 04:48 AM
I am sure they are working on it as we speak.

Posted by MineHosting, 12-09-2011, 05:07 AM
They would be working on the issue. The best thing to do would be to either wait or switch host. If you want to help them, maybe you should not interrupt them with tickets etc., to give them the most time to work on the issue.

Posted by CrocWeb, 12-09-2011, 05:09 AM
You have been patient for 2 weeks, I think it's time to move on if they still couldn't secure their servers.

Posted by RRWH, 12-09-2011, 05:17 AM
Whatever else you do, make sure you get backups of all your sites every day in case one is affected. A server that is hacked is worse than having a site down - because there is so much that can be done, from stealing all content etc., to changing content and scripts. 2 weeks, not fixed, time to move on.

Posted by Mark Muyskens, 12-09-2011, 05:22 AM
TOTALLY, move on. With so many hosts willing to assist with migration, there really isn't a reason to stay.

Posted by iLoveHosting-UK, 12-09-2011, 05:30 AM
I agree, I would also take a close look at your files. There's nothing worse than having malicious JS injected. - Ashton

Posted by tmaniac, 12-09-2011, 07:36 AM
Have you done all you can to secure your sites? Scripts up to date/secure passwords? Is there a possibility that these hacks are due to security flaws on your behalf? I would contact the host and get them to look at the logs and see what's happening.

Posted by RC-Martin, 12-09-2011, 08:25 AM
I am sure that k-disk are doing everything they can to solve the issue. I think they stopped the attack, and are trying to restore the sites now. If you have clean backups, then you can ask them to restore these for you.

Posted by kpmedia, 12-09-2011, 02:40 PM
Focus on this. Do what's in the best interest of your clients.

Posted by Server Management, 12-09-2011, 03:17 PM
I don't think they have CloudLinux, so maybe it's time to invest in that if they have not. Since it's based upon LVE containers, etc., it adds an extra layer of security between accounts, etc.

Posted by ModelWebHost, 12-09-2011, 11:46 PM
Facing the same issue. They had best uptime in this history, but now hacking attempts are not acceptable. So, I decided to move away.

Posted by sonymervin, 12-10-2011, 12:33 AM
This is not only my sites, their entire server got hacked. Please have a look at their announcement on the Network issues page https://k-disk.net/portal/networkissues.php

Posted by sonymervin, 12-10-2011, 12:35 AM
Did you find any other reliable Alpha provider?

Posted by joshwho, 12-10-2011, 02:24 AM
Sounds like a c99 shell script. Your host should have been patched for that a long time ago.

Posted by sprintserve, 12-10-2011, 06:10 AM
Most likely a CGI / Perl script. I have seen such scripts attempt it on our clients' servers, although unsuccessfully. All it needs is for 1 user out of the many to be vulnerable and all hell will break loose. It's a very popular hacking attempt on poorly secured servers as it is quick to run, but takes a while to recover from. Especially popular with Turkish or Middle East hackers. I suspect that they leave their backup partition mounted. So when the script scans recursively, even the backups get defaced, which is probably what is making recovery an issue.

Posted by DotAL, 12-10-2011, 06:52 AM
Totally agree, if a host cannot secure its own server from shells, that is really unprofessional. Anyway, I hope you can sort this out, and as everyone said, move on.

Posted by ModelWebHost, 12-10-2011, 08:53 AM
I have started providing alpha myself. Good bye k-disk. One thing more that in these difficulties, I am much more disappointed with their support too.

Posted by Dustin B Cisneros, 12-10-2011, 12:46 PM
As a provider I must say, we are all trying our best. Now because 1 server gets hacked you think the host is unprofessional? IT HAPPENS! It's like saying, oh, since you could not lock your doors and put an alarm on your car and they still broke in, that's unprofessional of the car dealer who placed the lock and alarm system you have... It DOESN'T make logical sense, we are in the real world here. (Things happen)

Posted by DotAL, 12-10-2011, 12:53 PM
Well, I know this happened, but he mentioned this thing was going on for 2 weeks. I don't think this is normal; if a provider has professionalism, at least it should provide the clients some security. We can say that the hosting image will be damaged, but what about the clients who will be hosting on that server? There are many, many clients that will be ashamed of their websites getting hacked or will have a heart attack from this. And about the example, if I didn't lock the door, I have a problem; who says I won't do it again? I mean, who knows that I won't leave the doors open again? If I was smart I could learn from my first mistake and purchase an alarm or something that will spare me a headache. Please get my point, if someone is in this business they need to give security to their clients and to spare them a headache.

Posted by Dustin B Cisneros, 12-10-2011, 12:58 PM
Sorry, I am having issues comprehending your points. For example, consider the doors locked and alarm activated at ALL times, you think your car is safe now? NO!!! Same with servers: you have firewall, mod_sec and all other measures in place for shells etc... you think you're safe now? NO!!! In both cases you're only safer... however, there are ALWAYS ways in regardless. Give the provider a break, it happens.

Posted by DotAL, 12-10-2011, 01:02 PM
Well, that is sure, there are a lot of ways for someone to steal a car, but at the minimum we need to avoid the little problems that will lead to someone stealing the car. I totally understand, and nobody is safe, even with maximum security, but as I stated, someone needs to close the little bugs. And I hope the provider can solve this issue asap.

Posted by J Gwynne PC Repair, 12-10-2011, 01:36 PM
That's not good! I read their announcements page as well, seems like they have servers hacked, down, licence issues all the time. I also see in their latest post about the server hack that they are unable to restore any more backups, that's not good. It's terrible when it happens, but I guess it reiterates the "always make your own backups", store them in three places mentality. Joe

Posted by JixHost, 12-10-2011, 09:29 PM
It's kind of interesting to watch the 'hosthoppers' cycles. The perpetual move is always the solution for them that never brings the desired result. Anyhow, it's unfortunate to see that happen to Keith. For all you who think you have your servers so secured and that it could not happen to you, you're incorrect. In shared hosting, these risks exist no matter how hard you lock down your boxes. No software/OS or CP is bulletproof, and that's something to digest no matter who you host with, or even if you have your own box/es.

Posted by ModelWebHost, 12-19-2011, 11:18 AM
Tickets are being closed without reply. No email reply, no webhostingtalk PM reply. IPs are being blocked continuously, downtimes, sites are getting hacked continuously, email problems, want to move but can't create backups. Many more problems in the end. Keith, you are not doing well. Services are becoming poorer and poorer. I want to migrate away, so reply to my ticket so that I can migrate away. Never seen such bad support. I know that your services were very good in the past, but now I think that it was "PAST". Anyhow, waiting for reply. Thanks

Posted by Tom,, 12-19-2011, 11:27 AM
WHMCS exploit? https://k-disk.net/portal/networkissues.php Hmm. If it was I would expect other hosts to be affected as well. If this is true has it been reported to them to patch?

Posted by jj@24khost, 12-19-2011, 11:35 AM
To me it sounds like a rogue former employee who had root access. This type of thing happens.

Posted by Tom,, 12-19-2011, 11:38 AM
So not an exploit in WHMCS as a whole. Their own fault for not having stricter security measures. If it is whmcs as a whole then a patch from whmcs normally shoots out quite fast.

Posted by ModelWebHost, 12-19-2011, 11:42 AM
But a single reply will not be a problem for them. Still waiting for Keith Reply.

Posted by JLHC, 12-19-2011, 01:23 PM
Yes there was an exploit and the patch is here:- http://forum.whmcs.com/showthread.php?t=43462 Is this your personal opinion or do you have any proof to back up your claim?

Posted by sprintserve, 12-19-2011, 01:29 PM
The WHMCS exploit simply creates an entry point for a PHP script to be created in the templates directory. It still goes back to a server that's not properly secured. If it is, the damage will not be as extensive. There is no reason that a script in one of the users' directories should be allowed to run havoc over the whole server.

Posted by chasebug, 12-19-2011, 08:20 PM
What is the name of this script? I would like to test it against my server.

Posted by DeltaAnime, 12-19-2011, 08:43 PM
Why in the world are you using mod_php then? That's the only time such a script can rip apart multiple users since 'nobody' would have access to those all. Francisco
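The isolation point raised in the two posts above (a script in one account should not be able to damage the rest of the server, and under mod_php every script runs as the shared 'nobody' user) can be audited from the defender's side. The following is an added example, not part of any post in this thread: it lists every path under a hosting root that a given uid could write according to the permission bits alone; the directory layout, account names and uid are constructed.

```python
import os
import stat
import tempfile


def writable_by(root, uid, gids=frozenset()):
    """Paths under root that uid (with group ids gids) may write, by mode bits only."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; its target is checked separately
            if st.st_uid == uid:
                bit = stat.S_IWUSR
            elif st.st_gid in gids:
                bit = stat.S_IWGRP
            else:
                bit = stat.S_IWOTH
            if st.st_mode & bit:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: two hosting accounts, one loose file and one loose directory."""
    root = tempfile.mkdtemp(prefix="homes-")
    files = {
        "alice/public_html/index.php": 0o644,
        "alice/public_html/config.php": 0o666,  # world-writable file
        "bob/public_html/index.php": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    for rel in ("alice", "alice/public_html", "bob"):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "bob/public_html"), 0o777)  # world-writable directory
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    shared_uid = os.lstat(tree).st_uid + 12345  # constructed stand-in for the shared web-server uid
    for hit in writable_by(tree, shared_uid):
        print("writable by shared web user:", hit)
```

Run against a real home or backup mount with the actual web-server uid, an empty result means a script running as that user has nothing it can overwrite outside what its owner granted; ACLs and mount options are not considered.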

Posted by JixHost, 12-19-2011, 11:18 PM
Hopefully Keith will give an analysis once this is all sorted out so we all can learn from it and take further security measures, if needed.

Posted by SOLONE, 12-19-2011, 11:41 PM
How about installing a web application firewall in front of the web site in transparent mode to learn about the hacking technique? Once the technique is known, we could easily prevent it from happening again. If it is not a port 80 attack, perhaps the box should be firewalled up to only allow port 80 TCP.

Posted by ModelWebHost, 12-20-2011, 12:33 PM
I have purchased 2 servers and started providing alpha myself but data migration is the problem because server is down and not all accounts have been migrated on new server.

Posted by Server Management, 12-20-2011, 04:40 PM
What planet are you on?

Posted by JaJae, 12-20-2011, 04:47 PM
One where FTP, SSH, HTTPS, etc don't exist?

Posted by Server Management, 12-20-2011, 08:51 PM
Must be

Posted by sonymervin, 12-22-2011, 06:56 AM
For me their server is not down.

Posted by ModelWebHost, 12-22-2011, 07:47 AM
You may be on another server, or you did not notice, or maybe your account is one of those which were migrated first.

Posted by Jason_Sanders, 12-22-2011, 09:21 AM
Hello, our WHMCS install is on a different server. The attacker uploaded a script that echoed the unhashed root passwords/access hashes from our WHMCS and used it to gain root access to 3 of our servers. Just a note to the user on the CP4 Server: access to the server has been turned off, as all customers need to use the CP5 Server going forward. We left open ports 2086 and 22 to allow us to finish transferring the final accounts over.

Posted by linux7802, 12-22-2011, 10:58 AM
The simplest way to secure the site is to disable all the vulnerable PHP functions, as well as delete the FTP account and change the cPanel password. Download the current working hosting account backup to a local machine, remove the unwanted files, then scan it with the local machine's anti-virus. As soon as the backup is completed, re-upload the hosting account, check the daily raw access logs for illegal activity, and block the unknown IPs. Also, if possible, remove any insecure theme/template/plugin from the hosting account and make sure that mod_security is enabled for your domain.

Posted by reliabilitytester, 12-27-2011, 06:17 PM
I am finally ready to jump in here... As a paid (reseller) customer of K-disk and after OVER 2 weeks of baloney, it's time to speak up. My gripe list: After my experiences with fly-by-night reseller hosting in the past, this ALL looks VERY FISHY. Their defacement attacks are suspiciously too much like others I have seen when fishy providers took the $$$ and ran. Their services are not reachable. Their 'support' has become non-existent. Their phone number rings ONCE and goes to a rapid busy. Neither tickets nor emails are replied to. All the above is the death knell announcing in no uncertain terms the death of some highly reputed hosting; a terrible and sad thing - but also a time to move on to a better, more reliable hosting provider.

Posted by JixHost, 12-31-2011, 04:48 PM
Web hosting companies are always changing, bad ones become good and good ones become bad. From what I have seen over the years, K-Disk has had an excellent reputation on WHT. I'm not saying he's now bad, but things happen: hosts get sold, hacked, loss of interest from the owner/s, no support from the data center, and the list goes on.


