
Servage hacked yet again....

Posted by Jax2, 12-02-2008, 04:20 AM
**********MODERATOR NOTE: **************
Please excuse me if this is the wrong forum to post this in, but I feel I need to warn other Servage customers and give them a heads up on what's going on, seeing as how Servage will never do it themselves. If there is a better forum for this, PLEASE move this thread to that forum. I didn't see one that looked better.
***************************************

We've been hacked, again. By we, I mean, many many Servage clients as far as I can tell. Unlike past JavaScript injections, this time it is much more serious, at least to me anyhow.

Here is what I know: Somehow, someone has gained full access to my (and again, many others') control panel on servage.net. While on there, they have generously created their own FTP accounts with full access. Every website I host with Servage had a number of files uploaded to them. These files consisted of one or more .htaccess files that contained a number of rewrites pointing to the other files they uploaded. The new files were actually cleverly hidden inside other directories where they would go unnoticed. For example, on some of my sites that have forums, they were put into /forum/include/tmp/(bogus files), and in my galleries, put into such directories as /images/photos/(bogus files).

The files themselves are as follows:

a .htaccess file
css.js
keys.txt
links.txt
main.php
texts.txt
and tpl.php

The links.txt file itself is over 1.9mb and contains links to hundreds of other infected SERVAGE hosted websites (I have checked at least 30 of them in whois.org and found all are hosted at Servage). Here is an example of the links.txt file:

chipandachair.co.uk/language/include/include/topic~3312.html|black break spring
chipandachair.co.uk/language/include/include/topic~1562.html|free exploited black teens
ra4prints.co.uk/inc/forum/style/group~190.html|nudist photographys
ra4prints.co.uk/inc/forum/style/group~3827.html|my nudist links

And so on and so forth. Keys.txt is a giant list of pornographic phrases and texts.txt is just random phrases in general.

I have contacted Servage about this multiple times and have gotten their basic cookie cutter response of please remove the files from all your websites, change all your passwords and delete the new FTP accounts created. I asked them point blank if they've been hacked and they've continued to say no.

If you are a Servage customer, make SURE you log into your control panel RIGHT NOW and check to see if new FTP accounts have been created. After that, look at your website statistics and click on DISPLAYED PAGES and look for odd entries like /blabla.html/links?12982.html or some such thing and pay attention to where the link is showing up (what directory), which will help you remove all of the crap someone put on there.

This is very serious guys... as I said, someone had full access to my control panel. With that, they could enter into any of my SQL databases, fully see all the passwords to each database (as Servage kindly shows your password to anyone when you click on connection information), not to mention any sensitive customer data I may have had stored in my databases.

This hack also kills your website in a number of ways:

1) It tries to redirect any page on your site to the index.php uploaded to your site which then directs you to porn sites.
2) This hack spams over 3000 links to Google every day, coming from your website, leading to sites that are deemed bad by Google. This ruins your page rank and your site, as some of mine have since I missed this latest attack for 2 weeks, will go down the drain.
3) When someone googles your website, it will come up with tons of porn links. My daughter's site was one of the infected ones... she's 9, and when you look up her site it shows that it goes to porn.

Please PLEASE comment on this and let me know if you've been targeted as well and what we, if anything, can do about it. Servage NEEDS to admit they've been hacked, in fact, the damage to my businesses because of their failure to notify me of these events seems like it should be on their shoulders.

Any suggestions? I can't wait to hear from the rest of you.
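A check for the file cluster described in the post above, run over a local copy of a site (for example one mirrored over FTP); this is an added example, not part of the original thread. The threshold of three matching names, the function names and the sample rewrite rule are assumptions, since the post does not quote the .htaccess contents.

```python
import os
import re
import tempfile

# File names listed in the post as the uploaded set (besides .htaccess).
DROP_SET = {"css.js", "keys.txt", "links.txt", "main.php", "texts.txt", "tpl.php"}
REWRITE = re.compile(r"^[ \t]*Rewrite(?:Rule|Cond)\b.*$", re.I | re.M)

def scan(root, min_hits=3):
    """Map each suspicious directory (relative to root) to what was found there."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(DROP_SET.intersection(f.lower() for f in files))
        rewrites = []
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                text = fh.read()
            # Keep only rewrite lines that point at one of the listed file names.
            rewrites = [m.group(0).strip() for m in REWRITE.finditer(text)
                        if any(name in m.group(0).lower() for name in DROP_SET)]
        # One shared name (a site's own main.php) is not enough; a cluster is.
        if len(hits) >= min_hits or rewrites:
            findings[os.path.relpath(dirpath, root)] = {"files": hits, "rewrites": rewrites}
    return findings

def build_sample(root):
    """Constructed tree: a normal site root plus one directory mimicking the drop."""
    drop = os.path.join(root, "forum", "include", "tmp")
    os.makedirs(drop)
    tree = {
        os.path.join(root, ".htaccess"): "RewriteEngine On\nRewriteRule ^$ index.php [L]\n",
        os.path.join(root, "main.php"): "<?php // the site's own file\n",
        # Constructed rule; the post does not quote the real .htaccess contents.
        os.path.join(drop, ".htaccess"): "RewriteEngine On\nRewriteRule ^(.*)\\.html$ main.php?p=$1 [L]\n",
    }
    for name in ("keys.txt", "links.txt", "main.php", "tpl.php"):
        tree[os.path.join(drop, name)] = "placeholder\n"
    for path, body in tree.items():
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        for directory, found in scan(site).items():
            print(directory, found)
```

On the constructed tree only forum/include/tmp is reported; the site root, which has its own .htaccess and a lone main.php, is not.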

Posted by Aun Muhammad, 12-02-2008, 04:28 AM
You can also ask your hosting provider to give you the FTP logs of your domains. From these FTP logs you will be able to identify from which IPs hacking attempts are being made, and then you can block those IPs to avoid these, but definitely the hosting provider should take serious measures in this regard...
__________________
Aun Muhammad Raza
www.aunraza.net

Posted by Jax2, 12-02-2008, 04:49 AM
I agree completely they should do something. I have just received another support reply from them. They are totally blowing me off:

Hello Aaron,
Thank you for submitting a ticket. This issue basically happens for insecure scripts. Please update your third party scripts to their latest and stable versions. Also please take the following measures to prevent these issues from happening in future.
->Please delete all the affected contents from your account.
->Please give a strong password in your control panel and in your FTP accounts.
->Please restrict your FTP accounts.
->Set all of your files and folder permission to 644 and 755 respectively.
Thank you!!
Kind Regards
Patrik, Support
Servage Hosting

Here they are blaming my scripts for the attacks. I don't understand their reply when it is so obvious that is not the case.

Posted by SSC4U, 12-02-2008, 04:56 AM
I can only suggest that you hire a good LAMP admin and secure your cPanel server as much as it can be done. Also please check your PC with good antivirus software. I suppose that this hack was made by a "bot".

1. So, I suggest you first secure your cPanel admin port with a firewall, and give access only to your IP(s).
2. Restore your sites from a backup (if you have one).
3. Use the Google webmasters panel and delete your infected links from Google search.
__________________
Best network tools http://www.myiptest.com
SSC [Server Support Company]

Posted by lilspen, 12-02-2008, 07:17 AM
I left Servage a couple of years ago (yay for me). I can only say, move to a better host. Servage are cheap and mostly they are an alright host. But this is ridiculous. They are handling it very wrong too, any other host will tell you that. Sorry.

@SSC4U: Servage doesn't have cPanel, or any kind of server access. The 2nd and 3rd points are good though.

Last edited by lilspen : 12-02-2008 at 06:21 AM.

Posted by Mr_Vincent, 12-02-2008, 07:58 AM
Wow, you definitely need to harden your box. Install a Firewall, CSF maybe. Do routine Rootkit checks, RKHunter perhaps. Scan your accounts, clamav is great. Change your port number for SSH. Don't allow root login, make them use a user to log in then su into root. Limit log in attempts for SSH. And lastly, modsec does wonders!! It is true though, updating scripts helps plenty, sometimes you'll have an updated/stable script but use bogus plugins/mods, etc! Everything counts!

Posted by Jax2, 12-02-2008, 03:26 PM
I appreciate the answers I have gotten so far, but unfortunately, the advice should be given to Servage. As a Servage customer, I have absolutely no control over their servers or anything to do with security. Their answer to everything is change passwords, make sure I log out after being on control panel, in other words, they completely ignore and deny there are any problems. SO frustrating.

I am also a DreamHost customer, and would love to transfer all my sites there, but I can't even begin to imagine how hard it will be when many of my websites have well over 800 pages each that would have to be changed to reflect the new host / new SQL databases, it just seems like an insurmountable task.

Posted by Website Rob, 12-02-2008, 03:35 PM
Quote: Originally Posted by Jax2

I agree completely they should do something. I have just received another support reply from them. They are totally blowing me off:

Hello Aaron,
Thank you for submitting a ticket. This issue basically happens for insecure scripts. Please update your third party scripts to their latest and stable versions. Also please take the following measures to prevent these issues from happening in future.
->Please delete all the affected contents from your account.
->Please give a strong password in your control panel and in your FTP accounts.
->Please restrict your FTP accounts.
->Set all of your files and folder permission to 644 and 755 respectively.
Thank you!!
Kind Regards
Patrik, Support
Servage Hosting

Here they are blaming my scripts for the attacks. I don't understand their reply when it is so obvious that is not the case.

If you have provided Servage with the same information you provided within your first post and this is the type of reply you got, then MOVE... FAST. You will be beating a dead horse in trying to get them to admit/do anything and the onus is now on you to correct the situation.
__________________
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available

Posted by Jonathan Kinney, 12-02-2008, 04:01 PM
Not saying who is right or wrong, but it is wise to make sure your scripts are up to date, and use long secure passwords (with upper case, lower case, numbers, symbols, etc.).

I have also seen customers with exploitable scripts get into situations where once exploited, access was gained to a script config file, which contained a database username and password, which was the same as their FTP login, and control panel login, and so their entire account was compromised due to these very real factors. A host cannot 100% of the time catch that their clients have an exploitable script, no matter how hard they try. I am not saying this is the case here, but it is worth taking note of.

Best of luck finding the solution to this situation, it would be good of them to help you investigate and solve these types of issues.
__________________
Jonathan Kinney
Data Systems Specialist
Advantagecom Networks, Inc.
http://www.simplywebhosting.com

Posted by brianoz, 12-04-2008, 06:07 PM
This is not an exploitable script; it's too widespread. My guess is the box has been thoroughly owned and the hacker has root access and has probably installed hidden rootkits etc. The hack looks deliberate and targeted.
__________________
www.whitedoggreenfrog.com - webhosting from Melbourne, Australia
Simple, fast, cost effective online solutions

Posted by sillbeer, 12-08-2008, 05:52 AM
Dude I feel your pain, although my problems haven't been so rife, they're certainly just as much of a pain in the butt.

I have about 5-6 clients hosted on Servage, and they along with myself were hit in November by a JavaScript injection for the Google Analytics script. This time, it was only a couple of JS files and all sites (read different hosting accounts/password) were hit in the same fashion.

I haven't even bothered with telling Servage about it this time as it would just be a massive waste of time. The support staff really are a bunch of clueless drones that only reply with preformatted replies and don't bother reading back through a support ticket.

Anyway, time to suggest my clients cut their losses and move elsewhere, a pain for them and me.

Cheers
Bren


