My colleague was briefly able to access WHM and got the following stat:
Server Load 276.24 (8 cpus)
There is something seriously wrong here....
Indeed, I've just managed to grab this...
... in case you can't open the bitmap below, that's a server load of 185.37.
And just as I post this:-
cpsrvd - Failed
ftpd - Failed
httpd (1.3.39 (Unix)) - Failed
eximstats - Failed
clamd - Failed
exim (exim-4.68-1_cpanel_maildir) - Failed
This is getting very frustrating.
Looks like there is a mailer worm, since all the mailers seem bogged. Someone has an open relay, or a cron job set to mail once every second, and is failing...
Turn off the mailer for a day, and they will quit, if it is an open relay... otherwise scan for malicious open-relay code, or over-zealous cron-jobs, or possibly someone using a FILEWRITE php counter... LOL
"Invasion of the spider crawler bots!", Run....
(So much for my reseller account today!)
Might want to see if some bandwidth throttle control might help... I think it works both ways... in and out.
http://ask.metafilter.com/31817/What...che-web-server
Last edited by JasonD; 11-22-2007 at 08:20 PM.
RS9 down again!:mad:
Move me, please, to another server!
server load: more than 40
ftpd: failed
pop: failed
exim: failed
Last edited by fgynetco; 11-23-2007 at 08:25 AM.
Another thing I noticed as well: using FTP causes the load to increase very quickly, and logging out has the same effect in reverse (drops very quickly).
Guys, I need you all to do me a big favor... Please read below. (Even if you are NOT on this server.)
I noticed yesterday that I had entries in my "Recent Visitors" list that looked like this...
NOTICE: For the record, this is a fresh account, without PHPBB2 and without WEBMAIL setup yet.
IP: xxx.xxx.xxx.xxx
Path: /
Reply: 404
Path: /PHPBB2/setup/setup.php
Reply: 404
Path: /PHPBB2/setup.php
Reply: 404
Path: /PHPBB2/setup/admin.php
Reply: 404
Path: /webmail
Reply: 404
Path: /index.shtml
Reply: 404
Path: /favico.ico
Reply: 404
________________________________________ End of log entry...
There were about 40 attempts from different IPs that all resolved to ownership of the same identity, through four IP block ranges...
"Xxxx unnamed block owner xxxX"
Range: 209.0.0.0 - 209.128.255.255
"Xxxx unnamed block owner xxxX"
Range: 201.0.0.0 - 201.128.255.255
"Xxxx unnamed block owner xxxX"
Range: 196.0.0.0 - 196.128.255.255
The above details are not factual in numeric or name representation, because I am still digging further into the actual offenders.
They seem to be digging for known exploits, and looking for setups to our forums, giving themselves admin privileges, or becoming members on "Fresh Installs". (They use the BBS exploits to gain access to the mailer code and user-list of emails, for harvesting.)
All this activity was from my https connection on my undocumented/unpublished index.shtml page. Which led me to this discovery.
Us resellers and WHB are being hijacked by some competitors. They are loading OUR https and http index.htm files as their own page, in an attempt to steal our sales and exploit our customers' personal information.
I found this out by looking at my "Counter Logs" hosted through an exterior service, and found these "Visitors" and "Referring links"
My real page: www.imvytoys.com
The hijackers pages, that stole my page, and tried to put it as their own pages. (Notice, I have created code to redirect back to my site, if I am hijacked, so you will eventually end up back on my page, once the page detects that it has been hijacked.)
Offender URLs:
https://www.iiwhosting.com/
https://www.equipeadn.webtuga.net/
https://www.claudiodoggy.webtuga.net/
https://www.ezacchi.webtuga.net/
https://shehab.ps/
https://www.shehab.ps/
https://www.eastcom.ca/
https://www.pokemokas.webtuga.net/
Most are dead now, from my code. (I put in a report page that reported any offending hijack attempt, as a complaint launched in javascript, directly from the offending domain. LOL, I love this crap. Because they swiped my page, I had all the privileges of their domain, including e-mailing ABUSE directly from their servers.) This will help capture them.
Well, I got to say, thanks for the hits guys... but you've been busted.
Also note... the offending domains are all web-hosting companies, and all have their names from (NameCheap.com), the same place WHB buys our names from. Chances are, they are reading the "New WWW domains list" and searching for the keyword "Hosting". Then hijacking our pages, knowing that we will be listing ourselves in search engines. (Thus, giving them a cross-site advertisement in the process.)
The code you need to add to any page that you don't want to be hijacked is this...
<script type="text/javascript">
// Compare the address the browser is actually showing with your own domain name.
var $vE = window.location.href;
if ($vE.indexOf('mysitename.com') == -1) {
    // Not on our domain: send the visitor back to the real site, keeping http vs https.
    if ($vE.indexOf('https://') == -1) {
        window.location.href = 'http://www.mysitename.com/index.htm';
    } else {
        window.location.href = 'https://www.mysitename.com/index2.shtml';
    }
}
</script>
What does that do?
If they hijack your page, the HREF = https://fakesite.com/
The code says...
If (mysitename.com) is not part of (this page HREF) then...
Next check, (See if this is http or https)
If (https://) is not part of (this page HREF) then...
- it loads the normal (http://.../index.htm) real page
else
- it loads the secure (https://.../index2.shtml) real page
[NOTE: I use index2.shtml, because index.shtml will stop index.htm from loading]
Simple, but effective. (There is a separate code if your page is in frames.)
You can also force hijacked pages to reload a dirty site. (Which will make them look bad in google. Thus reversing the idea of possibly doing that in the future to others.)
Just replace (window.location.href) with (parent.window.location.href), but you have to provide error trapping, since pages in another domain will return the HREF as "Undefined" or "", because that is not your domain and you cannot read that data. (Which should indicate a hijack also.)
The above code is still good for FRAMES and IFRAMES, as it will take the customers to your real site, where the hijackers will not have access to the inner page code and links.
Exactly what are they doing with the page?
Picture this... You visit their link... (Loads your page, so it seems.)
The visitor signs-up for a plan... (But wait, they are not on YOUR page, they only seem to be!)
The transactions get intercepted, and that data such as CC and passwords and emails, all get logged as errors on that fake site. (Since they can not actually process the page requests.)
It is your HTTPS page they are on... your guests would be trying to log-in on that page. (Starting to see the plan now.)
This is how they gain access to your accounts.
The page is not intended to function properly, just a pot-luck play of the dice, looking for GET and POST commands to send NAMES and PASSWORDS of logged in people. (Or for those with BUY NOW areas on their home-pages index.shtml.)
NOTE: I use an external counter from www.StatCounter.com, which shows the "Recent Visitors" referring URL, Page, IP, Physical world location, etc...
I also use tools located here, http://www.dnsstuff.com/ which is a link provided by the WHMAutoPilot page...
Great tools to help get an understanding of the evil world wide web.
This explains it in a bit more detail...
http://www.loriswebs.com/hijacking_web_pages.html
Funny, these hijackers may be on this server... Beware, I am on a hunt for those guys! (The competition likes to own similar sites, so they can hijack the competition's shared servers. Suggestion: find all IPs and websites owned by your competitors, and simply block them from site access. EG, if IP:127.0.0.1 hijacks my page/site from this shared IP:192.0.0.1, you simply block IP:127.0.0.1 (which is a hosting IP) from being able to connect to IP:192.0.0.1. That stops them from hijacking, because the hijacked URL and content being directed from 127 is being blocked. Our content will never appear to be on that page, unless they physically steal our page, by downloading it.)
This web-hosting service should block all IP ranges related to NON-ISP related IPs. Other website hosts have no reason to be requesting our website content. (They are not visitors, they are servers.)
The only exception would be something like RSS or XML or BLOGS, which you can instruct us to "ALLOW", or you can simply unblock those "Safe" IP's. (Just give us a web-page that can "Check" if an IP or HOST is being blocked, so we can request to unblock it, for our site, if needed. Obviously, popular ones like GOOGLE's BLOG, would be removed from that list for all of us.)
That might help stop a lot of these DIGGS and DDOS attacks related to page hijacking, and username/password theft, resulting from those page-hijacks.
Last edited by JasonD; 11-24-2007 at 01:07 AM.
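An added example (not from the original post) of a stricter version of the check above: the original tests indexOf('mysitename.com'), which also matches a foreign host such as "mysitename.com.example" or a URL that merely contains the name in its path, so this version compares the parsed hostname exactly and handles the cross-origin frame case with the error trapping the post mentions. "mysitename.com" and the two landing pages are placeholders.

```javascript
// Added example, not the original poster's code. Compares the real hostname
// instead of doing a substring search, so a foreign host that merely contains
// our name is still treated as a hijack. Placeholder domain and landing pages.
const CANONICAL_HOST = 'mysitename.com';
const HTTP_HOME = 'http://www.mysitename.com/index.htm';
const HTTPS_HOME = 'https://www.mysitename.com/index2.shtml';

// True only for the canonical host itself or one of its own subdomains.
function isOwnHost(host, canonical = CANONICAL_HOST) {
  host = host.toLowerCase();
  return host === canonical || host.endsWith('.' + canonical);
}

// Given the URL the browser is actually showing, return where to send the
// visitor, or null when the page is genuinely served from our own domain.
function hijackRedirectTarget(currentHref) {
  let url;
  try {
    url = new URL(currentHref);
  } catch (e) {
    return HTTP_HOME; // unparseable location: treat as foreign
  }
  if (isOwnHost(url.hostname)) return null;
  // Keep the visitor on the same scheme they arrived with.
  return url.protocol === 'https:' ? HTTPS_HOME : HTTP_HOME;
}

// Framed by a foreign origin? Reading top.location.href throws across
// origins; as the post notes, that failure is itself a sign of a hijack.
function framedByForeignOrigin(win) {
  if (win.top === win.self) return false;
  try {
    return !isOwnHost(new URL(win.top.location.href).hostname);
  } catch (e) {
    return true;
  }
}

// Browser entry point. The functions above are pure so they can be unit-tested.
if (typeof window !== 'undefined') {
  const target = hijackRedirectTarget(window.location.href);
  if (target) {
    window.location.href = target;
  } else if (framedByForeignOrigin(window)) {
    window.top.location.href = HTTPS_HOME; // break out of the foreign frame
  }
}
```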
OMG, the DNS shows these sites all belong to a client on here!
http://www.dnsstuff.com/tools/dnsrep...dn.webtuga.net
http://network-tools.com/default.asp...st=webtuga.net
We are being hijacked by our neighbors, who are also hijacking WHB pages.
Oh, you are sooo busted... Soooooooooooo owned...
Last edited by JasonD; 11-23-2007 at 07:22 PM.
Jason
We have been keeping an eye on this account. For now this account has been suspended until Den or Igor complete their investigations.
Seems he was using the IP addresses and routing them to his own. (Redirection through .htaccess to other IPs on the same accounts.)
Take note, that he has accounts on three other servers that are not reseller accounts.
One way you can find these guys, and prevent this activity from happening again...
- Create a fake account on every server, without a dedicated IP.
- Fill it with a SKELETON index.shtml
- Inside that index.shtml, fill the page with keywords related to, "hosting, login, secure, password, reseller, discount, etc..."
- On that page, have a counter from an exterior service, not of this IP.
- Watch those logs, for "Came from" hits... (These guys are stripping the referrer, so it shows "/" in our logs, but on exterior counters, it shows the referring web-page.)
- If you start to get hits on these accounts, just click on the referrer link. (That is the page they supposedly came from.)
In this case, I saw my own page on those listed sites. My secure site, on his https:// domain. (They are only targeting https pages, for obvious reasons.)
Check his logs, I am sure you will find ERROR: 404, https://fakesite.htm/hijackedpage.ht...jackedpassword
That is how they gather names/passes... since the login CONTINUE page will not exist on their server pages, it throws errors with the unsecure/unencrypted data in plain view. (Since they don't have our security certificate... but they have no intentions of having a secure transaction.)
I also noted, as with my other accounts... that AWSTATS is running. (You disabled our ability to turn it on/off, but did not disable it in our accounts. All new accounts are being created with AWSTATS running.)
Hehe, check his AWSTATS data for incriminating evidence. Also feel free to check mine. (On my reseller account www.imvutoys.com is the one that was hijacked from rs9.whbdns.com )
Last edited by JasonD; 11-24-2007 at 12:09 PM.
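An added example (not from the original post) of the two log checks described in this thread, run over constructed Apache combined-format lines: one flags source IPs that rack up 404s on the forum setup/admin paths listed earlier, the other lists referrer hosts that are not our own domain, which is the "Came from" evidence the external counter showed. The IPs, the hostname "www.fakesite.example" and the domain name are constructed or placeholders.

```javascript
// Added example, not from the original post. Detects the probing and the
// foreign-referrer pattern described above in Apache combined log lines.
const OWN_DOMAIN = 'imvytoys.com'; // placeholder for your own domain
const PROBE_PATHS = ['/phpbb2/setup/setup.php', '/phpbb2/setup.php',
                     '/phpbb2/setup/admin.php', '/webmail'];

// ip ident user [date] "METHOD path PROTO" status size "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]), referer: m[5] };
}

// IPs with at least `threshold` 404s on known install/admin probe paths.
function findProbingIps(lines, threshold = 2) {
  const counts = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.status !== 404) continue;
    const path = r.path.toLowerCase().split('?')[0];
    if (!PROBE_PATHS.includes(path)) continue;
    counts.set(r.ip, (counts.get(r.ip) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([ip]) => ip).sort();
}

// Referrer hosts that are not our domain: visitors who arrived via a copy of
// our page served elsewhere. A stripped ("-") referrer is simply skipped.
function foreignReferrerHosts(lines) {
  const hosts = new Set();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.referer === '-' || r.referer === '') continue;
    try {
      const h = new URL(r.referer).hostname.toLowerCase();
      if (h !== OWN_DOMAIN && !h.endsWith('.' + OWN_DOMAIN)) hosts.add(h);
    } catch (e) { /* malformed referrer: ignore */ }
  }
  return [...hosts].sort();
}

// Constructed sample log lines (documentation IP ranges, placeholder hosts).
const SAMPLE_LOG = [
  '198.51.100.7 - - [22/Nov/2007:20:01:02 -0500] "GET / HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
  '198.51.100.7 - - [22/Nov/2007:20:01:03 -0500] "GET /PHPBB2/setup/setup.php HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
  '198.51.100.7 - - [22/Nov/2007:20:01:04 -0500] "GET /PHPBB2/setup.php HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
  '198.51.100.7 - - [22/Nov/2007:20:01:05 -0500] "GET /PHPBB2/setup/admin.php HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
  '203.0.113.9 - - [22/Nov/2007:20:05:00 -0500] "GET /index.htm HTTP/1.1" 200 5120 "https://www.fakesite.example/" "Mozilla/5.0"',
  '192.0.2.44 - - [22/Nov/2007:20:06:00 -0500] "GET /webmail HTTP/1.1" 404 210 "http://www.imvytoys.com/" "Mozilla/5.0"',
];
```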
Hi there, I'm Teotónio Ricardo, one of WebTuga.com/.net admins.
Today we have received an e-mail where we can read that our reseller account was suspended.
We have up to 700 accounts in our reseller account, most of them are empty. We were already planning to clean up the accounts (scheduled for December (holiday time = more free time to do that)).
But it seems that this is not the reason for the suspension.
We provide free and paid hosting.
All the free accounts are hosted in the reseller account at your server and the WebTuga.com Community and WebTuga.net WebHosting Site is hosted at our dedicated server ( 208.53.131.182 ).
These websites are from our users:
https://www.equipeadn.webtuga.net/
https://www.claudiodoggy.webtuga.net/
https://www.ezacchi.webtuga.net/
https://www.pokemokas.webtuga.net/
What I get is that these accounts are doing domain hijacking (?). Is that something to do with iframes?
We want to solve this problem so that all of us are fine, please help us to solve this.
thanks
( Sorry my english )
I need a backup, there are websites from students in these reseller accounts, works for school and university.
Please, give me an answer.
My account was suspended, my account at whbsupport.com deleted and no one gives me the backup files.
What's next?
Thanks for all WebHostingBuzz...
:|
Cenourinha,
1. You have broken AUP by commercially providing free hosting services which we strictly prohibit. We do not apply this rule strictly if you are just hosting your friends or your colleagues for free. The problem arises when you offer them commercially and then to top it off other domains being hijacked. This is not acceptable at all.
16) Account Holder agrees not to provide free services such as free hosting, free subdomains or free email accounts. Account holders found violating this section will be terminated immediately and all payments forfeited.
http://www.webhostingbuzz.com/?hosti...t-usage-policy
Needless to say your account was cancelled and terminated.
2. Your subdomains were involved in fishy domain hijacking cases. We received complaints from Enom regarding this as well. Your accounts caused terrible downtime for other users on RS9.
Under normal circumstances we fully cooperate with the client but in your case we cannot. Your data, apart from the domain(s) that were involved in the hijacking case, has been removed from our network; those we keep just in case we need them for any investigations.
I'm afraid we cannot help you any further, not when you do not have basic respect for the rules set. Good luck with your future.
Last edited by Saf M; 11-24-2007 at 04:06 PM.
cenourinha
You are ONE of the admins. You might want to inform the OWNER. Admins do not have authority to handle things related to the owner of the account.
No, there was no frames. (It was a direct IP hijacking. Internal redirection of my content, into your servers website.)
Yes, MY website was hijacked by you or your clients, on the servers hosted here.
WHB is investigating the situation.
Last edited by JasonD; 11-24-2007 at 04:04 PM.
These accounts are basically for students, foundations without monetary ends, portfolios of my friends.
JasonD, I'm sorry that my friends caused you problems.
Anyway, I think I still haven't understood what domain hijacking is.
Can someone explain it to me?
Ok, here is the short version...
When someone goes to this page, [fakesite.anysite.com] (Your clients)
That website has a file called ".htaccess", which sees that someone is visiting [fakesite.anysite.com], but it rewrites the page that it shows.
Instead of showing the real website located at [fakesite.anysite.com], it goes to [mywebsite.com], and shows [mypage.htm], but the name it shows is not [mywebsite.com/mypage.htm].
The name the page visitors and web-crawlers see, is [fakesite.anysite.com/mypage.htm].
Now, here is the hijack part... MY customers, and MY potential future customers, try to enter data into, what appears to be, [mypage.htm].
They enter their login information, name/password, or they possibly try to purchase one of my web-hosting packages.
However, the link they click to continue, will not work. It throws an error, because the page does not exist on [fakesite.anysite.com], where they actually are.
That error gets logged, in your error logs, and then your main site loads. (Advertising your web service.)
That error holds my clients personal information, since [fakesite.anysite.com] does not have my {SECURE CERTIFICATE}. That means that all the clients info is NOT ENCRYPTED, and can simply be read by looking at the logs.
That thief/hijacker then comes back to MYSITE.com, and uses the NAME/PASSWORD they just stole, to buy things, edit things, sell things, mail things, create new accounts, cancel accounts, create back-doors so they can get in later, without a password...
See where this MAY be a problem...
That is what you are allowing your clients to do, on your "FREE" and possibly your "PAID" hosting services. They are doing this to OUR sites, and also possibly to yours.
I suggest that you contact the website owner of the account that was suspended, and have him/her fill-out a support ticket. (If you are just an ADMIN, you will not be able to speak for the owner. This is a matter that has to be handled by the owner/payee of the WHB account.)
http://www.whbsupport.com
Last edited by JasonD; 11-24-2007 at 04:44 PM.
Fudge...
Now I understand.
Please, take the time you need to verify which accounts are doing this. But don't remove my data.
Edit: is there any way to protect against this?
Last edited by JasonD; 11-24-2007 at 04:50 PM. Reason: Removed bad word
Yes there is a way to protect against it...
Do not let people create free accounts. Use your own servers for your own accounts. Monitor your sites. Watch for suspicious activity related to traffic. Have your ABUSE department setup properly. Answer and follow through with ABUSE investigations. Ultimately, suspend abusers on your websites.
It is impossible to look at every page...
Your duty is to understand what signs to look for, and handle them appropriately.
(You still need to be collecting personal information about your "Free" accounts. You should have each "Free" account user's personal information, just in case they break into your website, or WHB's or ours, or the FBI's, using your "Free" accounts.)
There are many places you can send people to get "Free" accounts. Do not harbor them among us.
TY, Jason D
Last edited by JasonD; 11-24-2007 at 05:05 PM.
Cenourinha
I'm not sure how to make this any clearer to you. We have terminated your reseller agreement. Your accounts are no longer on our server.