| Private Hosting Questions about VPS, dedicated servers and colocation. |
#1
Surpass Fan
Comfy Contributor
Joined in May 2004
125 posts
Gave thanks: 0
Thanked 0 times
My server stolen!!!
Hi,
My server was stolen. Please, can anybody PM me the dedi emergency phone number? I have had a ticket open for many hours and still no response (SQZ-385403). The hacker can steal my root password many times in the same day. I have a complex, long password with a special character, but the hacker can steal it many times. It looks like a WHM hole/bug issue. I need to know the phone number ASAP.
__________________
Gool

#2
says GIMME SOME MORE!
Resident.
Joined in Mar 2004
Lives in fear of Obama.
Hosted on Pass 7
13,092 posts
Gave thanks: 8
Thanked 34 times
Sorry, I don't know what the number is. I would think that it's more likely they got it from packet sniffing or from a keylogger on your computer. Or other various ways.

#3
Surpass Fan
Comfy Contributor
Joined in May 2004
125 posts
Gave thanks: 0
Thanked 0 times
The hacker is the competitor of customr.com. He was redirecting custmor.com to his site, hacker.com.
When the hacker found that we had fixed the issue more than 5 times, he changed our root password and redirected custmor.com to hacker.com again. When he found that we were contacting Surpass and had got and changed our root password and removed the redirection again, he could log in again and redirected it again, and took the whole server down; only his site is redirected and working! Now you are asking whether he stole the password from my PC? No, he did not steal it from our PC. We have Deep Freeze and Norton installed; when we restart Windows, everything is restored to its first installation state, and all passwords or any installed programs are removed once we restart Windows. The last password was changed within 30 min. only; it is a 13~15 character long password with a special character. So there is no way the password was stolen from my end, and within 30 min. It is a WHM issue, and now the whole server is out of our control.
__________________
Gool

#4
Yabadabadoo
Super #1
Joined in Nov 2004
Lives in B.C., Canada
Hosted on Dedicated
1,013 posts
Gave thanks: 7
Thanked 28 times
Well, after you got your server back, did you try upgrading to the latest version? Update all your server software? Remember, they could be getting it via an SSH exploit just as easily as a WHM hole. In fact, I've seen more SSH exploits floating around than I have WHM exploits, but I haven't been a part of *that* community in a few years lol.
Also try removing the Remote Access feature, or changing the hash that it's using. If you've got a script like WHM.AP or modernbill or whois.cart (and so on), they could have found your access hash and possibly be doing a lot of that damage that way. Although it would be stupid for WHM to allow your remote administration access for scripts to allow you to change the root pass; that sounds like it's asking for problems. Anyways, keep an open mind; there are probably more than a few points of interest available on a dedicated webserver, especially one running something like cPanel, which is so comprehensive.

#5
Surpass Fan
Comfy Contributor
Joined in May 2004
125 posts
Gave thanks: 0
Thanked 0 times
I did not update to the last version. I see that WHM is set to automatic update, "stable version". I do not have scripts like WHM.AP or modernbill or whois.cart.
I was thinking that these updates are monitored and checked by Surpass. I called Surpass by phone now and opened another ticket for this emergency state.
__________________
Gool

#7
Yabadabadoo
Super #1
Joined in Nov 2004
Lives in B.C., Canada
Hosted on Dedicated
1,013 posts
Gave thanks: 7
Thanked 28 times
Well, it could be a while. If it's not something due to your own fault, and it is a hole in WHM, it could be difficult to get fixed. It would require finding out where the hole was, and then creating a patch, which often requires the help of the developer(s).
Finding a fix isn't always as simple as adding a rule to a firewall or mod_security.

#8
Surpass Fan
Comfy Contributor
Joined in May 2004
125 posts
Gave thanks: 0
Thanked 0 times
The root password has changed around 6 times up to now. I told this to support, but I do not know why they do not understand this issue; they only give me a new password until it is changed again. I cried to them many times to check the server security, but they come back after 3~6 hrs and only change to a new password.
I do not know why the 3rd level support has become so slow these days; it was very fast before. The server is now down and I have no root password.
__________________
Gool

#9
Insanely
Super #1
Joined in Jul 2005
Lives in Northwest USA
4,154 posts
Gave thanks: 39
Thanked 78 times
Next time you email them, send them the link to this thread/post here in the forum.
Maybe that will help them better understand. Plus some of the staff do come around the forum now and then. But this is mostly a user-to-user forum. But maybe we can help support better see what is going on. From what it sounds like, your site has been hijacked. Someone seems to have found a hole in something someplace to keep getting to your root password. To me that sounds like someone has left themselves a backdoor after the first breach into your server. Maybe others here can help you explain more what is going on. And if support can look here at these posts, maybe they can better troubleshoot your situation there. Best of luck to you with this messed up problem.
|
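Posts #4 and #9 both point at access paths that a new root password does not close: the WHM remote access hash and a backdoor left after the first breach. The script below is an added example, not part of the thread and not Surpass or cPanel tooling; it lists three kinds of credential that keep working after a password change. The function names, the `/root/.accesshash` location (assumed here as the place cPanel stores the remote access key) and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list credentials that still work after a root password change.
# Each function takes a filesystem prefix, so it can be pointed at a mounted
# disk image or a constructed test tree; use "/" for the live system.

# Accounts other than root with UID 0: full root rights, separate password.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1/etc/passwd"
}

# SSH public keys authorised for root: key logins never use the password.
root_ssh_keys() {
    f="$1/root/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    # Skip blank lines and comments; print the last field (the key comment).
    awk 'NF && $1 !~ /^#/ { print "sshkey:" $NF }' "$f"
}

# WHM remote access key: any script holding it can call WHM as root.
# Path is an assumption (the usual cPanel location), not taken from the thread.
whm_access_hash() {
    [ -s "$1/root/.accesshash" ] && echo "accesshash:present"
    return 0
}

survives_password_reset() {
    uid0_accounts "$1"
    root_ssh_keys "$1"
    whm_access_hash "$1"
}

# Constructed sample tree for trying the checks offline (not data from the thread).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'support:x:0:0::/home/support:/bin/bash' \
        'web:x:1001:1001::/home/web:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' '# admin laptop' \
        'ssh-rsa AAAAB3constructedkeydata admin@laptop' \
        'ssh-rsa AAAAB3constructedkeydata unknown@host' \
        > "$d/root/.ssh/authorized_keys"
    echo 'constructed-hash-value' > "$d/root/.accesshash"
    echo "$d"
}
```

Running `survives_password_reset /` as root prints one line per finding; every line is something to verify or revoke before the next password change, otherwise the new password is bypassed the same way as the old one.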