Ok first of all I had this issue of my cPanel/FTP password not working: http://www.astahost.com/cant-access-cpanel...led-t16945.html.

That raised a warning flag as I didn't change any settings of user authentication, etc.

So then I reset my password using the forum thing under "Free Web Hosting". It supposedly "failed", so I didn't use 10 credits. When I accessed my FTP account to upload some PHP files that I corrected, I found this new directory/file under my public_html folder:

/9xYenBai.Com/UploadMusic/Honey.wma

So I raised security, went to that website http://9xYenBai.Com and couldn't understand Vietnamese, so it didn't look suspicious or anything becuase McAfee SiteAdvisor didn't rate it yet.

Then, I downloaded the WMA music file, scanned it for viruses and found that it wasn't a virus, so I played it in Windows Media Player and the song was in Vietnamese, same as this site.

Now my main concern is that the directory is called UploadMusic, so do you think someone cracked my password and uploaded files to my account?

 

 

 

Reply

This sounds very odd indeed! I know Turbo had some issues this week with his Cpanel password also being 
changed for no reason.
Can you have a look at you FTP/Webstats and try to work on whos been visiting your site and look for the wma file in the logs and see if its been downloaded by anyone other than you.
Have you burned a lot of bandwidth this month you cant account for also?

Reply

First, you were definitely hacked!
Second, your hosting account has problems!
Third, you need to contact support.

Your site, for whatever reason, was, it looks like, suspended. Your member profile shows you as a HOSTED member but your profile is missing important hosting data!
When an account sites around for awhile without activity, hacker take the site over and use it for their purposes!

Now, between your suspension and member profile errors, when you earned enough credits to unsuspend your account, either the hacker had changed the password or more probable, the error in your member profile prevented you from logging into your account.

So, now that you seem to have some access to the website, you can see the file changes that were made on your account. More than likely, a script like SMF or Mambo allowed a hacker to upload files to your account or even have full control over you public_html folder. It is unlikely that he was able to crack your password.

So, once you get your account issues fixed, then you need to either remove the exploited web script or upgrade it to a more secure version!

These little issues you have, are rather common. Even I have had a similar issue with random files or folders being uploaded to my file system. It was a result of little or no activity on the website along with an exploit in one of the scripts I had installed.

Check this website to see what else they have done to your account:
old.zone-h.org/en/defacements/filter/filter_domain=YOUR_DOMAIN_HERE.COM

vujsa

 

 

 

Reply

My bandwidth is about average for 66% of the month has passed.
I couldn't find the WMA file in the logs as it was downloaded too little times I guess. The only files that I found in the log was the site to my Web Development Portal and the site to XKingdom Center (a game club site).

There weren't any usual numbers of users/hits on the last few days, just about 15 unique users and the average ~150 pages hit.

So I don't know what happened.

Reply

yay i have had no digital attacks, lol. that site you said vujsa freezes firefox, lol.

well if the problem is caused by being inactive, then i guess ill always stay active. by staying active, does that mean in astahost or your cpanel?

i havent had anything messed around with my account anyway so thats good for me.

Reply

Yeah, the site is really slow to load but it works okay most of the time. I use Firefox there without problem.

Hackers and spammers love inactive website since they can have their way with them for a long time before anyone stops them. Some spammers are even nice enough to leave a removal link in their spam posts on inactive forums so that once you get around to working on your website again, they will stop spamming your site. Just remember, most of them don't care too much is Joe Average clicks on the link, they want the searchbots to see the link!

The directory and file uploaded to the site is the hackers calling card. This is how they prove that they hacked your site. Then other hackers can check to see if the calling card is there. For most of them, it is just a game and the leave the calling card without damaging the website. Even the ones that do get a little out of hand usually just rename important files or folders so that the website won't work but the data is still there.

Usually, just uploading the correct backup files then upgrading the program you are using is the solution to the security problem. Rarely do they get into your database and delete or edit data unless they don't like you for some reason.

vujsa

Reply

Here is a related question. If someone else gets hacked on the same server that I am hosted at, how does this affect me? Is the server hardened enough to prevent any cross account hacking. I know that each account is protected from others to a certain extent but once a machine has been taken over can you really trust it?

Reply

Well, just like you can't access my account from your account, a hacker can't attack you account from his account.

The server is very well protected but from time to time, users unknowingly open security holes in their account with older scripts or self written scripts. Usually, it is older versions of popular scripts that get hacked into. Since these are generally open source, attackers can study the code and look for holes. Usually by the time a security exploit gets to the hacker mainstream, a new version that protects against the security issue is released. It is of course the job of the website owner or administrator to upgrade the script prior to being hacked.

Self written scripts have to be pretty bad for a hacker to get in through since they probably can't view the source code of the script. They can however use common security holes to probe your website for exploits so be sure to add a little security to your scripts.

vujsa

Reply

The thing is, my website was ACCESSIBLE when cPanel and FTP were down. No files were renamed/changed except for the newer uploaded directory. Also, I wasn't using any content management systems on my website, I was going to install phpBB2 but I didn't get around to uploading that yet.

And the site is pretty active, at least a few members visit it everyday. I regularly check on it also, so I don't see a problem with activity levels.

Reply

FirefoxRocks,

Was your original password found in a dictionary? In another words, was it not combined with numbers and symbols?

If your original password was a combination of words found in a dictionary, please read http://www.trap17.com/forums/index.php?showtopic=51761

And for the rest of AstaHost members, start changing your passwords as I explained in above topic ASAP!!

Reply