
Servers Compromised?

 
 Discussion by mastercomputers with 7 Replies.
 Last Update: September 17, 2005, 10:33 am
 

I believe recent hacks have taken place here, but I can't tell who has been affected. I know I was but to know how they got in is a different story.

A noticeable difference is permission settings. I know for starters we don't need execute permissions on our text files, yet this seems to be the case: a lot of files that don't need execute have it. Some of my configuration files were given write access and were injected to make users who visited my site download a Windows dll file. The changes were made on the 13th (server's time).

This really is serious and should be looked into right away.

MC

   Thu Sep 15, 2005    Reply         

QUOTE (mastercomputers)

I believe recent hacks have taken place here, but I can't tell who has been affected.  I know I was but to know how they got in is a different story.

A noticeable difference is permission settings. I know for starters we don't need execute permissions on our text files, yet this seems to be the case: a lot of files that don't need execute have it. Some of my configuration files were given write access and were injected to make users who visited my site download a Windows dll file. The changes were made on the 13th (server's time).

This really is serious and should be looked into right away.
MC



Could you specify the files that were affected because it would probably be the same for anyone affected. Then we could check them out. I know that I rarely remember which files should have what permissions etc.

vujsa

   Thu Sep 15, 2005    Reply         

Just make sure that all text files, e.g. PHP, TXT, HTML, anything that you're able to view as normal text, have permissions 466 or rw-r-r. If any of them apart from owner appear to have write/execute, then it's possible they or the server changed your permissions and have written in the files. Just have a look at the dates modified of particular files to see if anything has changed that you know you didn't do.

It's definitely not the server default permissions, they seem fine. I also noticed my .htaccess file was altered to rewrite my index.php page.

I know I didn't touch any of my files on the 13th, which is how I found that my configuration file was altered by the modified timestamp date. I took my site down as soon as I noticed this. I know the script injected into my configuration.php file (part of Mambo) was not affected, only altered. It did not work as intended as there were errors in their script; however, if they were successful they would have had the ability to grab sensitive information from that file.

As for sturud, if he was a victim of DoS, then it would have been suspended because the people looking after the servers would have assumed his site was abusing bandwidth. I don't think I can do anything about this, so OpaQue will need to look into this.

I am just waiting to see if anything can be verified first. I know there were a few exploits floating around that could have done this, quite possibly from a member here who is a script kidiot.


MC

   Thu Sep 15, 2005    Reply         


The 13th? Isn't that the day when Astahost went down? Well, it did for me anyway, and I had to re-login after that (Astahost always "Remembers Me"). Could that be one of the signs of the hack?

   Fri Sep 16, 2005    Reply         

QUOTE (szupie)

The 13th? Isn't that the day when Astahost went down? Well, it did for me anyway, and I had to re-login after that (Astahost always "Remembers Me"). Could that be one of the signs of the hack?



I think that was the day that Astahost was shifted to another server, which is separate from the free hosting server (Panda).

That problem then would have just been waiting till all the DNS servers were updated with the new IP address which usually is expected to be 48 hours max depending on how frequent your DNS servers update.

So far another person finaldesign has reported changes made and stuff uploaded into his flatfile database.

Just wondering if anyone can verify if anything has been changed with their files and, if so, keep a log of the changes/dates, the server you're on if you know how to get that (cPanel should tell you which server you're on), and all the weirdness that was found inside the files that were altered.

The most noticeable thing would be if your site started producing an error, or if you look in your FTP/SSH client at the files and check whether any files like PHP, TXT, HTML, etc. have write access. Text files do not need write access, and it is not a server default to set them with write access.

Then report it to support@astahost.com.


Thanks


MC

   Fri Sep 16, 2005    Reply         
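The two checks MC describes in the posts above (Sep 15: text files should be owner-writable only with no execute bit, and anything modified on the 13th is suspect; Sep 16: keep a log of the changed files) as one POSIX sh audit script. This is an added example, not code from the thread or from Astahost; the web root path, the cutoff timestamp format and the output format are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root for the two signs MC
# describes. Text-type files (PHP, TXT, HTML, .htaccess) should match the
# rw-r--r-- layout in the post: no execute bit anywhere and write for the
# owner only; anything else is flagged PERMS. Files whose mtime is later than
# a cutoff are flagged MTIME. The sorted output is the change log MC asks for.

# Flag text-type files carrying any execute bit or group/other write bits.
audit_perms() {
    webroot=$1
    find "$webroot" -type f \
        \( -name '*.php' -o -name '*.txt' -o -name '*.html' -o -name '.htaccess' \) \
        \( -perm -g=w -o -perm -o=w -o -perm -u=x -o -perm -g=x -o -perm -o=x \) \
        -print | while IFS= read -r f; do
            printf 'PERMS %s\n' "$f"
        done
}

# Flag files modified after the cutoff, given in touch -t form
# (CCYYMMDDhhmm, server local time), e.g. 200509130000 for the 13th here.
# A reference file carries the timestamp so plain POSIX -newer can be used.
audit_mtime() {
    webroot=$1 cutoff=$2
    ref=$(mktemp)
    touch -t "$cutoff" "$ref"
    find "$webroot" -type f -newer "$ref" -print | while IFS= read -r f; do
        printf 'MTIME %s\n' "$f"
    done
    rm -f "$ref"
}

# Combined report: one "REASON path" line per finding, sorted so two runs
# can be diffed. Keep this output together with the cPanel server name.
audit_webroot() {
    { audit_perms "$1"; audit_mtime "$1" "$2"; } | sort
}

# Stand-alone use: sh audit.sh /home/user/public_html 200509130000
if [ -n "${1-}" ]; then
    audit_webroot "$1" "${2:-200509130000}"
fi
```

Run it against a copy of the site taken before cleaning up, so the modified timestamps are still the ones the intruder left behind.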

It's just a suggestion, but maybe you can check out the dll that it makes visitors download MC. Some track and tracing might be possible.

As for myself, nothing has changed or something.

Anyway, for some reason, astahost forums don't set or don't remember the cookie they set when you select "remember me". It just pops up the, standard, not logged in forum, maybe it has something to do with the hack.

   Fri Sep 16, 2005    Reply         


That makes me wonder if that is what is going on with my site too then...

As of last night, I was groovy with 17.50 Hosting credits, and I woke up this morning to 16.02 HC and a suspended website....

It has been down all day, and I was beginning to get a little flipped off....

Oh, well. At least I think that I might know what the problem is now. The worst part was not knowing what was up with the site, and not seeing much about any problems that have been noticed, but at least I think that I may have finally found the answer that I was looking for....

-William

   Fri Sep 16, 2005    Reply         

Everything's fine on my end MC, could it be that your site specifically was compromised?

Do you have any enemies?

And wwheeler, the forums have nothing to do with the hosting.
You were banned because Opaque ran a script to check all the posts I think, something along those lines.

Check the thread about somebody being suspended inside the members section.

   Sat Sep 17, 2005    Reply         
