New Exploit???

Author
oakleeman
Senior Member
2007/08/01 01:00:25 (permalink)

New Exploit???

I think that there is a new exploit out as we've been hacked twice in two weeks by the same guy. We didn't have the latest hotfix the first time but the second time we did. The first time they created a webmin account, changed our default reseller & hostadmin passwords. I wanted to study what all they had done so I didn't delete their usernames or websites, just disabled them and changed the reseller/hostadmin profiles & passwords.

I upgraded to HF3.3 and then noticed tonight that our reseller password had been changed again; they didn't get the hostadmin this time. They created a new site and webadmin and deleted their previous websites.

From the looks of the logs they were doing it through our default HC admin (8077) site and I'm guessing that it was some sort of SQL injection since they had completely blanked all fields except e-mail of our reseller account.

The IPs I see in the logs for those dates were:

The first site they added to our server was http://caonguyendn.biz/ which has been moved to another server which I see is also HC based.

We'll be migrating our sites & HC install to a new server soon anyway, so we shouldn't have to worry too much about them knowing our users' passwords or anything.

#1


    Dhosting.co.uk
    Premium Member
    RE: New Exploit??? 2007/08/01 02:52:47 (permalink)
    Sounds interesting but being unpatched is a bad idea as 3.3 fixed a major security bug.

    It could be the guy left a backdoor. One thing you can do in Windows is set the user to "cannot change password" for hcadmin and resadmin etc.

    I would look closely at what users he has created and remove them all.

    If he directed the domain to your servers, changed NS etc., you should report it to the abuse department of the registrar.

    __________________
    Chris Daley
    Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423
    www.hc7.co.uk - HC7c Launch 27th December 2006
    www.Dhosting.co.uk - Web Hosting, Domain Registration, Windows 2003 NLB Cluster with HC 6.1!!!
    www.Dwebs.ltd.uk - Web Design & Other Services
    My views are my own and not those of my company.
    #2
    redbaran
    Premium Member
    RE: New Exploit??? 2007/08/01 06:49:14 (permalink)
    Well HC, here is someone else that it happened to.

    We were on HF3.3 since it came out and it still happened. I have already reported this to HC but I kind of got the "Well, no one else is reporting the issue; you might want to check your security settings." Maybe they will take my request a little more seriously now.

    There are some things that I have done to try and stop them but I am not going to post them here. If you want to know what they are, send me an email offline.

    Rick
    #3
    oakleeman
    Senior Member
    RE: New Exploit??? 2007/08/01 08:05:34 (permalink)
    From what I can tell from the logs, they are somehow changing our reseller profile and then using the forgotten password feature to have our password mailed to them. I just haven't been able to find out how they are changing the profile.

    There are actually two IPs hitting the site at this time, but one IP's first entry in the log is a POST to /hosting/addreseller?htype3

    #4
    Dhosting.co.uk
    Premium Member
    RE: New Exploit??? 2007/08/01 08:07:33 (permalink)
    No attacks yet, apart from two weeks ago I noticed someone tried to get both the resadmin and hcadmin passwords through the forgot password page.

    I assume they were trying an old bug out.

    Still no attacks; I've checked all users etc.

    #5
    oakleeman
    Senior Member
    RE: New Exploit??? 2007/08/01 08:26:20 (permalink)
    How hard do you think it would be to add some code to the password mailer ASP page that sends the reseller/admin an e-mail whenever someone requests their password? Just a simple CDOSYS script that says that such&such IP is requesting the password for such&such account?

    Not that this fixes the problem at hand but it might help give a heads up.

    #6
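    One way to implement the alert oakleeman proposes above, as an added example that is not part of the original thread or of Hosting Controller's own code. It assumes a local SMTP relay on 127.0.0.1:25, placeholder alert addresses, and that the reminder page receives the account name in a form field named "username" (that field name is a placeholder to be matched to the real page).

```asp
<%
' Added example (not Hosting Controller's own code): call NotifyPasswordRequest
' from the password-reminder page before the reminder itself is sent.
' Assumptions: a local SMTP relay on 127.0.0.1:25, a fixed alert mailbox in
' ALERT_TO, and that the requested login name arrives in a form field named
' "username" (placeholder; match it to the real page's field name).
Const ALERT_TO   = "security-alerts@example.com"   ' placeholder admin mailbox
Const ALERT_FROM = "hc-alerts@example.com"         ' placeholder sender
Const SMTP_HOST  = "127.0.0.1"

Sub NotifyPasswordRequest(ByVal requestedAccount)
    Dim objMsg, objConf, remoteIp, body

    ' Strip CR/LF so a crafted account name cannot inject extra mail headers.
    requestedAccount = Replace(Replace(requestedAccount, vbCr, ""), vbLf, "")
    remoteIp = Request.ServerVariables("REMOTE_ADDR")

    ' Plain-text body: the requesting IP, account and time the admin wanted.
    body = "Password reminder requested" & vbCrLf & _
           "Account:    " & requestedAccount & vbCrLf & _
           "From IP:    " & remoteIp & vbCrLf & _
           "Time:       " & Now() & vbCrLf & _
           "Host:       " & Request.ServerVariables("HTTP_HOST") & vbCrLf & _
           "User-Agent: " & Request.ServerVariables("HTTP_USER_AGENT")

    Set objConf = Server.CreateObject("CDO.Configuration")
    With objConf.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2   ' cdoSendUsingPort
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_HOST
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        .Update
    End With

    Set objMsg = Server.CreateObject("CDO.Message")
    Set objMsg.Configuration = objConf
    objMsg.From = ALERT_FROM
    objMsg.To = ALERT_TO   ' fixed address, never the (possibly tampered) profile e-mail
    objMsg.Subject = "[HC] password reminder requested for " & requestedAccount
    objMsg.TextBody = body

    ' A failed alert must neither block the page nor reveal anything to the requester.
    On Error Resume Next
    objMsg.Send
    On Error GoTo 0
End Sub

' Fire the alert before the existing reminder logic runs.
NotifyPasswordRequest Request.Form("username")
%>
```

    The alert goes to a fixed mailbox rather than the address stored in the profile, since the thread shows that profile e-mail being changed by the attacker before the reminder is requested.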
    Albert38
    Senior Member
    RE: New Exploit??? 2007/08/01 12:20:09 (permalink)
    I had the same problem and reported this on 24 Dec. 2006. The response from HC was "Well, no one else is reporting the issue; you might want to check your security settings. Update to HC7, it is more secure."

    I'm happy that they got to my test machine, as I'm evaluating HC and will be for some time before I decide to buy it or not. At this moment I like HC but there is some work to do for HC before I will buy it.
    #7
    Dhosting.co.uk
    Premium Member
    RE: New Exploit??? 2007/08/01 13:59:07 (permalink)
    Right, if what you're saying, "Update to HC7, it is more secure", is what HC said, that is the wrong thing to say. If HC want to drop customers, keep that sort of talk up. Post the email reply; I would be interested to see which HC member of staff stated it.

    Out of line. At the moment HC7 still doesn't work properly, so upgrading isn't an option.

    #8
    janbocw
    Junior Member
    RE: New Exploit??? 2007/03/02 13:56:20 (permalink)
    I'm having the same problem now. The user just uses the forgot pwd page and gets a new pwd after changing the email somehow from the user profile page.

    How did you fix it?

    Thanks
    Jan
    #9
    Dhosting.co.uk
    Premium Member
    RE: New Exploit??? 2007/03/02 14:01:02 (permalink)
    We haven't seen anything like this, only two attempts through the password reminder, but I reckon they were trying an old security bug; maybe reapply the latest hotfix.

    #10
    janbocw
    Junior Member
    RE: New Exploit??? 2007/03/02 14:07:11 (permalink)
    Do you remember the hacker's name that attacked you??

    It's very strange... I had an issue like this using hotfix 3.2 before the 3.3 release, and I remember, but the problem doesn't seem exactly the same. Now the guys first change the email from the profile. The other time they changed the pwd directly. And they have access from HC panel users. This time I see that they should know the name first.

    I turned off the HC panel for security, waiting for an HC Support solution. I sent the log files to them; I expect a fast solution as a user since 2001.

    Thanks for your reply.

    #11
    Dhosting.co.uk
    Premium Member
    RE: New Exploit??? 2007/03/02 14:16:49 (permalink)
    Sounds like 3.3 wasn't applied properly or you have another security issue.

    Like I said, more than one person tried but failed on all attempts. It's rather odd we have not had a security issue with HC ever; lucky I guess :)

    #12
    oakleeman
    Senior Member
    RE: New Exploit??? 2007/10/02 19:11:51 (permalink)
    We had a demo reseller & webadmin account set up that potential customers could log in with to give HC a trial run. We have deleted those accounts as well as blocked the entire class C subnet of the two IPs that hacked us.

    Whether this stopped them or they just coincidentally decided to leave us alone I'm not sure but we've not had any more problems since.

    I still believe that there is a new SQL injection exploit out there that HC is refusing to acknowledge. I haven't seen anything posted on milw0rm or Metasploit yet but I'll keep looking.

    #13
    Dhosting.co.uk
    Premium Member
    RE: New Exploit??? 2007/11/02 02:14:29 (permalink)
    It may be a question of trying out old bugs to see if they haven't been fully patched etc.

    We lock the password on our demo account in Windows account manager and disable many features like folder browser etc. to stop hack attempts.

    It still could be that when people have updated to 3.3 it's not fixed the 3.2 security issue, i.e. the file hasn't been saved correctly.

    I really think we have been very lucky :)

    #14
    janbocw
    Junior Member
    RE: New Exploit??? 2007/12/02 04:14:26 (permalink)
    I reapplied hotfix 3.3. But I'm very sure that the other time it was applied successfully.

    So I'm still not sure that this was the problem. The idea that someone can get Hosting Controller admin access scares me. So I will not pay the price of risking it again.

    Likewise, I also turned off some features that could compromise the server.

    Another problem that HC should consider is NOT showing the email that it sends the pwd to. This email is left exposed to spammers.
    #15