Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.


Network / Server Status Please check often for network / Server updates here!

  #1  
Old 08-17-2005, 11:29 AM
admin admin is offline
Vortech Inc. Owner
Owner
 
Location: Orlando FL
NT33 Possible Hack Attempt!!

We will be rebooting NT33 due to an attack on the system within the next 10 to 15 min to fix some issues.

We will be sending out an email to all customers once this has been fully done. We will ask all resellers to notify their customers to change their FTP and SQL passwords at that time to be 100% safe. Please change your password at this time or ASAP if you are on NT33.

The issue seems to have come from a Microsoft hole in the OS that has now been fixed and patched after calling Microsoft about this issue. We have also applied this patch to all Windows 2000 boxes.

We are also making a few changes that should also help prevent this from happening again, e.g. using Patch Quest ( http://www.securecentral.com/products/patchquest/ ) and Anti Virus software on all the systems to help keep you and them a bit safer.


We are also looking into better firewalling the network. The issue there is passive FTP; we are going to talk about this today in our meeting to see if we can't find a workaround for this today. This will help a lot if we can find a way to do this today.

Thank you, and we are very sorry about the issue and are doing everything we can, like I said, to make our systems 100% safe.
__________________
Brad Pugh
http://www.vortechhosting.com
------

Local System/Network Monitor
http://nagios.hsphere.cc/
Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------

My Other Life:

Last edited by admin : 08-17-2005 at 02:56 PM.
  #2  
Old 08-17-2005, 01:41 PM
dpyers dpyers is online now
Vortech Inc. Customer
Vortech Inc. Customer
 
Quote:
Originally Posted by admin
We are also making a few changes that should also help prevent this from happening again, e.g. using ... and Anti Virus software on all the systems to help keep you and them a bit safer.
Would the AV be for user-initiated FTP?
  #3  
Old 08-17-2005, 02:09 PM
admin admin is offline
Vortech Inc. Owner
Owner
 
Location: Orlando FL
No, this is more or less to scan the boxes to keep them from getting a virus or hack attempt.

It will scan the files in your FTP to be sure there is no virus in there and remove it if there is. But it will not be checking that in real time.
  #4  
Old 08-17-2005, 02:26 PM
drobee drobee is offline
Vortech Inc. Customer
Vortech Inc. Customer
 
Location: washington, dc
Easiest way to determine which users are on NT33

What's the easiest way to determine which users are on NT33?
  #5  
Old 08-17-2005, 02:41 PM
soky soky is offline
Don't touch the hair!
Vortech Inc. Customer
 
Location: Southern Kentucky (SoKy)
never mind
__________________
David Francis
Soky.net, llc http://www.SoKy.net
Soky Happenings Magazine http://www.SokyHappenings.com


Last edited by soky : 08-17-2005 at 02:51 PM.
  #6  
Old 08-17-2005, 02:48 PM
generic generic is offline
guess who.. :)
Vortech Inc. Customer
 
Location: chicago
Was just trying to figure that out myself... got to be an easy way.
__________________
goodbye idevaffiliate, you can kiss my @$* with your poor support and broken script, I am now using post affiliate pro 3
  #7  
Old 08-17-2005, 02:50 PM
soky soky is offline
Don't touch the hair!
Vortech Inc. Customer
 
Location: Southern Kentucky (SoKy)
I was able to find mine quickly enough by...

1) Opening admin account
2) Searching for all accounts
3) Logging on to each account in the list
4) Clicking the file manager in the quick access page
5) Read the address bar and it will show the box (http://nt38.domain.com......)

It was quick enough since Vortech keeps their servers so clean and the HSphere control panel is so responsive. (whew)

I'm a Windows only reseller so I don't know about Unix garba... eh... stuff. (Laughing... don't kill me.)
  #8  
Old 08-17-2005, 02:55 PM
admin admin is offline
Vortech Inc. Owner
Owner
 
Location: Orlando FL
Quote:
Originally Posted by soky
I was able to find mine quickly enough by...

1) Opening admin account
2) Searching for all accounts
3) Logging on to each account in the list
4) Clicking the file manager in the quick access page
5) Read the address bar and it will show the box (http://nt38.domain.com......)

It was quick enough since Vortech keeps their servers so clean and the HSphere control panel is so responsive. (whew)

I'm a Windows only reseller so I don't know about Unix garba... eh... stuff. (Laughing... don't kill me.)


Soky, there is an easier way to do this.

1) Opening admin account
2) Searching for all accounts
3) Click the account ID number.


We have a way on our side to search for users on servers but it just lists all the users. We can't cut it down to just a reseller or I would offer to do that to make it easier.

It is safe to now change all passwords and please do this ASAP.
  #9  
Old 08-17-2005, 02:58 PM
admin admin is offline
Vortech Inc. Owner
Owner
 
Location: Orlando FL
The new firewall rules are also now in place. If you have any issues please let us know.

We are also updating our rules for Snort as well, so we will be watching ports 1024 and up very closely for things that should not be there now.
  #10  
Old 08-17-2005, 03:00 PM
soky soky is offline
Don't touch the hair!
Vortech Inc. Customer
 
Location: Southern Kentucky (SoKy)
Quote:
Originally Posted by admin
Soky, there is an easier way to do this.

1) Opening admin account
2) Searching for all accounts
3) Click the account ID number.



Oh... yeah... that's slick. Thanks.
  #11  
Old 08-17-2005, 03:10 PM
glebreck glebreck is offline
Vortech Inc. Customer
Vortech Inc. Customer
 
I am having problems with using passive FTP on NT39 as well as NT9. Is this the same issue?
  #12  
Old 08-17-2005, 04:01 PM
Brangwyn Brangwyn is offline
T3CHN0 STUD
Vortech Inc. Customer
 
Location: New Zealand (Wellington)
True hack attempt? Or just Zotob, which started doing the rounds yesterday?
  #13  
Old 08-17-2005, 04:44 PM
devorem devorem is offline
"right to lifer"
Vortech Inc. Customer
 
Location: Cow Country, USA
I couldn't tell you for sure if it was related or not, but one of my clients (on NT33) had their index.htm file replaced over the weekend with one that featured some gruesome pictures of mutilated children and it said:

YOU ARE CAUSE OF ALL THAT HAPPENED

FOR IRAQ,

FOR AFGHANISTAN,

FOR PALESTINE,

FOR ALL COUNTRIES UNDER SIEGE LIKE ABOVE.

TO BE CONTINUED...

HACKED BY Cool_Baby & sanaleskiya

TURKISH HACKERS

I was able to replace the file with a copy from Google cache. Apparently, my client didn't catch it in time and the hacked copy had already been backed up so Vortech wasn't able to restore it. I bought a copy of "Site Shelter" to back up my client's sites as a result of all of this.
  #14  
Old 08-17-2005, 04:55 PM
Jim Nayzium Jim Nayzium is offline
Vortech Inc. Customer
Vortech Inc. Customer
 
If I am on NS1 - NS4 only, then I have no worries and don't need to change my passwords, correct??

NT shows up nowhere on my ID listings....
  #15  
Old 08-17-2005, 05:00 PM
devorem devorem is offline
"right to lifer"
Vortech Inc. Customer
 
Location: Cow Country, USA
Those are your name servers/DNS servers. That is not what we're talking about. You need to check to see what web server your sites and the sites of your customers are on.
All times are GMT -5.