smartcar 70.87.62.162

***GatorBrent*** · #1 05-28-2006, 10:12 AM

It appears that a few hours ago a good portion of the accounts on the smartcar server had their data deleted.

public_html folder, mail, and more. About the only thing left is the cpanel user files.

We have been investigating with our full efforts and have concluded the following...........

1. Some type of exploit was ran on the server.
2. The box was not rooted
3. At about the time it happened there was a jump in traffic from the internet to it.
4. There is no trend to why some accounts were not affected and others were

The server was completely up-to-date on everything accept cpanel since versions change practically everyday. The box even had phpsuex running on it.

We strongly believe this was a cpanel exploit. Smartcar was the only box we had running 10.8.0
There is also somebody else who posted in the cpanel forums saying he was hit with a cpanel exploit that sounds just like the way we were at about the same time. I'm currently trying to get in touch with him for more information.

We are in the process of restoring everyone from backups. The backups will be from the 27th at about 4 am. This is an automated process that should take a good portion of the day to complete if not all of it.

***GatorBrent*** · #2 05-28-2006, 11:53 AM

the restore has completed. If anyone is having any problems please let me know.

***GatorBrent*** · #3 05-30-2006, 02:09 AM

We were able to figure out what happened to this server. A reseller on the server had us restore an account with malicious commands in it that performed the deletion of everyone's site when we performed the restore.

We've never seen this before!!!

glassk9s · #4 05-30-2006, 02:07 PM

I certainly hope this "reseller" is a FORMER reseller?

As in GONE? As in terminated?

***GatorBrent*** · #5 06-01-2006, 08:57 AM

Yes he is although I'm not even sure if it was intentional.