Virus' / Redirects / Sites not Working - Read Me

[AnaB]

First thanks to the hostgator team. Everything seems to be working finally for all my sites. (Now, I have the task of informing my visitors and all that...)
Second those *-holes should be tortured to death.

Quote:

Originally Posted by wwobn

Perhaps a good old lynching is in order?

Make sure that you all thank HG Techs when they're done. They've all just worked a million hours for you.

I don't see how that is true, given that just yesterday, 2 of 3 support staff that I spoke with live had no idea a problem existed. When I said I was going to change hosts, his response was "that is your choice".

Maybe just a lack of communication, but I trust they are working hard now to get this under control. I got email after email telling me the issue was resolved, then other emails telling me it was a "bad cpanel upgrade". No one seemed to know. Yesterday (Thursday) was basically a day lost in terms of revenue, but I realize there is someone out there who did this to all of us, and finding them should be a priority.

I really appreciate Brent's update.

[dutchnewz]

Quote:

Originally Posted by AnaB

First thanks to the hostgator team. Everything seems to be working finally for all my sites. (Now, I have the task of informing my visitors and all that...)
Second those *-holes should be tortured to death.

Don't count ur chickens b4 they're hatched AnaB...Yesterday it seemed all was fine and then it came back! again, and again, and again.............

I'm gonna wait until we get official confirmation from the tech's that all is sorted b4 I expose my users to any risk of trojans and such

[wwobn]

Quote:

Originally Posted by crobb305

I don't see how that is true, given that just yesterday, 2 of 3 support staff that I spoke with live had no idea a problem existed. When I said I was going to change hosts, his response was "that is your choice".

Maybe just a lack of communication, but I trust they are working hard now to get this under control. I got email after email telling me the issue was resolved, then other emails telling me it was a "bad cpanel upgrade". No one seemed to know. Yesterday (Thursday) was basically a day lost in terms of revenue, but I realize there is someone out there who did this to all of us, and finding them should be a priority.

I really appreciate Brent's update.

No one knew what the exact problem was until just a few hours ago. Again you're taking multiple issues from multiple clients and trying to diagnose what the exact cause is, it's very hard to do.

Now that the threat has been identified everyone is on the same page.

I can tell you this is unlike anything I've ever seen before and I'm putting my money that you will see this exploit EVERYWHERE over the next few days.

I honest believe HG was 0-Day.

Again, you can be thankful for the HG Engineers for working so hard to diagnose the situation and reaching out for external help. That in itself says a LOT about the company.

I may have stumbled onto a portion of the embedded pop up virii Trojan.

\Application Data\Microsoft\Excel
Excel1.xlb
File seems to contain a number of websites for the pop ups.
Anyone else?

It was created at the same time we became inundated with pop ups.

F**n BA**ds

[tomowa]

Thank you Brad, for stepping in with your help

To all those, in the previous threads (since deleted), that threatend to jump ship to a different host, what is to say they won't be the next target?

Am I right in understanding, that while to 'exploit' originated from HG servers being hacked, it was flaw in IE that allowed it to execute?
I have had FF installed here, maybe this will finally push me into using it.

I hope we hear what the final report is, when all the dust has settled.

Tom

At what point in time did HostGator start serving corrupt data?

I didn't hear of this problem until 19:00 22 Sep or so when I happened to visit my webpage with IE, and it crashed, and then I noticed malicious data.

I'm not surprised that there is some new exploit in the world, but how/when did HostGator get hacked?

?

[wwobn]

There is another major host that has confirmed the same threat. I'd say its a safe bet to expect to see more over the next few hours / days.

This is a very amazing exploit. I bet it's been under works for months!

I'm glad it started here at HG, at least we're way ahead of the game.

[dutchnewz]

Quote:

Originally Posted by wwobn

No one knew what the exact problem was until just a few hours ago. Again you're taking multiple issues from multiple clients and trying to diagnose what the exact cause is, it's very hard to do.

Sorry buddy but we all knew that this malicious code was trying to download trojans to all our visitors at 1500 BST yesterday...and they still kept saying .."oh it's a problem with a cpanel update...", and "Clear your cache and try again..."

If they'd have listened to our complaints and alerted the tech guys sooner, maybe now our sites would be live again now!

It was because of this arrogance that I went to another host and was in the middle of signing up with them when a problem occurred with my credit card...

BUT...seeing as they are now being honest about the fact that their servers have been compromised, I'll give them the benefit of the doubt and stick with them, 'cos this could happen to any webhost I assume?

[dutchnewz]

Another thing? is it possible that the hackers could have had access to our config files etc? Then they would know all our passwords to attack our sites at a later date?

[newhall]

Here's a little more information on this. I reported this problem to HG back on 8/14/2006!! I even talked to the Tech Support folks and told them about the Trojans and the exploits and PHP being compromised. They were able to fix the problem (explained as a cpanel fix) but it happened again 5 days later on 8/19/2006 and then again on 9/4/2006. Each time HG Support "fixed" this, but the problem came back, this time with a vengeance.

[GatorBrent]

Ok heres some info for everyone.


We've contacted a few other hosting companies to check their servers for this. We are not alone! We've confirmed one company has most of their boxes "hacked" with the same files we have. They're hosting a few 100,000's accounts and told us they are just now starting to get some reports about the virus.


We're also aware of another company with close to 80 boxes affected. The more we investigate the bigger it's getting.

[L146705]

I just want you to sort this problem out and also honour your 99.9% uptime gurantee. Also I want some sort of gurantee that this problem is defended against in the future. Are my passwords etc.. safe in the config files. keep up the hard work and lets get this solved

[dutchnewz]

If other hosts are having the same problem I suggest you tell them to disable all their hosted sites and put a holding page up explaining the situation...I would also alert tv stations and radio and internet news services to alert others to the fact so the damage can be minimized!!!!

Any one with half a brain can see that this one is 'the real deal', this could cause people no end of problems if measures aren't put in place to contain it!!!

[Kelmas]

Now that seems to be the worst nightmare in web hosting history.

GatorBrent, what is current situation on servers, are there anything suspicious found?

[GatorBrent]

Servers are fine right now we removed the exploited files. What were worried about is them coming back, and or possibly something worse happening. We don't see signs of the boxes being "rooted" but at the same time something is getting exploited.

[dutchnewz]

Quote:

Originally Posted by GatorBrent

Servers are fine right now we removed the exploited files. What were worried about is them coming back, and or possibly something worse happening. We don't see signs of the boxes being "rooted" but at the same time something is getting exploited.

Thanks very much for keeping us informed...Nice to see the owner getting his hands dirty, so to speak

[wwobn]

My guess it this has been under works for some time and we're just now seeing the Virus side of it.

FYI - We're reaching out to Symantec, Trend, and McAfee as we we speak.

[slam]

Man, I guess I switched hosts at the wrong time going from my old host to HostGator yesterday evening. I’m assuming the reason my old domain wasn't transferred by now is due to the problems as listed in this thread, but now it's been over 24 hours and my site is still down. I should have never pointed my DNS to my new HostGator sql database until everything was tested and working, but never thought problems like this would occur. About 4 hours ago my domain was finally transferred but came back corrupted, so I’m waiting once again for the transfer to happen.

One area that really worries me right now is e-mail support as I'm having to wait over 1 hour for each reply & on average it's been many hours between e-mails which has taken up the most of the time. Every time support has a new question, I expect major delays. The thing is, from what I've learned it looks like there’s staff which just specializes in domain transfers, so I'm not sure if they were even working on the virus problems with HostGator. Also, while waiting to hear back from support last night I contacted live chat and was told they are off work until 9 AM, which delayed me yet again.

I will try to give HostGator the benefit of the doubt due to the recent virus problems but as of right now I am extremely unsatisfied with tech support.

ps: As I type this message, I'm waiting for yet another E-Mail response which is going on another hour.

I was a "am gona jump ship" but like most of you, am staying since they have now given me a full picture of the issue in the forums, and have resolved (for the time being) the issues.

Sadly I doubt there would be a great deal I could do to help, but I have a few simple questions that I have not seen replies to yet.

1. Should we change all username password to accounts, including host account for cpanel?
2. Will there be protection in future for this type of event

As for moving, im staying.

Any suggestions for getting rid of the virus' from our systems?

All the scanners I use, say everything is clean but I get all these popups now.

-ticked-

[wwobn]

Quote:

Sadly I doubt there would be a great deal I could do to help, but I have a few simple questions that I have not seen replies to yet.

1. Should we change all username password to accounts, including host account for cpanel?
2. Will there be protection in future for this type of event

As for moving, im staying.

No, at this point no personal information was obtained; this was an exploit that just inserted code into your site. There is no need to change your login credentials unless you want to do it for peace of mind.

Yes, their will be future protection. As with all new attacks proper prevention and new security roles are put into place. I can honestly say that in 15 years I've never seen anything like this. So we'll all learn a great deal from this entire experience.

Quote:

Any suggestions for getting rid of the virus' from our systems?

Quote:

All the scanners I use, say everything is clean but I get all these pop ups now.

That all depends on which virus was installed on your system due to the exploit. Go here:http://www.trendmicro.com/hc_intro/default.asp and do a free scan and see what it turns up.

If you don't Antivirus suite then I suggest Symantec Antivirus 10.1 with Malware support.

If you don't already have Microsoft Windows Defender Beta 2 Installed I suggest you install it also. You can download it from here: http://www.microsoft.com/downloads/d...displaylang=en

There are hundreds of Spyware / Antivirus / Malware utilities out there to choose from so a good rule of thumb is to stick to the giants, they have the resources to keep up with the Jones if you know what I mean.

Quote:

I was a "am gona jump ship" but like most of you, am staying since they have now given me a full picture of the issue in the forums, and have resolved (for the time being) the issues.

For the rest of you who want to jump ship. Do it at your own risk. Personally I'd rather be on board the ship that has already experienced the issues and is taking active measures to beat it. But then again that's just me.

I'm going to get a few hours of shut eye. I'll check back with you all in the morning.

[dutchnewz]

So far so good for me...I'll give it a couple of hours more before I invite my users back tho...

[L146705]

http://news.netcraft.com/archives/20...e_exploit.html

theres a site at the bottom with a patch on.

[Boinng]

I was one of those ready to walk, and I still am. Hostgator's response to this whole situation has been almost criminally negligent right from the start - it's clear from some of the posts here that they've had plenty of warning about this, with the first instances occuring several days ago, and yet up till late yesterday evening - after hundreds of their hosted sites had been compromised and were actively spewing forth god knows what to how many people for hours - there was no official recognition that this was anything other than a minor hiccup in a Cpanel upgrade.

Every affected site and server should have been SHUT DOWN until the cause was understood and rectified (which means they should STILL be shut down even now) - instead, hundreds of Hostgator's customers are having to explain to hundreds more of their own clients and site users that, for almost a whole day, they were being exposed to malware. The fact that Hostgator kept their servers running in the full knowledge that they were infecting other net users with malware is completely unnacceptable in my opinion. They had their finger on the OFF button, and knowing that this situation was out of control they SHOULD have used it.

Instead, all we get is finger crossing, and hopes that it might be over now (without any explanation of what, if anything, anyone's changed), and entire threads detailing exactly what happened here are being deleted in an attempt for HG to save face. Perhaps they'll delete this post too, either way in a few days I'll be asking them to delete my account.