Server Hacked [Resolved]

pattycake22 (@pattycake22)


    My server at knownhost was just hacked – I have three WordPress sites, all protected by Wordfence, and several php/mysql and Xenforo forum sites on that server.

    Instead of one or more sites getting hacked, they actually installed a new installation of Ubuntu on the server. Knownhost tells me that they don’t support Ubuntu. By installing a new Ubuntu OS on the server, this essentially erased all content from the server including all web sites, FTP, email, cPanel accounts, etc. Knownhost suggests that it might have come through their billing portal, where one can re-provision a server.

    The WHM, SSH, and cPanel passwords were heavily encrypted – passwords something like “lzCZCv(lZ5gBtjw25r&iAuAOh0q”

    What access would they have needed to completely wipe a server and then install a new OS? My OS “was” CentOS before it was wiped and replaced with Ubuntu.

    I don’t think it could have been done through any of the websites on that server, and I don’t think a new OS can be installed via cPanel. Am I wrong?

    I am thinking that it had to come via WHM or SSH. Your thoughts?


Viewing 8 replies - 1 through 8 (of 8 total)
    Interesting case. Following. Only one question: if your server was hacked, how is it possible that your website is working just fine for us? Are there any “ads” or “links” that we shouldn’t click?

    Thread Starter pattycake22

    (@pattycake22)

    It was restored. The hack came from an Indonesian IP that came through the billing portal and re-provisioned the server.

    Can you share the Indonesian IP? Perhaps Team Wordfence can tell us something about it and adopt proper measures to block it – if appropriate.

    Thread Starter pattycake22

    (@pattycake22)

    They won’t tell me… it took forever to get them to admit that it came through the billing portal – they wouldn’t provide any logs that I could look at. I think it was a wake-up call to their security that it happened.

    Thread Starter pattycake22

    (@pattycake22)

    Update – they caved and gave me the IP address:

    The Indonesian IP that accessed your KH account via the portal was this:

    103.108.33.113

    Plugin Support wfpeter

    (@wfpeter)

    Hi @pattycake22, thanks for your question.

    You would need much higher administrative, possibly root access to your web server to install an entirely different operating system. In fact, I would suspect on first glance that it’s more likely a mistake from the host’s end rather than malicious – but they’ve given you an IP, so that suspicion could be wrong. I’m glad they’ve been able to restore your site from backup.

    Wordfence is an endpoint firewall that runs after PHP loads, but when optimized, before WordPress loads. This means that it can’t stop IPs from physically making requests to your site but it can stop them from being served any content. Wordfence wouldn’t be involved in the process if they were accessing the server or database directly rather than a browser request for your URL, when PHP would run. According to their documentation, cPanel does not support in-place operating system upgrades.

    Hopefully your host has changed server passwords and reviewed the security measures at their end, but any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database just in case. Make sure to do this too.

    Thanks,
    Peter.
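    To make the scope Peter describes concrete: in its optimized (“extended protection”) mode Wordfence is loaded through PHP’s auto_prepend_file directive, so the firewall only ever sees requests that reach a PHP worker. The fragment below is an added illustration, not taken from this thread or from the plugin’s own files; the account name and document root are assumed placeholders.

```ini
; .user.ini in the site's document root (CGI/FastCGI PHP; mod_php uses the
; equivalent php_value in .htaccess). Path is an assumed example.
; Every PHP request is routed through the Wordfence WAF before WordPress
; (or any other PHP application) is loaded.
; Wordfence WAF
auto_prepend_file = '/home/example/public_html/wordfence-waf.php'
; END Wordfence WAF
```

    Anything that does not pass through PHP on this server, such as SSH, WHM, a direct database connection, or a re-provision triggered from the host’s billing portal, never executes this prepend and is therefore invisible to the plugin, which is why the portal access in this thread could not have been blocked or logged by Wordfence.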

    Hey @wfpeter,

    Great info, thanks.

    Hey @pattycake22,

    I would also like to recommend changing your WP database (i.e., table) prefix.

    Cheers

    Plugin Support wfpeter

    (@wfpeter)

    Thanks @generosus, I’ll leave this topic open for now in case @pattycake22 has any further information, or needs to see your follow-up there.

The topic ‘Server Hacked’ is closed to new replies.