unixfool.com

Feature Price Webhost Server Hacked




http://www.featureprice.com got hacked!

Yesterday evening I went to http://www.wigglit.com to check my webpage statistics and toward the bottom it usually has the account usernames that have logged in during the month. I've no other accounts set up, only myself, but I saw a username listed. His/her name was EvilJoe. It even showed that he either uploaded or downloaded a file. The statistics keep a tally of how many times a particular user logs in. He/she had only logged in once.

Below is how it looked:

Top 2 of 2 Total Usernames

 #   Hits          Files         KBytes        Visits        Username
 1   28    0.09%   16    0.06%   398   0.04%   2     0.07%   XXX
 2   1     0.00%   1     0.00%   20    0.00%   1     0.03%   EvilJoe

I was worried so I logged into my FTP account and saw something else in the login greet message:

i Control connection successfully established.
< 220 unix65.hosting-network.com NcFTPd Server (licensed copy) ready.
i Time zone of server could not be determined.
> USER XXX
< 331 User XXX okay, need password.
> PASS 
< 230-You are user #1 of 45 simultaneous users allowed.
< 230-
< 230 Restricted user logged in.
> SYST
< 215 UNIX Type: L8
> PWD
< 257 "/" is cwd.
> PASV
< 227 Entering Passive Mode (64,38,102,220,205,5)
i Data connection 4E7A48 connected.
> LIST
< 150 Data connection accepted from 68.98.166.66:3145; transfer starting.
< dr-xr-xr-x   2 root     apache         512 Jul 16  2002 bin
< drwxr-xr-x   2 XXX      pleskcln       512 Jan 31  2001 cgi-bin
< drwxr-xr-x   2 root     wheel          512 Oct 29 05:10 conf
< drwxr-xr-x  15 XXX       pleskcln      2048 Mar 11 14:32 httpdocs
< drwxr-xr-x   2 apache   apache         512 Jul 16  2002 logs
< drwxr-xr-x   2 apache   apache         512 Mar  3 00:44 pd
< drwxr-xr-x   2 apache   apache         512 Nov 13 01:53 web_users
i Data connection 4E7A48 closed normally.
< 226 Listing completed.

I homed in immediately on the '230 Restricted user logged in.' part. I checked all the directories several times to see if any files were out of the ordinary. I didn't see any files that shouldn't be there and I didn't notice any files that shouldn't have been there. If I'd had a shell account, I may have been able to do a more thorough analysis, but my hands were tied, as they do not offer shells at http://www.featureprice.com.

I copied and pasted everything you see here and put it in an email to my webhost's NOC (Network Operations Center). Since I emailed them from my workplace, if they read the email signature, they knew I was a network intrusion analyst. It's my job to pick up on things of this nature, although any idiot could have done the same. I've yet to receive an email back from the NOC. Now, if you were running a NOC, wouldn't it be in your best interest to respond to any email that stated that your network has been exploited and that there's an unauthorized person inside doing God knows what? Shortly after I sent the email, I noticed that my webpage was down. I don't know if they removed that particular host from the network or if the malicious person did something to disable the host or network.

Analyst Notes:
Since I only have my own user account, EvilJoe couldn't have gotten ahold of my user password, otherwise he wouldn't have shown up as EvilJoe...he/she would have shown up as me and I would have never known that the server had been '0wn3d'. He had to have used someone else's account. He/she also could have gotten into the network by taking advantage of the multitude of vulnerabilities in web-based software. Whatever he/she did to get into the system, once he/she got into the system, he/she created the 'EvilJoe' user account, although doing that was dumb and left the culprit very exposed. In this case, the culprit seemed inexperienced (script kiddie).
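The check the stats table made by eye, as an added example that is not part of the original post: parse a Webalizer-style "Total Usernames" table (whether one row per line or flattened onto a single line, as it appears above) and report every account name that is not on the site owner's own allowlist. The sample table is constructed to mirror the one shown above.

```python
"""Flag unexpected account names in a Webalizer-style 'Total Usernames' table."""
import re
from dataclasses import dataclass

# One row is: rank, then four (count, percent) pairs for Hits/Files/KBytes/Visits,
# then the username. No line anchors, so a flattened table still parses.
ROW_RE = re.compile(
    r"\b(\d+)\s+"                 # rank
    r"(\d+)\s+[\d.]+%\s+"         # hits, hits%
    r"(\d+)\s+[\d.]+%\s+"         # files, files%
    r"(\d+)\s+[\d.]+%\s+"         # kbytes, kbytes%
    r"(\d+)\s+[\d.]+%\s+"         # visits, visits%
    r"(\S+)"                      # username
)


@dataclass(frozen=True)
class UserRow:
    rank: int
    hits: int
    files: int
    kbytes: int
    visits: int
    username: str


def parse_usernames_table(text: str) -> list[UserRow]:
    """Return every data row found in the table text; title/header lines are skipped."""
    return [
        UserRow(int(m[1]), int(m[2]), int(m[3]), int(m[4]), int(m[5]), m[6])
        for m in ROW_RE.finditer(text)
    ]


def unexpected_users(rows: list[UserRow], allowlist: set[str]) -> list[UserRow]:
    """Rows whose username is not an account the site owner knows about."""
    return [r for r in rows if r.username not in allowlist]


# Constructed sample in the flattened form shown in the post; XXX stands for the owner.
SAMPLE = (
    "Top 2 of 2 Total Usernames\n"
    "# Hits Files KBytes Visits Username "
    "1 28 0.09% 16 0.06% 398 0.04% 2 0.07% XXX "
    "2 1 0.00% 1 0.00% 20 0.00% 1 0.03% EvilJoe\n"
)

if __name__ == "__main__":
    for r in unexpected_users(parse_usernames_table(SAMPLE), {"XXX"}):
        print(f"unexpected account {r.username!r}: {r.hits} hit(s), "
              f"{r.files} file transfer(s), {r.visits} visit(s)")
```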

I've stated before that I was going to get rid of http://www.featureprice.com as a webhost. They've been bought out, from what I can see on their webpages. I knew something like this had happened, as the once professional attitude of the Helpdesk associates had gone downhill. Their responses to my problems were now unsatisfactory. I've now completed my backup of everything that was once there. All I have to do now is set up my JTAN mail account the way I like it and be able to receive mail from that account using Kmail or Sylpheed. Once I establish a regular user mail account (instead of wigglit@jtan.com / wigglit@unixfool.com), I'll start pulling mail from there, change all my mailing list subscriptions to the new email address, inform friends and acquaintances of the new email address, then cancel my subscription to http://www.featureprice.com.

I'll post anything that comes from the NOC here, when and IF they ever respond to my email.

UPDATE -

05/07/2003 - Checked http://www.featureprice.com/support.php and saw this:

Featureprice.com Update April 24th 2003

Featureprice has started arrangements for our new call center. This call center will feature new improved call times and responses times to your inquiry to Featureprice Technical Assistance and Customer Service. This new call center should be online and operational within the next few days. We thank you for your patience while we finalize our floor plans and phone systems to accommodate your call volume. With a new "ease-of-use" for management of your Domain Name(s).

Featureprice Technical Support Helpdesk will resume shortly, this was interrupted for migration and for implementation of our new phone systems. The helpdesk will resume shortly as well. Featureprice had also experienced "defacing" of our website by entities that wished to make an impression, similar to those defacing other very popular web sites.

Featureprice has always, since the inception of the name, found that there were many features for the right price; however, from time to time, as in any company that has unsurpassed excellence in services and prices and as a result increases volume 110% year after year, we must restructure and reorganize to accommodate our success as being one of the largest and strongest providers in Web hosting.

Clients of Featureprice will greatly be impressed by and encouraged by our new call center efficiency and technical support employees. Featureprice is not and has not "gone out of business," we're simply getting better and more comfortable for the years to come in offering the Featureprice value of hosting to-date.

I guess the part about their defacement is what got my attention. It seems I was correct. I don't know if I had helped or if they were already working on the problem when I emailed them. Still, it would have been nice for them to give me an update or acknowledgement that they'd received my email.

Also, I've not been able to receive any of my hosted email in 10 days! I'm about cut off from the world and I usually get like 200 emails in a day. I guess when the problem is fixed, I'll be downloading like 2000 emails.



Copyright © 2003,2004 Ron Sinclair
Revised: 14 January 2004
URL: http://www.unixfool.com

This site is hosted by http://www.jtan.com