x10Hosting may not be secure

Status
Not open for further replies.

chiragsangani

New Member
Today, when I looked at my file manager, I noticed a curious file named "uN.txt". Curious, because I don't recall putting it there. The last modified date is May 10, and I know I didn't do anything to my website on the 10th of May.

The contents of the file are:

whisvodown
it's for fun-not important.

You can check out the file here: http://www.chiragsangani.com/uN.txt

A search on whisvodown revealed a number of zone-h entries on websites hacked by whisvodown. Clearly, someone broke into my account.

Now, did they figure out my password? Very unlikely, since my password is a random string of lower- and upper-case characters, numbers and special characters. Maybe they got it from another website they hacked into which shares the same password (not many). I think this is unlikely, since it requires the hacker to specifically focus on me, which is not what this looks like. I think someone found a vulnerability in your web hosting stack and exploited it en masse.

I tried searching for a list of recent login events to my account on cPanel. There wasn't anything there. This was disappointing - you should be providing a list of recent login attempts and events.

I'm highly concerned about this, and would like to receive information on how this was possible, a log of login events for my account with IP addresses and time stamps, and what steps you are going to take to fix it (including a list of vulnerabilities you found).

I look forward to your response.

Chirag
 

Ohso

Member
Prime Account
Maybe the files you uploaded from your computer were already infected.
 

chiragsangani

New Member
@Ohso: That's an interesting thought, but let's consider the facts:
1. I always maintain a secure, clean workstation. This is more of a subjective matter, but take my word on it.
2. I uploaded my website a year ago. The "incident" happened 20 days ago. Why would a "virus" wait so long, and eventually just create a harmless little text file? I checked - nothing else in my account has changed.
3. Come to think of it, how would a virus even work? I run a Windows workstation. The servers run Linux. I don't know of any viruses that run on both Windows and Linux. Again, think about this: for a virus to infect, it needs to be executed. All I uploaded were ASCII files containing HTML, JavaScript, PHP and CSS. All these files are processed by the HTTP server. For an infection to occur, someone would have to modify my PHP files to exploit a vulnerability in the PHP module of Apache HTTP - this exploit would be a fairly large piece of PHP code that I would have certainly noticed lying around in my files - I should know, I've written exploit code in my own time.

So, in conclusion, no - this couldn't have been the work of a virus. I'm still waiting on a response from x10Hosting.
 

Livewire

Abuse Compliance Officer
Staff member
After investigating this thoroughly with senior staff, I can confirm the account was compromised; there's a Wordpress install under backup/prototype that has the same password as your cPanel password, leaving the account wide open as soon as any hackers/unsavory folks discovered it. This is due in large part to it being on version 3.4.1, which is nearly two years and innumerable zero-day exploits out of date.

Given the age of the Wordpress install on the account there's no telling how long the password was compromised; some "script-kiddie" hackers just run bots that prowl the net looking for exploits, and part of that can include trying random directory names like backup, prototype, etc., which may explain how they got to the install on the account.

What we know for sure is that, after one "failed" attempt in the logs, they were instantly able to get into cPanel. This indicates the use of a zero-day exploit for Wordpress that revealed the database password or the contents of wp-config.php, which they then tested against cPanel and discovered it worked. The wp-config.php file was also set to read, write, and execute to world (777). I'm surprised they weren't more malicious with it, but some hackers are more in it for the challenge I guess.

With this, I would immediately recommend removing the install from the backup folder (it's a backup, it doesn't need to be stored on the account anyway since that would violate the Terms of Service) to prevent it from being a source for future compromises. It's also a good idea to not use the same password in multiple places, even on the same account, for cases just like this.


As a side note on your #3, some viruses watch for the FTP connection from your system to the destination, and insert the malicious code during upload; this modifies the code without exploiting any known or unknown vulnerabilities within the FTP client or within the server itself, since it modifies the file in transit (think man-in-the-middle). That's not what happened here as was explained above, but we've seen users with compromised home systems have their files modified during upload in this fashion before. It's rare, but not unheard of.
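The staff reply above names three conditions a site owner can check for themselves: a WordPress copy parked under a backup-style directory, a WordPress version that is years out of date, and a wp-config.php that is readable and writable by everyone (mode 777). The script below is an added example, not something posted in this thread or part of x10Hosting's tooling; it walks a directory tree and prints one FINDING line per condition. The directory names it treats as "backup-style", the version threshold MIN_WP_VERSION, and the sample tree it builds for the demonstration are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a hosting account's file tree for the
# conditions the staff reply describes. Directory names, the version threshold and
# the sample files are constructed for the demonstration.

# Version you consider current for the audit (constructed threshold, adjust to taste).
MIN_WP_VERSION="3.9"

# ver_lt A B: succeed when dotted numeric version A sorts before B.
ver_lt() {
  [ "$1" != "$2" ] &&
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Octal file mode: GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print one FINDING line per problem found under the tree rooted at $1.
audit_webroot() {
  root="$1"

  # 1. wp-config.php holds the database password; only the owner should read it.
  find "$root" -type f -name wp-config.php | while IFS= read -r cfg; do
    m=$(mode_of "$cfg")
    case "$m" in
      600|400|640) ;;   # owner-only (640 when the web server group needs read access)
      *) echo "FINDING: $cfg mode $m, expected 600/640/400" ;;
    esac
  done

  # 2. Every WordPress install announces its version in wp-includes/version.php.
  find "$root" -type f -path '*/wp-includes/version.php' | while IFS= read -r vf; do
    install=$(dirname "$(dirname "$vf")")
    ver=$(sed -n "s/.*[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$vf")
    if [ -n "$ver" ] && ver_lt "$ver" "$MIN_WP_VERSION"; then
      echo "FINDING: $install runs WordPress $ver, older than $MIN_WP_VERSION"
    fi
    # 3. Installs under backup/old/prototype-style paths are rarely maintained.
    case "${install#"$root"/}" in
      *backup*|*prototype*|*old*|*bak*|*_copy*)
        echo "FINDING: $install is a WordPress install under a backup-style path" ;;
    esac
  done
}

# Number of FINDING lines for a tree (0 means clean).
count_findings() { audit_webroot "$1" | grep -c '^FINDING'; }

# Constructed sample tree reproducing the situation described in the thread.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/public_html" "$root/backup/prototype/wp-includes"
  printf '<html>ok</html>\n' > "$root/public_html/index.html"
  printf '%s\n' '<?php' "\$wp_version = '3.4.1';" > "$root/backup/prototype/wp-includes/version.php"
  printf '%s\n' '<?php' "define('DB_PASSWORD', 'constructed-sample');" > "$root/backup/prototype/wp-config.php"
  chmod 777 "$root/backup/prototype/wp-config.php"
}

demo() {
  root=$(mktemp -d)
  make_sample_tree "$root"
  audit_webroot "$root"
  echo "Total findings: $(count_findings "$root")"
  rm -rf "$root"
}
demo
```

Run it against the account's home directory (for example `audit_webroot ~/`) after removing the `demo` call, or source the file and call the functions directly. The mode check accepts 640 as well as 600/400 because some hosts run PHP under a separate group that needs read access; on a shared host where PHP runs as your own user, 600 is the tighter choice. Password reuse between wp-config.php and cPanel, the other problem the reply points out, cannot be detected from the file system and has to be checked by hand.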
 
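The side note describes files being altered between the local machine and the server while they are uploaded. The only reliable way to notice that is to compare what left the workstation with what arrived. The script below is an added example, not something posted in this thread: it writes a SHA-256 manifest of a local tree, does the same for the uploaded copy (here a second local directory standing in for the server-side tree, a constructed assumption), and lists every file whose hash differs or that exists on only one side. File names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): detect in-transit tampering by hashing
# files before upload and re-hashing the copies that actually landed. Both trees
# here are local directories; in practice the second manifest would be produced
# on the server (for instance via an SSH session) and copied back for comparison.

# Portable SHA-256 (GNU coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write "hash<TAB>relative-path" for every regular file under $1, sorted by path.
make_manifest() {
  dir="$1"
  ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(sha256_of "$f")" "${f#./}"
    done )
}

# Compare the pre-upload tree ($1) with the tree that was actually uploaded ($2).
# Prints each path whose content changed or that is present on only one side.
compare_trees() {
  local_dir="$1"; remote_dir="$2"
  lm=$(mktemp); rm_=$(mktemp)
  make_manifest "$local_dir" > "$lm"
  make_manifest "$remote_dir" > "$rm_"
  # A line appearing in exactly one manifest is a changed, missing or extra file.
  sort "$lm" "$rm_" | uniq -u | cut -f2 | sort -u
  rm -f "$lm" "$rm_"
}

# Number of differing paths (0 means the upload arrived intact).
count_diffs() { compare_trees "$1" "$2" | grep -c .; }

# Constructed demo: the uploaded copy of index.php gained an extra line in transit.
demo() {
  base=$(mktemp -d)
  mkdir -p "$base/local" "$base/remote"
  printf '<?php echo "hello";\n' > "$base/local/index.php"
  printf 'body { color: #333; }\n' > "$base/local/style.css"
  cp "$base/local/style.css" "$base/remote/style.css"
  printf '<?php echo "hello";\n/* extra line simulating tampering (constructed) */\n' > "$base/remote/index.php"
  echo "Files that differ between local and uploaded copies:"
  compare_trees "$base/local" "$base/remote"
  rm -rf "$base"
}
demo
```

Because the manifest is produced from the local files before the FTP session starts, a client-side implant that rewrites data on the wire cannot make the two manifests agree; the mismatch shows up on the first comparison after upload.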

chiragsangani

New Member
Wow.

Thank you very much for your response. This would be the first time any system I've operated has been compromised, and all thanks to Wordpress.

As per your suggestions, I've removed the backups and all Wordpress instances.

Before I change my password, I'm curious to know - how did you know the database password was the same as my account password? Did you try logging in, or is the password stored in your database - either in the clear or encrypted, but still retrievable?

Once again, thank you very much.

Chirag
 

Livewire

Abuse Compliance Officer
Staff member
I didn't actually test it; the staff member who was helping me dig into this attempted it and was granted entry. The password itself is stored in an encrypted format so we can't actually get the unencrypted version under normal circumstances if we wanted to (we instead use our master logins whenever we need to check something, to ensure accounts remain secure).
 