My web site has been hacked
03-29-2012, 06:14 PM
Post: #11
RE: My web site has been hacked
Brawdy14 Wrote:You have no doubt read the whole thread.

As a matter of course, yes.


Brawdy14 Wrote:Please demonstrate your expertise by providing a real life example of what you consider would have been a more appropriate 'Post Subject' in this particular instance.

Post Subject: Can I detect who hacked my account?

* Further reading below.


Brawdy14 Wrote:In that way, not only will I learn, but others reading here may do so too!

As slim as chances are, if it helps even just one person then it's probably worthwhile.


Brawdy14 Wrote:I very much look forward to reading your reply.

* Further reading: How To Ask Questions The Smart Way


Brawdy14 Wrote:TIA

np

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost
03-31-2012, 12:34 AM
Post: #12
RE: My web site has been hacked
(03-29-2012 06:14 PM)sXi Wrote:  Post Subject: Can I detect who hacked my account?

* Further reading below.

As slim as chances are, if it helps even just one person then it's probably worthwhile.

Hello again sXi

Thank you so much for responding as you did. I've now read at the helpful link you provided which led me on to this URL (which I have bookmarked!) http://en.tldp.org/HOWTO/Unix-and-Intern...als-HOWTO/ In time, I will read all of it!

I did, indeed open a ticket as was suggested earlier. In case anyone here is interested, this is the response received:-

Hello again!

We keep a record of when a domain is added and removed from the web
panel.

We also keep a history of what types of hosting have been added/removed
for a domain name.

The domain was added to your account on the 27th, which is confirmed with
this record:

TimeStamp: 2012-03-27 02:01:11
Action by: davbro88
Action: domain added
Reason:
Notes: domain ibuoy.co.uk (dh_id 1211187) added through webpanel.

Prior to this event, the domain would basically point to nowhere and not
resolve at all. A domain MUST be added to the web panel to at least
modify the DNS. So prior to parking, it looks like your domain name
simply was registered but was not viewable online since we the domain's
DNS records.

And the domain's http/hosting records show that the "parked" service
was recently updated at 2012-03-30 11:35:21 PST.

I'm not entirely sure what you saw previously, but I cannot really
troubleshoot nor diagnose what exactly happened if the issue is no longer
occurring.

Thanks!
Jen D


I have never posted anywhere as "davbro88"! Do you feel it worth me asking DH if they have any data regarding this persona? I don't wish to waste anyone's time but it would be nice to track down who actually did the dirty deed! ;-)

Have a grand day!
03-31-2012, 12:58 AM (This post was last modified: 03-31-2012 12:58 AM by sXi.)
Post: #13
RE: My web site has been hacked
The user davbro88 looks like a genuine DreamHost account name (format xxxxxx99).

If your DreamHost Account Name is not davbro66 and you have not added this user to your Account, then you need to get in touch with DreamHost again ASAP and explain to them that this account is not yours and should have no access to your Panel. Perhaps include a link to this thread so that they can understand more clearly the issue you are facing without having to wait hours between a back & forth via the ticketing system.

Let us know the outcome.

03-31-2012, 01:03 AM (This post was last modified: 03-31-2012 02:21 AM by bobocat.)
Post: #14
RE: My web site has been hacked
(03-31-2012 12:34 AM)Brawdy14 Wrote:  I have never posted anywhere as "davbro88"! Do you feel it worth me asking DH if they have any data regarding this persona? I don't wish to waste anyone's time but it would be nice to track down who actually did the dirty deed! ;-)

I'm not entirely sure what the dirty deed is considering your domain resolves to a holding page. But if you don't have any users named davebro88 in your account, then you should let DH know.
03-31-2012, 01:53 AM
Post: #15
RE: My web site has been hacked
While that's all true, he said an image or picture was put on display at the domain and this is his reason for following it up. If it was a case of inadvertently hosting the domain while poking around in Panel the only thing that would be displayed without any further user interaction is the default Welcome Page.

One scenario is that OP has been "hacked" via someone gaining his login credentials and going on a spite attack. Dreamhost should have IP logs of who logged into the account and if they are not the owner then they should pass whatever information they can to the account holder. While it's unlikely there would be any serious legal ramifications, if a culprit can be identified then a knock on the door by the plod or even a "lulz n00b" post in a forum might be enough to let the other party know that they probably shouldn't try that kinda stuff ever again because at the end of the day they're just proving themselves to be an absolute prat.

04-07-2012, 12:05 AM
Post: #16
RE: My web site has been hacked
Hello again!

My thanks to all who have helped me in this thread. I apologise for the delay in responding to the most recent posts by sXi and bobcat but real life caught up with me!

I have today written again to the DreamHost Customer Support Team referring them to this thread and asking them to check their records as you have recommended. I will, of course, advise you of the outcome.

May I take this opportunity to wish you a very Happy Easter.
04-11-2012, 02:45 AM
Post: #17
RE: My web site has been hacked
Hello folks! As promised, this is what DreamHost has advised me:

These are the IP addresses we have on record going into your panel from
the time around the incident February 26th through April 1st.

108.23.66.211
109.148.209.88
86.176.94.118
86.177.170.230

(Los Angeles or Orange County IP addresses may be irrelevant as those may
indicate us checking something in the panel on your behalf)

Here is a thorough log with date and time stamps, areas of the panel and
the "offending" IP Address.

2012-03-30 11:32:53 (domain/registration/none/none) 108.23.66.211
2012-03-30 10:40:12 (domain/registration/Index/none) 108.23.66.211
2012-03-30 10:40:10 (domain/registration/none/none) 108.23.66.211
2012-03-30 10:40:04 (domain/manage/none/none) 108.23.66.211
2012-03-30 10:40:01 (support/his/none/none) 108.23.66.211
2012-03-30 10:38:52 (support/his/none/none) 108.23.66.211
2012-03-30 10:38:48 (billing/accounts/none/none) 108.23.66.211
2012-03-30 10:38:45 (mail/auto/none/none) 108.23.66.211
2012-03-29 00:58:43 (domain/manage/none/none) 86.176.94.118
2012-03-28 12:59:00 (support/msg/Index/Submit) 109.148.209.88
2012-03-28 12:32:41 (support/msg/Index/Outage) 109.148.209.88
2012-03-28 12:32:33 (support/msg/none/none) 109.148.209.88
2012-03-28 12:32:11 (support/msg/none/none) 109.148.209.88
2012-03-28 12:24:33 (support/msg/none/none) 109.148.209.88
2012-03-27 04:04:15 (support/msg/Index/KillReport) 86.177.170.230
2012-03-27 04:03:35 (support/msg/none/none) 86.177.170.230
2012-03-27 04:01:40 (support/msg/Index/Outage) 86.177.170.230
2012-03-27 04:01:00 (support/msg/none/none) 86.177.170.230
2012-03-27 04:00:46 (domain/manage/none/none) 86.177.170.230
2012-03-27 02:25:54 (support/test/none/none) 86.177.170.230
2012-03-27 02:05:47 (support/test/none/none) 86.177.170.230
2012-03-27 02:05:37 (support/test/none/none) 86.177.170.230
2012-03-27 02:04:49 (domain/manage/none/none) 86.177.170.230
2012-03-27 02:01:28 (domain/manage/ShowAddhttp/AddHttp) 109.148.209.88
2012-03-27 02:00:21 (domain/manage/Index/ShowAddhttp) 109.148.209.88
2012-03-27 02:00:10 (domain/manage/none/none) 109.148.209.88
2012-03-27 01:59:53 (domain/manage/none/none) 109.148.209.88
2012-03-27 01:59:30 (home/over/none/none) 109.148.209.88
2012-03-27 01:59:18 (status/disk/none/none) 109.148.209.88
2012-03-27 01:58:50 (status/disk/none/none) 109.148.209.88
2012-03-27 01:58:28 (status/bw/none/none) 109.148.209.88
2012-03-27 01:57:37 (status/stats/none/none) 109.148.209.88
2012-03-27 01:56:18 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:55:02 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:54:31 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:53:48 (goodies/installer/Index/Finish) 109.148.209.88
2012-03-27 01:49:23 (goodies/installer/none/none) 109.148.209.88
2012-03-27 01:48:45 (home/over/none/none) 109.148.209.88
2012-03-26 14:41:34 (status/disk/none/none) 109.148.209.88
2012-03-26 14:41:08 (users/users/none/none) 109.148.209.88
2012-03-26 14:40:26 (home/over/none/none) 109.148.209.88
2012-03-26 14:39:00 (home/over/none/none) 109.148.209.88


Hopefully this helps you figure out the problem. If you like, I can add
an extra layer of security to your panel where all logins can only occur
from verified IP addresses. If an un-verified IP attempts to login, they
will have to submit a verification form that goes to the primary email
address on the account for verification.

Please let us know if there's anything else we can do for you!
___________________________________________________

A friend has helped me confirm the IP address data:-

> 108.23.66.211
IP: pool-108-23-66-211.lsanca.fios.verizon.net
Organization: Verizon Internet Services
ISP: Verizon Internet Services
City: Chino Hills
Country: United States State: California
Postal Code: 91709
Time-zone: America/Los_Angeles
Local Time: 09.04.2012 20:13:49
Latitude: 33.9473 Longitude: -117.7289
Ping-Date-Time:4-9-2022 9:59 PM GM:0600


> 109.148.209.88
IP: host109-148-209-88.range109-148.btcentralplus.com
Organization: British Telecommunications
ISP: British Telecommunications
City: Beaconsfield
Country: United Kingdom State: Buckinghamshire
Time-zone: Europe/London
Local Time: 10.04.2012 04:03:52
Latitude: 51.6000 Longitude: -0.6333
Ping-Date-Time:4-9-2022 9:59 PM GM:0600

> 86.176.94.118
IP: host86-176-94-118.range86-176.btcentralplus.com
Organization: British Telecommunications
ISP: British Telecommunications
City: London
Country: United Kingdom State: London, City of
Time-zone: Europe/London
Local Time: 10.04.2012 04:03:52
Latitude: 51.5142 Longitude: -0.0931
Ping-Date-Time:4-9-2022 9:59 PM GM:0600

> 86.177.170.230
IP: host86-177-170-230.range86-177.btcentralplus.com
Organization: British Telecommunications
ISP: British Telecommunications
City: Windsor
Country: United Kingdom State: Belfast
Time-zone: Europe/London
Local Time: 10.04.2012 04:07:26
Latitude: 54.5667 Longitude: -5.9500
Ping-Date-Time:4-9-2022 10:05 PM GM:0600

--

My ISP is British Telecom (BT) so if I understand matters correctly the 'attack' on my domain was probably carried out by someone in the USA using Verizon.

Is that correct? Is there any further action I can take? No doubt the 'attacker' could have taken the action from a library or Internet cafe (for example) so there might well be no way to trace him.

You guys have been extremely patient and helpful - I am most grateful!

Any further advice or comment will be welcomed.

Have a great day!
04-15-2012, 08:20 PM
Post: #18
RE: My web site has been hacked
You mentioned being hacked on or about the 26th. I'd check any records prior to the ones above.

04-16-2012, 12:02 AM
Post: #19
RE: My web site has been hacked
(04-15-2012 08:20 PM)sXi Wrote:  You mentioned being hacked on or about the 26th. I'd check any records prior to the ones above.

Hello sXi - thanks for your response.

As you are aware, I don't have any records myself. I'm using my iMac and do not have a server. I do not wish to be a nuisance to the staff at DreamHost, especially as they have already identified a 'rogue' IP from Verizon.

I've been advised on Usenet that there is no way a seasoned hacker could be identified from an IP address, but have no idea if that is the truth of the matter. These were the exact words used:

"That IP could be a tor node or an open proxy, or
worse yet, a verizon powered free wifi at a mcdonalds. You have nothing,
David. Your site became somebodies bitch and there isn't anything you
can do about it."

If that comment is true, there seems to be little point in asking DH for any more information.

Do you agree?
04-16-2012, 03:31 AM
Post: #20
RE: My web site has been hacked
The Verizon IP is logged days after the hack took place. Chances are that it could be a DH tech responding to your query (as they pointed out in the ticket). Again, you need to look at IPs logged while any hack took place, not 4 days after the fact. If 109.148.209.88 was the first one logged after a notable absence of Panel logins then this would be an IP of particular interest.

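The check suggested in posts #18 and #20 (look at which IPs were active when the change was made, and which appear after a long gap in Panel activity), as an added example that is not part of the original thread. The log lines are an excerpt of those quoted in post #17 and the incident time is the "domain added" record from post #12; the 30-minute window, the 24-hour gap and the assumption that both timestamps come from the same clock are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the panel log quoted in post #17 (not the full log).
SAMPLE_LOG = """\
2012-03-30 10:40:04 (domain/manage/none/none) 108.23.66.211
2012-03-30 10:38:45 (mail/auto/none/none) 108.23.66.211
2012-03-29 00:58:43 (domain/manage/none/none) 86.176.94.118
2012-03-27 04:00:46 (domain/manage/none/none) 86.177.170.230
2012-03-27 02:01:28 (domain/manage/ShowAddhttp/AddHttp) 109.148.209.88
2012-03-27 02:00:21 (domain/manage/Index/ShowAddhttp) 109.148.209.88
2012-03-27 01:48:45 (home/over/none/none) 109.148.209.88
2012-03-26 14:39:00 (home/over/none/none) 109.148.209.88
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \(([^)]*)\) (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_log(text):
    """Return (timestamp, panel_area, ip) tuples, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def first_seen(events):
    """Map each IP to the time it first appears in the supplied log."""
    seen = {}
    for ts, _area, ip in events:
        seen.setdefault(ip, ts)
    return seen

def near_incident(events, incident, window=timedelta(minutes=30)):
    """Events within +/- window of the incident time: the ones to review first."""
    return [e for e in events if abs(e[0] - incident) <= window]

def after_absence(events, min_gap=timedelta(hours=24)):
    """Events that follow at least min_gap of no panel activity."""
    return [cur for prev, cur in zip(events, events[1:]) if cur[0] - prev[0] >= min_gap]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Assumption: the ticket record and the panel log use the same clock.
    incident = datetime(2012, 3, 27, 2, 1, 11)
    for ts, area, ip in near_incident(events, incident):
        print("near incident:", ts, area, ip)
    for ts, area, ip in after_absence(events):
        print("after absence:", ts, area, ip)
```

The earliest entry in any supplied log can never be classified by `after_absence`, because the preceding activity is not in the data; that is why records from before the first quoted line matter.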