Need some understanding about a hacker attack...

Some parts of this message have been removed. Learn more about Nabble's security policy.

Hello Brian,

Saturday, October 11, 2008, 10:03:37 PM, you wrote:

Thanks very much for the feedback. I have been thinking since I moved to this server in May that something wasn't quite right. All of my administrative email accounts have been hijacked and forged headers have been used to execute major spam attacks. I got thousands of email rejections from all over the planet. The IP address of the mailserver has been perpetually flagged as a spammer so that my member notification almost never get delivered and a series of things have happened to make me think that there is a loose cannon on that server that pretty much runs amok any time he wants to. Only a gut feeling on my side but THEY should know if someone is compromising their server. I DO know that I have never had any kind of problems like this on any Host Provider I have ever had in the past and they have ALL been shared server reseller accounts, even the bad ones didn't give me security headaches. I am very much aware of the vulnerabilities in the software I am using and have added code to prevent the hackers from accessing my include file which is one of the known exploits that have plagued this software in the past. The don't know, of forgot that I do development work on this stuff and told me that my software was "out of rev" and that I should upgrade it. In fact I forgot more about this software than they know but it was a laughable suggestion anyway (I run a technical support site for this software and have installed versions of every thing that has ever been released that I use to support the products). I used to do stuff like that when I did technical support on VMS/Pathworks too many years ago, LOL some things never change!

Actually, its not the first time I have been attacked using this software but it is the first time I have seen a hack on any of my sites, but I think your possible explanation makes me feel a little less anxious about it. I hadn't thought about that SSH access but that very definitely is a candidate.

Thanks to every body who responded I have a good deal of info now that didn't have a couple of hours ago.

Thanks very much.

-- 

Best regards,

 mikesz                            mikesz@...

Some parts of this message have been removed. Learn more about Nabble's security policy.

Hello Brian,

I checked all the points you made and thanks for taking the time.

"It sounds like you'll need a crash course in Apache configuration..." 

That works for me here on my development system that is an XP pro Box running WAMPSERVER but unfortunately my host has all the marbles and seems now to be less than enthusiastic about learning Apache than I would expect. When I got the equivalent of "we are bulletproof" and you are not, I pretty much got the idea that they either don't know what they are doing or the "status quo" is a bigger priority than doing it right.

I have seen this before, though not to this extent, where a tech will say "but they are configured identically" and when you do a phpinfo.php on each of them, its like they are on different planet and clearly configured by different people with totally different compile instructions. 

I think your first point, and the one made by a few other people who replied to me is the most relevant now, need to go hunting for a host again clearly.

Thanks again.

-- 

Best regards,

 mikesz                            mikesz@...

Some parts of this message have been removed. Learn more about Nabble's security policy.

Hello Brian,

Sunday, October 12, 2008, 11:13:01 AM, you wrote:

That was the part that floored me. They threw it out there with NO other justification or ANY evidence to support their assumption, nothing and in a really, really nonchalant tone which bugged me even more. Actually, they did refer to the folders in the product that require write access to do things like realtime image conversions and uploads, but definitely NO, "we found a hacker using such and such folder" nothing like that and as I mentioned the exploited folder was and is read only so that was another red herring they threw at me.

Thanks for the tip. I haven't had the best luck with Hosting, clearly. I wouldn't be with these guys but for the ISP that I was with decided that reseller accounts were not profitable so the dumped their service offering but would continue if I wanted to pay three times more $$$ for a smaller package... the one before that, went belly up and disappeared... oh, forgot the one in between, they had offshore support that decided I didn't need write access to anything, unbelievable!

LOL ... its been an adventure, that's for sure... 

Thanks again.

-- 

Best regards,

 mikesz                            mikesz@...