Web Host Chat
Bringing Hosts & Customers together since 2001
Old 11th April 2008   #1 (permalink)
Registered User (19)
Welcome aboard!
Join Date: Oct 2005
Posts: 15
TEK is on a distinguished road
tsohost hacked!!! Help!

I'm being contacted by my customers telling me their sites have been hacked.

Looks like the Windows web server has been compromised and every directory has been flooded with default docs for these muppets!

Does anyone have any weekend or emergency contact details for them please, or any suggestions as to how far things have been compromised? I'm only a developer supporting a small amount of clients but I know most of them will be pulling my services by Monday if this isn't sorted and some kind of reassurance is upheld.

You can see for yourselves on their own support forums...

http://forums.tsohost.co.uk/

Thanks
__________________
Registered User
TEK is offline   Reply With Quote
Old 11th April 2008   #2 (permalink)
I am Staff at
ACS
About My Company!

Certified Host
Join Date: Aug 2006
Location: North Yorkshire
Age: 23
Posts: 236
fov is on a distinguished road
Dazmanultra or Adamsmith on here are involved in the business.

But the normal site is up. Can't you log a normal ticket?

[edit] http://support.tsohost.co.uk [/edit]
__________________
Web Host - Certified Member

Last edited by fov : 11th April 2008 at 09:20 PM. Reason: add support url
fov is online now   Reply With Quote
Old 11th April 2008   #3 (permalink)
I am Staff at
Midnight Software
About My Company!

Certified Host
midnightsoftwar's Avatar
Join Date: Mar 2006
Location: Nr Warrington, UK
Age: 31
Posts: 785
midnightsoftwar is on a distinguished road
As an aside, if anyone is wondering what the actual message is about, there is a Dutch politician that is basically saying that immigration is diluting the Dutch culture - essentially, as it is here. He has made a film about it, and this is what the Islam followers are complaining about.

I heard about it from the Daily Source Code - a podcast by Adam Curry. Well worth a listen I think.

Edit: The Dutch politician that has made the video is Geert Wilders.
__________________
Leigh Jepson
Midnight Software
Tel: 0870 490 0725 - VAT: 896 9527 43
Email: leigh@midnightsoftware.co.uk
__________________
Web Host - Certified Member

Last edited by midnightsoftwar : 11th April 2008 at 10:34 PM.
midnightsoftwar is offline   Reply With Quote
Old 11th April 2008   #4 (permalink)
I am Staff at
UH Hosting Ltd
About My Company!


Certified Host
Join Date: May 2003
Location: UK, Luton
Age: 22
Posts: 1,879
James[UH] is an unknown quantity at this point
Quote:
Originally Posted by midnightsoftwar View Post
As an aside, if anyone is wondering what the actual message is about, there is a Dutch politician that is basically saying that immigration is diluting the Dutch culture - essentially, as it is here. He has made a film about it, and this is what the Islam followers are complaining about.

I heard about it from the Daily Source Code - a podcast by Adam Curry. Well worth a listen I think.

Edit: The Dutch politician that has made the video is Geert Wilders.
The site tries to exploit a RealPlayer security hole.
__________________
James Smith,
UK Web Hosting, Reseller Hosting, Dedicated Servers - All with ultra fast support response times!
Join UH Hosting Ltd's Affiliate Program - Starting at 10% commission

Try our Dedicated Server Configuration Tool

VAT: 828 2971 96 Company Number: 04928706
__________________
Web Host - VIP Member
James[UH] is offline   Reply With Quote
Old 11th April 2008   #5 (permalink)
I am Staff at
Midnight Software
About My Company!

Certified Host
midnightsoftwar's Avatar
Join Date: Mar 2006
Location: Nr Warrington, UK
Age: 31
Posts: 785
midnightsoftwar is on a distinguished road
Yes, I'm talking about the actual message that they are conveying with the text - rather than anything else. It's actually quite interesting what Adam Curry is saying.

In essence, everybody is too scared to say that they don't like that the '(add country here)' culture is being diluted by the people that are immigrating.

For example - people in this country are scared of referencing their own religious holidays etc - in case it offends Muslims. But, they don't dare to be outspoken in case they are branded racist.
midnightsoftwar is offline   Reply With Quote
Old 11th April 2008   #6 (permalink)
I am Staff at
UK Webhosting Ltd
About My Company!


Certified Host
Join Date: Feb 2004
Posts: 1,319
adamsmith is on a distinguished road
We're aware of the forum hack - it seems to be that a security hole in vBulletin has been exploited despite us running the latest version. We're looking into this.

We're not aware of anyone's site being compromised. The forums are hosted on a Linux server, completely separate to our Windows cluster which includes 8 separate machines.

If you have had a site compromised, please raise a support ticket urgently and we'll look into this for you.

We of course take security extremely seriously and if you have had a site compromised, this is of the utmost importance to us.
__________________
Adam Smith - UK Webhosting Ltd. - (0800) 024 2931
www.tsohost.co.uk - premium quality, budget price virtual hosting in the UK
Company reg: 04977925 VAT reg: GB 833 9677 84
__________________
Web Host - VIP Member
adamsmith is online now   Reply With Quote
Old 11th April 2008   #7 (permalink)
I am Staff at
UK Webhosting Ltd
About My Company!


Certified Host
Join Date: Feb 2004
Posts: 1,319
adamsmith is on a distinguished road
I've just spent the last 20 minutes scouring our Windows machines for any sign of what you describe and I've found nothing.

What site do you host with us?
adamsmith is online now   Reply With Quote
Old 12th April 2008   #8 (permalink)
Registered User (19)
Welcome aboard!
Join Date: Oct 2005
Posts: 15
TEK is on a distinguished road
Thank you Adam. I will register on the support system and raise a proper ticket.

For the record though, I'm on a small reseller Windows Helm account and ALL of my domains have had the default docs (index. and default. htm, asp, cfm etc) replaced in EVERY directory, including 'logs' which is below wwwroot.... this is what concerns me the most as it seems to have just spidered through your entire D: volume.

This includes one site which only has email and simple web services enabled. No PHP, scripting or Db's.

bpcsupplies.co.uk if it helps you to track the account down in the meantime before I get a chance to register in the morning (not in office now)
TEK is offline   Reply With Quote
Old 12th April 2008   #9 (permalink)
I am Staff at
UK Webhosting Ltd
About My Company!


Certified Host
Join Date: Feb 2004
Posts: 1,319
adamsmith is on a distinguished road
That site (bpcsupplies.co.uk) has been compromised; however, this happened back in February and a full explanation was sent to all affected clients at the time (approximately 100 users on a single machine). No files on that domain have been changed since then.

The forums.tsohost.co.uk issue is completely separate - it looks from the logs like there's a new XSS vulnerability in vBulletin which hasn't yet been patched. The Tsohost forums will likely remain offline until a definitive cause has been found.

You don't need to register for the support system to raise a ticket - just email support@tsohost.co.uk
adamsmith is online now   Reply With Quote
Old 12th April 2008   #10 (permalink)
Registered User (19)
Welcome aboard!
Join Date: Oct 2005
Posts: 15
TEK is on a distinguished road
Thank you again. I did not however receive the email. My first port of call out of hours tonight was your forums to see of any known issues and was left baffled due to no access.

Would you be kind enough to email me the explanation again in a moment please if I PM you on here? I'd really like to be armed with some facts and the extent of damage before making calls in the morning. I have no access to the works machine tonight.

Thanks
TEK is offline   Reply With Quote
Old 12th April 2008   #11 (permalink)
I am Staff at
UK Webhosting Ltd
About My Company!


Certified Host
Join Date: Feb 2004
Posts: 1,319
adamsmith is on a distinguished road
I don't have the details to hand since I'm not in the office but if you email support@tsohost.co.uk you'll receive the full details in the morning. In short, this was related to a Helm bug which allowed a malicious user to gain FTP permissions on the directory below his webroot on a single machine and overwrite various index files before this was spotted and stopped. At no point was the machine itself compromised.

Just to re-iterate, this happened back in February 2008 and nothing has changed on the domain you posted since then.
adamsmith is online now   Reply With Quote
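
A way to check an account for the pattern discussed in this thread (the same page dropped as index.* / default.* in many directories) and to list which default documents changed after a given date. This is an added example, not code from any poster or from tsohost; the extension list, the `min_dirs` threshold and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Default-document names from the thread (index.* / default.*). The extension
# list extends the post's "htm, asp, cfm etc" and is an assumption.
STEMS = {"index", "default"}
EXTS = {".htm", ".html", ".asp", ".aspx", ".cfm", ".php"}


def default_docs(root):
    """Yield (path, sha256 hex, mtime) for every default document under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if stem in STEMS and ext in EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                yield path, digest, os.path.getmtime(path)


def audit(root, cutoff_ts, min_dirs=3):
    """Return (content repeated in >= min_dirs dirs, docs modified after cutoff)."""
    dirs_by_digest = defaultdict(set)
    changed_since = []
    for path, digest, mtime in default_docs(root):
        dirs_by_digest[digest].add(os.path.dirname(path))
        if mtime > cutoff_ts:  # cutoff_ts is epoch seconds
            changed_since.append(path)
    clusters = {d: sorted(dirs) for d, dirs in dirs_by_digest.items()
                if len(dirs) >= min_dirs}
    return clusters, sorted(changed_since)


def build_sample(root, planted_ts, later_ts):
    """Constructed sample tree: one real page, one page repeated in 3 dirs."""
    layout = {"wwwroot/index.htm": b"<h1>shop</h1>",
              "wwwroot/img/default.asp": b"PLANTED",
              "wwwroot/cgi/index.cfm": b"PLANTED",
              "logs/index.htm": b"PLANTED"}
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        ts = later_ts if rel == "wwwroot/index.htm" else planted_ts
        os.utime(path, (ts, ts))
```

Modification times can be reset by anyone with write access to the files, so an empty `changed_since` list supports a "nothing has changed" statement but does not prove it; compare against backups or FTP logs as well.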
Old 12th April 2008   #12 (permalink)
I am Staff at
SuperRacks Ltd
About My Company!

Certified Host
Superracks's Avatar
Join Date: Feb 2005
Posts: 69
Superracks is on a distinguished road
Quote:
Originally Posted by midnightsoftwar View Post
It's actually quite interesting what Adam Curry is saying.
That would be a first ;-)

Quote:
Originally Posted by midnightsoftwar View Post
For example - people in this country are scared of referencing their own religious holidays etc -
That would be the Netherlands? Who comes up with these stories?

Quote:
Originally Posted by midnightsoftwar View Post
But, they don't dare to be outspoken in case they are branded racist.
I think the UK has a longer history with Islamic groups by far. There are small groups of pro and con Islamic people, that try to rule the community. We still have more Christian holidays we can remember. In fact, the only Islamic holidays we generally know of, are the Ramadhan and the Id-al-Fitr. And besides that, we only care of the holidays for not having to work. :-)
__________________
Web Host - Certified Member

Last edited by Superracks : 12th April 2008 at 12:30 AM.
Superracks is offline   Reply With Quote