SomeGuy
Veteran Member
So I previously posted about how awful Deluxe Hosting
(www.deluxehosting.com) and their support is:
Like a moron, I didn't switch from them then. After being down for way, way, way too long, they got the server back up. I hadn't had time to mess with it. Figured what the hell, how much worse can it get?
Well, now it is malware!
Happy, happy, joy, joy. That is actually MUCH WORSE than just being down.
So what is happening? Various PHP files started appearing on my site - I don't use PHP for anything. On closer inspection some of these PHP files were "php file manager" and others looked like they served up malicious advertising spam or who knows what else.
I don't use any kind of scripting on my site. It is all static HTML. So it should be impossible for anything on my site content to be responsible.
At first I figured it was some transient issue that would have already been resolved by a server patch somewhere, or perhaps some bit of cruft I missed somewhere. So I just deleted everything and re-uploaded from my local copy. Changed my cPanel password just to be sure.
They came back. And they keep on coming back.
Still not exactly sure how they are attacking the server. The only access I have is through cPanel, SSH/SFTP, and an e-mail account.
An attack around April 1 uploaded more crap PHP, but also disabled SpamAssassin on the server - I mean removed the icon from cPanel and killed the SpamAssassin process.
Obviously anything from my account should not be able to do that.
I contacted their support specifically about the SpamAssassin issue and they claimed everything was working perfectly, without even looking at it, and to add massive insult to injury, they tried to upsell me on some subscription based external mail filtering service! Assholes.
Following the logs, it looks as if someone from random IP addresses is logging in to my cPanel account. No way they could have my password though - I just changed it.
I tried contacting DeluxeHosting's useless e-mail support again.
Their useless tech support was blaming me for having "custom code" on my web site.
They obviously had not even looked at it, or they would have seen only a few static HTML files and zip file downloads.
They did suggest that there might be "processes" running in my account, but I saw nothing. No scheduled tasks either. They offered to "block ip addresses", however looking at logs, these are coming from mostly random IP addresses.
They also tried blaming my computer as possibly having malware. If that were true, that would be a very interesting trick. They didn't even offer any evidence, just outright accused me.
One time that this malware magically re-appeared was suspiciously at almost the same time that one of their "techs" e-mailed me saying they had just checked my account and found no malware. Hmmmmmmm.
At multiple points I have tried logging in to cPanel to find that my password has been changed. Fortunately, I have been able to reset my password. Obviously I am using "secure" passwords, not the same combination as my luggage.
Interesting fact: when I call their support they ask me to verify who I am by asking for the last four digits of my credit card on file with them or the last four characters of my cPanel password... yes they can apparently see at least the last four characters. Such wonderful security.
So at the moment, I'm thinking either there is a gaping cPanel exploit, the server is rooted, and/or their Indian techs are corrupt as hell. (Yes, when one of their techs logged in to cPanel - oh, and no they don't need my password to log in - the IP in the log indeed showed they were in India, as if the badly broken English and incompetence were not enough of a giveaway).
And just now I found my cPanel password is changed and the recovery e-mail address is changed so I can't log in to cPanel at all.
They appear to be running cPanel 86.0.40. I don't know much about that but a quick search shows that as out of date.
Groans.
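The post describes the right reflex (wipe the document root, re-upload from the known-good local copy) but relies on eyeballing the file list to notice when the PHP comes back. An added example, not from the poster and not from any hosting-provider tooling: a small integrity audit that hashes the local copy into a manifest and diffs it against the deployed tree, so that dropped scripts, altered HTML (e.g. an injected ad `<script>`) and new `.htaccess` files show up by name. The `SERVER_SIDE_EXT` list, the directory names and the sample files are constructed for the demo; nothing here is taken from the poster's site.

```python
"""Integrity audit for an all-static site.

Compare the deployed document root against a known-good local copy and
report files that should not be there. On a site that uses no server-side
scripting, any .php/.cgi/etc. file is suspicious by definition, so those
are reported separately even if they were never in the manifest.
"""
import hashlib
import os
import tempfile

# Assumed list: extensions the web server would execute rather than serve
# as-is. Extend to match whatever handlers the hosting account has enabled.
SERVER_SIDE_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7",
                   ".phar", ".cgi", ".pl", ".py", ".sh"}


def sha256_file(path):
    """Stream a file through SHA-256 (files may be large zip downloads)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root.
    Dotfiles are included on purpose: .htaccess and .cache.php style names
    are exactly what an attacker uses to stay out of a casual listing."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def audit(known_good, deployed):
    """Diff two manifests and return the findings as sorted lists."""
    unexpected = sorted(p for p in deployed if p not in known_good)
    modified = sorted(p for p in deployed
                      if p in known_good and deployed[p] != known_good[p])
    missing = sorted(p for p in known_good if p not in deployed)
    scripts = sorted(p for p in deployed
                     if os.path.splitext(p)[1].lower() in SERVER_SIDE_EXT)
    return {"unexpected": unexpected, "modified": modified,
            "missing": missing, "server_side_scripts": scripts}


def demo():
    """Constructed scenario: a clean local copy and a deployed copy that has
    been tampered with the way the post describes. Returns audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "local")
        remote = os.path.join(tmp, "remote")
        clean = {  # constructed sample site: static HTML plus a zip download
            "index.html": "<html><body>Hello</body></html>\n",
            "downloads/tool.zip": "constructed stand-in for zip bytes\n",
        }
        for root in (local, remote):
            for rel, content in clean.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write(content)
        # Tampering on the deployed side only (all constructed samples):
        tampered = {
            "images/.cache.php": "<?php /* constructed stand-in for a dropped file manager */ ?>\n",
            ".htaccess": "# constructed sample: attacker-added rewrite rules\n",
        }
        for rel, content in tampered.items():
            path = os.path.join(remote, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
        with open(os.path.join(remote, "index.html"), "a") as f:
            f.write("<script src='http://example.invalid/ad.js'></script>\n")
        return audit(build_manifest(local), build_manifest(remote))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Usage: run `build_manifest` over the local copy before each upload and keep the result off the server; then, over the SSH access the post mentions, run it again against the document root and feed both to `audit`. Anything in `unexpected` or `server_side_scripts` on a static site is a finding, and `modified` catches the quieter case where the original HTML is kept and only an injected tag is appended. The caveat is the one the post already hints at: this tells you what reappeared and when, not how it got there, and if the host itself is compromised the server's view of its own files can't be trusted, so compare against a manifest fetched over SFTP rather than one computed on the box.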