Security Breached. what do i need to do?

milkboymilkboy OG
edited May 2023 in Help

So one of my Hosting DA panel got hack.
My 30++ years old "i-got-hacked" cherry has been popped. :3
It is only sending Spam emails on a few accounts.
All of the password are >20-key generated.

As this is my first, I'm unsure nature of the breach and what i need to do.
I have check a few sites (i.e haveibeenpwn) for breaches, but found none

As a precaution i have:

  • Suspended the DA user account and server for a day. (i control both user and reseller account)
  • Change all user password in the domain.
  • Change SSL (after i unsuspend later)
  • Notify the provider of the breach

So do i need to do anything else?
How do i know if its a simple password breach or much worse?

EDIT:
changed the title to reflect nature of the breach
Found the offending pc. office user brought their laptop to a 3rd party services during the weekend.
so far seems to be a spambot, scanned all the other check the entire office pc seems good.
wasted entire day :'(

Comments

  • @milkboy said:
    How do i know if its a simple password breach or much worse?

    Pretty sure that uncertainty is why this is a thing

  • @milkboy said:
    So one of my Hosting DA panel got hack.
    My 30++ years old "i-got-hacked" cherry has been popped. :3
    It is only sending Spam emails on a few accounts.
    All of the password are >20-key generated.

    As this is my first, I'm unsure nature of the breach and what i need to do.
    I have check a few sites (i.e haveibeenpwn) for breaches, but found none

    As a precaution i have:

    • Suspended the DA user account and server for a day. (i control both user and reseller account)
    • Change all user password in the domain.
    • Change SSL (after i unsuspend later)
    • Notify the provider of the breach

    So do i need to do anything else?
    How do i know if its a simple password breach or much worse?

    First is to find out how you got hacked. Whether it was a password breach or from a DA vulnerability or even from a vulnerability in one of the scripts ran by the user (most common being WordPress).

    Next, wipe everything on your account and restore it from a backup. Then change ALL passwords and remove the vulnerability the hacker used to get in. Only then enable access to the accounts.

    Thanked by (2)Talistech bikegremlin
  • Are you sure the server was hacked and it's not just one or more accounts infected with malware?

    Aside from the spam, what indications of a hack are you seeing?

    ResellerWiz - Web Hosting... Your Way!
    cPanel - DirectAdmin - Free WHMCS Plus License Included!
    NVMe - LiteSpeed - Imunify360 - JetBackup - MailChannels - SitePad Premium

  • milkboymilkboy OG
    edited May 2023

    @somik said: First is to find out how you got hacked. Whether it was a password breach or from a DA vulnerability or even from a vulnerability in one of the scripts ran by the user (most common being WordPress).

    Allergic to WP, none of it. just minimal GRAV CMS & no (DA/GRAV/roundcube) serious vulnerability im aware off.
    still checking things out on server site.

    @ResellerWiz said: Aside from the spam, what indications of a hack are you seeing?

    after checking, there is huge log on roundcube activity, all from the same IP as my workplace. I suspect a compromised user laptop. internal network seems to confirmed it too.
    Still investigating if it is the pc or other things, and if checking if any other devices is compromised.
    wasted a whole day on this crap.
    i have resume access to the hosting again, as the suspected PCs are currently turned off, there seems to be no activity.

    @havoc said: Pretty sure that uncertainty is why this is a thing

    i'm kinda have a paranoid personality , assume its the worse for simple things.
    yeah this few hours makes me feels like doing it too. watching everything burns to the ground slowly seems satisfying.
    hahaha....

  • I usually download all configs, files, etc and then reinstall the server.
    Next I'll try to figure out why I got hacked. I won't restart the service until I'm confident that I've fixed everything

  • Next I'll try to figure out why I got hacked. I won't restart the service until I'm confident that I've fixed everything.

    Took me a whole day, to check everything.
    Found the culprit, a spambot accessing chrome user file with saved session to round cube. may need to nuke the whole PC.
    my office need to have extra hour to train everyone on security practices.

    Thanked by (3)jarland bikegremlin dwight
  • jarlandjarland Hosting ProviderOG
    edited May 2023

    @milkboy said:
    Found the culprit, a spambot accessing chrome user file with saved session to round cube

    You'd think I would have seen something like that before, but I can't say I have. I wonder if that's going to be the next trend. After they finish with all of the ipfs phishing links.

    Thanked by (1)bikegremlin

    Hate radiates from the source. If you look around and see it everywhere, it's coming from you.

  • I remember time when cookies were IP based...
    But then mobile network boom happen and fuck it.

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
    https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png

  • @Jab said:
    I remember time when cookies were IP based...
    But then mobile network boom happen and fuck it.

    Cookies were never safe. You can still use sessions instead of cookies. Let the user login every time they open the window.

    Or go with cookie timeout that is 1 day, not 1 month or more. That way user still have to login every day, but if they get hacked, at least only 1 day of stuff is ruined.

  • @jarland said: You'd think I would have seen something like that before, but I can't say I have. I wonder if that's going to be the next trend. After they finish with all of the ipfs phishing links.

    Sry, I wasnt clear before.
    It was a trojan, altering chrome on its host pc.
    So whenever the chrome process is closed. there is no activity.
    the trojan has been deleted, chrome has been reinstalled.
    currently still in the middle of moving data & planning to format the whole pc as soon as possible.

    Thanked by (1)jarland
Sign In or Register to comment.