librelist archives


VentraIP servers are compromised


From:
Michael Ridland
Date:
2012-06-27 @ 04:17
Hi All

This is just a notice to anyone that's with VentraIP, their servers
are compromised. It's been multiple people I've spoken to with the issues.

==
I have an account with VentraIP for webhosting and have about 12 client
sites there, nothing much just small business stuff with some Static HTML
sites and a few Joomla sites.

In the last week 6 of them have been hacked into and suspicious code has
been added into every single HTML file.

I have done the usual thing, changed FTP/Account passwords and restored the
sites from backups, but they continue to be accessed and code changed. And
now Google has blocked them all.
==

Thanks.

Re: [sydjs] VentraIP servers are compromised

From:
Dave Elkan
Date:
2012-06-27 @ 04:35
I've had no trouble.


-- 
http://www.edave.net
https://github.com/dave-elkan
Twitter: @edave

Re: [sydjs] VentraIP servers are compromised

From:
Andrew Stone
Date:
2012-06-27 @ 04:56
@Dave,

Have you pulled down your code and run a diff against the relevant
'correct' version stored in your SCM?



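The comparison Andrew suggests above, as an added example (not code from the thread or from anyone on the list): it hashes a known-good checkout and a copy pulled down from the host, then reports modified, added and missing files and the lines added to a modified page. The directory names and file contents are constructed for the demo.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256, skipping .git."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and ".git" not in p.relative_to(root).parts
    }


def compare_trees(known_good, deployed):
    """Classify paths as modified, added (only on the server) or missing."""
    good, live = tree_hashes(known_good), tree_hashes(deployed)
    return {
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "added": sorted(live.keys() - good.keys()),
        "missing": sorted(good.keys() - live.keys()),
    }


def added_lines(known_good, deployed, rel_path):
    """Lines present in the deployed file but not in the known-good one."""
    old = (Path(known_good) / rel_path).read_text(errors="replace").splitlines()
    new = (Path(deployed) / rel_path).read_text(errors="replace").splitlines()
    return [l[2:] for l in difflib.ndiff(old, new) if l.startswith("+ ")]


def demo():
    """Constructed sample: a clean checkout and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "checkout"), Path(tmp, "downloaded")
        for d in (good, live):
            d.mkdir()
            (d / "index.html").write_text("<html>\n<body>Hello</body>\n</html>\n")
            (d / "about.html").write_text("<html>\n<body>About</body>\n</html>\n")
        (live / "index.html").write_text("<html>\n<body>Hello</body>\n<!-- injected -->\n</html>\n")
        (live / "x.php").write_text("<?php /* placeholder */ ?>\n")
        report = compare_trees(good, live)
        return report, added_lines(good, live, "index.html")


if __name__ == "__main__":
    print(demo())
```

Files listed under "added" matter as much as modified ones: restoring pages from backup does not remove a file that was never in the repository.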
Re: [sydjs] VentraIP servers are compromised

From:
Michael Ridland
Date:
2012-06-27 @ 05:12
That was a different client of theirs from sysadmin list, my files are ok
just my accounts are gone.




-- 

*Michael Ridland | ThinkSmart Digital*
Managing Director
P. 0404 865 350
E. michael@thinksmartdigital.com.au
W. www.thinksmartdigital.com.au
T. www.twitter.com/rid00z
L. au.linkedin.com/in/michaelridland


 <http://au.linkedin.com/in/michaelridland>

Re: [sydjs] VentraIP servers are compromised

From:
ptheriault
Date:
2012-06-27 @ 05:31
Is there anything that makes you think it is a server compromise, as
opposed to a website compromise? If you are running Joomla, is it patched
(and did you/they patch after restoring old content)?

FYI, there was a Joomla blind SQL injection bug patched in March. 
http://developer.joomla.org/security/news/391-20120301-core-sql-injection.html




Re: [sydjs] VentraIP servers are compromised

From:
Michael Ridland
Date:
2012-06-27 @ 05:40
That was a different client of theirs from sysadmin list, my files are ok
just my accounts are gone including my host account that didn't even have
an app attached.




Re: [sydjs] VentraIP servers are compromised

From:
Dave Elkan
Date:
2012-06-27 @ 05:55
What you say may well be true, however I think that before you start saying
a certain host's servers are compromised you should perhaps raise a ticket
rather than spam an unrelated list.

The two problems you describe sound quite different. The first issue could
be related to an unpatched Joomla install being attacked and your own could
be a simple mistake or accounting issue.

To Ventra IP's credit, I've had no problem at all with them over the past
year and a half I've been with them. In fact I've found their service to be
really good and their support polite and quick to reply. And no, I'm not in
their pay. I'm just a normal customer.

Cheers.

~Dave


Re: [sydjs] VentraIP servers are compromised

From:
Michael Ridland
Date:
2012-06-27 @ 05:13
Must only be a subset of their servers.


On Wed, Jun 27, 2012 at 2:35 PM, Dave Elkan <dave@edave.net> wrote:

> I've had no trouble.