We’ve been noticing over the past few months that some of our clients had their sites compromised and were later used to send out spam or distribute malicious content to sites visitors through password leaks.
There appears to be no pattern connecting the compromise to each others, except all of them indicate the hacker had gained accessed to the sites through FTP access. The hackers used the account holder username/password to login to the site and manually or through an automated script upload/replace site files.
Our investigation have revealed that these hacks are not limited to a certain OS, Control Panel or Server. They would occur to some of our direct clients and at some instances to clients of our orresellers.
Further investigation confirmed there were no server-wide compromise. There is no indication of root compromise, file integrities are intact and no rouge users or scripts were found on the physical servers.
After carefully analyzing the logs for few weeks, and running traces on the hackers, we’re confident that these attacks were only successful through a user/password compromise of the hacked site.
It appears the hackers are using a KeyLogger malware to sniff user/pass information on clients local stations. Then use these information to login to the victim site through FTP to upload their malicious content. Once the password of the account is changed on our end, the hack stops.
We would highly recommend to all of our clients to check if their workstations are compromised even if they’re running an Anti-Virus software. We also ask that you ensure your password is not shared over the public Internet such as Messengers, Emails. Additionally, please verify your password meets the complexity rules stated in section (8) of this email.
The hackers can upload keyloggers and data sniffers to your local workstations through many methods including a security weakness in a software you run on your system such as Internet Explorer, FireFox, Windows Media Player, QuickTime Player, Outlook, Office, Password guessing or Password dictionary attack. To help you protect yourself from such attacks, we’ve prepared few recommendations to keep your computer system secure:
1) Never share your password with any parties, and always create different passwords for different sites
2) Be extremely careful when working on a remote system or a system that is shared with others. We don’t recommend that you use a shared system to login to sensitive websites. There is a chance that a shared system may contains a password hijacker program, or be on a rogue network.
3) If you share your password with 3rd parties, please ask them to follow these steps as well.
4) Before changing your passwords, please ensure your system is clean of viruses. There is no point of changing passwords if the system you’re working on is already compromised. These are few suggestion on how to scan your system for viruses on the Microsoft Platform:
a) Download, Install and run Malwarebytes from https://www.malwarebytes.org/
b) Download, Install and run Microsoft Security Essentials from http://windows.microsoft.com/en-us/windows/security-essentials-download
c) If malicious content is found using the above two systems, we recommend that you do more vigorous checking for hidden malwares using Dr. Web CureIt: http://www.freedrweb.com/cureit/
d) You can also do further checking using Prevx http://www.prevx.com/freescan.asp
e) For Advanced users, you can also try Microsoft Rootkit Revealer to show any hidden content at: http://technet.microsoft.com/en-ca/sysinternals/bb897445.aspx (Please note, Rootkit Revealer may generate false positives)
f) Lock down your Windows using EMET (Enhanced Mitigation Experience Toolkit) from: http://www.microsoft.com/en-us/download/details.aspx?id=41138
If you’re not currently using an Anti-Virus and Anti-Spyware, we would urge you to purchase one soon. In the mean time, you can try these free real-time scanning alternatives: http://free.avg.com/ or http://www.avira.com
We also strongly encourage you to check and install the latest Windows Security Updates from Microsoft: http://windowsupdate.microsoft.com/. Additionally, you can use the following tools to check for any out-of-date applications installed on your system:
– MBSA from Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=F32921AF-9DBE-4DCE-889E-ECF997EB18E9
– Secunia Scanner: http://secunia.com/vulnerability_scanning/
5) If your virus scanner finds any malicious content that is rated Medium-High, please advise us immediately. We’ll change your password from our end.
6) Even if you run an up-to-date virus scanner, we do urge you to run multiple scans using the instructions above. Sometime real-time scanning is unable to catch viruses spread through a web browser, or its signature database may not be up to date.
7) Once you’ve confirmed your local machine is safe, check for other machines within your local network to ensure no infection spreads from one machine to another using USB keys, network file sharing.
8 ) Ensure your password is complex enough. The ideal password will be at least 8 characters long, contains both Upper and Lower case characters, a number and a special character.
You can use Microsoft online password checker to verify your password strength. A level of Strong or above would be ideal: http://www.microsoft.com/protect/yourself/password/checker.mspx
If you’re using the default password which was sent to you when your hosting account was created, please change it immediately. The Control Panel interface offers a handy password generation utility.
9) It is always preferred that you use secure connections when transmitting password information online. This includes not logging to any systems or sites that do not support encryption. Our servers will allow you to connect securely for FTP, cPanel, SMTP, POP3 access, as follow:
– We support Auth TLS FTP connections
– You can login securely to your cPanel interface through https://enterYourSiteName.com/cpanel/ , you may be presented with a security certificate warning, please accept it to continue.
– You can access secure SMTP on the same port as your regular SMTP connection (Port 25 or 26)
– You can access secure POP3 on Port 995 which is set by default in Outlook when checking “This server require secure connection (SSL)”
Please note, using SSL connections will result in slower speed and may cause timeouts. Using SSL will also display a warning advising you to accept the server certificate. This is an inherent limitation of shared SSL certificates.
We hope these information will be of great value and help you maintain a safe and secure online presence.