

1and1 Hacked or Website compromised?




Posted by xtopher66, 01-24-2013, 06:37 PM
Hi, I have shared hosting on 1and1 for multiple websites. Some are database CMS and others basic HTML5/CSS3. Today most of our domains would not resolve. We found all our DNS records edited to 217.160.30.145, which is a 1and1 server, SCHLUND AG. Not sure why anybody would want to change it to a non-resolving 1and1 DNS if hacking? I've looked at the FTP logs and discovered multiple Chinese IP addresses on my FTP account:

117.41.184.12 UNKNOWN root [23/Jan/2013:18:56:36 +0100] "USER co" 331 -
117.41.184.12 UNKNOWN root [23/Jan/2013:18:56:38 +0100] "USER co" 331 -
117.41.184.12 UNKNOWN root [23/Jan/2013:18:56:40 +0100] "USER co" 331 -
60.169.78.77 UNKNOWN root [24/Jan/2013:00:24:19 +0100] "USER co" 331 -
60.169.78.77 UNKNOWN root [24/Jan/2013:00:24:22 +0100] "USER co" 331 -
60.169.78.77 UNKNOWN root [24/Jan/2013:00:24:25 +0100] "USER co" 331 -

Access logs show one site, a CMS, with lots of activity in the traffic log, such as:

27.187.11.49 - - [23/Jan/2013:01:07:19 +0100] "POST /component/k2/ HTTP/1.1" 200 59 domainname.com/component/k2/item/8-con-secte-tuer-adi-pis-cing-elit/8-con-secte-tuer-adi-pis-cing-elit?start=1040

But truthfully the POST activity on one site is from multiple IPs, from Argentina to China to Greece, etc. I'm wondering if that site was hacked, but I thought it would be impossible to change the DNS settings for all control panel domains through a site hack? That's a different server, I believe. I have the logs; anything to look out for? 1and1 usually lock down the accounts immediately on unnatural activity, as they did with a WordPress hack a couple of years ago. But these were random changes: some database sites, other HTML sites that are harmless. My user account password is 13 digits of upper/lower case and numbers, a trillion to 1 of guessing that for that CP login. 1and1 seem to be saying it's an admin error on the domain DNS changes?

I had to manually reset the DNS on the domains; they're all back, and I dropped the records of the high-activity website as it went up 290MB, which is huge for just text comments.

Posted by abraham26, 01-25-2013, 04:29 AM
On a shared server the hacker can enter on another site and get access to server root. If the server configuration allows access to accounts with the root password, they can change it easily, and even if this setting isn't there, they could do it. Contact hosting and tell them about the problem. For me it is clear that something is wrong (hack).

Posted by EthernetServers, 01-25-2013, 11:46 AM
I would suggest submitting a support ticket with 1and1 and getting their verdict on what's happened. They can see more on their end than we can. Make sure to change all passwords that are related to the account (i.e. FTP, Email, Database Users, etc).

Posted by xtopher66, 01-25-2013, 08:41 PM
Thanks. Well, I have reported it to 1and1 admin. On my dedicated server I get UK direct support, but on the cheaper sites I use shared hosting and those weird-accent Filipinos who talk pidgin American are the admins. They're hard work but they understand the issue. I doubt they will report a hack elsewhere that's affected my site; hardly likely to admit it. I'm not a server expert, but even on shared hosting there must be CSS protection across CP accounts, even if the domains are all on one server. Maybe not. But these hackers are clever guys. Anyway, I did deduce that one site did have out-of-date code that was a known CSS hack. I've resolved that, and the activity was only on that site, which I can see in the traffic logs. I've checked through SSH and grep'd, checked file timestamps, and that corresponds only to that site. Others weren't affected. I didn't robots.txt out the CMS directories, so anybody looking for that script through Google could have found potential sites to attack. Silly me. Normally I htaccess redirect the URLs to not show any CMS type of info. Apart from the huge rise in that one database, the others aren't affected, as I checked all in phpMyAdmin. However, mostly these hackers aren't malicious, hell bent on destroying a server. Often it's a script compromise that they can redirect to a chosen domain, or to create a botnet through compromised sites, or in this case post multiple spammy comments. Which in light of Google's anti-spam campaign seems a little pointless! Only remaining question is why change domains' DNS to an unusable 1and1 server IP and not redirect to IPs under the hackers' control? Again, the sites changed had no rhyme or reason; HTML sites only included. Thanks for your input.

Posted by brianoz, 01-25-2013, 08:42 PM
Was your database password the same as your cpanel password? Let us know if that was the case, as I'll be able to suggest how you were likely hacked. There's a major symlink exploit out there at the moment. Probably worth setting your configuration.php/wp-config.php files to mode 600, if it works on your server. (more info on the links in my sig, search for symlink, or google for "apache symlink exploit").

Posted by xtopher66, 01-25-2013, 09:07 PM
No, it wasn't, Brian. I use 13-digit random passwords on every single database, CMS login and the same for cPanel. We all get these issues from time to time, as you know, Brian, and more often than not from misconfigured/exploitable website code. That individual database was only altered via website POST commands, not a direct database hack. Anyway, these guys just move on to the next easy target once they know it's game over. Will check the group status on 1and1 to see if I can own only under chmod 600. Some report problems if the server won't allow it. How about 640?

Posted by brianoz, 01-25-2013, 09:15 PM
Please don't think I was casting any aspersions on you re the password! It's surprisingly common for people to get that wrong, and if you're not aware of security issues you wouldn't realize. You need mode 600 so the hackers can't see your DB user and password in the config file. If mode 600 doesn't work, it's quite likely your site is entirely insecure anyway as far as other users on the server are concerned. If it's WordPress, install Wordfence and pay for the premium licence, well worth it (it will do individual file recovery if the site is hacked, and blocks many hacks out of the box). The other hack that's common is a virus or trojan on your PC, or listening on your network. Worth checking for, just in case. Also I'd check to see whether they logged in with your cPanel password or whether they just broke in through POST etc. (as you seemed to be implying).

Posted by xtopher66, 01-25-2013, 09:57 PM
No offence taken! Well, the hack on one script was known for a CSS exploit. The activity remained on that site and there's A LOT of POST activity in the traffic logs. It's a good indicator. One thing I don't understand, maybe you can help, Brian. FTP log:

60.169.78.76 UNKNOWN root [23/Jan/2013:23:04:38 +0100] "USER co" 331 -

is the hacker, I guess. Then I see an instance of

xx.xx.xx.xx UNKNOWN root [24/Jan/2013:00:21:33 +0100] "USER u41xxxxxx" 331 -

which is my FTP account, but my FTP access always shows the below, my next two commands:

xx.xx.xx.xx UNKNOWN u41xxxxxx [24/Jan/2013:00:49:21 +0100] "PASS (hidden)" 230 -
xx.xx.xx.xx UNKNOWN u41xxxxxx [24/Jan/2013:00:49:21 +0100] "PWD" 257 -

The 331 is password unknown, and all the hacker IPs always return 331. Not sure why it was showing root for my first login and a 331, and on the next attempt root is changed into my user details u41xxxxx.

Posted by brianoz, 01-27-2013, 06:11 AM
CSS exploit? CSS can't be exploited, as it isn't active code? I'm not familiar with the style of FTP logging you show; you'd need to compare it with a normal login to see if anything is funny there. You should be running something to prevent password brute forcing via firewall rules. ConfigServer's CSF does a good job of that, but there are others that also do it. You want it to log the brute force attempts, then block them off with firewall rules. While they will jump to a new IP, this does make brute forcing harder for the baddies to pull off.
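As an added example (not code from any poster in this thread), the following Python script parses FTP log lines in the format quoted above and summarises, per source IP, how many USER commands were sent, how many logins succeeded (a "PASS" answered with 230) and which usernames were tried. In FTP, reply 331 means "user name okay, need password", so repeated USER lines with 331 and no following 230 are attempts that never authenticated; this is the kind of per-IP signal the brute-force logging discussed in the post is meant to surface. The sample lines are constructed from IPs and usernames quoted in the thread, plus a placeholder 10.0.0.5 for the poster's own masked session.

```python
import re
from collections import defaultdict

# Constructed sample log, in the format quoted in the thread (10.0.0.5 is a placeholder).
SAMPLE_LOG = """\
117.41.184.12 UNKNOWN root [23/Jan/2013:18:56:36 +0100] "USER co" 331 -
117.41.184.12 UNKNOWN root [23/Jan/2013:18:56:38 +0100] "USER co" 331 -
117.41.184.12 UNKNOWN root [23/Jan/2013:18:56:40 +0100] "USER co" 331 -
60.169.78.77 UNKNOWN root [24/Jan/2013:00:24:19 +0100] "USER co" 331 -
10.0.0.5 UNKNOWN root [24/Jan/2013:00:49:20 +0100] "USER u41000000" 331 -
10.0.0.5 UNKNOWN u41000000 [24/Jan/2013:00:49:21 +0100] "PASS (hidden)" 230 -
10.0.0.5 UNKNOWN u41000000 [24/Jan/2013:00:49:21 +0100] "PWD" 257 -
"""

# ip ident authuser [timestamp] "command args" reply-code bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<code>\d{3})'
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    return rec

def summarize(log_text):
    """Per source IP: number of USER commands, successful PASS (230) logins, names tried."""
    stats = defaultdict(lambda: {"user_attempts": 0, "logins": 0, "names": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verb, _, arg = rec["cmd"].partition(" ")
        s = stats[rec["ip"]]
        if verb == "USER":
            s["user_attempts"] += 1
            s["names"].add(arg)
        elif verb == "PASS" and rec["code"] == 230:
            s["logins"] += 1
    return stats

def suspicious_ips(stats, known_users, min_attempts=3):
    """Flag IPs that tried usernames not in known_users, or kept sending USER without ever logging in."""
    flagged = {}
    for ip, s in stats.items():
        unknown = sorted(s["names"] - set(known_users))
        if unknown or (s["user_attempts"] >= min_attempts and s["logins"] == 0):
            flagged[ip] = {"unknown_names": unknown, "attempts": s["user_attempts"], "logins": s["logins"]}
    return flagged
```

Running `suspicious_ips(summarize(SAMPLE_LOG), ["u41000000"])` flags the two source IPs that only ever sent "USER co", while the session that authenticated with a known account is left alone.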

Posted by xtopher66, 01-27-2013, 02:41 PM
Cross site scripting - not cascading style sheets...

Posted by dwong, 01-31-2013, 09:17 PM
I got the same issue with 1and1. Our DNS settings are being changed to another 1and1 IP address. This happened on multiple of our sites. Also, from the FTP log we found out there are lines like this:

212.227.112.228 UNKNOWN tmp37581117-7547 [18/Jan/2013:13:11:46 -0500] "PASS (hidden)" 230 -
212.227.112.228 UNKNOWN tmp37581117-7547 [18/Jan/2013:13:11:46 -0500] "TYPE I" 200 -

Turns out someone from Germany is using 212.227.112.228 to log in without hacking. That IP address also belongs to 1and1. I have reported this to 1and1. When I called their tech support, they told me there is no access control log. They said they did not make the change. I have a hard time believing that. I then emailed them. Their staff are trying to avoid the question as to how this occurred. After 7-8 emails within 2 weeks to different departments, all they did was give instructions to get the FTP log and the control panel log, and did not give an explanation of why this is happening. I do not think we are the only client having this issue. I am not so convinced that it is done by a hacker, because from the log it indicated the request is from a 1and1 IP address. Could it be something happening within 1and1? At this point I am still waiting for them to get the answer. Did they screw up internally, or did they get hacked at the top level, and the hacker can actually create temporary FTP accounts and change DNS settings? If the hacker gained root access on the top level of the web hosting server, even if we changed all the passwords, it won't help. This is what they said:

"Whether or not someone accessed your ftp logs from 1&1 is a separate issue. If the dns was changed it was through the control panel. Neither you nor us have access to the control panel logs. They are only provided through a legal request. There is no evidence that your account is compromised and no issue for the security team" -- Sincerely, Security Team 1&1 Internet, Inc

Either case, it is VERY disappointing not only that this happened but also how they failed to help their customer address the problem by denying there is an issue.

Posted by xtopher66, 01-31-2013, 11:59 PM
Why would I change my DNS settings? Anyway, DWONG, just make sure you reset the cPanel password, and if you have a CMS or plugins, update to the latest version. Apart from that, not much you can do. My server sites were playing up all week before this, so something was going on. But rest assured, 1and1 may not announce the hack, but they will plug the hole pretty quickly if they find an issue. Carry on and keep calm.

Posted by dwong, 02-01-2013, 04:04 PM
The interesting part is they confirmed they have actually attempted to close the case multiple times (without having it resolved or providing any useful help). If that is not entertaining enough, they confirmed their security team cannot function and they are going to ignore customers.

"1&1 did not change the DNS information. There is no evidence of any kind of a compromise by a hacker, and 1&1 does log in via ftp from time to time, such activity is totally normal. It was most likely someone at your business that changed the information. You'll only know for sure if you request the control panel logs. We have already closed this ticket on numerous occasions. There is nothing the security team can do for you. Further emails to security regarding this issue will be ignored." -- Sincerely, Security Team 1&1 Internet, Inc.


