I've been HECKED
disneyjoe7
Posts: 11,435
Ok you heavy computer / IP people, I need some advice. This morning I got an email stating they stopped a heck attempt. The odd thing to me is that my host password was set by them and is really odd, with numbers, small letters, cap letters, everything. I can't even remember it and need to look for the setup email which states the password. Since this password is so odd, it's the only password used for this FTP thing, and used on my laptop. The bigger question to me is: do I have a bigger issue with my laptop?
Below is the copy of the email sent this morning.
Steve
Dear Stephen M,
The monitoring system on your server has detected an upload, via FTP, to your account that matches a known hack attempt. In order to protect your account, we have stopped the upload and blocked the IP address that was attempting the upload. For most sites, we can block all of the hack attempt, but please review your site immediately to verify it has not been altered.
IP Blocked: 113.19.240.71
Unfortunately, this does indicate that your FTP username and password have been compromised and we reset your FTP password to protect from further attacks. Please see below for your new password.
Files infected: /????/????/????/index.htm
InMotion Hosting has made every attempt to secure your account and restore the content from our backups. If there is any unusual content still on your site, our backups will have held the exploited content and cannot be recovered from our systems. To correct the issue, you will need to restore a backup or local copy. Keep in mind, the list is not exhaustive.
Based on a large number of similar situations, the most likely way the attempted hackers gained your username and password was due to weakness in a combination of several products on your personal computer. We have not been able to verify exactly what combinations are a problem but please make sure your personal computer is up to date for all software and specifically including:
Adobe Acrobat Reader
Adobe Flash Player
Adobe Shockwave
Any FTP Programs including Filezilla FTP and WS_FTP
It is also very possible that your software has been updated already and the attempted hack was possible because some time in the past your personal computer had a combination of software that was not secure. At that time, the method the hackers used would find your FTP username and password from your files and send it from your personal computer out to a repository they set up for future use.
For additional information:
https://support.inmotionhosting.com/ftp_exploits.html
https://support.inmotionhosting.com/cgi-bin/kb.cgi?do=read&id=94
We know this can be confusing and sometimes a little scary - if you have any questions please reply to this email (sending to support@inmotionhosting.com) including the blocked IP address above. This will greatly help us handle your account as quickly as possible.
Username:
New FTP and Cpanel Password:
Best Regards,
InMotion Hosting System Administration
888-321-4678
213-258-4422 (Int'l)
Speakers
Carver Amazing Fronts
CS400i Center
RT800i's Rears
Sub Paradigm Servo 15
Electronics
Conrad Johnson PV-5 pre-amp
Parasound Halo A23
Pioneer 84TXSi AVR
Pioneer 79Avi DVD
Sony CX400 CD changer
Panasonic 42-PX60U Plasma
WMC Win7 32bit HD DVR
Comments
-
Steve what the heck is "hecked?":D
-
This almost sounds like a phishing scam to me... but then again I'm not familiar with inmotionhosting, either.
I don't read the newsssspaperssss because dey aaaallllllllll...... have ugly print.
Living Room: B&K Reference 5 S2 / Parasound HCA-1000A / Emotiva XDA-2 / Pioneer BDP-51FD / Paradigm 11se MKiii
Desk: Schiit Magni 2 Uber / Schiit Modi 2 Uber / ISK HD9999
Office: Schiit Magni 2 Uber / Schiit Modi 2 Uber / Dynaco SCA-80Q / Paradigm Legend V.3
HT: Denon AVR-X3400H / Sony UBP-X700 / RT16 / CS350LS / RT7 / SVS PB1000 -
Could be, I guess, but I've been with them for a while now and they've been good to me. The index page is dead, so I assume it was some nasty page placed up instead. So they removed it completely.
-
concealer404 wrote: »This almost sounds like a phishing scam to me... but then again i'm not familiar with inmotionhosting, either.
Usually phishing scams don't start out with your name at the beginning of the e-mail.....Testing
Testing
Testing -
Download a free version of Malwarebyte's anti-malware and run a complete scan...it will detect 'any' extraneous spyware or other attempts put on your computer...provide you with a list and allow you to 'remove' anything questionable.
Your description sounds a bit 'funny'...a good virus software program constantly updated should be able to tell you if someone is trying to 'hack' you or take control of your computer...at least give you a warning.
cnh
Currently orbiting Bowie's Blackstar!
Polk Lsi-7s, Def Tech 8" sub, HK 3490, HK HD 990 (CDP/DAC), AKG Q701s
[sig. changed on a monthly basis as I rotate in and out of my stash] -
Download a free version of Malwarebyte's anti-malware and run a complete scan...it will detect 'any' extraneous spyware or other attempts put on your computer...provide you with a list and allow you to 'remove' anything questionable.
Your description sounds a bit 'funny'...a good virus software program constantly updated should be able to tell you if someone is trying to 'hack' you or take control of your computer...at least give you a warning.
cnh
I realized I didn't have any FTP program on my laptop in over a month or so. Due to the fact I put Windows 7 on this laptop I didn't download a new FTP program. I wonder if this issue is on their server and not my laptop?
-
Stephen, my client uses InMotion for hosting of his domain. This morning he also got this exact same email, verbatim.
This is bullsh!t. I'd bet a month's pay that InMotion servers got hacked, but they don't want us to know. So instead they cooked up a bullsh!t email pointing the finger at us, when likely it was the InMotion cpanel that was not up to date with security updates.
I googled and found your post. I signed up with the forum just to post this. -
Funny, I also couldn't find any malware or spam on my laptop, and I didn't have any FTP program on my laptop. I called them today due to a copy and paste issue with my new password; I asked them if it could be their issue, as I stated above, to which they said no.
Per their email, both the index file and the .htaccess file were messed with. Server is biz29; I wonder if your client is the same?
-
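The hoster's notice tells Steve to review the site and restore from a local copy, and his post above names the two files it reported as altered: the index file and .htaccess. The practical check behind that advice is a file-by-file hash comparison between the last known-good local copy and what the server currently holds. The script below is an added example, not code from the thread or from InMotion Hosting; both directory trees it compares are constructed inline (placeholder markup, not real injected content) so it runs offline. With a real site you would point the two functions at your local backup and at a fresh download of the document root.

```python
"""Compare a downloaded copy of a web site against a known-good local copy.

Added example (not from the thread or from InMotion Hosting). All sample
files below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample: what the last good local copy looked like ...
KNOWN_GOOD: Dict[str, str] = {
    "index.htm": "<html><body><h1>Speaker page</h1></body></html>\n",
    ".htaccess": "Options -Indexes\n",
    "images/readme.txt": "unchanged file stand-in\n",
}

# ... and what was downloaded from the server after the notice.
# index.htm and .htaccess differ, and an unexpected file has appeared.
LIVE: Dict[str, str] = {
    "index.htm": "<html><body><h1>Speaker page</h1>"
                 "<!-- CONSTRUCTED placeholder for altered markup --></body></html>\n",
    ".htaccess": "Options -Indexes\nRewriteEngine On\n# CONSTRUCTED placeholder for an unexpected rule\n",
    "images/readme.txt": "unchanged file stand-in\n",
    "tmp/unexpected.php": "<?php /* CONSTRUCTED placeholder for a dropped file */ ?>\n",
}


def write_tree(root: Path, files: Dict[str, str]) -> None:
    """Materialise a dict of relative-path -> content under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 every regular file under root, keyed by POSIX relative path.

    Dotfiles such as .htaccess are included on purpose: pathlib's rglob does
    not skip them, and .htaccess is one of the two files reported as altered.
    """
    digests: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(good: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to the good copy."""
    return {
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        "added": sorted(p for p in live if p not in good),
        "removed": sorted(p for p in good if p not in live),
    }


def run_sample() -> Dict[str, List[str]]:
    """Build both constructed trees in a temp directory and return the classification."""
    with tempfile.TemporaryDirectory() as tmp:
        good_dir, live_dir = Path(tmp) / "good", Path(tmp) / "live"
        write_tree(good_dir, KNOWN_GOOD)
        write_tree(live_dir, LIVE)
        return diff_trees(hash_tree(good_dir), hash_tree(live_dir))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths or '-'}")
```

Anything in the "added" list is worth as much attention as the modified files: a clean restore of index.htm and .htaccess does nothing about a file the uploader left behind elsewhere in the tree.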
Same here, BIZ29 74.124.198.60
I sent them a nasty email and their response was to point the finger back at the customer. They denied they played a role in the simultaneous hacking of multiple of their clients.
I don't buy it, and I'm waiting for others to pop up. -
OP, I would not worry about it too much; every day computer hackers try to hack into computers. Servers try to be hacked at least 20 times a minute. Do a virus scan and download anti malware and run that as well; that will protect you against malware which virus software can not. Make sure your firewall is turned on as well. You should be fine; just change your passwords and clear all your cookies as well. You might want to call and cancel your cc's to be safe. Other than that, should not worry too much.
HT setup
Panasonic 50" TH-50PZ80U
Denon DBP-1610
Monster HTS 1650
Carver A400X :cool:
MIT Exp 3 Speaker Wire
Kef 104/2
URC MX-780 Remote
Sonos Play 1
Living Room
63 inch Samsung PN63C800YF
Polk Surroundbar 3000
Samsung BD-C7900 -
But they could have been a little more honest about the issue in my eyes, and not sound as this issue was on our end. Now on the other hand they seem fair, and always willing to help, all in all ok as a host.
-
Welcome to the forum ozgal007. Stick around and get your listening on.>
>
>This message has been scanned by the NSA and found to be free of harmful intent.< -
Welcome to Club Polk ozgal007! Thanks for helping Steve out.
-
Stephen, my client uses InMotion for hosting of his domain. This morning he also got this exact same email, verbatim.
This is bullsh!t. I'd bet a month's pay that InMotion servers got hacked, but they don't want us to know. So instead they cooked up a bullsh!t email pointing the finger at us, when likely it was the InMotion cpanel that was not up to date with security updates.
I googled and found your post. I signed up with the forum just to post this.
I seriously doubt that, joe and ozgal007. Older FTP apps are notoriously weak password encrypters, or cleartext. They seem pretty specific about Adobe products also being involved, which is no stretch of the imagination for me.
Unfortunately nearly everyone has Adobe Flash, Reader, etc., and I'm guilty of still having an older version of WS-FTP around; once you get used to an app..... etc.
In any case, they gave you an I.P. they said was compromising your Username/PW. This 113.19.240.71 originates from Orissa, India.
Country India India
Country Code IN
Region Orissa
City Bhubaneswar
Latitude 20.2332
Longitude 85.8333
Whois Information
[Querying whois.arin.net]
[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 113.19.0.0 - 113.19.255.255
netname: ORTELCOMMUNICATIONS-IN
descr: INTERNET SERVICE PROVIDER
descr: USING CABLE MODEM
country: IN
admin-c: MM349-AP
tech-c: MM349-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-ORTEL-NET
This is the Netadmin ( I assume) responsible for that I.P. block :
person: Man Mohan Pattnaik
nic-hdl: MM349-AP
e-mail: jyoti.sahoo@ortelgroup.com
e-mail: corp.technology@ortelgroup.com
address: Plot 16, Chandrasekharpur
address: Bhubaneswar
address: Orissa
address: PIN-751016
phone: +91-674-3983207
fax-no: +91-674-2303448
country: IN
changed: manmohan.pattnaik@ortelgroup.com 20091215
I'd give him a hollar. "Hey, Man, whutup, yo?" -
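The post above pastes the raw APNIC whois record for the blocked address. The record is in the attribute-per-line (RPSL) format every regional registry uses, so it can be parsed mechanically: objects are separated by blank lines, `%` and `[...]` lines are server chatter, and repeated keys such as `descr:` and `e-mail:` carry several values. The script below is an added example, not code from the thread; the record is transcribed from the post with a blank line restored between the two objects, as the whois server prints it. It maps the blocked IP to its allocation and resolves the admin/tech handles to the operator's contacts. One caveat the thread skips over: those contacts identify the network operator of the block, not whoever used the address, so they are the place a defender sends an abuse report, nothing more.

```python
"""Parse an APNIC-style whois record and map a blocked IP to its allocation.

Added example (not from the thread). WHOIS_TEXT is transcribed from the post
above; the only change is the blank line separating the two objects.
"""
import ipaddress
import re
from typing import Dict, List, Optional

WHOIS_TEXT = """\
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      113.19.0.0 - 113.19.255.255
netname:      ORTELCOMMUNICATIONS-IN
descr:        INTERNET SERVICE PROVIDER
descr:        USING CABLE MODEM
country:      IN
admin-c:      MM349-AP
tech-c:       MM349-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-ORTEL-NET

person:       Man Mohan Pattnaik
nic-hdl:      MM349-AP
e-mail:       jyoti.sahoo@ortelgroup.com
e-mail:       corp.technology@ortelgroup.com
address:      Plot 16, Chandrasekharpur
address:      Bhubaneswar
address:      Orissa
address:      PIN-751016
phone:        +91-674-3983207
fax-no:       +91-674-2303448
country:      IN
changed:      manmohan.pattnaik@ortelgroup.com 20091215
"""

# One attribute per line: "key:" followed by whitespace and the value.
ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")

WhoisObject = Dict[str, List[str]]


def parse_whois(text: str) -> List[WhoisObject]:
    """Split RPSL-style output into objects; repeated keys keep their order."""
    objects: List[WhoisObject] = []
    current: WhoisObject = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # A blank line ends an object; '%' and '[...]' lines are server chatter, not data.
        if not line or line.startswith(("%", "[")):
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current.setdefault(m.group(1), []).append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects


def ip_in_inetnum(ip: str, inetnum: str) -> bool:
    """True if ip falls inside an 'a.b.c.d - w.x.y.z' range string."""
    low, high = (ipaddress.ip_address(part.strip()) for part in inetnum.split("-"))
    return low <= ipaddress.ip_address(ip) <= high


def locate(ip: str, objects: List[WhoisObject]) -> Optional[Dict[str, object]]:
    """Find the inetnum object covering ip and resolve its admin/tech handles to contacts."""
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    for obj in objects:
        if "inetnum" in obj and ip_in_inetnum(ip, obj["inetnum"][0]):
            handles = sorted(set(obj.get("admin-c", []) + obj.get("tech-c", [])))
            emails = sorted({e for h in handles for e in by_handle.get(h, {}).get("e-mail", [])})
            return {"inetnum": obj["inetnum"][0], "netname": obj["netname"][0],
                    "country": obj["country"][0], "contacts": handles, "emails": emails}
    return None


if __name__ == "__main__":
    objs = parse_whois(WHOIS_TEXT)
    print(locate("113.19.240.71", objs))
    # The shared hosting address from later in the thread is not in this block.
    print(locate("74.124.198.60", objs))
```

Running the same lookup against the hosting server's own address (74.124.198.60, quoted further down) returns nothing from this record, which is exactly the point of keeping the range check separate from the parsing: an address either falls inside the allocation or it does not, and the contact data should only be trusted for the one that does.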
DisneyJoe, I predicted other stories would surface
http://slashdot.org/comments.pl?sid=1487318&cid=30531454
InMotion is lying to us. Time to give them the finger and move on. -
Same here, BIZ29 74.124.198.60
I sent them a nasty email and their response was to point the finger back at the customer. They denied they played a role in the simultaneous hacking of multiple of their clients.
I don't buy it, and I'm waiting for others to pop up.
74.124.198.60 is mine also?
But I have www.dvrblackbox.com and www.4dtvblackbox.com, and both of them state the same IP?
DisneyJoe, I predicted other stories would surface
http://slashdot.org/comments.pl?sid=1487318&cid=30531454
InMotion is lying to us. Time to give them the finger and move on.
Interesting but it's cool with me, I've moved on. I wish they told me it was an issue on they side, before I looked at my end for troubles.
Merry Christmas.
-
It's a shared IP. Our domains are on the same box. That's how the hackers got into all our domains.
My objective is so that InMotion doesn't get away with this.