# 24khost hacked?



## peterw (Jul 2, 2013)

If you look at this file: http://24khost.com/images/log/killer.php

It doesn't look good.


```
--==[[ Configuration File Killer By Team IndiShell ]]==--
	
#############################################################################################################################################################
-==[[Greetz to]]==--
Guru ji zero ,code breaker ica, Aasim shaikh, Raman kumar rana,INX_r0ot,Darkwolf indishell, Chinmay Pandya ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,Local root indishell,Irfninja indishell
cool toad,cool shavik, Ebin V Thomas,Dinelson Amine ,Mr. Trojan,rad paul,Godzila,mike waals,Neo hacker ICA, Golden boy INDIA,Ketan Singh,Yash,Reborn India,Alicks,Aneesh Dogra,silent hacker,lovetherisk
Suriya Prakash,cyber gladiator,Ashell india,Cyber Ace,hero,Minhal Mehdi ,Raj bhai ji,cold fire hacker,Prashant Tanwar, VikAs ViKi ,Rakesh, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Bhuppi and rest of TEAM INDISHELL
--==[[Dedicated to]]==--
# SH.Kishan Singh Tanwar and my Ex Teacher Mrs. Ritu Tomer Rathi #
--==[[Interface Desgined By]]==--
Deepika Kaushik
#############################################################################################################################################################
```


----------



## rds100 (Jul 2, 2013)

Again?


----------



## SeriesN (Jul 2, 2013)

Not again!


----------



## maounique (Jul 2, 2013)

That looks like a regular defacement, not really a hack.

Getting to the web page is a thing, downloading solus db is another.

Our forum has been attacked successfully twice, the attackers managed to upload some scripts in avatars and images section, that does not mean even the site had a problem, not to mention whmcs or solus or hb.

But, as I say everywhere, nothing is safe. Doing online business poses a serious risk from which you can only run for a while and do your best for damage control and disaster recovery when it caught up with you.
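An added example, not part of the original thread or any poster's code: a small defender-side check for the situation described above, where scripts end up in image and avatar directories (as with `images/log/killer.php` in the first post). The directory names, extension lists and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed lists; adjust to the handlers your web server actually maps.
SCRIPT_EXTS = {"php", "phtml", "php5", "phar"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
STATIC_DIRS = {"images", "avatars", "uploads"}  # hypothetical directory names


def scan_static_dirs(webroot):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        if not set(rel_dir.lower().split(os.sep)) & STATIC_DIRS:
            continue  # only look inside directories meant for static content
        for name in files:
            rel = os.path.join(rel_dir, name).replace(os.sep, "/")
            exts = name.lower().split(".")[1:]
            if any(e in SCRIPT_EXTS for e in exts):
                # Also catches double extensions such as name.php.jpg
                findings.append((rel, "script extension in static directory"))
                continue
            if exts and exts[-1] in IMAGE_EXTS:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(65536)
                if b"<?php" in head.lower():
                    findings.append((rel, "PHP open tag inside image file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample web root with harmless placeholder contents."""
    samples = {
        "index.php": b"<?php echo 'home'; ?>",
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "images/log/killer.php": b"<?php /* placeholder */ ?>",
        "avatars/user1.gif": b"GIF89a" + b"<?php /* placeholder */ ?>",
        "uploads/report.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_static_dirs(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A hit only shows that a file is where it should not be; what it did while it was there has to come from the web server and application logs.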


----------



## serverian (Jul 2, 2013)

```
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>24KHOST THE GOLD STANDARD IN HOSTING</title>
<style>
body{
background-image:url('background.jpg');
text-align:center;
}
</style>
</head>
<body>
<br />
<br />
<br />
<br />
<br />
<br />
<br /><br /><br />
<br />

<img src="images/logo.png">
</body>
</html>
```


Holy moses!


----------



## SeriesN (Jul 2, 2013)

serverian said:


> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
> <title>24KHOST THE GOLD STANDARD IN HOSTING</title>
> <style>
> body{
> ...


BRO! Do you even css?


----------



## vanarp (Jul 2, 2013)

I feel sad for such things done by Indian skids. Not sure what they really gain out of it.

Recently two of my _dot in_ sites running WP on cPanel hosting were defaced/hacked too. Now I have moved them to a VPS where I feel comfortable with security measures taken by me.

I think everyone using WP should read this http://codex.wordpress.org/Hardening_WordPress


----------



## sv01 (Jul 2, 2013)

still there


----------



## JDiggity (Jul 2, 2013)

Well our website was not defaced.  I did that a while back.

Second there was no data lost, thanks to mod_security.


----------



## Otakumatic (Jul 2, 2013)

24khost said:


> Well our website was not defaced.  I did that a while back.
> 
> Second there was no data lost, thanks to mod_security.


Clever.


----------



## MCH-Phil (Jul 2, 2013)

24khost said:


> Well our website was not defaced.  I did that a while back.
> 
> Second there was no data lost, thanks to mod_security.


Would you elaborate more on this?  More specifically how mod_security saved you from data theft...  And how that applies to the script that was uploaded aka killer.php.


----------



## Kruno (Jul 2, 2013)

If they were able to upload a PHP script there is nothing mod_security could possibly do for you. Data is in their hands most likely.


----------



## wlanboy (Jul 2, 2013)

I don't know what's worse. That he got defaced or how he handles it.

Bet on the latter.


----------



## Slownode (Jul 23, 2013)

I'm a customer of 24k... I wonder who has my details now, would like some clarity on what happened... I wonder who used their CC.

I assume jon is working on an in-house solution like he's doing with the vps control panel... but if you don't really know what you're doing that's still at risk.


----------



## SeriesN (Jul 23, 2013)

Slownode said:


> I'm a customer of 24k... I wonder who has my details now, would like some clarity on what happened... I wonder who used their CC. I assume jon is working on an in-house solution like he's doing with the vps control panel... but if you don't really know what you're doing that's still at risk.


VPS control panel is actually a proprietary control panel of RockMyWeb(cloud3k) and not "his" inhouse panel. As for his site, I have one thing to say "WOW". It has been down for long, too long.


----------



## wdq (Jul 23, 2013)

SeriesN said:


> VPS control panel is actually a proprietary control panel of RockMyWeb(cloud3k) and not "his" inhouse panel. As for his site, I have one thing to say "WOW". It has been down for long, too long.


I used to be a 24kHost customer (I had a storage VPS). Overall things were pretty good, although I couldn't stand that control panel. It was nearly impossible to navigate, and most of it just plain didn't make sense. I guess a control panel for me is something that I don't use very often so I was still able to get by with the panel. 

On the other hand the website is starting to get ridiculous. He should have at least something up. Even if it's just something that says "We've been hacked and we're working to fix things."


----------



## MCH-Phil (Jul 23, 2013)

wdq said:


> On the other hand the website is starting to get ridiculous. He should have at least something up. Even if it's just something that says "We've been hacked and we're working to fix things."


Is he working on fixing it or sweeping it under the rug...

I think that is the big problem.  It appears his customers don't even know what's going on?


----------



## wdq (Jul 23, 2013)

MCH-Phil said:


> Is he working on fixing it or sweeping it under the rug?


 

I have no idea, from the looks of it he must be either really busy with something else, or just completely forgot about it. 

You'd think that he'd already have something up there considering he is probably losing a lot of potential business by not having a website. Maybe has a day job and does this on the side so he doesn't consider it critical.


----------



## MCH-Phil (Jul 23, 2013)

Either way no way to run a business


----------



## Slownode (Jul 23, 2013)

Last host I used was fedorait.net and he bailed, didn't like the work of a startup... a shame, I was going to work with him, he came back later inviting me to do the same thing, but I don't trust he'd stick to it now.


-


It's such a pain, I have the skills to be my own host, write all of the panel and site software, not a skiddy using PHP, I use C for work, run VMs, moving to Go for web things, do it securely, but do I make the time and miss out on making money for a pipe dream... although, it appears my security is at risk trusting hosts who think using complicated closed third-party software is a good idea.


----------



## MartinD (Jul 24, 2013)

Slownode said:


> although, it appears my security is at risk trusting hosts who think using complicated closed third-party software is a good idea.


That'll be 99.9% of all hosts out there then, right?


----------



## Jeffrey (Jul 24, 2013)

Slownode said:


> although, it appears my security is at risk trusting hosts who think using complicated closed third-party software is a good idea


This is very true.  All of the major attacks have been targeted towards third party software.  Personally, I would rather just code up something myself and stay out of WHMCS, but it doesn't look like that will be happening anytime soon.


----------



## peterw (Jul 24, 2013)

Jeffrey said:


> I would rather just code up something myself and stay out of WHMCS


If you are able to take care about security. A lot of devs do not know newer attack vectors and so don't know how to harden your scripts.


----------



## Slownode (Jul 24, 2013)




Jeffrey said:


> This is very true.  All of the major attacks have been targeted towards third party software.  Personally, I would rather just code up something myself and stay out of WHMCS, but it doesn't look like that will be happening anytime soon.


As someone who has made internal cms/vmcp from scratch for companies... it's really not that difficult, I find programming video games far more challenging. My background is microcontrollers for various things, remote automation, no scripty stuff, schools teaching scripting script instead of C, and people wonder why the world is full of bad programmers.


Billing is harder than the actual CMS/VPS-CP because you have to work with mostly ugly APIs... and often insecure APIs because people don't use them properly. *coughcreditcardnumbersinrawjsonoverhttp*



peterw said:


> If you are able to take care about security. A lot of devs do not know newer attack vectors and so don't know how to harden your scripts.


Why even use script stuff if it's so hard to secure? It's a mess... when I make a hard-coded web server my only vulnerability are the static/shared libs I use, I have very tight controls on my own code with a user/permissions system. You just have to assume all input is hostile.


----------



## Lee (Jul 24, 2013)

So, 24khost.  Deadpool?


----------



## wdq (Jul 24, 2013)

W1H-Lee said:


> So, 24khost.  Deadpool?


Not quite yet.


----------



## HalfEatenPie (Jul 24, 2013)

Isn't this the same guy who argued SSLs aren't necessary on LET?


----------



## wdq (Jul 24, 2013)

HalfEatenPie said:


> Isn't this the same guy who argued SSLs aren't necessary on LET?


Yeah, I'm pretty sure he is.


----------



## Lee (Jul 24, 2013)

wdq said:


> Not quite yet.


Oh well, maybe next time...


----------



## MannDude (Jul 24, 2013)

Maybe a new RLT brand coming soon?


----------



## Slownode (Jul 24, 2013)

MannDude said:


> Maybe a new RLT brand coming soon?


Better not, I have 2 VPS and was about to order more before he got hacked.

At some point I feel I should start seriously fishing for a host to work with.


I can develop software; VPS-Panel/CMS/Forum/Ticket(skipping email and webhosting, will have API for that, not my areas, my real area is micros), host provides some resources to test software, they can use for whatever. An open source project, lots of eyes peering on easy to read code, very modular, easy to audit.


----------



## JDiggity (Jul 25, 2013)

We are not dead,  we are not gone. 

I have been working 2 jobs

Fulltime job - 11 hours a day ( non-webhost related)

Paper route - 4-5 hours a day (weekends)

plus doing 24khost 

Some financial issues have come up.  This is also the reason for the failed expansion as I ran out of personal fund and have had to re-evaluate things.  24khost pays for itself.  No worries about dead pooling.  Growth has been put on hold though.

Website is a work in progress right now.  Just haven't had time to finish it up.  Will be doing it soon.


----------



## MartinD (Jul 25, 2013)

Have you just publicly stated that 24k is essentially your hobby then?


----------



## JDiggity (Jul 25, 2013)

No but I also have to pay my bills.  And right now it is just not paying my bills.  I have funded 24khost from my pocket personally for over 3 years.  I have put every dime back in it.

I put out thousands on new servers and never launched.


----------



## MannDude (Jul 25, 2013)

Best of luck man, been there done that. It's not fun.


----------



## wlanboy (Jul 25, 2013)

Yup, good luck.

A lot of people don't know nothing whatsoever about self-dependence.

Not that easy to bear the whole economic risk and being your own boss.


----------



## JDiggity (Jul 25, 2013)

Thanks @wlanboy, @MannDude, it is a tough road.  Hopefully soon will be all back on track.  Website will be back and no longer wordpress.


----------



## Slownode (Jul 25, 2013)

Well it's good to hear everything is paying for itself, this means there's no risk in you, financial stability is kinda a big thing.

I suggest putting up a simple site and just selling the old fashioned way in the meantime.


----------



## JDiggity (Jul 25, 2013)

Working on it.  just been busy.


----------



## Shados (Jul 25, 2013)

Slownode said:


> As someone who has made internal cms/vmcp from scratch for companies... it's really not that difficult, I find programming video games far more challenging. My background is microcontrollers for various things, remote automation, no scripty stuff, schools teaching scripting script instead of C, and people wonder why the world is full of bad programmers.


Yeah, but to be fair games programming can be fairly hard - there are a lot of potentially non-trivial problems, and you need to solve them all with very hardline timing guarantees otherwise you blow your framerate targets.


----------



## Slownode (Jul 25, 2013)

Shados said:


> Yeah, but to be fair games programming can be fairly hard - there are a lot of potentially non-trivial problems, and you need to solve them all with very hardline timing guarantees otherwise you blow your framerate targets.


----------



## BlackoutIsHere (Jul 25, 2013)

Slownode said:


> You just have to assume all input is hostile.


----------



## yolo (Jul 25, 2013)

@24kHost how old are you?


----------



## Slownode (Jul 25, 2013)

BlackoutIsHere said:


> This is how I like to think and it is how every dev should look at inputs.


----------



## Shados (Jul 26, 2013)

Slownode said:


> Problem is... script is slow at anally controlling data, whereas a compiled language does it with ease.
> 
> 
> Script is great for internal automation, essential even, but externally - nope nope nope.


Honestly, Python/Ruby/etc. are 'fast enough' for most web-level purposes, and at least with Python you've got options if you need to scale up and can't afford more hardware - Stackless, PyPy, Cython, etc. They're also extremely good for rapid prototyping of new ideas, and you generally have the option of rewriting performance-critical code regions as C/++ modules later.


----------



## MCH-Phil (Jul 26, 2013)

24k your server was compromised.  I'm sure your customers would love to know what steps you have taken to protect them.  You are just deflecting the real issue at hand.  Your server is compromised and if you just deleted that file, like you stated, your still compromised.  Bottom line.

If you don't know what your doing, it may be time to hire someone to assist you in securing your servers.  Or cancel and refund all customers still with you because your doing them a horrible dis-service.


----------



## MartinD (Jul 26, 2013)

FYI, it is you're, not your. K. Thx.


----------



## SeriesN (Jul 26, 2013)

Eh? I don't see his servers being compromised mentioned anywhere.


Correct me if I am wrong though.



MCH-Phil said:


> 24k your server was compromised. I'm sure your customers would love to know what steps you have taken to protect them. You are just deflecting the real issue at hand. Your server is compromised and if you just deleted that file, like you stated, your still compromised. Bottom line.
> 
> 
> If you don't know what your doing, it may be time to hire someone to assist you in securing your servers. Or cancel and refund all customers still with you because your doing them a horrible dis-service.


----------



## RiotSecurity (Jul 26, 2013)

MCH-Phil said:


> what your doing,


 
what you're doing *


----------



## SeriesN (Jul 26, 2013)

RiotSecurity said:


> what you're doing *


Fus ruh dah!


Now stop picking on people for spelling and grammatical mistakes. This is an international community forum.


----------



## MCH-Phil (Jul 26, 2013)

LOL a bunch of grammar Nazi's.  Go outside and take a break your obviously way too stressed behind your computer if your worried about fucking grammar on a forum with kid hosts.  

How is his server *not* compromised LOL if you can't see it is, you need to just shutdown your hosting company.  This is too funny.

Everyone who doesn't think his service is compromised, please go back to PAGE 1 of this thread and re-read that.  ALL of it.  Tell me again, his server isn't compromised.

Any more grammar mistakes please forward to /dev/null.  I don't really give a fuck.


----------



## Lee (Jul 26, 2013)

I am non technical Phil, can you explain for me how you know this is the case?

Thanks


----------



## MCH-Phil (Jul 26, 2013)

Then I would suggest you contact your IT dept. and ask them what it means when someone has successfully uploaded hack scripts to your server.  Then ask him to check into the one on 24k's server and find out what it does.  It's meant for exploiting specific items in the setup most of us run.  

Now a couple things could very well come from this.  Maybe it was only a rogue upload script that was vulnerable and they just got a file uploaded that did nothing.  Or maybe it did exactly what it was designed to do and he is compromised.  His data at the very least has been copied.  But no one knows because 24k isn't saying anything at all about it.


----------



## Lee (Jul 26, 2013)

I would prefer not to contact my IT dept, don't get me wrong they are good enough for my customers, but yeah, Indians, well you know...


----------



## SeriesN (Jul 26, 2013)

MCH-Phil said:


> LOL a bunch of grammar Nazi's.  Go outside and take a break your obviously way too stressed behind your computer if your worried about fucking grammar on a forum with kid hosts.
> 
> How is his server *not* compromised LOL if you can't see it is, you need to just shutdown your hosting company.  This is too funny.
> 
> ...



Eh? I don't see 24k's servers getting hacked. Just their main site getting compromised. Get off your horsie.


----------



## JDiggity (Jul 26, 2013)

The script that they uploaded was able to get usernames and nothing else.  It tried to use things that had been protected against.  We went through and updated all configurations on the server and made sure everything was good to go.  No data was compromised, no accounts other than our main website was impacted.

Again I am not deflecting anything.  There was an issue it  happened, we handled it.  It's over.  I am working 2 jobs, running a company, and just haven't had time to be here.  Sorry If that looks like deflection.  We are doing what we have to do to reorganize the company to keep it strong.  Need to make sure the company stays funding itself.


----------



## mikho (Jul 26, 2013)

W1H-Lee said:


> I would prefer not to contact my IT dept, don't get me wrong they are good enough for my customers, but yeah, Indians, well you know...


Are those the same people who call me and claim they are from Microsoft and say my computer has a virus?


----------



## MCH-Phil (Jul 26, 2013)

24khost said:


> The script that they uploaded was able to get usernames and nothing else.  It tried to use things that had been protected against.  We went through and updated all configurations on the server and made sure everything was good to go.  No data was compromised, no accounts other than our main website was impacted.


This will go a long ways to helping your customers feel confident with your services.  Thank you for the clarification.


----------



## Lee (Jul 26, 2013)

mikho said:


> Are those the same people who call me and claim they are from Microsoft and say my computer has a virus?


That's them, I hope you bought the software from them that cleans your PC (of all your personal data)


----------



## mikho (Jul 27, 2013)

W1H-Lee said:


> That's them, I hope you bought the software from them that cleans your PC (of all your personal data)


They actually had to bring their senior tech since I told them I couldn't load the page they were referring to. When I (by accident) mentioned that I do work with computers for a living, they hung up on me.

I really wanted that software.


----------

