Notification Type
Emergency Maintenance
Service Affecting
Yes
Message
Our shared hosting server Ragnell has been compromised, and the majority of the index.php files have been replaced with a hacked version. We have disabled all copies of the compromised index files already. We are at the moment making sure the hole used is fixed before re-enabling Apache. As part of this, PHP is being upgraded to PHP5.
We are also going to see about restoring the disabled index files; however, this is going to take longer. The backup system we use is geared towards full system backups, so restoring individual files is likely to take a while. If you have an up-to-date copy of your index file, it will probably be faster if you upload it yourself. This can be done even while Apache is down.
Update 1430: The upgrade of PHP / Apache is almost complete. Once it's finished we will be able to start restoring index files from backups.
Update 1515: Apache is back up and running. We are currently restoring the index files from backup. This is going to take a long time.
UPDATE 1615: If your site's index file has been restored, or if you've restored it yourself, let us know if there are any issues.
UPDATE 16:52: As restoring individual index files is proving to be far too unwieldy, we are currently restoring the whole partition to another box. This will allow us to script the restore of any index files which are still showing as compromised.
UPDATE 1910: The restoration of the index files is progressing, but it's slow, as we are checking each index file to see if it has been compromised or simply replaced from a customer's own backup. If you have a backup / replacement index file and are having issues uploading it, you may need to chmod 644 the current index.php.

After 3 failed attempts at a full restore to a machine in our offices, we have successfully done a full restore to a machine in the data centre. This morning around 9am we restored any files which had a checksum that matched that of the defaced files that were placed there during the compromise on Saturday last.
Anyone who requires other files to be restored for any reason should contact us ASAP so we can restore them for you.
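The checksum-based pass described above (restore only the index.php files whose hash matches the defacement, leave the ones customers already replaced) is easy to script once the backup partition is mounted on the same box. The following is an added example, not the host's own script: it assumes a live document tree, a restored backup tree with the same layout, and a file of known-bad SHA-256 hashes taken from a captured copy of the defaced page. The directory names, sample sites and "defaced" content are constructed for the example.

```shell
#!/bin/sh
# Added example (not the hosting provider's own script).
# Triage and restore defaced index.php files by checksum: every index.php whose
# SHA-256 appears in a list of known defacement hashes is replaced from the same
# relative path under a restored backup tree; anything else is assumed to be the
# customer's own upload and is left alone. All paths below are hypothetical.

# SHA-256 of one file, portable across sha256sum (GNU) and shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# restore_defaced LIVE_ROOT RESTORE_ROOT HASH_FILE
# Prints one line per index.php found: RESTORED, SKIPPED (hash not in the
# known-bad list, i.e. already replaced by the customer) or MISSING (no backup copy).
restore_defaced() {
  live_root=$1; restore_root=$2; hash_file=$3
  find "$live_root" -type f -name 'index.php' | while IFS= read -r f; do
    rel=${f#"$live_root"/}
    if ! grep -qx "$(sha256_of "$f")" "$hash_file"; then
      echo "SKIPPED $rel"          # not a known defacement: do not touch
      continue
    fi
    if [ -f "$restore_root/$rel" ]; then
      cp -p "$restore_root/$rel" "$f"
      chmod 644 "$f"               # restore the mode customers need to re-upload later
      echo "RESTORED $rel"
    else
      echo "MISSING $rel"          # defaced but no backup copy: needs manual attention
    fi
  done
}

# make_sample_tree BASE
# Builds a constructed sample: two sites under live/, their backup copies under
# backup/, and a hash list derived from a captured copy of the defacement page.
# site-a still carries the defacement; site-b was already re-uploaded by its owner.
make_sample_tree() {
  base=$1
  mkdir -p "$base/live/site-a/public_html" "$base/live/site-b/public_html" \
           "$base/backup/site-a/public_html" "$base/backup/site-b/public_html"
  printf '<html><body>Defaced</body></html>\n' > "$base/live/site-a/public_html/index.php"
  printf '<?php echo "site b"; ?>\n'            > "$base/live/site-b/public_html/index.php"
  printf '<?php echo "site a"; ?>\n'            > "$base/backup/site-a/public_html/index.php"
  printf '<?php echo "site b"; ?>\n'            > "$base/backup/site-b/public_html/index.php"
  printf '<html><body>Defaced</body></html>\n' > "$base/defaced.sample"
  sha256_of "$base/defaced.sample" > "$base/bad-hashes.txt"
}

# Stand-alone run on the constructed tree; prints one status line per index.php.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
restore_defaced "$demo_root/live" "$demo_root/backup" "$demo_root/bad-hashes.txt"
rm -rf "$demo_root"
```

Two caveats. A hash match only finds byte-identical copies of the defacement; if the attacker's page embedded per-site content, grep the files for a distinctive marker string instead and review the matches by hand. And this pass only cleans the web tree: the host later states the attacker escalated to the kernel, and at that point a full restore or rebuild of the box, which is what they ended up doing, is the right call rather than trusting a file-by-file cleanup.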
Can you confirm whether or not the compromise would have affected or allowed access to other parts of accounts, such as e-mail? Thanks!
The only thing affected was Apache. They seemed to be more interested in getting some form of political statement on as many pages as possible.
The exploit they used has been tracked down, and we are patching any other servers which are vulnerable to the same.
Thanks, Niall.
Hey folks,
Fair play for the quick action on a Saturday morning.
Can you tell us what the particular exploit was? I've seen a similar vector used on a couple of other hosting companies recently.
Cheers,
Alastair.
The initial vector was an old Joomla install, nothing new there, we see it all the time. Unfortunately in this case, they managed a privilege escalation against the kernel.
Old versions of DirectAdmin block kernel updates by default, and this was one of older servers.
We've taken out the restriction that DirectAdmin puts in, and upgraded the kernel on any potentially vulnerable shared machines.
Hi all,
It seems that this hack coincided with the hacker leaving malicious code on my WordPress install.
It manifested itself as Google search results appearing to link to a different site, p3p0.com.
The problem was code placed on wp-config, not a problem with Google.
Here is the fix: http://www.google.com/support/forum/p/Webmasters/thread?tid=3b1040184497f077&hl=en
Lar
Any update on when websites will be restored?