Kernel Compromised on secure.ukhostsupport.com

[Administrator]

Kernel was compromised on the server as someone managed to mass replace index pages of all websites hosted on this server.

We have initiated restore process for all index pages but the rsync processes are taking some time to execute.

We have last backup of 16th July and all the index pages will be reverted to this dates backup.

Nothing else has got compromised on the server and FTP, Email service and everything else is working fine on the server. We have latest version of kernel on the server with grsecurity.

for further questions you can contact our livechat support or open a ticket from http://webhosting.uk.com/support.php

[media-slave.co.uk]

Getting this error trying to connect to Neomail
Couldn't open /var/cpanel/neomail/neomail.log!

[Administrator]

This will get sorted in next 30 minutes once the rsync restore processes complete.

[mudders]

Quote:

Originally Posted by Administrator

This will get sorted in next 30 minutes once the rsync restore processes complete.

Any idea how much longer this will take?
My one site is back but the other (with dedicated IP) is still down.

Thanks.

[Robin]

Quote:

Originally Posted by Administrator

This will get sorted in next 30 minutes once the rsync restore processes complete.

I understand that you are still trying to restore the servers.

What is being done to stop the security breach happening again?

Robin

[scream]

replacing the index page in some cases wont fix this problem. I think i was one of the first to report this problem, but also realised that the attacks payload was index related, obvious by the size of the index file 25kb. I replaced the index file that i already had on backup, however this still didn't resolve the issue as my index page was dynamic (it's a forum index page). the only sulotion left to me is to replace the whole folder. Which unfortunately i don't have. So i'm asking the kind people here if they could replace the whole folder to restore use again.

[pink_fish]

Has anyone else had a partial restore? My site is a blog powered by WordPress and I've got the site back - but the hacked message is still at the top of every page and it's caused some weird errors when you try to post a comment or something.

Also, my email folders in Squirrel Mail have vanished. Will they (or at least the emails in them!) be restored at any point?

[BillyBobBongo]

Yeah...my forum is back....but contains hacked messages....my main site is still down! I'd imagine it's going to be a waiting game for all of us to have our backups restored!

[Administrator]

Kernel was upgraded on the server early in the morning at around 4 AM and the new kernel is grsecurity kernel so similar problem wont occur again in future. We have RAID configured on the server and 2 different backups maintained on remote servers to prevent any kind of data loss but some customers have lost the changes they made in last 4 days.

Blogs, forums, galleries, mambo sites should have no problem after restoring backup of index pages as databases are intact and dynamic data is fethced from databases so nothing is lost for this applications.

If you need full restore of a folder or if you find your emails missinf then you should open a ticket with our support department and we will complete the restore for you.

Replies to threads in forum may get delayed but tickets are resolved in less than 1 hour and we are trying our best to have all websites work without any errors to avoid any problems for online business of our customers.

[Pumazooma]

Thank you. Much appreciated.

[Administrator]

I have found couple of blogs that were injected. I am getting backup of blog templates restored but some might get ignored so please open a ticket and we will get back to you as soon as the problem is solved.

Regards,
Mark.

[Robin]

Quote:

Originally Posted by Administrator

If you need full restore of a folder or if you find your emails missinf then you should open a ticket with our support department and we will complete the restore for you.

Replies to threads in forum may get delayed but tickets are resolved in less than 1 hour and we are trying our best to have all websites work without any errors to avoid any problems for online business of our customers.

I have logged into cPanel but can no longer find the link to open a ticket, anyone got any ideas?

Robin

[skip]

secure.webhosting.uk.com

Log in there to open a ticket

Skip

[Administrator]

Those who find templates of blogs or forums being infected can upgrade version of that particular application from fantastico.

Upgrade will overwrite the templates but those who have customised templates may loose changes in case of upgrade.

[media-slave.co.uk]

I have checked other forums on info about these attacks. Here is an interresting quote from a senior member and i would like to note this to the Admin team here:

Quote:

The strong message coming from the community in general is that these hackers do leave their little access keys buried in our server software and this enables them access at will so we can replace our site on the front end until the cows come home but the hacker will just keep on taking it down and if he/she is feeling really pedantic, as fast as you put it back up!

Just restoring your site is not a cure as you are treating the "symptoms" not the underlying "illness".