qazwerty Posted May 15, 2007

My web host's control panel allows email forwarding. I set up an email like [email protected] and had it forward to a personal address, [email protected]. Recently we got complaints about emails not being delivered to us. We still received emails, so I asked for an example and it was sent to an address I did not recognize. I checked the control panel and sure enough all email to [email protected] was being forwarded to the personal address I set up but also sent to another address I did not add, [email protected]. I contacted the hosting company and they pulled their logs. This is what they said:

Hello,

According to our server logs, the forwarding from [email protected] to [email protected] was created on November 28, 2006. The forwarding was set via the Mail Manager of your online control panel. The person that created the mail forwarding used the following IP address: 202.91.x.xxx. Here is the log regarding this matter:

2006-11-28 22:18:46 cp myusername 202.91.x.xxx CP LOGIN
22:20:16 cp/fileman myusername 202.91.x.xxx FILE UPLOAD name /www/www/help.php size 82934
22:27:42 cp/mail myusername 202.91.x.xxx SET FORWARD account pam save address [email protected] [email protected]

Also, this person uploaded a remote shell tool, /www/www/help.php, to your account's webspace. For security reasons we have deleted the offensive tool from your account.

If you do not recognize the IP address that accessed your control panel, this means that your hosting password has been compromised and someone intruded into your webspace. In this case, you will have to change your hosting password immediately. The intruder managed to obtain your password somehow. For this reason, you should improve the security of your account. You need to upgrade any third-party applications you are using on mysite.com to the latest available versions and apply any security patches released by the respective vendors.

It is also strongly recommended that you do not use your main hosting password when an application requires MySQL access. You can create MySQL subusers and configure your applications to use these subusers. This way, if an application gets hacked, the hacker will not be able to obtain your main hosting password. For additional security, you need to scan all computers that are used for maintaining mysite.com for viruses and spyware. You will have to make sure that all computer systems are safe and there is no leak of sensitive data to other parties. If we can be of additional assistance to you, please let us know.

Best Regards,
K. V.
Abuse Team

Now I have changed all the passwords and I do not see any files I do not recognize on the server. What is my next step? What am I legally responsible for if any CC info was grabbed? I am in VA. Do I need to notify customers?
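Added here as an illustration, not part of the original thread: a small Python audit over control-panel log lines in the format the host quoted above (date carried forward onto dateless continuation lines), flagging activity from an unknown IP, a PHP upload into the webspace, and a forward target that is not on an approved list. The sample log, IPs, addresses and allow-lists are constructed placeholders.

```python
"""Audit control-panel log lines in the format quoted by the host above:
"YYYY-MM-DD HH:MM:SS module user ip ACTION details", where continuation
lines omit the date and inherit it from the previous line."""
import re

# Constructed sample modelled on the quoted excerpt; IPs and addresses are placeholders.
SAMPLE_LOG = """\
2006-11-28 22:18:46 cp myusername 202.91.0.1 CP LOGIN
22:20:16 cp/fileman myusername 202.91.0.1 FILE UPLOAD name /www/www/help.php size 82934
22:27:42 cp/mail myusername 202.91.0.1 SET FORWARD account pam save address me@example.org unknown@example.net
2007-05-14 09:01:05 cp myusername 198.51.100.7 CP LOGIN
"""

LINE_RE = re.compile(
    r"^(?:(?P<date>\d{4}-\d{2}-\d{2}) )?(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<rest>.+)$"
)

def parse(log):
    """Yield (when, ip, rest) per line, carrying the date forward onto dateless lines."""
    date = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a log record
        date = m["date"] or date
        yield f"{date} {m['time']}", m["ip"], m["rest"]

def audit(log, trusted_ips, approved_forwards):
    """Return (when, ip, reason) findings: any activity from an IP outside
    trusted_ips, a .php upload under /www/, or a forward target not approved."""
    findings = []
    for when, ip, rest in parse(log):
        if ip not in trusted_ips:
            findings.append((when, ip, f"activity from untrusted IP: {rest}"))
        if rest.startswith("FILE UPLOAD") and " /www/" in rest and ".php" in rest:
            findings.append((when, ip, "PHP file uploaded into the webspace"))
        if rest.startswith("SET FORWARD"):
            # everything after "address" is the list of forward destinations
            for target in rest.split(" address ", 1)[1].split():
                if target not in approved_forwards:
                    findings.append((when, ip, f"unapproved forward target {target}"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"198.51.100.7"}, {"me@example.org"}):
        print(*f)
```

With the constructed sample, the three entries from the unknown IP produce five findings and the later login from the trusted IP produces none.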
qazwerty Posted May 15, 2007 (Author)

Here is an update from my host:

Hello,

We examined the logs for your account. The only activities that took place after the mail forwarding in question was set are dated 2007-05-14. All records contain your IP address only. According to our logs, the IP address that was used to set up the mail forwarding back on 2006-11-28 has not been accessing your Control Panel ever since. From what we could dig up from our server logs, we were unable to find any evidence that your database was compromised.

Best Regards,
P. D.
Abuse Coordinator
MyHost.com
dynamoeffects Posted May 15, 2007

If they had access to your account, they could've dumped your entire database to a file and walked away with it, and there would be nothing in the server logs. You need to contact your customers immediately because someone out there could have all of their personal information that they can use for identity theft. If you stored full credit card information in your store and your store was not PCI compliant at the time, you're liable to Visa/MC for a substantial amount of money if they trace the CC# thefts back to you. The responsible thing to do would be to contact your customers immediately and inform them to keep an eye out for anything suspicious.

Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.