My sites on powweb getting hacked one after another?


gorbehnare
11-29-08, 07:01 PM
I'm a very patient guy, but I'm starting to get really upset now.

Several of my clients have several accounts on Powweb, and I have mine here too. It seems like there have been too many attacks going on some domains that I have registered. Two of the sites on Powweb got hacked (one for sure and another one I'm not 100% sure about yet, since Powweb support does not give me any explanation or information about what has been happening).

I know on the Linux servers that I have installed myself I can look at the access logs and determine who has been trying to access the server over different protocols such as SFTP or SSH, especially if they have attempted with the wrong user-name or password. And I have managed to fend off many attacks, even some brute-force attacks that have happened a couple of times last week. I have no way of defending myself on Powweb, and I was hoping that I'm protected; obviously something is wrong here.

The latest incident is this now:

{quote removed containing details of the file that was being exploited and that CGI access was suspended}

Firstly, what is the meaning of this? And how come Powweb Support does not give me any explanation or information about this except repeating what I can already read in the email? If hypothetically I am spamming someone, shouldn't I know about it?
What am I supposed to do to have these issues fixed? I don't even know how these hackers could get in for me to be able to even start looking to fix anything.

tpoynton
11-29-08, 08:49 PM
I can see why this would be frustrating... seems like someone was using your script to send spam email, and you wouldn't know about it unless you get copies of the emails sent out by the script. They are asking you to delete that file and then contact them again to have CGI re-enabled.

Anyway, you can download raw log files at http://ops.powweb.com/webControl/LogFiles.bml . I never do it so I can't speak to their equivalence with files you might get from your own box.

Croc Hunter
11-29-08, 09:03 PM
Quoting support is not allowed here and your quote will soon be removed.

What is your domain name? If you use apps like Wordpress or phpBB you have to keep them up to date. It's pretty simple, you need to fix your script or find an alternative more secure script. You won't know you're spamming because they are executing the file successfully; it won't show in the CGI error logs but you may see it in your HTTP access logs. You are responsible for your scripts, you must do as support has instructed you.

It shouldn't be so hard to figure out for someone who has experience installing and securing Linux servers.

gorbehnare
12-1-08, 01:17 AM
Quoting support is not allowed here and your quote will soon be removed.

What is your domain name? If you use apps like Wordpress or phpBB you have to keep them up to date. It's pretty simple, you need to fix your script or find an alternative more secure script. You won't know you're spamming because they are executing the file successfully; it won't show in the CGI error logs but you may see it in your HTTP access logs. You are responsible for your scripts, you must do as support has instructed you.

It shouldn't be so hard to figure out for someone who has experience installing and securing Linux servers.

That is just a Joomla! site and it is the most recent version. Even though I don't rule out the possibility that there may be security issues with Joomla! or any other applications out there, in this case it turns out that the file they have mentioned is not even part of Joomla!.
I deleted that file from the server just a few minutes after. I know that the spam email was coming from a Hotmail email account. It looks like every amoeba on the surface of the planet can register a Hotmail or Yahoo account these days. :D And I get burned for it. All Hotmail does is try to suspend the account, and I have no proof either. Not even a single copy of the outgoing spam email (that's probably a good thing, right?) :D

At this point all I need to find out is how a new PHP file even got there in the first place. It does not look very likely that someone could upload anything into that particular folder using Joomla! itself, or at least the standard administrative functions Joomla! has. It is more likely that they have had SSH or FTP access. Again, I'm really confused about this and there is nothing noteworthy in the logs. There are no SSHD access logs or FTP access logs that I can refer to, and I guess it is pointless to ask.

What can I do to find out how they got to create that PHP file on the server? Or is there a way at this point?

gorbehnare
12-1-08, 01:25 AM
OK, so I found the logs from the activity of that particular file and I have an IP this time also. That does me no good. That IP is from "Rambla Republica de Mexico 6125".

I still don't know how they managed to put that file there though. Any ideas?
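One way to work through a downloaded raw access log like the one mentioned above, as an added example that is not from the thread or from Powweb: parse Apache combined-format lines, find every hit on the rogue script, and then list what those same client addresses requested before the first such hit, since the request that planted the file usually comes from the same source shortly before. The log lines, the script path `/images/stories/x.php` and the IP addresses are constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" LogFormat: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def triage(lines, rogue_path):
    """Return (hits, precursors).

    hits: every request whose path (query string stripped) is the rogue file.
    precursors: earlier requests from the same client IPs, i.e. the candidates
    for the request that created the file (an upload, an admin login, ...).
    """
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    hits = [e for e in entries if e["path"].split("?")[0] == rogue_path]
    if not hits:
        return [], []
    first_hit = hits[0]["ts"]
    suspects = {e["ip"] for e in hits}
    precursors = [e for e in entries
                  if e["ip"] in suspects and e["ts"] < first_hit
                  and e["path"].split("?")[0] != rogue_path]
    return hits, precursors

# Constructed sample log: one normal visitor and one client that first POSTs to the
# administrator area and then starts calling a script that is not part of the site.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Nov/2008:22:14:03 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2008:22:40:11 +0000] "POST /administrator/index.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Nov/2008:22:40:15 +0000] "GET /images/stories/x.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Nov/2008:22:41:02 +0000] "POST /images/stories/x.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.10 - - [29/Nov/2008:01:02:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, precursors = triage(SAMPLE_LOG.splitlines(), "/images/stories/x.php")
    for e in precursors:
        print("precursor:", e["ip"], e["ts"].isoformat(), e["method"], e["path"], e["status"])
    for e in hits:
        print("hit:      ", e["ip"], e["ts"].isoformat(), e["method"], e["path"], e["status"])
```

On a real download, read the file with `open(path)` and pass its lines to `triage`; the precursor list is where to look for the back-end or upload request the thread could not find by eye.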

Croc Hunter
12-1-08, 01:39 AM
Is Joomla the only thing you have on your webspace? What is your domain name?

gorbehnare
12-1-08, 01:46 AM
In that particular sub-domain it's only Joomla!.

vip.gameoffuture.com.

I have several other applications installed in other sub-domains. However, my understanding is that they have different databases, and different sub-domains point to different folders that are outside of my primary htdocs folder anyway (i.e. each is located in a separate folder under the root of my home folder, and inside each folder is a different htdocs that the sub-domain points to). So I suppose no one should be able to get to the main home folder (root) over HTTP through any of the sub-domains and apps. I hope that's how it works though.

Oh, by the way, it's Joomla! 1.5.8.

Croc Hunter
12-1-08, 02:10 AM
No, it is possible to gain access to your entire webspace: any folder/file you see, they can see, by using a simple script on a weak point. You were actually fortunate only to be used as a spam relay. They could have done a recursive delete erasing all your files/folders. Subdomains are no immunity. Did you really set up Linux servers? Sorry, but I'm having a very hard time believing that. Patch your apps and that hole before they come back (and they will) or Powweb will have to shut you down for good.

Update every application! Galleries, forums, blogs, CMS, formail, everything! Make sure no files/folders are chmod to 444, 555, 666 OR 777. Also run a full antivirus and adware scan on your machine. Once you've done these, change all users/passwords.
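An added check for the permissions part of that advice, written here and not taken from the thread: it walks a copy of the webspace (for example one pulled down over FTP), reports anything world-writable (the 666 and 777 cases above), and goes slightly beyond the post by also listing script files modified in the last few days, which is how a rogue PHP file like the one in this thread shows up. `make_sample_tree` builds a constructed fixture directory so the code runs offline.

```python
import os
import stat
import tempfile
import time

SCRIPT_EXT = (".php", ".cgi", ".pl")

def audit(root, newer_than_days=7, now=None):
    """Return (relative_path, reason) pairs for permission and freshness findings."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                       # vanished or unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue                       # judge the target, not the link
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%o)" % mode))
            if (stat.S_ISREG(st.st_mode) and name.lower().endswith(SCRIPT_EXT)
                    and st.st_mtime > cutoff):
                findings.append((rel, "script modified in last %d days" % newer_than_days))
    return findings

def make_sample_tree():
    """Constructed fixture: an old index.php, a 777 upload folder, and a fresh script in it."""
    root = tempfile.mkdtemp(prefix="webspace_")
    stories = os.path.join(root, "images", "stories")
    os.makedirs(stories)
    os.chmod(stories, 0o777)                   # the kind of folder the advice warns about
    index = os.path.join(root, "index.php")
    open(index, "w").close()
    os.chmod(index, 0o644)
    old = time.time() - 90 * 86400
    os.utime(index, (old, old))                # legitimately old site file
    fresh = os.path.join(stories, "x.php")
    open(fresh, "w").close()
    os.chmod(fresh, 0o644)                     # correct mode, but brand new where no script belongs
    return root

if __name__ == "__main__":
    for path, reason in audit(make_sample_tree()):
        print("%-40s %s" % (path, reason))
```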

gorbehnare
12-4-08, 05:37 PM
I have checked Joomla! and all the plug-ins and mods seem to be the latest version, unless there is an un-patched hole in Joomla! itself. All the permissions seem to be OK as far as I can see.
I have already changed all the passwords. I use Linux at home on all the computers that I use for developing and editing the site. This site is just a little hobby of mine. There is nothing important in this particular location on my account.

I am using another sub-domain that some of my business partners have FTP access to, but they can only see a specific folder under that other sub-domain, and that's not where that script file popped up. I'm just trying to narrow down the possibilities.

As for setting up servers, are you going to give me control over the Linux servers that Powweb are running so I could check their firewalls and verify their settings for you? How about just giving me SSH access (just read access should be enough) to the root and I will pull out the logs I'm looking for, and you can take the access back after. Get real, my friend. It is not my responsibility if the hackers get around Powweb's own applications or servers.

I can only: 1. control the scripts I put in my folders here, 2. set permissions for them, and 3. have strong passwords for the Powweb user accounts I get. I have no control over anything else whatsoever, and I think that's a good thing, since I hope some professionals are handling the rest.

Don't get me wrong, I'm not holding Powweb responsible for the things that have been happening; however, I was expecting a little bit more cooperation to help identify and solve the problem than just "shut you down for good". I know nobody can be perfect, but I have been doing my hosting with Powweb for years. There are plenty of other places that I can go to. I chose Powweb all these years voluntarily. I have been really happy with Powweb's service and I tolerate some of their shortcomings too. But if the level of service is not at the level that I expect, or if the quality of the service is going to be dropping, I'll be spending my time and money somewhere else.

By the way, I have managed to figure out and fix the issues with the other account at www.mhpcomputers.com. That's my client's account and there was a security issue with Joomla! that I fixed after. I'm looking for the same type of solution here as well. At this point I know it was not the same vulnerability as mhpcomputers.com, since I have the latest patches applied on vip.gameoffuture.com already and tested them too.

Bottom line: the CGI logs and the HTTP access logs are worthless. I cannot see any traces of anyone accessing the Joomla! back-end on this sub-domain from outside with these. If you have a better suggestion that can help us figure out what we can do to prevent the problem or find the root cause of the issue, bring it. If that is not possible and it can't be helped, just say it, I don't mind.

productor
1-10-09, 11:26 PM
I was recently hacked also. This is the info I was able to come up with after investigating the logs:

IPs: 195.37.209.0 - 195.37.209.63
A link farm site for the "Co" owning the addresses: RGBGNET
Based in Germany according to Whois

Exploited a Joomla mod and tried many other venues, including getting into one of the payment modules in VirtueMart.