TimGC
Guest
Hey,
I have a Plesk (9.5.4) VPS at a major hosting company. A couple of weeks ago I noticed that email was running slowly so I logged in and checked the server. Someone had created multiple email addresses under different domain names and was relaying spam through those accounts. I deleted the accounts/queued messages and called my hosting company. They recommended that I change all of my passwords and reboot the server. I changed all my passwords on that server as well as for my main email accounts. I also restricted domain admin access.
A week later the same thing happened. My hosting company said that the plesk logs show that the email accounts were created through the admin panel website so the "hacker" must have gotten the password from my "pc". They said that I probably have malware on my "pc".
That all sounds reasonable except for the fact that I don't think that it's likely that someone got into my local computer. I'm on a new Mac, double firewalled running the latest software. I'm the only one with access to it and it's password protected. There are only a few applications on it and I doubt Adobe has malware in it. I don't download free internet apps and I'm not on a wireless network. There is no place where malware could have been introduced unless the OS is completely vulnerable at install, which I know it's not.
But, just in case, I spent an entire day making sure my computer was not compromised. I bought and ran the two most popular mac spyware/malware/virus programs, nothing. I checked all processes and network connections, nothing. I was barely even able to find any threats for my OS. It's not that popular so hackers don't write stuff for it, yet.
But, probably the most telling thing that makes me think that my local computer was not compromised is the fact that the password storage file I have on my local computer has logins for dozens of other servers, bank accounts, paypal/google checkout and even other VPS servers at this same hosting company. I think it's pretty unlikely that someone hacked into my local, firewalled computer and stole all my passwords and then targeted one empty server, twice.
I think it's far more likely that my public web server, running an out of date version of plesk, was hacked into and my hosting company is utilizing the "blame the customer since we can't find the problem" support response. I would assume that Plesk was never properly secured or a vulnerability was introduced by them, me or one of my customers.
Anyway, they said that they ran "run chkrootkit, rootcheck, and rkhunter" and have not found anything and that the hacker definitely must have gotten the password off of my computer. BS.
Any thoughts, suggestions? Other than the obvious one... go to a better hosting company.
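The one record that can separate the two explanations in the post (stolen credentials used from the owner's own machine versus something else touching the control panel) is the source address attached to each admin-panel action, which the host's panel logs would hold alongside the "accounts were created through the admin panel" entries. The script below is an added example, not code from the post or from Plesk: it parses a constructed, hypothetical panel-log format (timestamp, source IP, panel user, action, object), lists mailbox creations per source IP, flags sources outside the networks the owner actually works from, and detects bursts of creations within seconds, which point to a scripted session rather than a person clicking through the panel. The log lines, the IP addresses and the network 203.0.113.0/24 are all constructed for the example.

```python
"""Triage helper (added example, not from the forum post or from Plesk).

Answers "who created the mailboxes, from where, and how fast" from a
control-panel action log.  The log format is CONSTRUCTED for this example;
real Plesk action logs differ.  Field order assumed:
    <ISO timestamp> <source-ip> <panel-user> <action> [<object>]
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Constructed sample: the owner works from 203.0.113.10; a second source
# appears at night and creates several mailboxes within a few seconds.
SAMPLE_LOG = """\
2011-03-01T09:12:04Z 203.0.113.10 admin login
2011-03-01T09:12:40Z 203.0.113.10 admin update_dns example.com
2011-03-02T02:41:11Z 198.51.100.77 admin login
2011-03-02T02:41:30Z 198.51.100.77 admin create_mailbox news1@example.com
2011-03-02T02:41:33Z 198.51.100.77 admin create_mailbox news2@example.net
2011-03-02T02:41:35Z 198.51.100.77 admin create_mailbox promo@example.org
2011-03-02T02:42:10Z 198.51.100.77 admin logout
2011-03-02T08:05:00Z 203.0.113.10 admin login
2011-03-02T08:06:12Z 203.0.113.10 admin delete_mailbox news1@example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_log(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, action, obj = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip_address(ip),
            "user": user,
            "action": action,
            "object": obj,
        })
    return events


def is_trusted(ip, trusted_networks):
    """True if the address falls inside any network the owner works from."""
    return any(ip in net for net in trusted_networks)


def creations_by_source(events, action="create_mailbox"):
    """Map source IP (as a string) -> list of mailbox-creation events."""
    out = defaultdict(list)
    for e in events:
        if e["action"] == action:
            out[str(e["ip"])].append(e)
    return dict(out)


def bursts(events, window_seconds=60, min_count=3, action="create_mailbox"):
    """Sources that issued >= min_count creations inside a sliding window.

    A human clicking through a panel rarely creates three mailboxes in five
    seconds; a script does.  Returns a list of (ip, count) tuples.
    """
    found = []
    for ip, evs in creations_by_source(events, action).items():
        evs = sorted(evs, key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            found.append((ip, best))
    return found


def triage(text, trusted_cidrs):
    """Summarise creations from trusted vs. untrusted sources plus any bursts."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    events = parse_log(text)
    per_ip = creations_by_source(events)
    untrusted = {ip: len(evs) for ip, evs in per_ip.items()
                 if not is_trusted(ip_address(ip), trusted)}
    trusted_count = sum(len(evs) for ip, evs in per_ip.items()
                        if is_trusted(ip_address(ip), trusted))
    return {
        "creations_from_untrusted": untrusted,
        "creations_from_trusted": trusted_count,
        "bursts": bursts(events),
    }


if __name__ == "__main__":
    # The owner's network is a constructed assumption for the example.
    print(triage(SAMPLE_LOG, ["203.0.113.0/24"]))
```

On the constructed sample every mailbox creation comes from 198.51.100.77, outside the owner's network, in a three-second burst. That alone does not decide between a stolen password and a weakness in the panel itself, but it does establish that the creating session was not the owner's machine, which is the fact to put in front of the host rather than arguing about what may or may not be on the Mac.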