Server error, please try again later

[Divinum Fiat]

Hi all,

For some unexplainable reason I got logged out of my forum and when I try logging back in I get the message "server error, please try again later."

The page is frozen at that error page and no matter what tabs I click, I can't move away from the error page.

Does anyone have an idea of what this could be related to (my other domains, that share the same server, are up and running fine)?

 

[Divinum Fiat]

I'm not quite sure what the error log is or how to get it. This is what Matt found last night for the two IP addresses that logged into the cpanel:

2012-12-17 11:21:48 1TkeNw-0000z2-4u <= VPS@corefreedom.com U=root P=local S=562 T="lfd on blu.blueprint4love.com: WHM/cPanel root access alert from 95.130.11.183 (FR/France/smtp62.amo" from <VPS@corefreedom.com> for info@corefreedom.com; The french IP is also a proxy address

2012-12-17 13:51:54 1TkgjC-0006uV-Du <= VPS@corefreedom.com U=root P=local S=594 T="lfd on blu.blueprint4love.com: WHM/cPanel corefree access alert from 173.254.216.66 (A1/Anonymous Pr" from <VPS@corefreedom.com> for info@corefreedom.com

173.254.216.66 - corefree [09/16/2012:16:11:26 -0000] "POST /cpsess4365971093/3rdparty/phpMyAdmin/export.php

 

[borbole]

I'm not quite sure what the error log is or how to get it. This is what Matt found last night for the two IP addresses that logged into the cpanel:

2012-12-17 11:21:48 1TkeNw-0000z2-4u <= VPS@corefreedom.com U=root P=local S=562 T="lfd on blu.blueprint4love.com: WHM/cPanel root access alert from 95.130.11.183 (FR/France/smtp62.amo" from <VPS@corefreedom.com> for info@corefreedom.com; The french IP is also a proxy address

2012-12-17 13:51:54 1TkgjC-0006uV-Du <= VPS@corefreedom.com U=root P=local S=594 T="lfd on blu.blueprint4love.com: WHM/cPanel corefree access alert from 173.254.216.66 (A1/Anonymous Pr" from <VPS@corefreedom.com> for info@corefreedom.com

173.254.216.66 - corefree [09/16/2012:16:11:26 -0000] "POST /cpsess4365971093/3rdparty/phpMyAdmin/export.php

This is not good. If you see this last part:

173.254.216.66 - corefree [09/16/2012:16:11:26 -0000] "POST /cpsess4365971093/3rdparty/phpMyAdmin/export.php

It looks like the hacker/s did an export of your database. Meaning they have a copy of your entire site.

 

[Divinum Fiat]

I know and I'm not sure what I can do about it.

 

[Divinum Fiat]

And I'm not sure what they can do with the entire copy of my site. Why would anyone wants that?

 

[Digital Doctor]

This is a real eye opener for me.
Is cpanel that insecure ?
or is hostgator just doing a bad job of keeping cpanel up to date ?

 

[Divinum Fiat]

I'm not sure, I would have to let Matt answer that one. I'll call Hostgator in a little bit, it's 6:30 a.m. here, and will see what I can do.

 

[borbole]

And I'm not sure what they can do with the entire copy of my site. Why would anyone wants that?

They can harvest your email and the emails of all your users for one thing. The passwords are safe because xenforo encrypts them. But if you or your users have posted sensitive/private or other info of that nature or shared them through pm''s then they would have full access to that stuff as well.

 

[borbole]

This is a real eye opener for me.
Is cpanel that insecure ?
or is hostgator just doing a bad job of keeping cpanel up to date ?

If they are using the latest version then it shouldn''t be a problem. But if they are using an older version that contains known security issues then that poses a huge problem. Hence why I asked above what version of cpanel the OP is using.

 

[MattW]

cpanel / whm is on the current latest version

This is not good. If you see this last part:



It looks like the hacker/s did an export of your database. Meaning they have a copy of your entire site.

I've uploaded the whole log of their IP address here if you want to take a look:

http://nagios.z22se.com/matt.txt

 

[Divinum Fiat]

Thank you, Matt, for being here.

Hostgator said they restored the database last night but it's not working or it's not working again this morning. I'm at my widst end and I'm sure all of you are tired of this too. So sorry.

 

[borbole]

cpanel / whm is on the current latest version


I've uploaded the whole log of their IP address here if you want to take a look:

http://nagios.z22se.com/matt.txt

Everything there points to one ip from what I could see. I ran a check on it at whois and it seems to belong to a proxy server.

 

[MattW]

What is worrying me, is that I enabled Security Questions for WHM / CPANEL. When I connected from my home IP after setting it up, I had to manually answer all 4 questions, and my IP address was logged in the authorised IP address list. There IP isn't there from when root accessed it, same for the IP which accessed corefree cpanel account

 

[MattW]

Everything there points to one ip from what I could see. I ran a check on it at whois and it seems to belong to a proxy server.

Correct, that was the IP which accessed the corefree cpanel account prior to the rows being deleted from the user table again.

 

[MattW]

Here is the current error message on your forum

An unexpected database error occurred. Please try again later.
<!-- Access denied for user 'corefree_xenforo'@'localhost' (using password: YES) -->

it looks like hostgator has changed the database password and your config file hasn't been updated to reflect the new password.

If you are going to stay on that VPS, I'd suggest hiring a proper server security expert to go over it and ensure it's fully secured.

Or, move off hostgator VPS and go back to shared hosting for your sites.

 

[borbole]

That is very strange. What version of cpanel does blueprint4love have?

 

[Divinum Fiat]

What is strange is that this is what Hostgator says in their email to me last night:

"It appears that the database was corrupt, we have restored it again and the website appears to be working as intended, I was able to check a few of the topics on the forum and also the front page appears to be working as intended. I also checked the cPanel logs again and do not see any suspicious logins recently. If the cPanel password was not stolen from your PC its possible that another PC with access to the account was compromised or perhaps an email account that had this information saved."

And as I've said, it is not restored (or has been broken again throughout the night), because the site is still down.

 

[MattW]

That is very strange. What version of cpanel does blueprint4love have?

11.34.1 build 5

 

[Divinum Fiat]

I did not tell Hostgator to change any passwords, nor did they tell me that they changed any passwords... I'm thinking that someone hacked in again since their restore last night.

I will move off vps or move to another host. I'm just not sure how to do that when the data seems to be corrupt.

 

[borbole]

Here is the current error message on your forum

An unexpected database error occurred. Please try again later.
<!-- Access denied for user 'corefree_xenforo'@'localhost' (using password: YES) -->

it looks like hostgator has changed the database password and your config file hasn't been updated to reflect the new password.

If you are going to stay on that VPS, I'd suggest hiring a proper server security expert to go over it and ensure it's fully secured.

Or, move off hostgator VPS and go back to shared hosting for your sites.

In this case maybe there wasn''t a hack but an overlook on hostgator part by not updating the config.php file to reflect the db changes that they have made. Or it could also be a permission issue.

 

[MattW]

Your site is back online. I've reset your MySQL password to what is was previously (as per the config.php file)