

Hacked at Eleven2




Posted by amirhamdani, 01-19-2014, 11:08 PM
Hello everybody, This is my first post, as I'm new to website hosting. My account at Eleven2 was hacked yesterday and all my websites were deleted. This can happen to anyone and I was OK with that. But the problem is that I have received calls from another Eleven2 customer asking me to stop hacking his account!!! I convinced him that it wasn't me. After that he sent me an email, and here is what he is saying: ---------------------------------- Can anyone tell me if this has happened before or not? Should I trust him or not?! Are Eleven2's services bad to that point?! I'm very confused.

Posted by AcclaimedHost Alan, 01-19-2014, 11:15 PM
From an outside perspective, I have no idea what happened. You'd best ask Eleven2 management to have a look.

Posted by amirhamdani, 01-19-2014, 11:17 PM
They have been informed, and I'm still waiting for an answer from them.

Posted by FLDataTeK, 01-19-2014, 11:18 PM
I agree. I would get with Eleven2 and see if they have backups of your site and have them get you straightened out. You have no clue if the other guy is telling the truth, and has not tampered with your DB or files. I would also change passwords on your DBs and other accounts.

Posted by net, 01-19-2014, 11:19 PM
Are you saying someone pretended it was you and they got your password by asking Eleven2 to reset it?

Posted by amirhamdani, 01-19-2014, 11:21 PM
This is what the guy who sent me this email is saying!!! I'm still waiting for an answer from Eleven2.

Posted by Atlanical-Mike, 01-19-2014, 11:29 PM
I hope that's a miscommunication as they have loads of accounts, and probably, just probably, your account username is near that user's. But again only Eleven2 know this and should be able to resolve it for you. If you're concerned maybe you should get a backup and go to another host. But again we don't know so I can't say much more than that.

Posted by net, 01-19-2014, 11:30 PM
Well, that is a mess. I hope they are not just giving passwords randomly. They should at least verify the owner of the account.

Posted by AcclaimedHost Alan, 01-20-2014, 12:24 AM
Wow, so much uncertainty. I would love to see what Eleven2 has to say about just what did happen.

Posted by PieLayer-Harry, 01-20-2014, 12:48 AM
I am also interested in what the E2 staff will say about this because I have one account with them for private purposes. Please update us on how the situation develops.

Posted by TonyB, 01-20-2014, 12:54 AM
I'm surprised they'd reset a user account via a ticket. It's a dangerous thing to be doing and can easily be manipulated by a malicious user or via human error. We've always had a policy of never giving out a user password via ticket. They have to do all password resets via our client area. It annoys some users but is a heck of a lot safer. I'm surprised any provider would do it any other way.

Posted by amirhamdani, 01-20-2014, 03:12 AM
This is the only reply I'm getting from them.

Posted by NameVictor, 01-20-2014, 03:13 AM
It would be interesting to hear Eleven2's response on this. As stated above, I'm really surprised the password would be given out via ticket or email.

Posted by PieLayer-Harry, 01-20-2014, 03:14 AM
So they admit they made this mistake and gave out account info to someone else? Edit: Let's wait for their clarification on the situation.

Posted by amirhamdani, 01-20-2014, 03:15 AM
And they already sent me my account details (user and pass) via ticket. And when I saw my password showing I was disappointed.

Posted by NameVictor, 01-20-2014, 03:16 AM
I would tell them that you want a detailed explanation on what happened. You shouldn't just settle for your sites being restored.

Posted by amirhamdani, 01-20-2014, 03:19 AM
No, earlier in the ticket this is what they said: And at that time, nothing was restored, all my websites were down, and they still are. It's now been more than 16 hours since I submitted the ticket. Does it take all that time to restore from a backup??

Posted by AcclaimedHost Alan, 01-20-2014, 09:23 AM
Depending on the size of the backup, yes, it can. But that's not to say that it should (maybe if your site is 100 GB). If I were you I would update the ticket and ask, since a considerable amount of time has passed.

Posted by Nick H, 01-20-2014, 10:49 AM
Hi folks, At this time, we know who and what caused the issue, but we are still investigating so we are not going to elaborate at this time on the root cause. As an immediate course of action, we disabled the accounts that caused this issue. We also contacted as many of our customers that we could identify were affected and restored their accounts from backup. While I can't give you much information right now, I can say that the potential compromise was caused by a valid user account created by one of our resellers. As far as what the OP posted, everything he has stated is hearsay, and without Ticket IDs or Chat IDs, or even the identity of the person who contacted him, I can't speculate on any of those allegations. I can say that we do not change or give out passwords via live chat or phone. We only change passwords when we receive a request from a valid and authenticated user to our support system (we do not accept support tickets via email requiring a valid login). Any deviation from this policy by any of our staff would be grounds for immediate dismissal. I will post updates as we have them. As I said, our team has been actively investigating this and continues to do so. We are looking to find a root origin and prevent it ever happening again.

Posted by amirhamdani, 01-21-2014, 06:08 AM
Thank you for the interest in my case. Here is the ticket number, Ticket #854815, you can check yourself. I confirm receiving an email from Eleven2 and here is what it's saying: I'm sorry to tell you that I'm going to move from Eleven2, not because of this problem only but also because of the slowness of the server. Your support team are good, they are always trying to solve all the problems I'm facing, but the quality of the service itself is very poor.

Posted by RosenHost, 01-21-2014, 08:51 AM
So this turned into a WHMCS vulnerability thread now or am I way too confused ? Really unfortunate events for both hosting company and customers.

Posted by @Jesse, 01-21-2014, 02:03 PM
You are correct - outdated WHMCS

Posted by amirhamdani, 01-21-2014, 02:15 PM
Just for your information, WHMCS was up to date !!!

Posted by @Jesse, 01-21-2014, 02:18 PM
It's luck of the draw. Even if it's up-to-date, there's still a chance of being hacked. It's still a mess of a script - although much better than a couple months ago.

Posted by Tyl3r, 01-21-2014, 06:37 PM
Wait.. a second. WHMCS hacked? Where did you get that information?

Posted by cloudreseller, 01-21-2014, 06:42 PM
Eleven2 alerted members via e-mail. Cheers, Thomas T.

Posted by Tyl3r, 01-21-2014, 06:45 PM
Ahh okay, so it looks like some of their resellers didn't update WHMCS and *THEY* got hacked, Eleven2 didn't get hacked, correct? I'm confused.

Posted by WireNine, 01-21-2014, 07:13 PM
What version of WHMCS were you using at the time?

Posted by HRR--, 01-21-2014, 07:41 PM
It would be wise for resellers that usually are small shops to not link your reseller with your WHMCS. Peace of mind.

Posted by MTKBillH, 01-22-2014, 11:13 PM
HRR1963 What do you mean by "not link your reseller with your WHMCS"? Thanks, WBH.. .. .

Posted by HRR--, 01-23-2014, 12:40 AM
The hacked accounts were due to using an outdated WHMCS from the user side. Since the user had his WHMCS configured / integrated with cPanel/WHM for automatic deployment or for easy deployment of new accounts, somebody hacked the user's outdated WHMCS and manipulated the system (WHMCS) to delete all the accounts in WHM/cPanel. All of that was possible because: 1- The user failed to maintain a healthy and up to date WHMCS. 2- The WHMCS billing system was linked directly, or let's say integrated or configured, to access the reseller account for account creation, suspension and termination. Therefore if you are a small hosting company or just a reseller with a few customers, your best bet is to do the creation, suspension and termination manually via WHM/cPanel. This will guarantee that even if somebody hacks into your WHMCS billing system, due to any reason, they can't harm you. Hence my statement: "It would be wise for resellers that usually are small shops to not link your reseller with your WHMCS. Peace of mind."

Posted by MTKBillH, 01-23-2014, 12:58 AM
Thank you for the explanation. WBH.. .. .

Posted by Nick H, 01-23-2014, 01:55 PM
That about sums it up. Anyone affected by the compromise was running an outdated version of WHMCS. As always, it is very important for our resellers (and all customers) to stay on top of keeping their 3rd party scripts up to date to avoid problems like this from occurring.


