been hacked

Aladinsaneuk
Aprilia Admin
Posts: 9503
Joined: Wed Jan 03, 2007 10:37 pm
Location: Webfoot territory

#1 Post by Aladinsaneuk » Sun Jan 10, 2010 3:10 pm

well, actually, not me but my webhost has

i have my own domain and every now and again i wander through parts of the server just to check stats etc

and lo and behold i had some new subdomains

myaccount2.abbeynational.petedean.org.uk for one... and a couple of other similar ones....

The first one was set up at 0014 this morning and the last one at 0230 - allegedly from three different IP addresses - (faked - they originated at webwise in the USA so....)

so - transcript of the chat with tech support....
pete Dean:
hi there

went to look at my latest visitor stats via &&&&&&&& and it asked which domain - one is my own domain, other is myonlineaccounts2.abbeynational.co.uk.petedean.org.uk - security issue?

Welcome pete Dean! Your request has been directed to the Technical Support department. Please wait for our operator to answer your call.


Call accepted by operator Joe. Currently in room: Joe, pete Dean.

Joe:
Welcome to $$$$$$$$$$ Live Support , How may I help you ?
pete Dean:
hi joe
pete Dean:
as i said in my question - i appear to have an interesting domain that has appeared - myonlineaccounts2.abbeynational.co.uk.petedean.org.uk
Joe:
ok..
Joe:
let me check
pete Dean:
np
pete Dean:
hmm have some interesting sub domains as well
Joe:
may I know your cpanel login details ?
pete Dean:
YESLIKEMYLOGIN
pete Dean:
************
Joe:
I could see that the hacker has got hold of your cpanel login details and then created these subdomains
pete Dean:
well - am curious as to how - I have not accessed cpanel for some time
pete Dean:
and i am also a mac user - not a pc so no malware is likely
Joe:
please avoid using simple passwords....
pete Dean:
well - i take the point, but what do we do now?
pete Dean:
can we trace the hacker?
Joe:
passwords like ************ can be bruteforced easily..
Joe:
yes...
pete Dean:
and i assume this is a phishing attempt
Joe:
the IP address of the hacker is 118.137.105.150
Joe:
we have blocked him from accessing the server..
pete Dean:
so - can we get his collar felt by the police?
Joe:
well, not that easy
pete Dean:
ok - we know what country?
Joe:
it's seen to be indonesia..
pete Dean:
hmmm - presumably that was a gateway to a receing account?
pete Dean:
receiving
Joe:
please change the password for your account...right now
pete Dean:
ok - has been sorted
pete Dean:
my thanks for the help - now - how can i/we inflict pain on that little scrote?
Joe:
it's not easy to trace that actual hacker....bcoz he might have used a spoofed IP address
pete Dean:
nod - his address does seem to be right by the national monument in jakarta
Joe:
yes...possibly
pete Dean:
can it get reported to anyone? and has he left a paper trail?
Joe:
we are not sure about the legal proceedings regarding this
pete Dean:
hmmm - is a crime so.....
pete Dean:
in view of the name he was trying to use, would abbey national be interested in this?
Joe:
yes..they might be..
pete Dean:
will you contact them or shall I?
Joe:
we really don't contact them....but usually we do get mails from them regarding phishing links
pete Dean:
just wondering as this is live - ie, i assume you did copy the website scrote was trying to use before you deleted it?
Joe:
yes
pete Dean:
can you email it to me? i will email it to them tomorrow
pete Dean:
and am on phone to abbey national atm
Joe:
sorry, the phishing content already has been deleted..
pete Dean:
!!!!!
Joe:
if we have that in the server backup, I will send it to you
pete Dean:
ok - and abbey national have no idea what to do about it....
Joe:
ok..
Joe:
Is there anything else I can assist you with?
pete Dean:
no thanks joe - and abbey will email me tomorrow to get the info
Joe:
ok fine
Joe:
Bye and thank you for using our chat facility.


and where the hack attempt originated from - http://whatismyipaddress.com/staticpage ... 37.105.150 - Jakarta

now - i am fairly scrupulous about my security online - so am more than surprised that it happened - I run a mac for anything to do with my websites so no malware would have got in - but i am forced to assume that i was brute forced - ie, the domain name was used then a program kept trying different passwords.....

My new access password is a lot stronger - and i thought the last one was strong LOL

what is scary - though the scrote could be traced, to a degree, no one wants to do anything about it.... me - i say kick the bugger's door down and send him to a nice hotel where he is going to be someone's little bitch.....

will report what the outcome is - but as i said earlier - check your domains if you have one!

for all others who have their own domain - check it out!


Let's face it, you wouldn't go to a nurse to get good advice on a problem with a Falco - you'd choose an Engineer or a mechanic...
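An added example, not part of the original post: one way to run the "check your domains" advice as a script, flagging any hostname on the account that the owner did not create and, separately, any whose subdomain labels spell out another organisation's domain, as the two hostnames in the post do. The expected-host list and the short suffix tuple are assumptions made for this example.

```python
# Added example: audit a hosting account's hostname list for look-alike subdomains.
OWN_DOMAIN = "petedean.org.uk"
# Assumption: the hosts the owner actually created (constructed for this example).
EXPECTED = {"petedean.org.uk", "www.petedean.org.uk", "mail.petedean.org.uk"}
# Small illustrative suffix set; a real audit would use the full Public Suffix List.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org")

def embedded_domain(host, own_domain=OWN_DOMAIN):
    """Return a foreign domain spelled out in the subdomain labels, or None."""
    host, own = host.lower().rstrip("."), own_domain.lower()
    if not host.endswith("." + own):
        return None
    labels = host[: -(len(own) + 1)].split(".")  # labels left of our own domain
    for suffix in SUFFIXES:
        parts = suffix.split(".")
        # The suffix must be preceded by at least one label (the imitated name).
        for i in range(1, len(labels) - len(parts) + 1):
            if labels[i:i + len(parts)] == parts:
                return ".".join(labels[i - 1:i + len(parts)])
    return None

def audit(hosts, own_domain=OWN_DOMAIN, expected=EXPECTED):
    """Return (host, reason, imitated_domain) for every host not on the expected list."""
    findings = []
    for host in hosts:
        h = host.lower().rstrip(".")
        if h in expected:
            continue
        brand = embedded_domain(h, own_domain)
        findings.append((h, "lookalike" if brand else "unexpected", brand))
    return findings

# Constructed listing: two expected hosts plus the two hostnames quoted in the post.
SAMPLE_HOSTS = [
    "petedean.org.uk",
    "www.petedean.org.uk",
    "myaccount2.abbeynational.petedean.org.uk",
    "myonlineaccounts2.abbeynational.co.uk.petedean.org.uk",
]

if __name__ == "__main__":
    for host, reason, brand in audit(SAMPLE_HOSTS):
        print(f"{reason:10} {host}" + (f"  (imitates {brand})" if brand else ""))
```

Run against a fresh export of the account's subdomain list on a schedule, any finding means a host was created outside the owner's control and the account password should be treated as compromised.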


Samray
Double World Champion
Posts: 6234
Joined: Thu Dec 14, 2006 6:36 pm
Location: Riding round with Sheene and Simoncelli

#2 Post by Samray » Sun Jan 10, 2010 5:37 pm

Your Webhost obviously accepts it as an everyday occurrence. :smt012
