baffled by DOS suspension

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • rsowen
    Member
    • Mar 2004
    • 40

    #1

    baffled by DOS suspension

    I've read of others being suspended and baffled, but never thought it could possibly happen to me. I have no customers and rarely log in to my account. Now a never used subdomain was suspended for a DOS attack. I'm absolutely clueless -- any ideas re. how this could happen?

    I created the subdomain about a month ago simply to show a non-techie how anyone could be in the hosting business (but I've never used my dis account to create space for anyone but me) without necessarily owning anything. (I posted here about a hosting scammer in the local news.) I have otherwise never logged into the subdomain account and never got around to deleting it.

    WHM shows that the subdomain has used 0 megs and 0% of bandwidth. AWstats on Cpanel on that subdomain shows 1.41 Kb total bandwidth on 2 visits -- the initial set up and demonstration with absolutely no activity since.

    Would a DOS attack not leave some trace of activity in WHM or Cpanel?

    I am the only person who has ever used my dis account to set up a few static domains - they don't do much but display html pages and don't get much traffic - and I have never created an account for anyone else and have never allowed anyone else to have access to the dis account or any accounts that I have created. The password has never ever been written on paper or stored on a machine (in my head only), it is a password that is a meaningless jumble of characters (not easily guessed), and it is has never been used anywhere except on the dathorn server.

    If somehow this subdomain was indeed involved in a DOS attack, how on earth could anyone have gained access to it?

    I am very much concerned as to how someone could have breached anything in my account, but I cannot see what I could be doing wrong.
  • AndrewT
    Administrator
    • Mar 2004
    • 3656

    #2
    WHM or cPanel would show absolutely nothing regarding this. They record bandwidth on very specific ports (HTTP, POP3, IMAP, FTP, etc.).

    If this is the individual that I think it is, this was done directly by logging into the account via SSH. Someone either had access to begin with or the password was very weak.

    Comment

    • -Oz-
      Senior Member
      • Mar 2004
      • 545

      #3
      Definitely change all of your passwords to something more secure.
      Try having a password with at least 1 capital letter, no dictionary words, and least one number, and at least eight characters long. Yes, it'll suck to memorize it but its a good thing. Oh yeah, no birthdates, addresses, last 4 of your social, things like that.
      Dan Blomberg

      Comment

      • Frank Hagan
        Senior Member
        • Mar 2004
        • 724

        #4
        Sometimes its easier to remember a password if you use a "substitution cipher".

        Take a word or combination of words you can remember, 8 characters long or longer, and substitute a number for some letters. For instance, use a "3" for an "E", a "7" for a "T", a "1" for an "I", that sort of thing. Once you make up your own substitution cipher to use, its pretty easy to remember. The combination of the letters and numbers should be unique enough to make it resistant to brute force or dictionary cracking methods.

        Comment

        • rsowen
          Member
          • Mar 2004
          • 40

          #5
          It seems that someone would have to have known two things:

          a) that the subdomain existed
          b) its password

          If indeed someone was able to hack the password, how could they have even known that the sub-domain (not registered anywhere) existed in the first place?

          I just did SSH into the dis account and another account that I had created. I haven't done this for a very long time (I believe not since I first moved to dathorn when it was just starting), but from what I can tell, it now isn't possible to move up into any directories outside of the account to look into the directory listings of my server's neighbors.

          Any ideas as to how anyone could have discovered the existence of the subdomain short of reading my mind?

          Comment

          • openbox
            Senior Member
            • Mar 2004
            • 238

            #6
            You can shell to an ip address or any domain on the server and use your username and password. Once you have access, I believe all of the subdomains are in directories under your public_html directory. So theoretically, gaining access to your account allows someone to see all of the subdomains on that account...even if they're not listed in DNS anywhere or on any website or search engine.

            The real question is how did they get the password to your account? My guess would be a weak password.

            Comment

            • sdjl
              Senior Member
              • Mar 2004
              • 502

              #7
              How about you look closer to home.
              Any spyware or malicious software installed on your computer that could have harvested the information about your login?

              Best run some checks to make sure.

              David
              -----
              Do you fear the obsolescence of the metanarrative apparatus of legitimation?

              Comment

              Working...