Manobanweb and their hosting service…BEWARE

My story with ManobanWeb’s Hosting service

This is a lengthy story about my recent experience with ManobanWeb (http://manobanweb.com) (MBW). I believe everyone should read this as a warning about this company. Now I’m not saying that this is a bad company as they’ve been great up until now, but this is something I hope nobody ever goes through so I am going to document it here. Enjoy.

(This is going to be exactly as the ticket is with them, with the exception that I removed any personally identifying information, and anything that could be used harmfully, ie – the phishing scripts that I showed them. I’ll give a quick summary at the end).

Gizmokid2005.com (Me)
Tuesday, May 19, 2009 @ 9:56 EDT:
Guys, I need help, bad and fast.

I went to login to my FTP and cpanel today to upload some files, and couldn’t get in. My password had been reset to a random character password again….also, my last login was from 41.191.108.130, which is most certainly not my IP address, in fact it traces to Nigeria somewhere.

Can you help me figure out what happened? And if any files were changed before 5/19/2009 @ 1355 (9:55am EDT). I’m kinda worried this time…something happened and I’m not sure what.

Thanks guys.
==========

MBW – D.C.
Tuesday, May 19, 2009 @ 10:10 EDT:
Hello,

I will now look into this and block that IP range from our network.

Thank you for your patience.

Kind Regards,

D.C.
==========

Gizmokid2005.com
Tuesday, May 19, 2009 @ 10:13 EDT:
D.C.,

Thanks. There seems to be some router interface hosted at that IP and from what I can see on there, either they are some type of hosting company or have a major pipe to the internet for something…looks like 30M/s in bandwidth pretty consistently.

-Michael
==========

MBW – A.H.
Tuesday, May 19, 2009 @ 10:18 EDT:
Hi Michael,

I am currently in touch with the African Network Information Center, which is where the IP is being used. If I could ask you to please change all your passwords to avoid them getting into your account again.

Kind Regards,

A.H.
==========

Gizmokid2005.com
Tuesday, May 19, 2009 @ 10:23 EDT:
A.H.,

I will start right now. If I might add, there seems to be something…odd happening. I just looked in the recent visitors log and found this:

Host: <ip>
/irs.gov.coookies287484.html?743985=dummyvar
Http Code: 200 Date: May 19 10:11:16 Http Version: HTTP/1.1 Size in Bytes: 25039
Referer: –
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Host: <ip>
/irs.gov.coookies287484.html
Http Code: 200 Date: May 19 10:11:03 Http Version: HTTP/1.1 Size in Bytes: 25039
Referer: http://us.mc330.mail.yahoo.com/mc/welcome?.gx=1&.rand=4b319dba97bqe
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

/image/efile_size2.gif
Http Code: 404 Date: May 19 10:11:03 Http Version: HTTP/1.1 Size in Bytes: 16117
Referer: http://gizmokid2005.com/irs.gov.coookies287484.html
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

/image/electronic_irs_small_logo.gif
Http Code: 404 Date: May 19 10:11:03 Http Version: HTTP/1.1 Size in Bytes: 16117
Referer: http://gizmokid2005.com/irs.gov.coookies287484.html
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
==========

Gizmokid2005.com
Tuesday, May 19, 2009 @ 10:57 EDT:
It looks like it was about 3:20AM EDT that they were in my hosting. They uploaded two files (both to the public_html folder):
internalrev.php
irs.gov.coookies287484.html

Looks like they are trying to use my domain for phishing…
==========

Gizmokid2005.com
Tuesday, May 19, 2009 @ 10:59 EDT:
Here’s the good data you’d need from the php file, it’s a hacker file, just to get data about bank logins and whatnot, and here contains the email address and whatnot:

“————ALAFONSO-Hacker from DARK————–
<PHP REMOVED>

SEE the actual php file for more info. I’m going to move the files to the root of the account, out of the public_html folder so they can’t be used anymore.
==========

Gizmokid2005.com
Tuesday, May 19, 2009 @ 11:43 EDT:
Guys – I have uploaded the file back to my site, modified. Please leave this one on my site until we can figure out more. I have removed all of the code and script from the file.

Thanks!

*****[NOTE: I modified the html file with the following text:
I AM NOT THE ONE THIS ORIGINATED FROM!! I AM A VICTIM TOO!!
If you are here, I am TRULY very sorry for the email you were sent. This was blatant hacking of my site and files. If you have reached this page, I have stopped you from giving away your identity to a hacker. If it sounds too good to be true, it is. REMEMBER!! ALWAYS check the URL of your links!! You NEVER know what you are clicking on. If the IRS has money to give you, they will NOT email you to say you have money. EVER.
If you were unfortunate enough to have made it to this page BEFORE I got this page up, PLEASE contact ALL of your banking institutions, and credit bureaus and let them know that you gave away all of your information. It would also be wise to contact the FBI and let them know the same. I have already contacted the email provider of the address this info was sent to, as well as my hosting company to find the originating person.
I’m sorry to anyone who’s clicked this, and if you’ve made it here, please forward the email you got with this link to your email provider as a phishing scam.
END NOTE]*****

==========

MBW – A.H.
Tuesday, May 19, 2009 @ 16:08 EDT:
Michael,

We are still looking into this and deciding on what action to take.

We will keep you updated.

Kind Regards,

A.H.
==========

Gizmokid2005.com
Tuesday, May 19, 2009 @ 16:10 EDT:
A.H.,

Thanks for the help! Just let me know what you guys figure out. I’d love to help shut down the person that did this.

-Michael
==========

Gizmokid2005.com
Thursday, May 21, 2009 @ 10:54 EDT:
Any updates?
==========

MBW – A.H.
Thursday, May 21, 2009 @ 12:29 EDT:
Michael,

I am still awaiting a reply from the IP provider who the hacker used. I am doubtful that we will catch him as most hackers will mask their IPs.
We have set up a new firewall on the server which went online earlier today, which should help keep some of them from hacking into accounts.

Kind Regards,

A.H.
==========

Gizmokid2005.com
Saturday, May 23, 2009 @ 14:10 EDT:
I’m changing my password again…I have a new different login IP: 203.206.67.79
Everything is in the folder “paypal.co.uk.login”
This is REALLY getting ridiculous…password changes in progress again.
==========

Gizmokid2005.com
Saturday, May 23, 2009 @ 14:18 EDT:
It looks like in the process of moving the files out of the public_html folder, they were blown away by my FTP client, or they were deleted on your end at the same time.
==========

Gizmokid2005.com
Saturday, May 23, 2009 @ 14:20 EDT:
And I refreshed, and there is ANOTHER login from a different IP: 97.91.188.232. My ISP is also charter which is where this is from, but this is NOT my IP, in fact it’s not even in the right state.
==========

Gizmokid2005.com
Saturday, May 23, 2009 @ 14:31 EDT:
OK…NOW I’m pissed.

I just reset my password for cpanel and subsequently my FTP to a 31 character password….I can login to my FTP with the first 8 characters only. WHY?

*****[NOTE: Yeah….I was getting a bit frustrated here, but do you blame me? END NOTE]*****
==========

MBW – A.H.
Saturday, May 23, 2009 @ 16:42 EDT:
Dear Michael,

If you check the forum you will see we are in the middle of securing another server which will be made public within the next 48 hours. This server has been completely locked down and we have set up a number of checks to run daily. If you would like I can ask one of the techs currently working on the new node to transfer your account within the next two hours.

Kind Regards,

A.H.
==========

MBW – J.A.
Saturday, May 23, 2009 @ 18:25 EDT:
Hi,

I have been checking node2 and have noticed some issues that need fixing. I have now started moving 50% of accounts on node2 over to our newer node.
This will stop the high CPU usage and should help relieve your account problems. As the list is rather large and most accounts are 2 – 3 GB it will take some time.

I will update this ticket as soon as your account has been transferred.

— New Nameservers —
NS3.MANOBANWEB.COM
NS4.MANOBANWEB.COM

Login details can be reset on request. Once your account has been transferred you can access it by going to the following IP: <IP removed>

Kind Regards,

J.A.
==========

MBW – J.A.
Saturday, May 23, 2009 @ 20:03 EDT:
Hi,

Your account has been copied to the new node. It should be safe to change your nameserver details now.

Kind Regards,

J.A.
==========

Gizmokid2005.com
Saturday, May 23, 2009 @ 20:37 EDT:
A.H. & J.A.,

Thanks for the help. Sorry about the remark, I was just getting frustrated by this. It’s just a bit irritating to deal with issues like that, especially when it blacklists my site on places such as http://mywot.com.

I want to thank all of you for being so transparent on the issue and not just covering it up with generic BS like a lot of places would.

I’m going to have to change my A records for my website now too aren’t I, considering the IP changed? Do you have this rsynced also, or are any changes that were made on the old server after the move not transferring over?

Thanks,

Michael
==========

MBW – A.H.
Sunday, May 24, 2009 @ 05:46 EDT:
Michael,

Most DNS settings and account settings are carried over. I’ll have Jake take a look as soon as he comes in.

Kind Regards,

A.H.
==========

MBW – J.A.
Sunday, May 24, 2009 @ 08:28 EDT:
Hi,

All details in the DNS zones are updated on our server. I have noticed some rather odd entries that I am requesting permission to delete.

paypal
paypal.co.uk.login
www.paypal.co.uk.login

Kind Regards,

J.A.
==========

Gizmokid2005.com
Sunday, May 24, 2009 @ 13:03 EDT:
PLEASE delete that record. I didn’t check to make sure they didn’t add any DNS. That’s from the latest phishing scam that was added.

As my DNS isn’t hosted with you, I have to repoint my A records to the new IP for node1 correct?
==========

MBW – J.A.
Sunday, May 24, 2009 @ 13:11 EDT:
Hi,

I have now removed the records. Yes, you will have to change the A records to the new IP which is: <IP Removed>

Kind Regards,

J.A.
==========

Gizmokid2005.com
Sunday, May 24, 2009 @ 13:18 EDT:
Thanks Jake!

Are the files rsynced from the old server (ahoban) to the new one (node1) or are any changes made to the old server that I’m currently on going to be lost on the new one? (I don’t think there are many except for maybe in the /public_html/files/portableapps/ folder).

Thanks,

Michael
*****[NOTE: At this point I’d assumed that my issues were fixed and I was set going forward…boy was I in for a surprise. END NOTE]*****
==========

MBW – J.A.
Sunday, May 24, 2009 @ 13:28 EDT:
Hi,

The files were transferred last night which was just before I updated the ticket. Any files uploaded after that time may be lost.

I have recently been in your account under the IP <IP Removed>. I have cleared all visible illegal files including a number of paypal sites and also a few email scripts that are not allowed on the server. The email scripts were a form clearly used for sending spam.

Kind Regards,

J.A.
==========

Gizmokid2005.com
Sunday, May 24, 2009 @ 14:02 EDT:
J.A.,

Thanks. I’m not worried about anything else then. I kept looking for files that may have been not allowed, but the only folder I saw yesterday was the paypal folder and it disappeared when I was trying to move it out of the public domain for you guys. Thanks for the help Jake.

What did you guys ever come up with about the 8 character limit on the FTP password?
==========

MBW – J.A.
Sunday, May 24, 2009 @ 14:17 EDT:
Hi,

Michael I will look into this issue over the coming days for you.

Kind Regards,

J.A.
==========

Gizmokid2005.com
Monday, May 25, 2009 @ 16:48 EDT:
First off, I don’t know what you guys did with the rest of this ticket….second, it’s happened AGAIN! This time they didn’t log into my cpanel though…here’s the link:

<ACTUAL URL REMOVED>

The FTP password issue needs to be solved. ASAP. If it’s not being FTP’d onto my server, then it’s something within your security…..This has to stop. I’m on the new “more secure” server and this is the THIRD phishing attempt from my site in the last week…

This needs to stop. You guys have to figure out what is going on and stop it.

/public_html/images/on is the folder these files are in…THEY HAVE BEEN THERE SINCE 5/18/09….which means they weren’t taken off when the account was cleaned up before by Jake either.

Guys, PLEASE FIX THIS!!

*****[NOTE: At this point, they had deleted over half my ticket from 5/21 – 5/25 in the server move they did…but I requested it back later, you’ll see the entry in the ticket and pasted back in chronological order here. END NOTE]*****
==========

Gizmokid2005.com
Monday, May 25, 2009 @ 17:41 EDT:
I just moved the files from the /public_html/images/on folder to the root in “on”
==========

Gizmokid2005.com
Monday, May 25, 2009 @ 18:20 EDT:
GUYS…SERIOUSLY?? I got an email from you as follows:

——– Original Message ——–
Subject: [Ticket ID: 559192] “spoofed” PayPal.com pages
From: ManobanWeb | Internet Services Abuse
To: Michael
Date: 5/24/2009 8:44 AM
> Michael,
>
> I have just received this Email from our service provider. I have removed the folder in question, however if this issue comes up again I’m afraid we will have to suspend the account until we can investigate the issue further.
>
>
> <——————–>
>
> We have just learned that your service is being used to display false, or “spoofed,” PayPal.com pages, in an apparent effort to steal personal and financial information from consumers, and defraud PayPal users. Specifically, it appears that a Solar VPS user is sending unsolicited messages which misrepresent the sender as PayPal, and making false statements that encourage the recipient to go to a page hosted by you at
>
><IP REMOVED> – <URL REMOVED>
>
> <DOMAIN REMOVED>
>
> asking to enter personal and account information. The purloined information is then sent to an email account and, based on our investigation of similar schemes, used to steal accounts and commit other fraudulent acts including international credit card and wire fraud.
>
> This matter is urgent – we believe that consumers have been falsely directed to this page and may be fooled into divulging personal information to a criminal, if the page is not immediately disabled. We ask that you immediately disable the site at <URL REMOVED>, as well as any associated email addresses, so that this fraudulent scheme can be stopped. We further request that you provide us with all contact information that you have for this user so that we may provide this information to the proper law enforcement authorities.
>
> While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user’s unauthorized reproduction of PayPal’s trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from PayPal, the owner of the copyrighted materials. Accordingly, the information below serves as PayPal’s notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512
> (c)(3)(A):
>
> I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named PayPal, Inc. I have a good faith belief that the website located at URL <URL REMOVED> has its copyright in each page of its website and associated source code. Please act expeditiously to remove or disable access to the material or items claimed to be infringing.
>
> We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist PayPal and law enforcement in tracking this individual, we would greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.
>
> Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. section 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.
>
> eBay Inc.
> Audit and Investigations
> securityalerts@ebay.com
—————————————————————————

HOW can you have this much disconnect in your systems? THIS ticket should’ve flagged anything like this that came in to you. If this affects gizmokid2005.com, and betatalk2.org is on the same hosting account, it should be common sense that this could be affected too….come on guys!

*****[NOTE: Yeah, I was mad again…this is the SAME crap that’s happening with my main domain, just on one of my add-on domains I was hosting for a friend…END NOTE]*****
==========

MBW – D.C.
Monday, May 25, 2009 @ 18:39 EDT:
Michael,

It is in our policy that we forward and investigate any abuse email we receive, so this staff member has taken the correct steps.

We are aware of the current situation so I will remove the abuse flag from your account.

Kind Regards,

D.C.
==========

Gizmokid2005.com
Monday, May 25, 2009 @ 19:00 EDT:
Thanks Dan. What happened to the rest of this ticket?
==========

MBW – A.H.
Monday, May 25, 2009 @ 19:02 EDT:
Michael,

In regards to the files which you found. I know J.A. did a general check and removed most visible content. We have never seen them hide their files in the images folder before so I’m guessing that’s why it was missed.
We have configured this node for secure usage, changing SSH ports, new firewalls etc…

Can you please just confirm the last date you believe files were uploaded on, so I can check the logs and compare them to the old server?

I have also checked 2 of my personal accounts with passwords longer than 8 letters and it will not let me in without the full thing.
I will open a ticket with Cpanel first thing in the morning, it’s 24:00 now and I was in the middle of sleeping before Dan called.

Kind Regards,

A.H.
==========

Gizmokid2005.com
Monday, May 25, 2009 @ 19:10 EDT:
A.H.,

The majority of the files that I had moved were uploaded on the 18th, there were a few more that I’d noticed today that were uploaded sometime yesterday or early today.

Sorry to have you awoken, but this is getting really excessive now. Please let me know as soon as you have more info about the FTP passwords too. At this point, that looks to be the weak point, as there wasn’t a new login from cPanel.

-Michael
==========

MBW – D.C.
Tuesday, May 26, 2009 @ 09:06 EDT:
Hello,

I’m afraid this matter is now out of our hands. The FBI have requested your details and they will now begin investigating this matter.

We have been asked to suspend your account for the time being.

Thank you for your co-operation throughout this matter.

We wish you every success with the FBI investigation.

Kind Regards,

D.C.
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 09:10 EDT:
This is COMPLETELY unacceptable. I need a call from one of you ASAP. YOU should be the ones to help with the investigation, ESPECIALLY since this did NOT originate from me. You are passing this off, and have been as if it’s a non-critical issue…Your own technicians BLATANTLY said there were security issues with your servers…so somehow it’s MY fault?? This is NOT acceptable in ANY way.
==========

MBW – A.H.
Tuesday, May 26, 2009 @ 09:22 EDT:
Michael,

Our new server which you have been moved to has been hardened to industry standards and has enterprise class firewalls installed. SSH access is locked to ManobanWeb IPs only. I understand where you are in this situation; however, as stated in our TOS. This was requested and we must comply with these orders.

Responsibility for Content:
You, as ManobanWeb’s customer, are solely responsible for the content stored on and served by your ManobanWeb account.

Regards,
A.H.
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 09:23 EDT:
But how am I responsible for a BLATANT security failure on your end?
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 09:24 EDT:
Not to mention that over half this ticket was /conveniently/ deleted….
==========

MBW – A.H.
Tuesday, May 26, 2009 @ 09:55 EDT:
Michael,

We were in the process of moving our website when that ticket was submitted. Hence why some parts may have been lost. All are however in our email logs for our records.

We have done our best to try to resolve this issue without taking action against your account, however at this time we cannot afford to have abuse emails coming in every other day from both banks and also our provider.

On another note: we are only having this problem with your account, so it’s the security of your account which has been compromised, nothing to do with our server. I have also checked the logs and matched an IP up to your IP address.

Kind Regards,

A.H.
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 09:59 EDT:
I am hereby requesting a copy of this ENTIRE ticket for my records also.

I told you what the issue was, and you failed to resolve it. The eight character FTP password is where the security failure was for sure in the last issue. You probably matched an IP to my address, I MOVED those files OUT of the public eyes AND uploaded COMPLETELY unrelated files in the meantime…

Please fulfill my request for the full copy of this ticket asap.

-Michael
==========

MBW – A.H.
Tuesday, May 26, 2009 @ 10:31 EDT:
Michael,

The thing we don’t understand is how it’s only your FTP account that has been affected with this 8 letter password problem…

< Ticket 449209 SNIPPED – You see it all chronologically above>
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 10:37 EDT:
A.H.,

Thanks for the ticket. I don’t either…but that’s where the weak point is now…as the last login has been from my IP.

-Michael
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 13:44 EDT:
Is there any reason why my traffic is now blocked?

*****[NOTE: This entry and the last one were updated via email…I can no longer access their site or any sites that are hosted on the same server, I just get a timeout. END NOTE]*****
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 16:26 EDT:
Hello?
==========

MBW – A.H.
Tuesday, May 26, 2009 @ 18:43 EDT:
Michael,

I’m afraid I don’t quite understand what you mean.

Regards.
A.H.
==========

Gizmokid2005.com
Tuesday, May 26, 2009 @ 16:26 EDT:
I don’t know how else to explain it….Anytime I try to go to your site, or any of people I know hosted on your server, the connection times out.

Here is the traceroute:

C:\>tracert www.manobanweb.com

Tracing route to manobanweb.com [67.222.18.130]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  DD-WRT [192.168.10.1]
  2     8 ms    26 ms     5 ms  10.180.64.1
  3     7 ms     6 ms     6 ms  swc04aldlmi-gbe-2-1.aldl.mi.charter.com [96.34.36.12]
  4     6 ms     6 ms     6 ms  crr01aldlmi-tge-0-1-0-6.aldl.mi.charter.com [96.34.32.13]
  5    10 ms    10 ms    16 ms  edr01aldlmi-tge-0-0-1-0.aldl.mi.charter.com [96.34.32.29]
  6    13 ms    14 ms    13 ms  64.127.129.9
  7    66 ms    65 ms    68 ms  sjc-ten6-3-chi-ten3-1.wvfiber.net [64.127.129.62]
  8    86 ms    77 ms    78 ms  la-ten3-1-sjc-ten6-4.wvfiber.net [66.186.192.57]
  9    78 ms    76 ms    78 ms  net2ez.any2ix.crgwest.com [206.223.143.38]
 10    86 ms    76 ms    76 ms  64.93.64.145
 11    77 ms    76 ms    76 ms  cr01-1-1.lax6.net2ez.com [64.93.64.30]
 12    78 ms    76 ms    78 ms  la-gw.privatesystems.net [72.172.66.10]
 13    77 ms    87 ms    77 ms  vz34-la.privatesystems.net [67.222.15.134]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.

And here’s a trace from a place that can access your site:

Tracing route to manobanweb.com [67.222.18.130]…

hop  rtt  rtt  rtt  ip address     fully qualified domain name
1    1    3    4    70.84.211.97   61.d3.5446.static.theplanet.com
2    0    0    0    70.87.254.1    po101.dsr01.dllstx5.theplanet.com
3    0    0    0    70.85.127.105  po51.dsr01.dllstx3.theplanet.com
4    0    0    0    70.87.253.13   et5-1.ibr04.dllstx3.theplanet.com
5    1    0    0    63.218.23.25   ge5-3.br02.dal01.pccwbtn.net
6    35   35   35   63.218.73.50   avanz.ge5-7.br01.lax05.pccwbtn.net
7    33   33   33   64.93.64.65    br01-1-2.lax4.net2ez.com
8    36   37   36   64.93.64.30    cr01-1-1.lax6.net2ez.com
9    37   36   36   72.172.66.10   la-gw.privatesystems.net
10   36   36   36   67.222.15.134  vz34-la.privatesystems.net
11   36   36   36   67.222.18.130  host.manobanweb.com

You tell me what’s going on, because from what I can see, it looks like something on your end is blocking my IP. I can access your site fine from other internet connections.

-Michael
==========

MBW – A.H.
Wednesday, May 27, 2009 @ 03:14 EDT:
Michael,

Our servers are loaded in our standard config and your IP address has not been blocked.
==========

Gizmokid2005.com
Wednesday, May 27, 2009 @ 09:14 EDT:
I don’t know what to say…maybe it was done without your knowledge.

But my traceroute dies at host.manobanweb.com, that’s where I start to time out. This is something on your network that is preventing a connection to your servers…

I don’t know what other proof you want that it’s on your network, but my traceroute blatantly shows it dies on your network.

-Michael
=============================

And there you have it, that’s the ticket as it stands so far.

Since I have written this, MBW has managed to get my access to their network back up and running so I can access everything again. They have also unblocked my account and have unsuspended it. I have heard nothing from the FBI nor any other agency. I am currently still diligently looking for a new host.

Quick Summary:

Last week on Tuesday, May 19, 2009 I tried to upload files to my website via FTP for a project I was working on, and couldn’t log in. I kept getting a password error. I logged into my account at MBW and noticed that my password to my cPanel hosting manager, which in turn manages my FTP password, had been reset. After I reset my password I was able to log in to my FTP, but I noticed that there were some new files in my hosting. Seeing this I logged into my cPanel hosting manager and noticed that the last login was NOT from my IP address, and in fact came from an IP address in Nigeria. I IMMEDIATELY reported this incident to MBW in ticket #449209. I told MBW where the files were, and actually gave them the content of the files in the ticket so that they had the information. I also moved the files so that they could no longer be accessed via the web. MBW said that they installed a new firewall, and contacted the African Network Information Center regarding this incident. I thought all was fine until a few days later.

On Friday, May 22, 2009 I noticed that there was ANOTHER issue at hand. I logged into my cPanel and noticed the last login was NOT my IP again. I immediately contacted MBW and they said that they were looking into it again. They also said that they were setting up a more secure server and moving my account to it. I had removed the files that I found uploaded again, also letting MBW know what they were and where, AGAIN. They transferred my server over later that day, and said they removed some more files they had found that I missed as well as some DNS entries. At this point I changed my password from an 11-character alphanumeric password to a 31-character alphanumeric password to ensure that it wasn’t compromised. I did notice that my FTP login only required EIGHT of the 31 characters to log in. Just the first eight would allow a login, and anything after that would not matter in the slightest. I let them know that and they seemed to have ignored it. Except for the FTP password issue, I figured at this point they had found the issue and taken care of it.

Fast forward to Monday, May 25, 2009. I logged into my cPanel and didn’t see anything out of the ordinary, but I checked my “Recent Visitors” stats again and noticed that there was something new on my site. My account’s FTP access was accessed/hacked and more files were uploaded. I noticed in the same directory those files were in there were files added previously on the 19th that nobody had noticed. I moved ALL of those files out of the public access area again and let MBW know what was going on. I also reiterated the fact that my FTP was able to log in with only the first eight characters of my password, and they said that was not normal and they were going to open up a ticket with cPanel to have that looked into. That was the evening of Monday, May 25th. Today, May 26, I received a notification from them that my hosting was suspended and they weren’t going to do anything else because the FBI requested my details regarding this incident.
On Friday, May 22, 2009 I noticed that there was ANOTHER issue at hand. I logged into my cPanel and noticed the last login was NOT my IP again. I immediately contacted MBW and they said that they are looking into it again. They also said that they are setting up a more secure server and moving my account to it. I had removed the files that I found uploaded again, also letting MBW know what they were and where, AGAIN. They transferred my server over later that day, and said they removed some more files they had found that I missed as well as some DNS entries. At this point I changed my password from an 11 alphanumeric character password to a 31 alphanumeric password to ensure that it wasn’t compromised. I did notice that my FTP login only required EIGHT of the 31 characters to login. Just the first eight would allow a login, and anything after that would not matter in the slightest. I let them know that and they seemed to have ignore it. Except for the FTP password issue, I figured at this point they found the issue, and took care of it. Fast forward to Monday, May 25, 2009. I log into my cPanel and I don’t see anything out of the ordinary but I checked my “Recent Visitors” stats again and noticed that there was something new on my site. My account’s FTP access was accessed/hacked and more files were uploaded. I noticed in the same directory those files were in there were files added previously on the 19th that nobody had noticed. I move ALL of those files out of the public access area again and let MBW know what was going on. I also reiterated the fact that my FTP was able to login with only the first eight characters of my password and they said that was not normal and they were going to open up a ticket with cPanel to have that looked into. That was the evening of Monday, May 25th. Today, May 26, I received a notification from them that my hosting was suspended and they weren’t going to do anything else because the FBI requested my details regarding this incident.