Anything wrong with 24KHost?

VMVPS

Haven't been here for some time. The banner on my blog is expiring, so I am trying to reach 24Khost. But I just notice that the official site contains only a logo without any url, and the billing panel is the default WHMCS.

What happened to this guy?

Dean

maybe they are in the process of doing a new website?
@24KHost

asterisk14

@VMVPS He's been posting here recently so should be around...

shaunpud

h4x0r3d?
http://24khost.com/images/log/

rethinkvps

Uhoh doesn't look too good.

tommy

If I remember correctly they redesign their website

Ivan

Not again....

vanarp

It has been like that for a while.

@24khost mentioned that there is a new design work in progress. I am sure all order links from their offers work just fine.

CentrioHost

http://24khost.com/images/log/killer.php

Wow!

Dean

@shaunpud said:
h4x0r3d?
http://24khost.com/images/log/

I've put in a ticket to let them know.

DomainBop

@tommy said:
If I remember correctly they redesign their website

If I remember correctly they did that after their WordPress install was hacked and they claimed they checked and everything was OK even though they hadn't had time to do a thorough security analysis of their server. They also said the hack wasn't a big deal

24Khost said " doesn't matter, no information was leaked. No data theft."

http://www.lowendtalk.com/discussion/10167/24khost-hacked

@shaunpud said:
h4x0r3d?
http://24khost.com/images/log/

umm, yeah killer.php

=[[ Configuration File Killer By Team IndiShell ]]==--
#############################################################################################################################################################
-==[[Greetz to]]==--
Guru ji zero ,code breaker ica, Aasim shaikh, Raman kumar rana,INX_r0ot,Darkwolf indishell, Chinmay Pandya ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,Local root indishell,Irfninja indishell
cool toad,cool shavik, Ebin V Thomas,Dinelson Amine ,Mr. Trojan,rad paul,Godzila,mike waals,Neo hacker ICA, Golden boy INDIA,Ketan Singh,Yash,Reborn India,Alicks,Aneesh Dogra,silent hacker,lovetherisk
Suriya Prakash,cyber gladiator,Ashell india,Cyber Ace,hero,Minhal Mehdi ,Raj bhai ji,cold fire hacker,Prashant Tanwar, VikAs ViKi ,Rakesh, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Bhuppi and rest of TEAM INDISHELL
--==[[Dedicated to]]==-- 
# SH.Kishan Singh Tanwar and my Ex Teacher Mrs. Ritu Tomer Rathi #
--==[[Interface Desgined By]]==--
Deepika Kaushik
#############################################################################################################################################################
Welcome Bhai ji  .. Configuration file killer welcomes you _/\_ 
The button given below generates php.ini file 


>The button given below extract usernames for symlink  

Back in May I had this to say about 24K host :

DomainBop said "Thread shouldn't have ended because some of 24k's comments in this thread indicates we're dealing with a web host whose knowledge of security is...ummm...lacking."

The existence of that hacked file indicates my analysis was correct.

vanarp said " I am sure all order links from their offers work just fine."

That's actually a bad thing for customers since 24Khost doesn't know his ass from a hole in the ground when it comes to server security.

edited to add: "configuration file killer/killer.php" allows a hacker to (description from a download site):

Features:-

Creates Config files within few seconds.

Creates Symlinks as well

Manual Symlinking

Automated Mass Symlinking

perl Based Symlinking

Disable Safe Mode, by uploading a php.ini file.

User friendly.

Till now, best shell for creating symlinks.

An article on WordPress symlink hacking

There is a serious security hole in the way that Apache handles symlinks on shared servers.

This allows an exploited account on a server to view .php files owned by other accounts, thus escalating a single-account exploit to potentially many accounts on the one server.

http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

VMVPS

@DomainBop Nice job!

niceboy

24khost seems to be just a reseller of cloud3k(rockmyweb) vps services.

Dean

@niceboy I thought reselling wasn't allowed here?

DalComp

No more gauranteed and balls-out ?

24khost

@niceboy said:
24khost seems to be just a reseller of cloud3k(rockmyweb) vps services.

Not a reseller sorry.

Also, the file did not allow them to get anything but server usernames. No passwords were available thanks to mod_security. I did a scan for the most commonly used file names. For some reason it was not in the list of file names.

DomainBop

Also, the file did not allow them to get anything but server usernames. No passwords were available thanks to mod_security

Mod_security had nothing to do with them not getting passwords. The exploit isn't designed to steal passwords directly. It is designed to create symlinks in the other accounts on the server. By creating symlinks however they could gain access to passwords and data in other accounts and mod_security would be of no help since it only protects at the Apache (or Nginx) webserver level. If they were able to get the server usernames then they would have been able to create symlinks with the exploit and it is likely that the entire server your WordPress installation was hosted on is still compromised (especially since you didn't even notice that the killer.php file was on your site until it was pointed out in this thread 2 months after the hack).

gsrdgrdghd

Uhm why would you trust @24khost with anything security related? He has stated himself multiple times that he doesn't know much about computers and just outsources everything that needs to be done. See also his SSL fiasco.

DomainBop

See also his SSL fiasco.

Which one? The "who needs SSL" thread or the "trying for 3 days to install an SSL cert" thread?