Security Breached. what do i need to do?
So one of my Hosting DA panel got hack.
My 30++ years old "i-got-hacked" cherry has been popped. 
It is only sending Spam emails on a few accounts.
All of the password are >20-key generated.
As this is my first, I'm unsure nature of the breach and what i need to do.
I have check a few sites (i.e haveibeenpwn) for breaches, but found none
As a precaution i have:
- Suspended the DA user account and server for a day. (i control both user and reseller account)
- Change all user password in the domain.
- Change SSL (after i unsuspend later)
- Notify the provider of the breach
So do i need to do anything else?
How do i know if its a simple password breach or much worse?
EDIT:
changed the title to reflect nature of the breach
Found the offending pc. office user brought their laptop to a 3rd party services during the weekend.
so far seems to be a spambot, scanned all the other check the entire office pc seems good.
wasted entire day 
Tagged:
Comments
Pretty sure that uncertainty is why this is a thing
First is to find out how you got hacked. Whether it was a password breach or from a DA vulnerability or even from a vulnerability in one of the scripts ran by the user (most common being WordPress).
Next, wipe everything on your account and restore it from a backup. Then change ALL passwords and remove the vulnerability the hacker used to get in. Only then enable access to the accounts.
If it’s not broken, keep fixing it until it is. Blink twice if you agree.
Are you sure the server was hacked and it's not just one or more accounts infected with malware?
Aside from the spam, what indications of a hack are you seeing?
SimpleSonic - We Make Fast... Easy!
New High Performance Economy Shared Hosting Plans Available As Low As $1.46/mo
Allergic to WP, none of it. just minimal GRAV CMS & no (DA/GRAV/roundcube) serious vulnerability im aware off.
still checking things out on server site.
after checking, there is huge log on roundcube activity, all from the same IP as my workplace. I suspect a compromised user laptop. internal network seems to confirmed it too.
Still investigating if it is the pc or other things, and if checking if any other devices is compromised.
wasted a whole day on this crap.
i have resume access to the hosting again, as the suspected PCs are currently turned off, there seems to be no activity.
i'm kinda have a paranoid personality , assume its the worse for simple things.
yeah this few hours makes me feels like doing it too. watching everything burns to the ground slowly seems satisfying.
hahaha....
I usually download all configs, files, etc and then reinstall the server.
Next I'll try to figure out why I got hacked. I won't restart the service until I'm confident that I've fixed everything
Next I'll try to figure out why I got hacked. I won't restart the service until I'm confident that I've fixed everything.
Took me a whole day, to check everything.
Found the culprit, a spambot accessing chrome user file with saved session to round cube. may need to nuke the whole PC.
my office need to have extra hour to train everyone on security practices.
You'd think I would have seen something like that before, but I can't say I have. I wonder if that's going to be the next trend. After they finish with all of the ipfs phishing links.
Do everything as though everyone you’ll ever know is watching.
I remember time when cookies were IP based...
But then mobile network boom happen and fuck it.
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
Cookies were never safe. You can still use sessions instead of cookies. Let the user login every time they open the window.
Or go with cookie timeout that is 1 day, not 1 month or more. That way user still have to login every day, but if they get hacked, at least only 1 day of stuff is ruined.
If it’s not broken, keep fixing it until it is. Blink twice if you agree.
Sry, I wasnt clear before.
It was a trojan, altering chrome on its host pc.
So whenever the chrome process is closed. there is no activity.
the trojan has been deleted, chrome has been reinstalled.
currently still in the middle of moving data & planning to format the whole pc as soon as possible.