My previous host get access to my DA in the new host

Dear Friends,
I need your assistance please..
I used VPS for my websites at 1 host for more than 2 years and recently I moved to a new HOST due to some issues with the previous host.. I assume that the previous host had my access user and password to my DA as he also had a Root Access on the VPS and all of my details from the times I request for support and sent them the details..

1 Day after the move, I found that someone removed all of my data in the new VPS.. I don't know for sure who is this but I guess it's them by mistake because I asked them to close my previous VPS and maybe they accessed by domain and not IP..
I asked the new host supplier to rebuild the VPS include fresh installation of the Direct Admin, I restored my backups and this time changed my Password to new strong password..

1 Day after I got email from my previous host that I'm using their Direct Admin Licence on my new server, they sent me screenshot of their licence on my server and say they are going to court with this on theft..
I Never used their licence, the new host has his own licences and he used only them..
The 1st host is well known in Israel in this type of behavior, after I left I make some google on this company and read wayyy too much about them so I'm not surprised at all..

I have some questions need your help please:
1 - When I do restore for backup, does it restore also the Licence of the Direct Admin?
2 - It seems like they connected to my new VPS, installed their own licence and then contacted me about it trying to scare me so I'll pay them money.. How can I check that their Licence is real. Maybe their licence are also stolen or hacked.. Because I see that their Licence valid till 2038 and it's unable to connect to Direct Admin servers...
3 - This is the most important question - Because they logged in to my server 2 times with both old and new password which they don't have, Is there any chance that they installed a file \ hack in my files so when I moved it to the new host I moved the hack also and now they can get my user and password?
Is there something possible? Someone here have experience with that and can help? I can pay for it if needed, no problem!

Many Many Thanks in advance!
Idan
 
1 - When I do restore for backup, does it restore also the Licence of the Direct Admin?

If you use backup/restore function of Directadmin, and restore only user accounts, then NO, it does not.

How can I check that their Licence is real. Maybe their licence are also stolen or hacked.. Because I see that their Licence valid till 2038 and its unable to connect to Direct Admin servers...

To check license you should contact [email protected] with details of a license (usually you can see them at admin level in directadmin). That's OK if you see 2038 year, lifetime licenses are limited to that year. If a license would be invalid directadmin hardly could even start. But still there might be a hack to start directadmin with invalid license, but in this case directadmin won't get updates and fail to connect to directadmin server.

Is there any chance that they installed a file \ hack in my files so when I moved it to the new host I moved the hack also and now they can get my user and password?

If they had a root access, then yes, they could do that. Did you change all the passwords? root's? admin's? other users?

Did you contact your current hosting company?

Is there something possible? Someone here have experience with that and can help? I can pay for it if needed, no problem!

Some of us here (including me) could check your server to determine how do they login and get access. And protect it. Please feel free to PM those who you trust most for details.
 
Thanks Alex,
I changed all passwords yes and they still accessed my server..

I'll contact you by PM.

Thanks,
Idan


 
About 3.).
Go to SSH and check /root/.ssh for a file called authorized_keys. If you don't use SSH keys for SSH access, remove that file. Good chance that he is getting in the system that way. You can change passwords all day long, as long as there is access via authorized keys, it doesn't matter because that's not affected by password changes.
 
That's a good point, Richard, but I have to wonder: what kind of backup did Idan use? It seems he may have used the System Backup which could have backed up lots of things, including the /etc/passwd, /etc/group, and /etc/shadow files, all of which could have been modified to give the old host password access as well.

@Idan, I'd recommend that if you used System Backup you probably should restore it, immediately do an Admin level Reseller Backup and then have the new system rebuilt, have everything reinstalled from scratch, and then reinstall that new backup, which will only restore whatever is in the users' space.

Of course still check the admin user (and other users which may appear suspicious, or even all users) for any suspicious files owned by them.

I don't have time to look into your server right now, and in my opinion, zEitEr made you a good offer; consider taking him up on it.

Jeff
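
An added example, not part of the thread or any poster's own commands: a small audit covering both points above, the authorized_keys files Richard mentions and the /etc/passwd and /etc/shadow entries Jeff mentions. The function names and the AUDIT_ROOT variable are this example's own; with AUDIT_ROOT unset it runs on a constructed sample tree, and with AUDIT_ROOT=/ (as root) or the path of an extracted backup it audits that tree.

```shell
# Added example: list login paths that survive a password change.
# Each function takes ROOT: "/" on a live server or an extracted backup tree.

# Accounts with UID 0; anything besides "root" is root-equivalent.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# Accounts with a usable or empty password in shadow.
# Locked entries start with "!" or "*".
password_logins() {
    awk -F: '$2 == "" { print $1 " EMPTY"; next }
             $2 !~ /^[!*]/ { print $1 " hash" }' "$1/etc/shadow"
}

# One line per key: "user file keytype comment", for every account's
# authorized_keys and authorized_keys2 (the default sshd locations).
authorized_keys() {
    root=$1
    awk -F: '{ print $1 ":" $6 }' "$root/etc/passwd" |
    while IFS=: read -r user home; do
        for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            # Skip blank/comment lines; find the key type after any options.
            awk -v u="$user" -v f="$f" 'NF == 0 || $1 ~ /^#/ { next }
                { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                      print u, f, $i, $(i+2); break } }' "$f"
        done
    done
}

# Constructed sample tree (not data from the thread): a leftover root key
# and an extra UID-0 account with an empty password.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'admin:x:1000:1000::/home/admin:/bin/bash' \
        'support:x:0:0::/home/support:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'root:$6$salt$hash:19000:0:99999:7:::' \
        'admin:!:19000:0:99999:7:::' 'support::19000:0:99999:7:::' > "$d/etc/shadow"
    printf '%s\n' '# provisioning' \
        'ssh-ed25519 AAAAC3constructed old-host@example' > "$d/root/.ssh/authorized_keys"
    echo "$d"
}

r=${AUDIT_ROOT:-$(make_sample)}   # AUDIT_ROOT is this example's own variable
echo "UID 0:";     uid0_accounts "$r"
echo "Passwords:"; password_logins "$r"
echo "Keys:";      authorized_keys "$r"
```

If sshd_config sets AuthorizedKeysFile to a non-default path, keys stored there are not covered by this check and need to be reviewed separately.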
 
Thanks

Thanks Richard, I will check it..
Jeff, I'm doing only admin backup and backing up users.. First time I guess the new host moved the whole server with System Backup, Second time I Rebuilt the Server and restored from users backups.

I'll check Richard's suggestion and I'll contact zEitEr anyway.

Many thanks everyone!
Idan
 