Jump to content

TCAdmin Security Suggestion


JasonF

Recommended Posts

This is just my opinion, but I would recommend people:

 

(1) Create a new account with admin priviledges, make the password very hard to guess as ECF suggested. Then make sure your user ADMIN does not own any game or voice servers. After that disable the ADMIN account. Also update your billing software to reflect the new admin account for automatted setups

 

This will basically make a person guess the user and password to gain access. With the admin account active, all they need to do is guess the password.

 

(2) Update your TCAdmin installs for the new Security plugin that allows permanent IP banning.

 

(3) Everyone should look in their TCAdmin Control Panel\Logs folder at the following 2 files:

 

Web.Login.txt

FTP.Login.txt

 

Look for any suspicious logins, etc.

 

(4) Restrict .asd files from being uploaded in both the file manager and ftp server

 

(5) Limit the admin and subadmins to specific IP addresses.

Link to comment
Share on other sites

I have disabled mine with no issues. The hacker that has gained access to a few people's servers is using the admin account to gain access. By disabling it, the idiot needs to guess a user and password.

 

If anyone has questions please email me through the forums.

Link to comment
Share on other sites

Here's a suggestion, email everyone so they can check their systems. I only found out from another GSP who asked if I was affected. Otherwise I still wouldn't know.

 

I'm not talking about through tcadmin either, as our mail server setting was changed by this person.

Link to comment
Share on other sites

At this point Brandon, we are not 100% sure that the person is getting in via our software. So to send out an email with incorrect information would not help the situation.

 

Once we have collected all the information, and if it truly is an exploit in our software then the email will go out with all information that we have availible to us at the time.

Link to comment
Share on other sites

I have not been able to find how he got in, been scouring all the TCA logs, IIS logs, event logs. In talking to another who has been effected, we are wondering what all similarities there are in the setups, but I do not really want to discuss that info in a public forum.

 

The person who has been hitting people, I have researched a little bit. He appears to be a script kiddie, and does not appear to have the skills to develop any tools. I have found numerous posts in different hacker forums claiming to have written something, and others have shot him down showing where the script originated. I have not found anywhere yet where anyone is claiming of any TCA exploits.

Link to comment
Share on other sites

In talking to another who has been effected, we are wondering what all similarities there are in the setups, but I do not really want to discuss that info in a public forum.

 

Tcadmin perhaps?

 

Regardless if I wasn't informed by another GSP using TCADMIN then I still would not know that anything had happened. It would be in everyone's best interest if a simple precaution email was sent out so they can prevent further damages EVEN IF the source isn't Tcadmin.

Link to comment
Share on other sites

Luis has just pushed out another update which further reinforces the security plugin. It allows you to set admin IPs which are the only ones that can access an admin account within TCA.

 

Question on the admin IP feature. Can wild cards be used, I have some admins that have very fluctuating IPs and entering about 60 IPs to ensure there acess would be a pain, but I would love to restrict it to a batch of IPs with a wild card.

Link to comment
Share on other sites

Tcadmin perhaps?

 

Regardless if I wasn't informed by another GSP using TCADMIN then I still would not know that anything had happened. It would be in everyone's best interest if a simple precaution email was sent out so they can prevent further damages EVEN IF the source isn't Tcadmin.

 

We know TCAdmin is a common denominator, but wondering about other things.

 

NOTE: I found referer links from these forums and the dedicated.php page from this IP that has hit us. Also numerous google hits from the TCA version number displayed on the bottom of the TCA contol page.

Link to comment
Share on other sites

Well I won't discuss further here. All I am saying is that since there is a chance that others may be affected they should be informed. Just point them to that post or tell them what to look for and where. If they weren't affected then great, if so then you have more evidence to make your case.

Link to comment
Share on other sites

Funny stuff here now that we get alerts..

 

The IP 60.191.220.143 has been temporarily banned for 15 minutes.

Last login details:

UserId: Administrator

Password: 123456

 

LOL

 

The only wierd thing is that it got banned 3 times all 3 minutes apart. If that ip was banned how did it keep attempting to login?

Link to comment
Share on other sites

Yeah we have tons of alerts coming in now.. Wow. And I'm not messing around - 5 attempts and permanent ban. If a customer gets banned they can contact us. Otherwise it looks like we may have a pretty large ban list fairly soon.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Guest
This topic is now closed to further replies.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use