# ServerCrate compromised



## joepie91 (Mar 5, 2014)

> Hello Sven,
> 
> We regret to inform you that on Monday March 3rd at 10:16PM PST our systems were compromised. ServerCrate staff reacted quickly to the intrusion, shutting off our network to locate a point of entry in our systems, which has since been found. Unfortunately 3 VZ nodes were wiped in the intrusion, we were able to recover data from DALSSDVZ1 and DALSSDVZ2, but backups had to be restored onto DALSSDVZ5. All VPSs are up at this time, if your VPS is having issues or is offline, please submit a support ticket: https://billing.servercrate.com/submitticket.php
> 
> ...


----------



## HalfEatenPie (Mar 5, 2014)

I wonder if they notified the authorities...


----------



## rds100 (Mar 5, 2014)

Damn. So what was it - WHMCS? SolusVM?


----------



## GIANT_CRAB (Mar 5, 2014)

>using solusvm

that's the problem right there.


----------



## joepie91 (Mar 5, 2014)

HalfEatenPie said:


> I wonder if they notified the authorities...


Well, at least they notified their customers properly. A _certain provider_ didn't even manage to do _that_ correctly...


----------



## MartinD (Mar 5, 2014)

GIANT_CRAB said:


> >using solusvm
> 
> that's the problem right there.


Proof?

Ah yes, none. As always.


----------



## drmike (Mar 5, 2014)

Poor Solus, always getting blamed.

It's like the new DDoS excuse for providers.

Could be true though. Surely they had compromises in the past.  It is software after all and a piece that every lowend* e-hoodlum sitting in mom's basement drools about exploiting.

My question is:  What was the nature of the attack and how was it detected?


----------



## peterw (Mar 5, 2014)

Bad karma, but they informed their customers.


----------



## jarland (Mar 5, 2014)

Recovered two and restored backups on the third. Thoughts about the "owner" aside, at least he takes backups.


----------



## Francisco (Mar 5, 2014)

peterw said:


> Bad karma, but they informed their customers.


 


jarland said:


> Recovered two and restored backups on the third. Thoughts about the "owner" aside, at least he takes backups.


Robert gets my nod on this.

Francisco


----------



## kaniini (Mar 5, 2014)

MartinD said:


> Proof?
> 
> Ah yes, none. As always.


It was not SolusVM.  I can't disclose at this time what it was though.


----------



## rds100 (Mar 5, 2014)

kaniini said:


> I can't disclose at this time what it was though.


Can you at least disclose what it wasn't?


----------



## kaniini (Mar 5, 2014)

rds100 said:


> Can you at least disclose what it wasn't?


I do not believe that is appropriate either until the audit is fully concluded.


----------



## Aldryic C'boas (Mar 5, 2014)

kaniini said:


> It was not SolusVM.  I can't disclose at this time what it was though.


So now the upstream is involved - that makes me wonder if the issue took place above Clarke's level of access.  Or is this a GVH situation, where you're just making commentary _on behalf_ of a business relation?


----------



## kaniini (Mar 5, 2014)

Aldryic C said:


> So now the upstream is involved - that makes me wonder if the issue took place above Clarke's level of access.  Or is this a GVH situation, where you're just making commentary _on behalf_ of a business relation?


Centarra itself is not involved.  I am personally involved as I was hired, independently, to do the audit.

Centarra does not provide security services, but I would have figured you guys already knew that I do on the side.


----------



## Francisco (Mar 5, 2014)

kaniini said:


> Centarra itself is not involved.  I am personally involved as I was hired, independently, to do the audit.
> 
> Centarra does not provide security services, but I would have figured you guys already knew that I do on the side.


I do, but probably not Ald 

Fran


----------



## Aldryic C'boas (Mar 5, 2014)

You figured correctly.  My comment served the double purpose of rolling my eyes at another 'company' (just can't help myself there), as well as allowing you to clarify the situation _before_ rumours started.


----------



## kaniini (Mar 5, 2014)

Well, to clarify, Centarra's only involvement was acting on feedback from Robert concerning what he wanted done with his VLAN, during the intrusion, as well as facilitating remote hands (basically moving his Lantronix KVM around from node to node) to enable investigation, containment and mitigation of the intrusion.


----------



## texteditor (Mar 5, 2014)

jarland said:


> Recovered two and restored backups on the third. Thoughts about the "owner" aside, at least he takes backups.


Probably a good idea he picked up from Nick_A


----------



## Virtovo (Mar 5, 2014)

Recovering backups can sometimes just mean that those nodes were not nuked.  The provider then puts on some spin that they managed to save the day for at least some of their clients.  Not saying it happened in this case.  Why do I not see Servercrate advertise anywhere?


----------



## blergh (Mar 5, 2014)

Virtovo said:


> Recovering backups can sometimes just mean that those nodes were not nuked.  The provider then puts on some spin that they managed to save the day for at least some of their clients.  Not saying it happened in this case.  Why do I not see Servercrate advertise anywhere?


I doubt he'd do it just for the PR. He's discontinuing the VPS-branch/services very soon as far as I know. This would also explain the lack of advertising.


----------



## Aldryic C'boas (Mar 5, 2014)

Virtovo said:


> Why do I not see Servercrate advertise anywhere?


ServerCrate (Owned/Run by Robert Clarke) has a nasty reputation here due to Clarke compromising RamNode (and attempting to compromise other providers) in the past, causing Nick a ton of grief.  Relevant -


----------



## kaniini (Mar 5, 2014)

Virtovo said:


> Recovering backups can sometimes just mean that those nodes were not nuked.  The provider then puts on some spin that they managed to save the day for at least some of their clients.  Not saying it happened in this case.  Why do I not see Servercrate advertise anywhere?


The restore was a bare metal restore.  The other two nodes had /vz intact, so the configuration was rebuilt after a reinstall.

This is, in part, why they recommend putting /vz on its own filesystem.


----------



## raindog308 (Mar 5, 2014)

blergh said:


> He's discontinuing the VPS-branch/services very soon as far as I know. This would also explain the lack of advertising.


So now he's recovering his VPS service just to retire it?

In light of "we were just hacked", "our owner hacks other providers", and "we will be closing shop soon anyway" this page makes for hilarious reading:

https://servercrate.com/why-us.php

Another example of why it's impossible for me to take teenage hosts seriously.


----------



## DomainBop (Mar 5, 2014)

blergh said:


> I doubt he'd do it just for the PR. He's discontinuing the VPS-branch/services very soon as far as I know. This would also explain the lack of advertising.



I think the lack of advertising by the little spoiled brat shit is better explained by the fact that he is banned from WebHostingTalk and LowEndTalk and therefore can't advertise on hosting forums.


----------



## DomainBop (Mar 5, 2014)

raindog308 said:


> Another example of why it's impossible for me to take teenage hosts seriously.


There are exceptions who I think are worthy of being taken seriously.  Like these guys.


----------



## kaniini (Mar 5, 2014)

blergh said:


> I doubt he'd do it just for the PR. He's discontinuing the VPS-branch/services very soon as far as I know. This would also explain the lack of advertising.


I think he disagrees.

[3/5/14, 8:09:42 PM] Robert: Kindly tell this "blergh" person that he's completely speaking out of his ass


[3/5/14, 8:09:46 PM] Robert: I've never said that anywhere


----------



## Shados (Mar 5, 2014)

kaniini said:


> I think he disagrees.
> 
> [3/5/14, 8:09:42 PM] Robert: Kindly tell this "blergh" person that he's completely speaking out of his ass
> 
> ...


Couldn't he just say that himself? Or is he banned here or something?


----------



## kaniini (Mar 5, 2014)

No idea.  That's just what he told me when I asked him about it on Skype.


----------



## raindog308 (Mar 5, 2014)

Aldryic C said:


> ServerCrate (Owned/Run by Robert Clarke) has a nasty reputation here due to Clarke compromising RamNode (and attempting to compromise other providers) in the past, causing Nick a ton of grief.  Relevant -


I'd forgotten Robert tried to hack BuyVM.  I think it went something like this:


----------



## MannDude (Mar 5, 2014)

Shados said:


> Couldn't he just say that himself? Or is he banned here or something?


He is.


----------



## blergh (Mar 6, 2014)

kaniini said:


> I think he disagrees.
> 
> [3/5/14, 8:09:42 PM] Robert: Kindly tell this "blergh" person that he's completely speaking out of his ass
> 
> ...


Servercrate/shovenose - Same shit different name.


----------



## texteditor (Mar 6, 2014)

Shados said:


> Couldn't he just say that himself? Or is he banned here or something?


There are very few places he _isn't_ banned


----------



## shovenose (Mar 7, 2014)

blergh said:


> Servercrate/shovenose - Same shit different name.


Um...? No...?


----------

