# RamNode Down?



## Mun

Seems Ramnode is down, and for roughly the past hour and a half. http://status.ramnode.com/

LowEndTalk thinks it might be the vulnerability: http://lowendtalk.com/discussion/11191/ramnode-is-down#latest

Any thoughts?

Mun


----------



## TheLinuxBug

My thoughts are that the SolusVM bug is a major issue. It can be used to basically remove all vms and do some other naughty things. As per what is going on with RamNode, I really hope that is not the case.


Cheers!


----------



## tdc-adm

My VPSs were down. Hope everything comes back soon.


----------



## bizzard

One of mine is still down and seems like it's on ATLCVZ7 as it's the only OpenVZ node down now as per the Pingdom monitoring. Looking forward to hearing from Nick_A.


----------



## wlanboy

At least a tweet about the status.


----------



## Ivan

Here's an official statement from Nick, he posted it on a thread in LET.



> Ok, I am working feverishly to get everything back up ASAP. Robert Clarke definitely ran the exploit, as he has admitted to both publicly and privately. I do not have an ETA for every VPS. Some nodes were unharmed and are back up. Some were wiped. Some are in between. I will be restoring SolusVM, then our website, then as many VPSs from backups as possible. Thank you for your understanding and support.


----------



## wlanboy

My vps was offline from 14:41:33 to 16:14:12.

Ok, down again.


----------



## drmike

What the hell is up with the hack and Robert Clarke being implicated as the culprit?

Maybe Lowend should merge with Hackforums?  Communities seem to be about the same age, interest, etc.


----------



## MartinD

Apparently he openly admitted it to Nick.


----------



## drmike

I read that @MartinD.

Seems like the kid can't be trusted.

Time for the coffin nails for his hosting business.


----------



## earl

It does not make sense though, why would he openly admit to the attack on ramnode knowing full well that it will be tarnishing his business?


----------



## drmike

@NickA / Ramnode is a stand up guy, so if he believes he is sure about the culprit I believe him.

Unsure why Clarke has been so forthcoming about the matter and allegedly non protected in doing such.

All for seeing RamNode bring legal charges over the matter.


----------



## Otakumatic

A friend's site, hosted at RN is partially up (as in, he uses a free forum host for the forum due to content transferring issues, but uses his RN VPS for an AJAX chat), and he told me that RN was down. I'm surprised, honestly, cause RN seemed to be one of those hosts who rarely have downtime, and when they do, it's short. Anything could happen though!


----------



## earl

Well Robert does seem to have been the target for a lot of pranks.. I would not be surprised if he is being setup.. I just can't see how someone can be that foolish?


----------



## drmike

earl said:


> Well Robert does seem to have been the target for a lot of pranks.


 

No doubt about this. 

Again, surprised by Nick's statement.  He tends to be reserved and tight lipped about finger wagging.


----------



## earl

I'm not second judging Nick, I'm sure Robert or someone impersonating Robert did confront Nick.. but the whole thing just don't make sense Robert has too much to lose to openly admit to doing something like this.. but hey, I could be wrong, who knows anymore!! with all this hack and the general hostility in the community sometimes I wonder if it's time for a new hobby!


----------



## Aldryic C'boas

I usually don't get involved in messes like this... but here's a little something yanked from our own logs:

50.46.111.187 manage.buyvm.net - [16/Jun/2013:02:51:56 -0700] "GET /centralbackup.php HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36 AlexaToolbar/alxg-3.1"

 

Note the IP address.

 

Looks like that WHMCS Login Tracker is going to come in handy here:

 







 

_EDIT:  For anyone unsure what they're looking at here... that terminal window is just running a perl script that retrieves records from our billing panel logins, and puts it in a nice, readable table._

 

I would also like to note that as of 1017h of 09June, Clarke's services with us were terminated, and he was barred from further service.  I disclose this to emphasize the fact that he had no reason to be "testing" an exploit on us (for a panel we don't even use).

 

And as for the rest of you that tried to 'test' on us as well... yes, I know who you are, and yes, it will impact your tenancy with us.  Too late to claim "just watching your back".


----------



## Kris




----------



## drmike

Damn that @Aldryic.  Tee hee!!!   On top of problems and rectally probing the fools.

The BuyVM gods spoke and Robert just got owned.

Did young Robert contest his suspension?  Claim he was hacked?


----------



## Zach

https://twitter.com/RobertJFClarke/status/346332660307738624


----------



## Kris

He'll be making things very clear as soon as he orders within 27 hours and 1 minute and chooses 1 day shipping.


----------



## Supicioso

If he publicly admitted, then where is this "public" admittance?


----------



## Aldryic C'boas

buffalooed said:


> Did young Robert contest his suspension?  Claim he was hacked?


His service with us was ended due to an unrelated matter.  Privacy policy prevents me from going any more into detail on that.. but it had nothing to do with this


----------



## drmike

Well @Aldryic,  always a class act you guys are.

Guess we can add one more provider that hates BuyVM now


----------



## ShardHost

You know Robert seemed to have started to grow up lately.  No major hacks on him, he was reasonably polite to people and had eased his jumping into every thread touting service, then he performs such a douche move like this.  So glad he did not have service with us.


----------



## Kris

JaredT90 said:


> If he publicly admitted, then where is this "public" admittance?






As for the time zones, I think I might have been logged out. It's pretty well stated. The IP traces back to the Richmond / Seattle, WA area where he is, and the gem Aldryic just gave sort of shows us he at least ran the exploit / got the script planted.

If he actually ran the script paste a download of a DB? Not sure. Probably was a bit worried and called when he realized he got the index page replaced. But he did put the gears in motion / use his account to basically allow someone to damage RamNode.


----------



## MannDude

Was it _really_ Robert Clarke? Isn't this a kid who was having trouble running his own company and failed multiple times? Same kid who's had an imposter supposedly pose as him and spread rumors?


----------



## drmike

Yeah, that kid @MannDude.  Same kid who supposedly had someone call a swat team over to his house (never saw proof of that though).


----------



## Kris

MannDude said:


> Was it really Robert Clarke? Isn't this a kid who was having trouble running his own company and failed multiple times? Same kid who's had an imposter supposedly pose as him and spread rumors?


The same that closed his company after that 'swat team' incident, then next week had more offers.

I think this time he'll be legit vanned.


----------



## Aldryic C'boas

MannDude said:


> Was it _really_ Robert Clarke? Isn't this a kid who was having trouble running his own company and failed multiple times? Same kid who's had an imposter supposedly pose as him and spread rumors?


There's no doubt at all that Robert Clarke (the real kid, not the imposter(s)) was the one that attempted to run the exploit on us as well.  By his own admission (visible in his Twitter timeline, until he locked his account from public view a few minutes ago) he was "testing a bunch of companies" as an excuse as to why his IP (his residential IP, at that) was showing up in httpd logs trying to access the exploited file.


----------



## MannDude

Kris said:


> The same that closed his company after that 'swat team' incident, then next week had more offers.
> 
> I think this time he'll be legit vanned.


Isn't he still a minor or in school?

Find his father and sit down and have a chat with Mr. Clarke.


----------



## Kris

MannDude said:


> Isn't he still a minor or in school?
> 
> Find his father and sit down and have a chat with Mr. Clarke.


You'd have to step into the Clarkezone for that.


----------



## ShardHost

Kris said:


> You'd have to step into the Clarkezone for that.


This is one family that lives a lot of their life quite publicly online.


----------



## Jack

Kris said:


> You'd have to step into the Clarkezone for that.


Joepie wanted to contact him and he blocked him.


----------



## notFound

He is around 15-16 years old, however that is not justification for anything. I know many 15-16 year olds who are mature and know not to do anything of the sort.


----------



## Jack

notFound said:


> He is around 15-16 years old, however that is not justification for anything. I know many 15-16 year olds who are mature and know not to do anything of the sort.









16?


----------



## MannDude

Kris said:


> You'd have to step into the Clarkezone for that.


https://twitter.com/search?q=%40clarkezone&src=typd Keeping an eye on this while people tweet to his father.



notFound said:


> He is around 15-16 years old, however that is not justification for anything. I know many 15-16 year olds who are mature and know not to do anything of the sort.


No justification, hopefully this kid gets in actual trouble.

Maybe he was just trying to impress his pop on fathers day?

"Hey Dad! DAD! DADDDD! Look what I did they're talking about me! I'm like, cool like you pa?"

--"<sigh> You're the milkman's. You're not mine."


----------



## George_Fusioned

notFound said:


> He is around 15-16 years old, however that is not justification for anything. I know many 15-16 year olds who are mature and know not to do anything of the sort.


Indeed he looks around that age (photo from last year) http://t.co/BJ8WpnD7


----------



## Aldryic C'boas

Jack said:


> Joepie wanted to contact him and he blocked him.


 

Pretty much the only sensible move the kid has made.  joepie and his ilk are exactly the sort you _avoid_ if you're trying to run a legitimate business.


----------



## TheHackBox




----------



## Aldryic C'boas

TheHackBox said:


> What's the beef between you two anyway?


His affiliation with the LulzSec group (and other unsavories), to put it shortly.  From http://www.guardian.co.uk/technology/2011/jun/24/lulzsec-irc-leak-the-full-record :



> *Jun 02 18:10:38* joepie91 uh
> 
> *Jun 02 18:10:40* joepie91 Topiary
> 
> *Jun 02 18:10:40* joepie91 ..
> 
> *Jun 02 18:10:43* joepie91 that is a Frantech IP
> 
> *Jun 02 18:10:48* Topiary FIREFIREFIREFIRE
> 
> *Jun 02 18:10:52* Topiary FUCK YOU FRANTECH\111
> 
> *Jun 02 18:10:52* joepie91 DDoS it
> 
> *Jun 02 18:10:54* sabu everybody stfu
> 
> *Jun 02 18:10:54* joepie91 it will disappear
> 
> *Jun 02 18:10:55* storm ?
> 
> *Jun 02 18:10:56* joepie91 in a few minutes





> *Jun 02 18:13:42* joepie91 Topiary: just a tip, Frantech has an automated nullrouting system in place. If you DDoS Laurelais IP, he will disappear from the internet for a while, and if you keep doing it he will be booted from their service. *[...]*
> 
> *Jun 02 18:14:31* joepie91 it'll get nullrouted for ~1 hour at first I believe
> 
> *Jun 02 18:14:36* joepie91 after a few nullroutes he will get suspended
> 
> *Jun 02 18:14:37* joepie91


I tend to take issue with someone actively trying to turn negative attention towards our network.  There are other reasons as well, but the above pretty much makes a good summary.


----------



## fapvps

Wow...That is a pretty messed up situation, I truly hope RamNode will make a full recovery soon...


----------



## pcan

For a moment, I had the illusion to be back again in 1996, when you could read news like this: "15 years kid disables a service provider using its personal computer from home".

I was dreaming: almost 20 years have passed, Internet has a crucial role now, security is way better...

...or maybe not. It is precisely this type of issues that prevents the web service industry to be taken seriously on some kinds of business. Security is often neglected, and it shows. Here we have at least two major failures: an unbelievably huge security hole on SolusVM, and lots of people that do a default install and don't remove the unused features.


----------



## MannDude

pcan said:


> For a moment, I had the illusion to be back again in 1996, when you could read news like this: "15 years kid disables a service provider using its personal computer from home".
> 
> I was dreaming: almost 20 years have passed, Internet has a crucial role now, security is way better...
> 
> ...or maybe not. It is precisely this type of issues that prevents the web service industry to be taken seriously on some kinds of business. Security is often neglected, and it shows. Here we have at least two major failures: an unbelievably huge security hole on SolusVM, and lots of people that do a default install and don't remove the unused features.


And we also live in a world where all a 'hacker' has to do is follow a guide that is easier to follow than installing a LAMP stack or use booters to DDoS servers.


----------



## HalfEatenPie

pcan said:


> or maybe not. It is precisely this type of issues that prevents the web service industry to be taken seriously on some kinds of business. Security is often neglected, and it shows. Here we have at least two major failures: an unbelievably huge security hole on SolusVM, and lots of people that do a default install and don't remove the unused features.


 

Well, this is the thing.  While many industries and fields have been developing for decades if not generations, the entire "online industry" is still very young.  Because of this there's still no "normal".  Also, the very nature of the service we provide allows even a newcomer to create something new, and when given that platform (especially since the entire world is connected on such a platform) a single major flaw could create similar events as this. 

I mean we can all do much better to work on security, but I feel like this issue is far from being solved.


----------



## pcan

HalfEatenPie said:


> I mean we can all do much better to work on security, but I feel like this issue is far from being solved.



I agree: this will not be solved quickly. The prevalent idea is that functionality comes well before security. The same mindset was common on other engineering branches, but things changed after some disasters that struck the imagination of the people (think of the Zeppelin, or Titanic). There has been no major security disaster on web technology.  Yet.


----------



## HalfEatenPie

pcan said:


> I agree: this will not be solved quickly. The prevalent idea is that functionality comes well before security. The same mindset was common on other engineering branches, but things changed after some disasters that struck the imagination of the people (think of the Zeppelin, or Titanic). There has been no major security disaster on web technology.  Yet.


 

And also the entire fact that those technologies have been around for a while.  Even in Civil Engineering we're using analysis equations developed in 1958.


----------



## bbb

lol @ robbie

pz'd himself


----------



## maounique

pcan said:


> There has been no major security disaster on web technology.  Yet.


I am not so sure about that. There were a lot of things leaked and probably a lot of secret stuff made its way to terrorists or god knows who.

If the americans could install a worm in the Iranian computers that control nuclear stuff what makes us think it was not possible the other way around, that chinese will install some trojan in the dept of defense computers ? There is increasing evidence they did and one day the wars will no longer be started by the US president at the call of the US churches or corporations but by the talibans by remote control.

It is that bad, I think.


----------



## HalfEatenPie

I feel like not a lot of people outside of the actual tech industry fully understand the importance of security.  I mean for many people it's "Ok it works, don't break it", but with servers even if it works it doesn't mean it's secure, and we do end up seeing this many times.

I mean remember CurtisG's old "live chat" system he was building?  Once he showed us snippets of the codes many people informed him how it could have been exploited.  His response was "it's not production anyways" or just "this was a quick start".  I feel like not enough stress is placed on security and sanitation of variables.


----------



## MCH-Phil

Definitely not enough pressure is put on the importance of securing systems.  It's a very amateur thing to not sanitize input before usage.  

*Security through obscurity* is *not* _security_, people!


----------



## Supicioso

Kris said:


> As for the time zones, I think I might have been logged out. It's pretty well stated. The IP traces back to the Richmond / Seattle, WA area where he is, and the gem Aldryic just gave sort of shows us he at least ran the exploit / got the script planted.
> 
> If he actually ran the script paste a download of a DB? Not sure. Probably was a bit worried and called when he realized he got the index page replaced. But he did put the gears in motion / use his account to basically allow someone to damage RamNode.


That's not too convincing in my eyes. It's way too vague. It wouldn't fly in court, so you lot shouldn't pass it off as true until all the facts are laid out.


----------



## HalfEatenPie

JaredT90 said:


> That's not too convincing in my eyes. It's way too vague. It wouldn't fly in court, so you lot shouldn't pass it off as true until all the facts are laid out.



What we do have is an understanding (proof if what Nick_A says is true) that RobertClarke did at the very least initiate the process.  

By following those directions on RamNode's installation of SolusVM, he has compromised their systems.  Now we don't have any proof that he was the individual to initiate the damage, but he's basically someone who has left the door wide open for another person to come in and wreak havoc (without proper authorization or permission to initiate this in the first place).

We also have proof that he has tried this on another host (link: http://vpsboard.com/topic/733-ramnode-down/?p=10588 ) and he himself has stated that he initiated it on RamNode (publicly and privately from what Nick stated).

What else do you need?  To me this is good enough information until more information is provided in the final analysis of the logs and information available.


----------



## drmike

Someone SWAT them all 

Someone is going to get put on a time out for being a bad boy.


----------



## maounique

HalfEatenPie said:


> he has compromised their systems


I strongly disagree with that. He did not compromise anything, the exploit compromised every solusvm installation out there, it wasnt even needed to be released, solus was still compromised.

He only installed a tool to make it easy, granted, I dont say he is not to be blamed, he shouldnt have done that, however, you cannot honestly say someone compromised the security of your home unlocked doors if they took out the plasma TV in the yard making it easier to be stolen. Anyone could have done that, the security was compromised before this thing happening.


----------



## shovenose

Mao said:


> you cannot honestly say someone compromised the security of your home unlocked doors if they took out the plasma TV in the yard making it easier to be stolen.


You're right, because most plasma TVs are really heavy, especially from ones a couple years old, and they'd have a hard time moving it


----------



## HalfEatenPie

Mao said:


> I strongly disagree with that. He did not compromise anything, the exploit compromised every solusvm installation out there, it wasnt even needed to be released, solus was still compromised. He only installed a tool to make it easy, granted, I dont say he is not to be blamed, he shouldnt have done that, however, you cannot honestly say someone compromised the security of your home unlocked doors if they took out the plasma TV in the yard making it easier to be stolen. Anyone could have done that, the security was compromised before this thing happening.


 

Ehh, true.

I guess what I meant to say was he made it one step easier for someone to inflict damage to their system.  In my own opinion, he initiated this entire ordeal by performing such actions.


----------



## maounique

OK, what I also mean is that whoever deleted the VPSes using that exploit is really the culprit. RK is an accessory, but not the main perpetrator if it is true he didnt delete anything, nor downloaded AND  released the DB.

He is a bright kid and I am sorry for his troubles, while there are other kids which know better, I know that knowledge does not bring responsibility in thinking and this is true for many adults too.

This will hopefully be the last lesson he needed to learn in his way to maturity.


----------



## Aldryic C'boas

HalfEatenPie said:


> Ehh, true.
> 
> I guess what I meant to say was he made it one step easier for someone to inflict damage to their system.  In my own opinion, he initiated this entire ordeal by performing such actions.


Assuming he didn't do the actual hit to begin with.  On a more amusing note, someone has been trying to use the http://code.google.com/p/slowhttptest/ tool from a couple different VPSes (I'll be emailing the providers shortly) to try and slam the exploit link with us.  Stallion doesn't have this exploit, of course... but it looks like someone panicked from my earlier posts, and was trying to fill the httpd logs and ensure their IP got trimmed out.  Too bad for them, I already saved copies of the original logs long before they tried this little tactic.

And now you've given me additional points to hunt you from - the game begins <3


----------



## shovenose




----------



## MannDude

shovenose said:


> Slowloris is such a useless attack if NGINX or IIS is used. But it's deadly effective and minimally abusive to Apache


And we all remember Shovenose's history with Slowloris...


----------



## shovenose

MannDude said:


> And we all remember Shovenose's history with Slowloris...


And that's why I now know all about it lol. You could consider me the resident Slowloris expert  If expert is the same as copying and pasting one command into a random SSH window


----------



## MannDude

shovenose said:


> And that's why I now know all about it lol. You could consider me the resident Slowloris expert  If expert is the same as copying and pasting one command into a random SSH window


And that's whats worrying. It's not like Robert, for example, did anything 'difficult'. It's not like he's a 'master hacker' hell bent on destruction. Just some kid with piss poor judgement and instead of trying this on himself and only on himself he tried other provider(s).


----------



## shovenose

MannDude said:


> And that's whats worrying. It's not like Robert, for example, did anything 'difficult'. It's not like he's a 'master hacker' hell bent on destruction. Just some kid with piss poor judgement and instead of trying this on himself and only on himself he tried other provider(s).


Well, tbh a variation of what I did. But at least I don't do those things consistently, and I did not cost anybody money or time. And I learn from my mistakes and understand what decisions I've made in the past what were stupid. I think that's the difference between him and me.


----------



## Mun

Hmmm Vpswiki.us posting about this.... I can't, but you all can 

http://www.vpswiki.us/providers/servercrate/


----------



## MCH-Phil

shovenose said:


> And that's why I now know all about it lol. You could consider me the resident Slowloris expert  If expert is the same as copying and pasting one command into a random SSH window


That doesn't make you an expert.  That makes you one of the 1000000's of other kids that can do the exact same thing, download a program and run a command.  Nothing expert about this....

Sorry I don't mean to come off assholish but this kind of behavior is ridiculous and degrading to people who are actual security experts etc..  How can you consider yourself an expert at something you downloaded and ran????


----------



## shovenose

MCH-Phil said:


> That doesn't make you an expert.  That makes you one of the 1000000's of other kids that can do the exact same thing, download a program and run a command.  Nothing expert about this....
> 
> Sorry I don't mean to come off assholish but this kind of behavior is ridiculous and degrading to people who are actual security experts etc..  How can you consider yourself an expert at something you downloaded and ran????


I'm sorry, but I was obviously using the term expert sarcastically.


----------



## MCH-Phil

Obvious doesn't work well over the internet, neither does sarcasm.  All anyone sees from your post is a bunch of smiles that make it seem like you're proud of it.


----------



## shovenose

MCH-Phil said:


> Obvious doesn't work well over the internet, neither does sarcasm.  All anyone sees from your post is a bunch of smiles that make it seem like you're proud of it.


No, I am most certainly not proud of those actions,


----------



## MCH-Phil

Thank you for the clarification


----------



## drmike

What I like about Shove is he admits to his youthful mistakes.  That's worth something.  Showing progress Shovey.

Clarke I am unclear about.   The LET chatter prior about him, the swat incident, etc.   

Can't blame Clarke.  He has Microsoft dopiates in his DNA.  Someone needs to reboot him for him to work right.

BuyVM catching him via the logs poking where he shouldn't have been #priceless


----------



## XFS_Duke

Wow, I look forward to meeting new people in this industry but people like him make me wonder... I know a lot of people that did bad things when they were younger. I know I did. I'm not proud of any of them, but they did teach me what NOT to do. And mine weren't really that bad and I'd tell anyone if they asked. People like him and a few others I know shouldn't be allowed anywhere near a good web host. He shouldn't even be able to own a domain name. Dude needs to grow up real fast. What he did was illegal, NO matter if he just accessed it or not. Access in itself is a crime. Especially if it is done with a known or unknown exploit.

Just my 2 cents.


----------



## MCH-Phil

buffalooed said:


> What I like about Shove is he admits to his youthful mistakes.  That's worth something.  Showing progress Shovey.
> 
> Clarke I am unclear about.   The LET chatter prior about him, the swat incident, etc.
> 
> Can't blame Clarke.  He has Microsoft dopiates in his DNA.  Someone needs to reboot him for him to work right.
> 
> BuyVM catching him via the logs poking where he shouldn't have been #priceless


Admitting because he was caught or just out of the kindness of his heart?  

I don't see saving face because you're caught red handed with your fingers in the cookie jar worth something.  I knew I shouldn't do it but I did it anyway... Sorry :/

These discussions are the exact reason shove shouldn't bring that up.  It's happened yes, but why remind potential customers and everyone else that you did it?  Doesn't seem pro-business in my mind.  If it was a mistake leave it at that  in the past where it belongs.  Learn from it and *move on*.


----------



## earl

All i can say is what a mess! I feel sorry for all the parties involved, I'm sure it has been a nightmare! reminds me of the fsckvps incident a couple years back..


----------



## drmike

earl said:


> reminds me of the fsckvps incident


I missed that trainwreck.  Is there a summary of it somewhere worth reading?



MCH-Phil said:


> Admitting because he was caught or just out of the kindness of his heart?



Lots of folks would take the low road and deflect and fabricate.  We have grown, seasoned adults around here that still do that. 

Or he could have taken the other sketchy road that is fairly popular with the electro-anarchist sect on lowend that declare hacking, floods, etc. essentially free speech and blame you for having an insecure system or open door.


----------



## Mun

buffalooed said:


> I missed that trainwreck.  Is there a summary of it somewhere worth reading?
> 
> Lots of folks would take the low road and deflect and fabricate.  We have grown, seasoned adults around here that still do that.
> 
> Or he could have taken the other sketchy road that is fairly popular with the electro-anarchist sect on lowend that declare hacking, floods, etc. essentially free speech and blame you for having an insecure system or open door.


Simple summary:

Early on Sun 15th of June 2013 an exploit was shown in SolusVM. Certain providers scrambled to get everything fixed, while others tested the exploit on other providers. One of these providers was RamNode and the culprit for testing was "RobertClarke". I use quotations as I can't attest to this myself. In any case someone posted the SolusVM database to the world, and then began damaging some of the nodes. As such RamNode shut down all servers and began patching.


----------



## Jack

By the look of RAMNode's twitter, Poor Nick has had no sleep :-/


----------



## earl

buffalooed said:


> I missed that trainwreck.  Is there a summary of it somewhere worth reading?


Over 177 pages!! it's like a novel..lol

http://www.webhostingtalk.com/showthread.php?t=867100

The short of it..

http://hostingfu.com/article/fsckvps-servers-wipeout-reveals-lxlabs-hypervm-insecurity


----------



## johnlth93




----------



## mpkossen

MannDude said:


> And that's whats worrying. It's not like Robert, for example, did anything 'difficult'. It's not like he's a 'master hacker' hell bent on destruction. Just some kid with piss poor judgement and instead of trying this on himself and only on himself he tried other provider(s).


According to his posts on LET, he _did_ try it on his own infrastructure at first (http://lowendtalk.com/discussion/comment/283952/#Comment_283952). This makes his "attempt" at other providers even worse. He did already know it worked. He wasn't testing it on others, he was doing it knowing perfectly well it would work.


----------



## peterw

RamNodes SolusVM CP is online again.



> We will open the ticket system shortly, but please understand that we will not be able to respond with our usual quickness for a few days.


----------



## Mun

mpkossen said:


> According to his posts on LET, he _did_ try it on his own infrastructure at first (http://lowendtalk.com/discussion/comment/283952/#Comment_283952). This makes his "attempt" at other providers even worse. He did already know it worked. He wasn't testing it on others, he was doing it knowing perfectly well it would work.


It wasn't per se a time line, and he may have very well tested it on others first, and just stated and acted like he didn't to try and protect what he had done.

Mun


----------



## wlanboy

Considering the timezones the timing was perfect to catch RamNode cold. But deleting (reinstall) the vps of users?

This attack is at the expenses of others to damage a host.

Can't believe the whole thing and the lower stairs ethics of the attacker.

Heads up @RamNode. Hopefully you can now get some sleep.


----------



## JDiggity

anybody know if this is the hack that took out CPVS that we have never been able to confirm?


----------



## CVPS_Chris

24khost said:


> anybody know if this is the hack that took out CPVS that we have never been able to confirm?


I talked to Solus and he said it is a very good possibility. You can all say I was a big liar blah blah blah but I was not lying, I just did not have any information to pursue after Jeremiah quit, he also said it had to do with CB before he left.

Kevin also checked out web server logs and  confirmed that Robert ( or whoever ) tried to do it to us as well but failed.


----------



## JDiggity

*@CVPS_Chris* If the community was wrong and called you a liar, about the hack, it needs to be set straight.


----------



## Aldryic C'boas

CVPS_Chris said:


> I talked to Solus and he said it is a very good possibility. You can all say I was a big liar blah blah blah but I was not lying, I just did not have any information to pursue after Jeremiah quit, he also said it had to do with CB before he left.
> 
> Kevin also checked out web server logs and confirmed that Robert ( or whoever ) tried to do it to us as well but failed.


If you would, make a text file of Robert's attempts to try it against you, please. I'm putting together similar information for Nick, as I believe he's going to pursue a criminal case on this.


(You also might want to grep your logs for the googlecode bit I mentioned before).


----------



## CVPS_Chris

24khost said:


> If the community was wrong and called you a liar, about the hack, it needs to be set straight.


I just did set it straight, I opened a ticket with Solus and Phil said it's a good possibility that it was the same method.


----------



## CVPS_Chris




----------



## Aldryic C'boas




CVPS_Chris said:


> 50.46.111.187 manage.chicagovps.net:5656 - [16/Jun/2013:06:51:59 -0400] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36 AlexaToolbar/alxg-3.1"
> 
> 
> Is this what you need?


That's perfect, thanks. He only made one attempt?
_Edit, Unrelated_: I guess I'm gonna have to break down and start using a 'proper' browser... links is butchering the hell out of the BBCode and quote attempts <_<


----------
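The log review requested above ("make a text file of ... attempts", "grep your logs"), as an added example that is not part of any post in this thread: it pulls requests for the two paths seen in the quoted log lines out of access logs in the same layout, converts timestamps to UTC so entries from providers in different time zones line up, and hashes each raw line so the extract can be checked against preserved originals. The sample log lines, IP addresses and hostnames are constructed, and the function names are illustrative.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Paths named in the two log lines quoted in this thread.
WATCHED_PATHS = {"/centralbackup.php", "/rofl.php"}

# Field layout of the quoted lines:
# client vhost user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample input (documentation IP ranges, example hostnames).
SAMPLE_LOG = """\
203.0.113.7 panel-a.example.net - [16/Jun/2013:02:51:56 -0700] "GET /centralbackup.php HTTP/1.1" 301 0 "-" "Mozilla/5.0 (constructed)"
198.51.100.20 panel-a.example.net - [16/Jun/2013:02:52:10 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 panel-b.example.org:5656 - [16/Jun/2013:06:51:59 -0400] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (constructed)"
198.51.100.99 panel-a.example.net - [16/Jun/2013:03:05:00 -0700] "GET //CentralBackup.php?x=1 HTTP/1.1" 404 0 "-" "constructed-client/1.0"
this line is truncated garbage
"""


def normalise_path(target):
    """Drop the query string, decode %xx, collapse '//' and lowercase.

    Deliberately broad, so trivially altered requests still match.
    """
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {
        "utc": when.astimezone(timezone.utc).isoformat(),
        "ip": m["ip"],
        "vhost": m["vhost"],
        "path": normalise_path(m["target"]),
        "status": int(m["status"]),
        "agent": m["agent"],
        # Hash of the raw line, for comparison with the preserved log copy.
        "sha256": hashlib.sha256(line.encode("utf-8")).hexdigest(),
    }


def find_probes(lines):
    """Return (hits sorted by UTC time, number of unparseable lines)."""
    hits, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # report these rather than silently dropping them
        elif rec["path"] in WATCHED_PATHS:
            hits.append(rec)
    hits.sort(key=lambda r: r["utc"])
    return hits, unparsed


def summarise(hits):
    """Group hits by client IP: count, vhosts touched, first and last seen."""
    out = {}
    for h in hits:  # hits are already in time order
        s = out.setdefault(h["ip"], {"hits": 0, "vhosts": set(), "first": h["utc"]})
        s["hits"] += 1
        s["vhosts"].add(h["vhost"])
        s["last"] = h["utc"]
    for s in out.values():
        s["vhosts"] = sorted(s["vhosts"])
    return out


def render_report(hits):
    """One line per hit, suitable for saving as a text file."""
    return "\n".join(
        f'{h["utc"]} {h["ip"]} {h["vhost"]} {h["status"]} {h["path"]} sha256={h["sha256"]}'
        for h in hits
    )


if __name__ == "__main__":
    found, bad = find_probes(SAMPLE_LOG.splitlines())
    print(render_report(found))
    print(f"unparsed lines: {bad}")
    for ip, info in summarise(found).items():
        print(ip, info)
```

The status column separates a request that was redirected or not found (301, 404) from one the server actually answered with content, which is the case that needs follow-up on the host.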



## JDiggity

*@CVPS_Chris* I understand that, I saw this thread, saw what happened, and wanted to vindicate you.  I am being nice to you Chris, no need to be an ass to me.  I was making a point on your behalf!  Just say thank you and move on.


----------

