Not sure why they are using Email Marketer for this, that's not really the intent of the marketer deal. Idea is to say (for example) force password resets every 90 days, or to send an email thanking a customer when they reach X years hosted with you. Not to send out an email that everyone is going to get anyways. At least that's all it was.
GreenValueHost forced password reset - Security breach?
- Thread starter MannDude
- Start date
- Status
DomainBop
Dormant VPSB Pathogen
Depends on your definition of "hack" If you go by the common street meaning "information theft" then there was no known hack (that has been discovered or acknowledged) but if you go by 18 U.S.C. § 1030 then it would probably qualify as a hack.
("protected computer" is basically any computer/server used in interstate commerce: e.g. a hosting site, ecommerce store, etc)
Wacking the cron repeatedly, and the password reset emails would qualify as intentionally accessing the computer to cause damage.
Regardless of which definition of hacking you use GVH is still at fault for not taking steps to properly secure their server and their negligence does put their users at risk. I would seriously suggest that they hire a security firm (like Rack911, etc) to thoroughly audit their servers and do some basic security hardening.
edited to add: @MannDude WTF is up with the formatting on this board
Last edited by a moderator:
Hello Name,
As you are aware, GreenValueHost experienced issues in the past 24 hours where multiple password resets were sent to customers. We apologize for the flurry of emails.
GreenValuehost was NOT hacked, there wasn't a security compromise either. Customers are safe and secure.
What happened involves the WHMCS billing panel.
Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules. Yes, we have since added multiple layers of security to protect these files from public access.
A marketing email was pre-wrote and placed in WHMCS for a 2014 Spring Overstock Sale. The default template was erroneously set to / left at “Automated Password Reset”. WHMCS defaults the default template pull down option to “Automated Password Reset”.
Marketing emails run from cron.php events. Therefore, when someone accessed the cron.php file it triggered the sending of the marketing email, which was then set as “Automated Password Reset”. This happened a total of 17 times, generating 17 emails per email account.
GreenValueHost debugged this issue by manually running the secured cron.php, analyzing a few emails sent and looking in WHMCS.
We have a ticket with WHMCS which will be appended to reflect the debugging and resolution with recommendations to prevent this in future with other WHMCS users (beyond simply securing said files).
We welcome any customers concerned about the matter or who may be experiencing password problems to submit a ticket.
Thank You
GreenValueHost Team
As you are aware, GreenValueHost experienced issues in the past 24 hours where multiple password resets were sent to customers. We apologize for the flurry of emails.
GreenValuehost was NOT hacked, there wasn't a security compromise either. Customers are safe and secure.
What happened involves the WHMCS billing panel.
Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules. Yes, we have since added multiple layers of security to protect these files from public access.
A marketing email was pre-wrote and placed in WHMCS for a 2014 Spring Overstock Sale. The default template was erroneously set to / left at “Automated Password Reset”. WHMCS defaults the default template pull down option to “Automated Password Reset”.
Marketing emails run from cron.php events. Therefore, when someone accessed the cron.php file it triggered the sending of the marketing email, which was then set as “Automated Password Reset”. This happened a total of 17 times, generating 17 emails per email account.
GreenValueHost debugged this issue by manually running the secured cron.php, analyzing a few emails sent and looking in WHMCS.
We have a ticket with WHMCS which will be appended to reflect the debugging and resolution with recommendations to prevent this in future with other WHMCS users (beyond simply securing said files).
We welcome any customers concerned about the matter or who may be experiencing password problems to submit a ticket.
Thank You
GreenValueHost Team
DomainBop
Dormant VPSB Pathogen
"there wasn't a security compromise either." and then in the next paragraph "Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules"
umm, if someone was able to access the files because they weren't properly secured that's a security compromise
umm, if someone was able to access the files because they weren't properly secured that's a security compromise
drmike
100% Tier-1 Gogent
Think of it this way, there is a door as a barrier, they just added a deadbolt lock. Prior the door opened freely, but was a door."there wasn't a security compromise either." and then in the next paragraph "Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules"
umm, if someone was able to access the files because they weren't properly secured that's a security compromise
Normally shouldn't have been any harm in curling said URL's/files... but in this instance, yeah did what it did, every time.
Nothing was disclosed to anyone other than account holders, in their inbox, their account name + new password.
Certainly an annoyance, PITA and perhaps access issues for clients.
I'll jump in any time anyone thinks Solus or WHMCS or Cpanel are compromise culrpit and is about to set off mass provider paranoia, pulling of panels, etc. Saw what happened elsewhere with Solus and the shitfest, additional workload on folks and general distrust in segment. If I can be of some use, I try.
No. When you run the cronjob, it shows you information about overdue invoices like
XX Overdue Invoice Reminders Sent
- Sent First Notice to User Firstname Lastname
- Sent First Notice to User Firstname Lastname
- Sent First Notice to User Firstname Lastname
So the ones who ran the cron.php saw some of their customers' names.
drmike
100% Tier-1 Gogent
Ah, what client names did you see?
Someone have a capture?Interesting. I won't discount this as that's how the job like runs and you know better than I. Assumes someone ran from terminal and all though and got output. There were requests / encouraged people to run the URL. All is possible.
From bits seen, was an API testing site used to make most requests. Can't say what they got there, but yeah, possible.
Yep indeed, which is equally scary that they let you know this.... Huh, on the bright side my main account now thinks GVH is spam XD
You are working for GVH now?
drmike
100% Tier-1 Gogent
Unsure what they divulged there that you didn't
Literally was just what I said. I ask: "Mun on vpsB got multiple emails from email broadcast, WHY?"
Response: "[he] has multiple emails in system"
Inferred on my part: multiple accounts.
Mind you, people want results and not more misinfo / fear / phobias.
Been a frightful day for providers following along. Any twitch and someone needs to be on top of things.
Last edited by a moderator:
drmike
100% Tier-1 Gogent
Nope and never have. That includes likewise working for, consulting, etc. for associated upstreams, or "related" other companies.
$0 taken from, billed to, paid from... No freebies, no complimentary services, nothing. Zippo daddy.
Last edited by a moderator:
peterw
New Member
They told you information about a customer?
Hxxx
Active Member
c'mon, we all know drmike is privileged everywhere... He is like the Wikipedia guy
Their marketing team is just too brilliant. Getting their name out any way possible, just brilliant.
- Status