BlueVM's domain name was hijacked

drmike

100% Tier-1 Gogent
URL: http://bluevm.com/

New Wave NetConnect Acquires Blue VM Communications

New Wave NetConnect, a Velocity Server / ColoCrossing Company Acquires Blue VM Communications
We’re excited to announce another addition to New Wave NetConnect LLC, the company behind market leader ChicagoVPS, has recently acquired the assets of Blue VM Communications.
As part of our pre-purchase review it was decided that the most efficient and effective way to improve the Blue VM customer experience was to wind down the existing Blue VM infrastructure and incentivize customers to switch to ChicagoVPS.
Blue VM's existing services will remain for at least 10 days to provide for an easy transition for all customers.
We look forward to serving you soon!
Thank you,
New Wave NetConnect

drmike

100% Tier-1 Gogent
Someone is claiming it's a domain hijack....

"We have not closed or sold to anyone. It seems like a NS hijack or our domain account is hacked. We are investigating."

Link to that claimed to be Twitter, but nothing shows right now on BlueVM's Twitter feed:

https://twitter.com/BlueVM_VPS
 

Munzy

Active Member
I just checked with Justin, and from his "Busy ATM" statement I highly doubt that he sold to CVPS.

Seems he is working with his NS provider to get things resolved.
 

mojeda

New Member
Code:
dig bluevm.com ANY

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> bluevm.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33662
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bluevm.com.                    IN      ANY

;; ANSWER SECTION:
bluevm.com.             21599   IN      SOA     ns01.000webhost.com. freehosting.000webhost.com. 2014082401 172800 7200 3600000 172800
bluevm.com.             21599   IN      A       31.170.162.168
bluevm.com.             21599   IN      MX      0 mx.000webhost.com.
bluevm.com.             21599   IN      NS      ns01.000webhost.com.
bluevm.com.             21599   IN      NS      ns02.000webhost.com.

;; Query time: 124 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 23 18:56:32 2014
;; MSG SIZE  rcvd: 160
 

drmike

100% Tier-1 Gogent
Yeah well BlueVM Tweets, the Twitter post disappears...

"You know, they make pills for premature ejaculation now, drmike."

I don't have that problem.  I lay pipe properly and miles of it without a leak.
 

drmike

100% Tier-1 Gogent
This is damn funny. From BlueVM's IRC.

DanielI is BlueVM employee/freebie recipient/volunteer/whatever:

-----------------

Code:
<Chat3908> hi everybody, this is the end of BlueVM? what about everyones' current plans?
<DanielI> Chat3908: I know nothing of it, not more than you do.
<DanielI> As I see, all BlueVM VPSes will be deleted after 10 days
<DanielI> As far as I see*
<Chat3908> cool - I bought 3 VPSes 2 months ago...
<DanielI> Cool story bro.
<Glass> Wait, what?
<DanielI> Glass: I thought the same. Check http://bluevm.com/
* Glass sees nothing
* h1k3r0027 has quit (Ping timeout: 183 seconds)
<DanielI> Glass: Your DNS must be slow.
<Glass> Oh
<DanielI> This is what I see, just this text: http://hastebin.com/enemugolap.txt
<DanielI> I can only assume that Feathur too is dying.
<Russell> ಠ_ಠ 
<Glass> Who is ChicagoVPS not buying?
<DanielI> Glass: Mr.
<DanielI> Me*
<Glass> You?
<DanielI> I'm leaving.
<Glass> Ah
<DanielI> At least that's the plan.
* h1k3r0027 ([email protected]) has joined
<Allen> Bluevm was bought?
<DanielI> Allen: Afaik yes.
<Allen> So, afayk all vpses are being deleted, and no refunds.
<DanielI> Exactly.
<DanielI> All of that in 10 days according to that I've read.
<Allen> Any possible reasons why it would sell?
<DanielI> I don't think that's for me to tell the public.
<Allen> I've heard bad things about ChicagoVPS
<Allen> Random downtimes, terminating users without reason, and refusing to state reason
<DanielI> I've heard a lot of bad things about them including those.
<DanielI> There was a reason I was in BlueVM
<Glass> I've never had a bad experience, but I don't have many experiences with them, just one lonely VPS that I've never needed to open a ticket
<DanielI> There was a reason I had to leave BlueVM for periods
<DanielI> I'm not planning to touch CVPS.
<Allen> Neither am I
<DanielI> Most of my reasons are ideological.
<Allen> I bet 20 bucks that they aren't going to refund the paying users, or give them a free vps or recreate their vps.
<DanielI> I am almost 100% certain they won't do that.
<DanielI> Read the text on bluevm.com.
<DanielI> It says they'll leave BlueVM's stuff open for 10 days, then it'll be closed, all current BlueVM customers recommended to move to CVPS
<Glass> Is there a way to get into the client portal anymore?
<DanielI> Not for general customers, no.
<Glass> I was hoping to look at my services, time remaining, and paid amount.
<Allen> I bet 50% or more of bluevm's customers won't switch to cvps
<Allen> I have a friend of mine hosting me a kvm on his dedi
<Glass> I stuck with bluevm because of the differences it had with CVPS
<DanielI> Glass: You probably won't get refunded or a free VPS there anyway.
<Allen> I stuck with bluevm because the staff were kind and polite, and the prices were good
<Glass> I know :P
<Allen> Damn if I knew how much bluevm was sold for I would try to find a way to pay 1 dollar more than CVPS was paying
<DanielI> Allen: I don't think you get the reasons for selling in the first place.
<Allen> I could probably guess a few reasons why
<Allen> financial reasons?
<DanielI> Allen: I really shouldn't say too much about that, in case it's a little... A little too much.
<DanielI> It's really not my business to leak out.
* Sploshua has quit (Quit: Connection closed for inactivity)
* comma8 ([email protected]) has joined
<Obby> New news from http://bluevm.com/twitter/: [BlueVM_VPS] S6-CA is back online after being offline for a while. The cause was a faulty OpenVZ script, we had to regenerate VPS configuration files. || [BlueVM_VPS] S19-NY is back to normal operation after suffering downtime due to abuse. The long downtime was because of issues with the IPMI. || [BlueVM_VPS] @nhd81 Should be fixed now, sorry for the turbulence. || [BlueVM_VPS] @GameOfNodes We wish, would be ni
* saidul ([email protected]) has joined
<Luke> is this actually legit, or was the website hacked lol
<Allen> Luke, appears to be legit.
<DanielI> Luke: I'm assuming it's real.
<Allen> although
<Allen> the website currently atm is being hosted on 000webhost
<DanielI> Luke: I don't think Ishaq / Justin are dumb enough to randomly lose the password somewhere, or get cracked.
<DanielI> Allen: Yeah, that's suspicious as hell.
<Glass> DanielI: is there any way you can ask them?
<DanielI> Glass: Ask who, exactly?
<DanielI> Justin?
<Glass> Either one
<DanielI> I am, as we speak.
<DanielI> Too bad both of them are gone most of the day.
* Neo has quit (Connection reset by peer)
<Glass> Ah
<DanielI> I think Justin is on his laptop or phone.
<Allen> https://who.is/dns/https://bluevm.com looks like its using 000webhost's free hosting NSes
<Luke> well the normal website's still up as DNS is cached for me o_O
<DanielI> Allen: BlueVM uses Cloudflare for the DNS itself
<DanielI> Luke: The server is up indeed, the 199.21.112.x one
<DanielI> If someone got into the domain controls though, I think only Justin has access there.
<Russell> bluevm.com mail exchanger = 0 mx.000webhost.com.
<Russell> bluevm.com nameserver = ns01.000webhost.com.
<Russell> bluevm.com nameserver = ns02.000webhost.com.
<Russell> lel
<Russell> even thats been changed
<DanielI> All the Cloudflare records won't show if the NS records are changed
<Allen> So were the staff notified of this or were they left in the dark?
<DanielI> Allen: I wasn't.
<DanielI> I guess I'm expendable anyway.
* Neo ([email protected]) has joined
<Allen> DanielI, I think all a hacker would need is access to cloudflare and bam they can forward it to another site.
<DanielI> Allen: In this case, someone entirely bypassed Cloudflare.
<DanielI> They went to the domain registrar and changed the nameservers.
<DanielI> okay that is not legit
* iDG has quit (Ping timeout: 180 seconds)
* h1k3r0027 has quit (Ping timeout: 184 seconds)
<Allen> Another thing that's bothering me is, why didn't bluevm send out emails to its customers?
<DanielI> I'm doubting it's legit, but I'll assume it is legit.
<Russell> it matches the text of https://vpsboard.com/topic/4886-new-wave-netconnect-acquires-electricbytecom/
<Russell> the only difference is the company name ._.
<Russell> and minus the coupon
<Allen> Russell, however, the text can be mimicked
<Russell> indeed
<DanielI> ^
<Allen> You know wouldn't it make more sense for CVPS to host the bluevm on their vpses if they actually bought it instead of using a free host?
<Allen> I mean if you have the money to host vpses and buy other hosts, you can at least afford to host a site of a host you recently bought
<Allen> Ima do some more digging
<DanielI> Yeah, that's what makes it suspicious
<Allen> So there were no warnings, this just happened out of the blue today?
<DanielI> Blue... Dat pun.
* Neophyte6 ([email protected]) has joined
* Neo has quit (Ping timeout: 184 seconds)
* forcie has quit (Ping timeout: 184 seconds)
* Chat3908 has quit (Ping timeout: 183 seconds)
* forcie ([email protected]) has joined
* ejb ([email protected]) has joined
<Allen> DanielI, if you find anything ping me.
* ejb has quit (Quit: ejb)
* ejb ([email protected]) has joined
* DaveQB ([email protected]) has joined
<DanielI> Allen: text on bluevm.com: confirmed bullshit
<Allen> its fake?
<DanielI> yup
<DanielI> wlel
<DanielI> well*
<DanielI> we already guessed as much, but confirmed fake
<Allen> so then cloudflare was breached.
<Allen> anyway
<Allen> It may have been a hater of bluevm that did it
* freezurbern ([email protected]) has joined
<DanielI> Allen: no, not cloudflares fault
<Allen> whos fault?
<DanielI> let's not look for people to blame, eh?
<Allen> kk but how'd it happen?
<Glass> I'm sure more info will be out sometime :P
* freezurbern thinks Allen is new to the internetz
<DanielI> ^
<DanielI> lololol
<Allen> No I'm aware it got hacked, but when and where is the question
<DanielI> that's quite irrelevant, is it not
<DanielI> ?
<freezurbern> fairly sure its only relevant to the people who are supposed to keep it from happening again.
<DanielI> ^
* Gleighton has quit (Quit: Leaving)
<saidul> So, how long it will take to fix? only way I can access feather is to tunnel through my bluevm vps :P
<DanielI> try 199.21.112.12
<DanielI> that's the IP
<DanielI> and heh, no idea
<saidul> Thanks.
<saidul> I'm very excited to be part of Wave net connect. LOL
<DanielI> confirmed fake.
<DanielI> it got hijacked somehow, I got no idea.
* ejb has quit (Quit: )
<Glass> Justin didn't feed the server gremlins
<Glass> Most likely scenario
<DanielI> No
<DanielI> Domain got hijacked
<DanielI> (NS changed from Cloudflare)
* igloo ([email protected]) has joined
* Neophyte6 has quit (Quit: Leaving)
<igloo> So - is the information showing on bluevm.com really true?
<Kworb> no
<Kworb> was hijacked
<igloo> Really? Well then
<igloo> Apparently you can still get to Feathur through the direct IP https://199.21.112.12/
* DaveQB has quit (Ping timeout: 181 seconds)
* comma8 has quit (Ping timeout: 183 seconds)
* DaveQB ([email protected]) has joined
<Obby> New news from http://bluevm.com/twitter/: [BlueVM_VPS] We have not closed or sold to anyone. It seems like a NS hijack or our domain account is hacked. We are investigating. || [BlueVM_VPS] S6-CA is back online after being offline for a while. The cause was a faulty OpenVZ script, we had to regenerate VPS configuration files. || [BlueVM_VPS] S19-NY is back to normal operation after suffering downtime due to abuse. The long downtime was because of issues w
<DanielI> there it came
<DanielI> he said he'd twitter it
<igloo> Thanks for the update. Got a little worried there, especially since I just purchased a Blue 5.
<DanielI> I got worried too
<igloo> Wouldn't you have heard about something like that? Or worried about what someone might have done to the site?
<DanielI> I don't know if I would have heard.
<DanielI> And yeah, I did guess it was fake, but I assumed it was real until otherwise proven.
<igloo> Fair enough
* saidul has quit (Quit: Page closed)
<Allen> blue5?
<DanielI> Allen: Custom plan.
<DanielI> Equals a BLUE5, which we nickname it
<Allen> oh
<DanielI> It's an unofficial-ish plan.

lbft

New Member
If someone else got control of the domain, it would make sense that they'd use that to reset the password to the Twitter account (assuming it had a @bluevm.com email associated with it).

drmike

100% Tier-1 Gogent
If someone else got control of the domain, it would make sense that they'd use that to reset the password to the Twitter account (assuming it had a @BlueVM.com email associated with it).
Seems plausible.

There was a Twitter post mentioned above....  This was the link thereto:

https://twitter.com/BlueVM_VPS/status/503282713156415488

Throws up not found error.

Wasn't BlueVM having days now of downtime and slow ticketing like 3 day wait times?  Is this the new level of UNMANAGED VPS @Nick_A was asking about / wondering what was acceptable?

If someone hacked BlueVM, then coffin nails to BlueVM.   If they have access to email, account info, etc.  then full scale hack would be logically expected, not just a public defacement for lols.

Lucky I only use BlueVM to evade the great firewall of [Asia] so I can look at boobies.

lbft

New Member
They only need to control the domain name itself to reset a password - they can just point the MX record to a server they control. Doesn't need any access beyond what they already clearly have, being able to change the domain's nameservers.

Same principle would give them access to other accounts that can be reset (including the BlueVM user on this forum, presumably, and any access that BlueVM might have to CC or CVPS billing systems that uses an email at bluevm.com).

It would, however, give them full access to any PayPal emails coming through during the time they control the domain, including disputes and recurring payments (and those PayPal emails can contain sensitive information), as well as any emailed ticket replies customers send.

Edit: forgot to mention, I personally saw the tweet at https://twitter.com/BlueVM_VPS/status/503282713156415488 before it was deleted and can verify that it said "We have not closed or sold to anyone. It seems like a NS hijack or our domain account is hacked. We are investigating."

DomainBop

Dormant VPSB Pathogen
Looks like whoever hijacked the domain decided to delete the domain at the registrar.  Dig is returning NXDOMAIN.

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>>  shitprovider.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29606
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;shitprovider.com.        IN    A

;; AUTHORITY SECTION:
com.            899    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1408839984 1800 900 604800 86400

;; Query time: 54 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 23 20:26:49 2014
;; MSG SIZE  rcvd: 107
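The checks in this thread were done by eye: comparing mojeda's dig output against the nameservers BlueVM was known to use, noting that a redirected MX is enough to capture password-reset mail (lbft's point), and spotting the later NXDOMAIN. The following script is an added example, not anything posted in the thread or used by BlueVM: it parses dig output and flags those three conditions against a baseline. The Cloudflare NS suffix, the self-hosted MX, and the "healthy" hostnames are assumptions; the hijacked and deleted samples are constructed copies of the states shown above.

```python
import re

def parse_dig(text):
    """Return (status, answers) from dig output; answers are (owner, rtype, rdata)."""
    status, section, answers = "UNKNOWN", None, []
    for line in text.splitlines():
        m = re.search(r"status: ([A-Z]+)", line)
        if m:
            status = m.group(1)
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]      # QUESTION / ANSWER / AUTHORITY
            continue
        if section == "ANSWER" and line and not line.startswith(";"):
            parts = line.split(None, 4)              # owner ttl class type rdata
            if len(parts) == 5:
                answers.append((parts[0], parts[3], parts[4]))
    return status, answers

def assess(status, answers, domain, ns_suffix, mx_suffix):
    """List findings against the expected DNS/mail providers; empty list means baseline."""
    if status == "NXDOMAIN":
        return ["NXDOMAIN: domain gone from the registry (deleted or expired)"]
    if status != "NOERROR":
        return [f"unexpected status {status}"]
    ns = [r for o, t, r in answers if o == domain and t == "NS"]
    mx = [r.split()[-1] for o, t, r in answers if o == domain and t == "MX"]
    findings = ["no NS records in answer"] if not ns else []
    findings += [f"NS {h} not under {ns_suffix}: nameservers changed at the registrar"
                 for h in ns if not h.endswith(ns_suffix)]
    findings += [f"MX {h} not under {mx_suffix}: password-reset mail would land elsewhere"
                 for h in mx if not h.endswith(mx_suffix)]
    return findings

# Constructed sample: the hijacked state seen in the thread (NS and MX at 000webhost).
HIJACKED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33662
;; ANSWER SECTION:
bluevm.com.             21599   IN      MX      0 mx.000webhost.com.
bluevm.com.             21599   IN      NS      ns01.000webhost.com.
bluevm.com.             21599   IN      NS      ns02.000webhost.com.
"""
# Constructed sample: the later NXDOMAIN state (no ANSWER SECTION at all).
DELETED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29606
;; AUTHORITY SECTION:
com.            899    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1 1 1 1 1
"""
# Constructed sample: a healthy zone; the hostnames are assumptions, not BlueVM's real ones.
# Baseline used below: NS under ".ns.cloudflare.com.", MX under "bluevm.com." (assumed).
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
bluevm.com.             300     IN      NS      alice.ns.cloudflare.com.
bluevm.com.             300     IN      MX      10 mail.bluevm.com.
"""
```

Run it as `assess(*parse_dig(text), "bluevm.com.", ".ns.cloudflare.com.", "bluevm.com.")`; the hijacked sample yields two NS findings and one MX finding, the deleted sample one NXDOMAIN finding, and the healthy sample none.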
 

drmike

100% Tier-1 Gogent
They only need to control the domain name itself to reset a password - they can just point the MX record to a server they control. Doesn't need any access beyond what they already clearly have, being able to change the domain's nameservers.

Same principle would give them access to other accounts that can be reset (including the BlueVM user on this forum, presumably, and any access that BlueVM might have to CC or CVPS billing systems that uses an email at bluevm.com).

It would, however, give them full access to any PayPal emails coming through during the time they control the domain, including disputes and recurring payments (and those PayPal emails can contain sensitive information), as well as any emailed ticket replies customers send.

Edit: forgot to mention, I personally saw the tweet at https://twitter.com/BlueVM_VPS/status/503282713156415488 before it was deleted and can verify that it said "We have not closed or sold to anyone. It seems like a NS hijack or our domain account is hacked. We are investigating."
All of which means if this happened, as you imply, every customer should FEAR.  Fear their account info is now in public, fear a database dump with your info in public, fear anything you can relate to your BlueVM account and especially where you had common username and password credentials.

Or like many in these parts, you can just ignore it all and hope for the best ;)  I hope customers hold whoever is running the show at BlueVM responsible.

It has been hours now and BlueVM continues to scramble.  Aside from a Twatter post that was later recanted, yeah where's the public massage?

May I say this,  I more than anyone want to see BlueVM NOT BE A CC / CVPS acquisition.  I want them to gain ZERO customers through such deals.

I've been told what the dollar value of some prior deals were and I shit more worthy piles of crap than those deals.  I'll assume those acquisitions had hardly any customers left by takeover time.

For those of you out there who have followed along with the UGVPS stuff..... Doesn't this seem like the November 2013 issues ChicagoVPS had where UGVPS.com was suddenly offline... Where they blamed their domain registry and it went on for months and months... Meanwhile the rightful owner of UGVPS.COM (Crystal) took control of the domain and threw Fabozzi and Co. out?

MannDude

Just a dude
vpsBoard Founder
Moderator
Well, it looks like it's a domain hijack and not an actual sale.

https://twitter.com/BlueVM_VPS/

Plus their domain was pointing to a free web host, and not something on the CC network.

I don't think they have sold, at least not in any official manner.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
If they have control over their Twitter again, would it be safe to imagine they have control over their domain now too?

Twitter support is non-existent. I've tried contacting those bastards so many times in the past. I can only assume that they got Twitter access again from regaining control of the domain?