amuck-landowner

BlueVM's domain name was hijacked

DomainBop

DomainBop

Dormant VPSB Pathogen
Domains / SSL certs and DNS settings should be worth the hassle.
Click to expand...
Filing the annual paperwork to keep the company's corporate status in good standing with the government should be worth the hassle too but BlueVM apparently doesn't think so since it didn't bother to file its paperwork this year.

A short recap of the last 9 months of low end domain problems:

UGVPS.com: domain "hijacked" by the real Crystal, domain temporarily suspended by ICANN for invalid WHOIS

DigTheMine.com: domain temporarily suspended by ICANN for invalid WHOIS

NWNX.net: domain temporarily suspended by ICANN for invalid WHOIS

BlueVM.com : domain hijacked
 
sv01

sv01

Slow but sure
they just move to cloudflare


;; ANSWER SECTION:
bluevm.com.        167254    IN    NS    eva.ns.cloudflare.com.
bluevm.com.        167254    IN    NS    hank.ns.cloudflare.com.


that was fast, only took 2 day :D
 
DomainBop

DomainBop

Dormant VPSB Pathogen
Aldryic C said:
CVPS gets exploited pretty frequently - this isn't really much of a surprise.
Click to expand...
Maarten over on LET now requires proof when you make any negative CVPS/123sys statements so I'll help you out with the proof.

https://www.google.com/search?q=chris+fabozzi+cvps.sql&ie=utf-8&oe=utf-8 (scroll down the results page, the database dump appears to be from February 2013...I don't recall any announcements of a hack in Feb 2013 but  obviously there was one, so that makes at least 4 known Solus/WHMCS compromises from Nov 12/Oct 13).
 
AThomasHowe

AThomasHowe

New Member
Francisco said:
Anyone know if bluevm was always using google for their MX records? Reason I ask is that right now it's pointing to google and if it wasn't them that did that.....


Francisco
Click to expand...

sv01 said:
they just move to cloudflare

;; ANSWER SECTION:
bluevm.com.        167254    IN    NS    eva.ns.cloudflare.com.


bluevm.com.        167254    IN    NS    hank.ns.cloudflare.com.

that was fast, only took 2 day  :D
Click to expand...
I think cloud flare was what they were using before.

Anyway, homepage now says:

We’ll be back soon!


Sorry for the inconvenience but we’re securing the client area and Feathur at the moment due to a recent hijack of our domain. No client services have been affected by this. We’ll be back online soon!

Thank you for your cooperation.

— Management
Click to expand...
 
Last edited by a moderator:
Shados

Shados

Professional Snake Miner
wlanboy said:
Quite simple.


Activate Two-Factor-Authentification: https://www.namecheap.com/support/knowledgebase/article.aspx/9253/45/how-to-two-factor-authentication


Domains / SSL certs and DNS settings should be worth the hassle.
Click to expand...
Quite a few high profile 'hacks' have happened precisely because someone convinced a DNS or server provider to disable two-factor authentication on their target's account because they'd lost their device or such.


Of course, it ups the work required / difficulty involved on an attackers part, but don't mistake that for any sort of guarantee.
 
sv01

sv01

Slow but sure
If someone only hijack their domain, why they need to securing their client area and Feathur?

AThomasHowe said:
We’ll be back soon!

Sorry for the inconvenience but we’re securing the client area and Feathur at the moment due to a recent hijack of our domain. No client services have been affected by this. We’ll be back online soon!

Thank you for your cooperation.

— Management
Click to expand...
 
Last edited by a moderator:
mikho

mikho

Not to be taken seriously, ever!
One example;


If one of the admin accounts used a @BlueVM.com email and the attacker used the "forgot password" function.
 
AThomasHowe

AThomasHowe

New Member
In theory you could also have kept feather up, back proxy the traffic to the real server and log/sniff traffic I guess. That's a lot of work though.
 
WebSearchingPro

WebSearchingPro

VPS Peddler
Verified Provider
Looks like the site is back up, though from IRC it seems that its not up to 100% functionality yet. Hopefully a more detailed incident report will be published soon.
 
SwitchBlade

SwitchBlade

New Member
No official statement yet? Does the BlueVM guy have a account here? Hope it is just a domain issue and not more severe.
 
Jade

Jade

NodeServ
Verified Provider
Wonder what the statement will say :p
 
Last edited by a moderator:
You must log in or register to reply here.
Top
amuck-landowner