ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]

Status
Not open for further replies.

Aldryic C'boas

The Pony
> That is only 58 people per server if you figure 160 servers.

160 servers? Hardly.

Total number of nodes

Code:
SELECT COUNT(nodeid) FROM nodes;

Total number of VMs per Node, plus how much "Guaranteed" RAM (in GB) is sold per node

Code:
SELECT nodes.nodeid, nodes.name, COUNT(vservers.nodeid), SUM(vservers.ram)/1073741824
FROM nodes, vservers
WHERE nodes.nodeid = vservers.nodeid
GROUP BY nodes.nodeid;
 

drmike

100% Tier-1 Gogent
Who has/can find the list of nodes that were lost/deleted/hosed in this attack?

ATL-VPS1 was one of them.

That server had 317GB of RAM sold on it and 161 virtual servers running on it.
 

mnsalem

New Member
> Who has/can find the list of nodes that were lost/deleted/hosed in this attack?
>
> ATL-VPS1 was one of them.
>
> That server had 317GB of RAM sold on it and 161 virtual servers running on it.

Well, I'm on BUF-VPS19 and it's down, so I'm guessing compromised too
 

MartinD

Retired Staff
Verified Provider
C'mon guys - can we keep this thread on topic?

I know many people think he's an ass but I don't think it's right to be publishing information like that. If people want it I'm sure they can find the DB elsewhere for themselves :)
 

mnsalem

New Member
> C'mon guys - can we keep this thread on topic?
>
> I know many people think he's an ass but I don't think it's right to be publishing information like that. If people want it I'm sure they can find the DB elsewhere for themselves :)

Just goin' with the flow :p

But really, I see they are working really hard and continuously on it! :)

The number of nodes that are up now is much better than what it looked like this morning! According to Pingdom, that is.
 

leeboof

New Member
> Just goin' with the flow :p
>
> But really, I see they are working really hard and continuously on it! :)
>
> The number of nodes that are up now is much better than what it looked like this morning! According to Pingdom, that is.

Seriously... I think the exact same amount of servers are down. Didn't they say they weren't restoring unless requested afterwards? What could be taking so long?
 

drmike

100% Tier-1 Gogent
This is my last tidbit of info so folks understand the scope of the attack from a total victim/client perspective and why restores (even with enough man power) could take eons:

These are the CVPS nodes that reported high downtime in Pingdom and assumed to be nodes where major problems and data loss might have occurred:

NodeName  = VPSes on Node   Total RAM Sold
atl-vps1  = 161 VPSes       317GB RAM
atl-vps4  = 122 VPSes       250GB RAM
atl-vps5  = 92 VPSes        197.75GB RAM
buf-vps17 = 100 VPSes       199.375GB RAM
buf-vps19 = 117 VPSes       216.5GB RAM
chi-vps10 = 23 VPSes        18.5GB RAM
chi-vps11 = 31 VPSes        48.875GB RAM
chi-vps12 = 29 VPSes        52GB RAM
chi-vps13 = 11 VPSes        6.75GB RAM
chi-vps14 = 30 VPSes        57.5GB RAM
chi-vps16 = 32 VPSes        37.25GB RAM
chi-vps17 = 71 VPSes        64.49GB RAM
chi-vps18 = 17 VPSes        17.25GB RAM
chi-vps24 = 11 VPSes        9.75GB RAM

= 847 VPSes impacted

LA18 is another node where someone confirmed data loss (it isn't in Pingdom monitoring)

la-vps18  = 62 VPSes        92.625GB of RAM

= 909 VPSes impacted
 

mnsalem

New Member
> Seriously... I think the exact same amount of servers are down. Didn't they say they weren't restoring unless requested afterwards? What could be taking so long?

Well, in the morning, 3 Atlanta nodes were down .. CHIVPS12 was down .. CHIVPS25 was also down .. besides the 3 BUF nodes still down ... so that is clearly NOT nothing! ;)
 

Lanarchy

New Member
The email states we will get fresh VPS, but how am I supposed to access or image these with no control panel?

I don't mind waiting, but how can we get fresh VPS with no control panel?
 

upsetcvps

New Member
CVPS_Chris, on 19 Jun 2013 - 12:38 PM, said:

> Why are you saying false information? We have backups and know how old they are.

You yourself have stated explicitly that several nodes do not have backups. At first, you stated it was just some nodes in ATL. But later you stated there was also an LA node with data loss, which I presume means it did not have backups. You've also stated that the backups are "at most a week old". This suggests you do not know the age of the backups though maybe you were just being vague and do know.

I am not "saying false information." If you need me to quote you verbatim on anything, just let me know and I'll dig through your posts here, your posts at LET, and your e-mails.

> As for this happening twice, it's because no one listened to me when I said it was a Solus issue the first time. If I was listened to, maybe this would have been found months ago and it would have saved myself, Ramnode, and the other provider from what we are going through.

That's your problem. I deal with you, not Solus. It's your decision to use their product the way you are using it. The fact that you were sure Solus had significant issues and didn't take steps to either replace it or put safety measures in is even worse. At the very least you could have had a sane disaster recovery plan.

> What do you expect in a 24 hour period? With all the problems we are dealing with it's more important to get everyone back online than to write a response every hour saying "We are still working on it". Do you think I am sitting around eating a sandwich laughing at all of this? The answer is no, and this is a very serious matter.

I expect you to immediately notify your customers as soon as you detect an intrusion. You can be vague at this point. Once things settle down, you understand exactly what happened and have a plan in place to fix it, you should relay exact details and time-frames to your customers. You did neither. Some of your customers still have no idea when they will be back up.

> I know what I say will not change your mind, but at least get your facts straight so you don't scare people that do not know better and will listen to you.

As I said, my facts are straight. You are the one contradicting yourself.

Finally, the grammar in your latest e-mail is atrocious.
 

redjersey

New Member
> This is my last tidbit of info so folks understand the scope of the attack from a total victim/client perspective and why restores (even with enough man power) could take eons:
>
> These are the CVPS nodes that reported high downtime in Pingdom and assumed to be nodes where major problems and data loss might have occurred:
>
> NodeName  = VPSes on Node   Total RAM Sold
> atl-vps1  = 161 VPSes       317GB RAM
> atl-vps4  = 122 VPSes       250GB RAM
> atl-vps5  = 92 VPSes        197.75GB RAM
> buf-vps17 = 100 VPSes       199.375GB RAM
> buf-vps19 = 117 VPSes       216.5GB RAM
> chi-vps10 = 23 VPSes        18.5GB RAM
> chi-vps11 = 31 VPSes        48.875GB RAM
> chi-vps12 = 29 VPSes        52GB RAM
> chi-vps13 = 11 VPSes        6.75GB RAM
> chi-vps14 = 30 VPSes        57.5GB RAM
> chi-vps16 = 32 VPSes        37.25GB RAM
> chi-vps17 = 71 VPSes        64.49GB RAM
> chi-vps18 = 17 VPSes        17.25GB RAM
> chi-vps24 = 11 VPSes        9.75GB RAM
>
> = 847 VPSes impacted
>
> LA18 is another node where someone confirmed data loss (it isn't in Pingdom monitoring)
>
> la-vps18  = 62 VPSes        92.625GB of RAM
>
> = 909 VPSes impacted

This makes sense. They sell quite a lot of 2GB VPS for $30 to $40/year. So buf-vps19 = 117 VPSes 216.5GB RAM = 117 x 30 = $3510 / 12 = $292.5 per month
 

nunim

VPS Junkie
So... this just tells us exactly what we knew already, CVPS nodes are massively oversold and likely are using SSDs as RAM.
 

Lanarchy

New Member
If you're surprised by the fact that VPS are oversold, you're delusional. This almost seems like a hate train. Yes, I get it, yes I understand where everyone's coming from, but this just seems like an anti-CVPS circlejerk at this point.

I still like knowing the info, like how many containers are on each node, but some of the posts in here are just not necessary.
 

redjersey

New Member
> So... this just tells us exactly what we knew already, CVPS nodes are massively oversold and likely are using SSDs as RAM.

What, you don't do math? They are charging a 2GB VPS for only $30-40/year. To make profit they have to put 100-120 VPS into one node. What do you expect? 15 2GB VPS on a 32GB server??
 

jfreak53

New Member
Moderator, please clean this up again or close it? I would prefer clean, this thread is for the problems happening not a trashing thread, if they want to trash they can open their own thread for that. Thank you.
 

drmike

100% Tier-1 Gogent
> You yourself have stated explicitly that several nodes do not have backups. At first, you stated it was just some nodes in ATL. But later you stated there was also an LA node with data loss, which I presume means it did not have backups

From reading the various public releases and keeping up a bit on CVPS:

1. Atlanta nodes were not being backed up.

2. Backups *seem* to be on a weekly basis.

Good luck to those of you who weren't self-backing up to another VPS elsewhere. Your data and VPS if not online by now is very likely GONE.

Those of us that lived through the last attack can attest to the fact that it took 3+ days before it was clear many VPSes were lost/gone.
 

AnthonySmith

New Member
Verified Provider
> yes my fault I miss my backups but, I pay for money for service and stability is this cpvs problem not mine. But problem or hack or whatever happened. I'm wait statement or any response from cpvs u understand me.

You don't pay for financially backed SLA enterprise grade hosting, you pay for basic unmanaged VPS hosting who make it clear they are not responsible for your loss of data, again if you are making promises to the degree that your customers can claim financial compensation from you then you should be using a self healing cloud based solution with a financially backed guarantee or have your own insurance in place.
 

drmike

100% Tier-1 Gogent
> You don't pay for financially backed SLA enterprise grade hosting, you pay for basic unmanaged VPS hosting


So very true.

For the newbies, redundancy is N+1, which means THREE. That's right, if you are making money/have paying customers you should have a live with live standby VPS running -- either a cluster or something with low enough DNS TTLs to get people semi-gracefully over to the live server(s) with minimal delay. But even that is only wise where you have the third backup site.

By backup here, I don't mean dead data on a storage VPS either. I mean built, configured, debugged, ready to do business servers/VPS/whatever.

Yes, you can achieve N+1 redundancy with low cost servers. Many folks are doing it and it works very well.
 