
ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]

Status
Not open for further replies.

drmike

100% Tier-1 Gogent
Another thing that's weird is my server doesn't match the node I thought I was on from previous emails. The node it shows in the database I am now shows as never being down. 
CVPS has a long and soiled history of moving people around after you are a customer. It happens most often when you complain about performance of the server you are on, and they move you to one with better neighbors. There are other reasons to have been moved - like a prior server failure.

Send me a private message and I'll double check your node info. 
 

drmike

100% Tier-1 Gogent
Though it is interesting that Adam is finally using his real name. That's a step in the right direction.
 

Well, Adam answered at least one ticket as himself back in December :)

Boom Scape, December 9, 2012 at 7:12am:

    Just received some good news guys

    "James,

    We are installing Windows on your VPS now.

    ---------------
    Adam Ng
    ChicagoVPS Support Tech"

https://www.facebook.com/permalink.php?id=204958342858533&story_fbid=508822079138823

Fact is, that was one of the pieces of info that implicated Adam as being Kevin way back then :)
 

drmike

100% Tier-1 Gogent
Why would Chris need an alias but?
Well the anon email has existed for eons (years?)

Hard to say why Chris created it and who all might be portaling through it to be whoever. 

I can tell you who is absent from the admin list directly --- Colocrossing employees.

This is the admin list from the November hack:

mysql> select adminid, username, emailaddress  from administrators;
+---------+----------+---------------------------+
| adminid | username | emailaddress              |
+---------+----------+---------------------------+
|       1 | vpsadmin | [email protected]      |
|       2 | jshinkle | [email protected]   |
|       4 | layotte  | [email protected]    |
|       8 | jsantos  | [email protected]    |
|      10 | lgibbons | [email protected] |
+---------+----------+---------------------------+

 

 

This is the current admin list:

select adminid, username, emailaddress  from administrators;
+---------+----------+-------------------------+
| adminid | username | emailaddress            |
+---------+----------+-------------------------+
|       1 | vpsadmin | [email protected]    |
|       4 | layotte  | [email protected]  |
|      16 | fabocj40 | [email protected]    |
|      15 | tleonard | [email protected] |
|      12 | adamng   | [email protected]      |
|      14 | matthew  | [email protected]     |
+---------+----------+-------------------------+

 


Gone are Shinkle, Santos and Gibbons.

New are fabocj40, tleonard, adamng and matthew.

Fabocj40 is the company owner at CVPS as is the matthew account.

I'll go dig into the IP stuff next :)
 
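The comparison above is a standard incident-response check: diff the privileged-account table from a known-good dump against the live database and look for accounts that were removed, added, or silently re-pointed at a different e-mail address. As an added example that is not code from the thread, from ChicagoVPS or from SolusVM, the script below parses the ASCII tables the mysql client prints and reports exactly that. The table contents are constructed from the thread's ids and usernames; the e-mail addresses are placeholders, since the thread's are redacted.

```python
"""Diff two mysql-CLI dumps of a SolusVM `administrators` table.

Added example (not from the thread or from SolusVM): parses the ASCII
table that the mysql client prints and reports admin accounts that were
removed, added, or had their id/e-mail changed between a pre-incident
dump and the live database.
"""

# Constructed sample input: same ids and usernames as in the thread, with
# placeholder e-mail addresses (the thread's addresses are redacted).
NOVEMBER_DUMP = """\
+---------+----------+---------------------------+
| adminid | username | emailaddress              |
+---------+----------+---------------------------+
|       1 | vpsadmin | vpsadmin@example.invalid  |
|       2 | jshinkle | jshinkle@example.invalid  |
|       4 | layotte  | layotte@example.invalid   |
|       8 | jsantos  | jsantos@example.invalid   |
|      10 | lgibbons | lgibbons@example.invalid  |
+---------+----------+---------------------------+
"""

CURRENT_DUMP = """\
+---------+----------+---------------------------+
| adminid | username | emailaddress              |
+---------+----------+---------------------------+
|       1 | vpsadmin | vpsadmin@example.invalid  |
|       4 | layotte  | layotte@example.invalid   |
|      16 | fabocj40 | fabocj40@example.invalid  |
|      15 | tleonard | tleonard@example.invalid  |
|      12 | adamng   | adamng@example.invalid    |
|      14 | matthew  | matthew@example.invalid   |
+---------+----------+---------------------------+
"""


def parse_mysql_table(text):
    """Turn mysql's box-drawn output into a list of dicts keyed by header."""
    rows = []
    header = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +----+ border lines and any prompt text
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first pipe-delimited line is the column list
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def diff_admins(before_text, after_text):
    """Report removed, added and changed admin accounts, keyed by username."""
    before = {r["username"]: r for r in parse_mysql_table(before_text)}
    after = {r["username"]: r for r in parse_mysql_table(after_text)}
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    # Same username surviving with a different id or e-mail is worth a look:
    # an attacker can keep a familiar name and just change where mail goes.
    changed = sorted(
        u for u in set(before) & set(after)
        if before[u]["adminid"] != after[u]["adminid"]
        or before[u]["emailaddress"] != after[u]["emailaddress"]
    )
    return {"removed": removed, "added": added, "changed": changed}


if __name__ == "__main__":
    for kind, names in diff_admins(NOVEMBER_DUMP, CURRENT_DUMP).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run it against real dumps by pasting the two query outputs into the two strings; the gaps in `adminid` (3, 5-7, 9, 11, 13 never appear) are a separate hint that rows have been deleted over time, which the diff only sees if the older dump still contained them.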

xvtv

New Member
I just wanted to update everyone and let them know that things are starting to calm down and return to normal. Communication moving forward will be much better since it is now less hectic and we appreciate everyone’s patience as it has been a long 3 days. Ticket response times will be much better and the pace has really picked up as we are concluding our recovery.


We appreciate your support and patience!


Thank you,


The ChicagoVPS Team

Still waiting for mine to be up...

edit: Last support ticket from Kevin was ~ one month ago...
 

drmike

100% Tier-1 Gogent
Dallas = 1 server:

 149 | dfw1    |        5 |         5.75 |

That is node 149.

5 VPS accounts with 5.75GB sold RAM.

It is the second lowest RAM allocation and is a well undersold node.
 

srichter

New Member
Over @ LET:

Further good progress has been made and we are down to the final list of machines that were affected. More than 50% that were affected have been fully restored with files intact and the remaining list that needs more attention is what is left and we are working very hard to restore them fully with files intact.

Thanks for all your patience!
 

drmike

100% Tier-1 Gogent
One more thing to note, Pingdom DOES NOT have all nodes under monitoring.

Dallas isn't in there and those 5 VPSes are offline.

New Jersey is also absent from monitoring and status of there is unknown.
 

mpkossen

New Member
He was never "banned". Chris said on here that he asked LET to ban him as the site was consuming too much of his time. A self ban.

Oh, he was banned. By Chief and not on his own request.

Not that he doesn't have a second account on LET, but still.
 

srichter

New Member
Just a quick update to keep everyone in the loop. Within the next 6 hours we will have all servers reinstalled ready to restore backups on the remaining machines. Within 18 hours we expect to resume normal status and all customers to have running VPS' with data intact.


Thank you again for your patience!


Regards


The ChicagoVPS Team
 

mikho

Not to be taken seriously, ever!
Oh, he was banned. By Chief and not on his own request.


Not that he doesn't have a second account on LET, but still.

Well, Chris was banned by Chief more than once and then had the ban lifted.


Liam once said that you could see who banned an account? Then that would be the last thing Joel did before leaving the community (after the sale was finished)
 

mpkossen

New Member
Well, Chris was banned by Chief more then once and then had the ban lifted.


Liam once said that you could see who banned an account? Then that would be the last thing Joel did before leaving the community (after the sale was finished)

Probably, yeah.

All these politics ;-)
 

walesmd

New Member
So, wait... this vulnerability was announced before and CVPS did nothing to thwart it? Thank goodness I don't do anything serious on my VPS there - just couldn't pass on the deal - didn't even notice I was down until 24 hours or so afterwards, when they were sending emails.


They've tried to maintain a line of communication but it doesn't really make any sense - just different ways of saying "we're working on restoring, you're screwed until we say otherwise". Some emails it sounded like everyone was getting restored, others made it seem like we'd all go blank and could submit a ticket for a restore.
 

Lanarchy

New Member
CHI is up, NY is up, LA is up and restored with original data

ATL, 1 is available and appears wiped + fresh image, even though I have no idea what the root password is. And one is up, but totally inaccessible and I think it has the data on it, but the firewall is haywire or something and I cannot reboot it with no control panel.
 