amuck-landowner

GreenValueHost forced password reset - Security breach?

Status
Not open for further replies.

Aldryic C'boas

The Pony
For what it's worth, I still have a dummy account setup with GVH with no VPS active and did NOT receive a password reset email. I did, however, get a mass email that stated they are investigating.
Similar situation here.  Which is why I posited the third option, that someone may have just gained access and was randomly resetting client passwords to screw with them.

Now what's going to be absolutely *hilarious*, though - there is another possibility.  There might just be someone using the client-side pass reset function, and GVH didn't properly investigate what was going on before jumping the gun and mass-mailing.  Perhaps it's time that CC starts employing actual professionals instead of kids, and they wouldn't have all of these issues with their child brands.
 

toadyus

Article Submitter
It would seem that they may be compromised, as people are now getting second and third password reset emails. Or it could be a case of them just getting them now from previous attempts. This is getting interesting... hopefully their 50+ techs can figure out the issue.
 

WebSearchingPro

VPS Peddler
Verified Provider
I just got 8 password reset emails starting at 12:01 this afternoon and one randomly every so often. Something is up.
 

Aldryic C'boas

The Pony
I just got 8 password reset emails starting at 12:01 this afternoon and one randomly every so often. Something is up.
Would you mind pastebinning a couple of the emails (or just one if they're all the same), minus the passwords of course?  And possibly the headers from one or two of 'em?  There are actually several different emails from WHMCS relating to password resets, and I'm curious to know exactly which are being sent out.
 

rds100

New Member
Verified Provider
Are the passwords in the 8 emails different, or the same? Which one actually works in their billing system - the first one or the last one?
 

Aldryic C'boas

The Pony
Bad news, folks.  If GVH's WHMCS lets you change your client details (address, phone, etc.) I very strongly suggest doing so now to try and keep your personal info safe.

Given that they likely use WHMCS modules to allow access to the VMs, it would be a wise idea to go set new root passwords as well - and contemplate pulling any sensitive data off of those VPSes.
 

couldhave

New Member
I have a VPS with GVH.  My first password reset was at 1 am.  It did not look random, as the password contained "fu u cnt", although it had the appearance of random with numbers, letters, some capitals etc. and is the same length as the automated ones.  Also, as others stated, I received a slew of automated password resets at about 1 pm Eastern.
 

toadyus

Article Submitter
  • Poorly Coded Module - This has some potential.  To reset a client's password, you have to call the clientsummary.php page directly with the &resetpw=true&token=[REDACTED] flags included.  So, assuming you were competent with bash/perl/etc, you could fairly easily write a script that would generate a list of URLs to hit with curl that would effectively mass-reset passwords.  I've actually written a script to do just this some time back as a precaution when all of the exploits started surfacing last year.  However - I did say assuming you were competent, so I think we can pretty much agree this option is ruled out.
Can you run this script as a non-admin, though?
 

KuJoe

Well-Known Member
Verified Provider
Please tell me they at least allow clients to enable Two-Factor Authentication on their WHMCS.
 

Aldryic C'boas

The Pony
Please tell me they at least allow clients to enable Two-Factor Authentication on their WHMCS.
Honestly irrelevant at this point.  I cannot replicate the resets folks are seeing in any other method other than as an admin.  Very good chance they're already compromised beyond the point two-factor would do any good.
 

mtwiscool

New Member
Honestly irrelevant at this point.  I cannot replicate the resets folks are seeing in any other method other than as an admin.  Very good chance they're already compromised beyond the point two-factor would do any good.
How do you know if it's been compromised?
 

Aldryic C'boas

The Pony
How do you know if it's been compromised?
Because if this were just a simple case of someone abusing the client-side password reset (like these guys seem to think), you would be receiving two emails.  The first being a confirmation email that would have you click a URL containing a randomized token - doing so would perform the actual password reset, which you'd receive in the second email.

When an admin resets your password, all you receive is the second email (the one you pastebin'd for me).

Someone charitable might want to cross post over to LE and let those folks know that it's a bit more serious than they're assuming.
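The distinction drawn above (client-initiated reset = confirmation mail with a token link followed by the new-password mail; admin-initiated reset = new-password mail alone) can be turned into a simple triage check over a mailbox. This is an added example, not code from the thread or from WHMCS; the subject strings, the 30-minute matching window and the sample mails are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed subject lines standing in for the two WHMCS mails the thread describes
# (token confirmation, then the mail carrying the new password); real names may differ.
CONFIRM_SUBJECT = "Password Reset Confirmation"
NEW_PASSWORD_SUBJECT = "Password Reset Validation"

@dataclass
class Mail:
    account: str
    subject: str
    received: datetime

def classify_resets(mails, window=timedelta(minutes=30)):
    """Label each new-password mail per account 'client' or 'admin': 'client'
    only if an unmatched confirmation for that account arrived within `window`
    before it, otherwise only an admin session could have triggered it."""
    per_account, labels = {}, {}
    for m in sorted(mails, key=lambda m: m.received):
        per_account.setdefault(m.account, []).append(m)
    for account, seq in per_account.items():
        pending = []  # confirmation timestamps not yet matched to a reset
        labels[account] = []
        for m in seq:
            if m.subject == CONFIRM_SUBJECT:
                pending.append(m.received)
            elif m.subject == NEW_PASSWORD_SUBJECT:
                pending = [t for t in pending if m.received - t <= window]
                labels[account].append("client" if pending else "admin")
                if pending:
                    pending.pop(0)  # one confirmation authorises one reset
    return labels

def flag_accounts(labels, burst=3):
    """Accounts with any admin-originated reset or a burst of resets."""
    return sorted(a for a, l in labels.items() if "admin" in l or len(l) >= burst)

# Constructed sample mailbox: alice did a normal self-service reset, carol's one
# confirmation cannot explain her second reset, bob got eight resets with none.
T0 = datetime(2014, 11, 10, 12, 1)  # constructed timestamp
MIN = timedelta(minutes=1)
SAMPLE = (
    [Mail("alice", CONFIRM_SUBJECT, T0), Mail("alice", NEW_PASSWORD_SUBJECT, T0 + 2 * MIN)]
    + [Mail("carol", CONFIRM_SUBJECT, T0), Mail("carol", NEW_PASSWORD_SUBJECT, T0 + 5 * MIN),
       Mail("carol", NEW_PASSWORD_SUBJECT, T0 + 6 * MIN)]
    + [Mail("bob", NEW_PASSWORD_SUBJECT, T0 + 20 * i * MIN) for i in range(8)]
)
```

Only accounts whose new-password mails cannot be paired with a preceding confirmation (or that show an unusual volume) are flagged, which is exactly the evidence the post uses to argue the admin side is involved.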
 