
GreenValueHost forced password reset - Security breach?

Status
Not open for further replies.

raindog308

vpsBoard Premium Member
Moderator
This stinks of a 'sysadmin' fucking around in a production environment instead of a proper dev area.  
Hmmm...I think having a dev instance is only allowed with a purchased WHMCS license (as opposed to leased).  I guess I wouldn't be surprised if GVH leases WHMCS.
 

Aldryic C'boas

The Pony
Hmmm...I think having a dev instance is only allowed with a purchased WHMCS license (as opposed to leased).  I guess I wouldn't be surprised if GVH leases WHMCS.
Not unless that's a newish rule?  I've had a dev license for years, and we've only owned our WHMCS license for the past... maybe 15-20 months?

EDIT:  Pretty sure the catch is they'll only provide support if you keep your owned license renewed - leased licenses are pretty much good to go.
 

couldhave

New Member
@aldryic   I had done my own password resets at GVH earlier today and it did not require a second step or clicking a link. To change the password only required you to input an email address and click the reset password link.  You would then get an email containing your new password.   However, I just noticed something very interesting.  At the end of the slew of password resets was the final one which DID require clicking a link.  So it looks like they were updating things on their end.  The only thing that worries me is my initial password having "fu u cnt" in it.  Maybe the guys at GVH think this is funny, or maybe there was some compromise earlier.
 

raindog308

vpsBoard Premium Member
Moderator
I wonder if someone:

1. took a list of emails from some provider's previous leak (e.g., CVPS database)
2. wrote a script to request a password reset for each email from GVH
3. let it run endlessly

In which case it'd be easy for a competent admin to identify where all the resets are coming from and block...
 

couldhave

New Member
I didn't look at the emails closely enough...

1:02 am  password in email
moving to PM...
1:02 pm  password in email
1:04  requires a link
1:05  password in email
1:06  password in email
1:06  password in email
1:07  password in email
1:08  password in email
1:09  password in email
1:11  requires a link

During this time I am almost certain I requested two password resets myself, which would probably be the 1:04 and 1:11.
 

Aldryic C'boas

The Pony
@aldryic   I had done my own password resets at GVH earlier today and it did not require a second step or clicking a link. To change the password only required you to input an email address and click the reset password link.  You would then get an email containing your new password.   However, I just noticed something very interesting.  At the end of the slew of password resets was the final one which DID require clicking a link.  So it looks like they were updating things on their end.  The only thing that worries me is my initial password having "fu u cnt" in it.  Maybe the guys at GVH think this is funny, or maybe there was some compromise earlier.
That's... rather frightening when you stop to think about it.  WHMCS has included password verification (the two-email process) for quite some time - and unless I'm blind, there's not an option to disable.  Which makes me wonder just how *old* their WHMCS install was.

I wonder if someone:

1. took a list of emails from some provider's previous leak (e.g., CVPS database)
2. wrote a script to request a password reset for each email from GVH
3. let it run endlessly

In which case it'd be easy for a competent admin to identify where all the resets are coming from and block...
That was my first thought.. but I haven't found an option to disable the verification emails for password resets.  Meanwhile, an admin issuing the reset by hand automatically generates the new pass and sends the email.
 

Aldryic C'boas

The Pony
I didn't look at the emails closely enough...

1:02 am  password in email
moving to PM...
1:02 pm  password in email
1:04  requires a link
1:05  password in email
1:06  password in email
1:06  password in email
1:07  password in email
1:08  password in email
1:09  password in email
1:11  requires a link

During this time I am almost certain I requested two password resets myself, which would probably be the 1:04 and 1:11.
Aah, that makes more sense.  But, still means that someone gained access to an admin account, and was having a gay old time with it.

What's truly disturbing is how long it's gone on without them having the sense to track down the issue, or even block public access to prevent further damage.
 

rds100

New Member
Verified Provider
I don't know how many clients they have, but I can't imagine someone (an admin) being able to go through the list of all their clients and manually click on the "reset & set password" link for each client, all this in a minute or so. Must have been scripted / automated.
 
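The thread floats two explanations: a script outside hammering the public reset form with a leaked address list (which an admin could spot by source and block at the edge), or someone with admin access bulk-issuing "reset & set password" at a rate no human clicks. The two leave different traces, and the difference is checkable from logs. What follows is an added example written for this page, not code from the thread or from WHMCS: it parses a constructed combined-format access log and a constructed, simplified activity-log excerpt, flags source IPs that POST the reset form in bursts, and lists reset emails that no public-form POST preceded, which is what an admin-side reset looks like. The form path /pwreset.php, the IPs, the log wording, the window and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data, not logs from any real provider.
# Web access log (combined format) for the WHMCS client-area reset form;
# the path /pwreset.php and the client IPs are assumptions.
ACCESS_LOG = """\
203.0.113.7 - - [12/Jun/2014:01:02:01 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "python-requests/2.2.1"
203.0.113.7 - - [12/Jun/2014:01:02:04 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "python-requests/2.2.1"
198.51.100.20 - - [12/Jun/2014:01:04:10 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2014:01:05:30 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "python-requests/2.2.1"
203.0.113.7 - - [12/Jun/2014:01:06:02 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "python-requests/2.2.1"
203.0.113.7 - - [12/Jun/2014:01:06:40 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "python-requests/2.2.1"
203.0.113.7 - - [12/Jun/2014:01:07:15 +0000] "GET /clientarea.php HTTP/1.1" 200 9000 "-" "python-requests/2.2.1"
198.51.100.20 - - [12/Jun/2014:01:11:05 +0000] "POST /pwreset.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""

# Constructed "reset email sent" entries; the wording is simplified and
# assumed, not the exact text of the WHMCS activity log.
MAIL_LOG = """\
2014-06-12 01:02:03 Password reset email sent to client 1041
2014-06-12 01:02:06 Password reset email sent to client 1042
2014-06-12 01:04:12 Password reset email sent to client 7
2014-06-12 01:05:32 Password reset email sent to client 1043
2014-06-12 01:06:04 Password reset email sent to client 1044
2014-06-12 01:06:41 Password reset email sent to client 1045
2014-06-12 01:08:00 Password reset email sent to client 1046
2014-06-12 01:09:00 Password reset email sent to client 1047
2014-06-12 01:11:06 Password reset email sent to client 7
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
MAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Password reset email sent to client (?P<client>\d+)$'
)


def parse_reset_posts(log_text, path="/pwreset.php"):
    """Return (timestamp, source_ip) for every POST to the public reset form."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?", 1)[0] != path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip")))
    return events


def parse_reset_mails(log_text):
    """Return (timestamp, client_id) for every reset email the application sent."""
    mails = []
    for line in log_text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            mails.append((ts, m.group("client")))
    return mails


def reset_bursts(posts, window=timedelta(minutes=5), threshold=4):
    """Per source IP, the most reset POSTs seen inside any sliding window.
    Sources at or above the threshold are the ones to block at the edge."""
    by_ip = defaultdict(list)
    for ts, ip in posts:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def resets_without_form_post(posts, mails, tolerance=timedelta(seconds=10)):
    """Reset emails with no public-form POST shortly before them. Those were
    triggered another way, e.g. an admin-side 'reset & set password'."""
    post_times = sorted(ts for ts, _ in posts)
    orphans = []
    for ts, client in mails:
        preceded = any(0 <= (ts - p).total_seconds() <= tolerance.total_seconds() for p in post_times)
        if not preceded:
            orphans.append((ts.strftime("%H:%M:%S"), client))
    return orphans


if __name__ == "__main__":
    posts = parse_reset_posts(ACCESS_LOG)
    mails = parse_reset_mails(MAIL_LOG)
    print("sources to block:", reset_bursts(posts))
    print("resets not triggered via the public form:", resets_without_form_post(posts, mails))
```

On the constructed sample the scripted source 203.0.113.7 stands out on its own, and the two emails at 01:08 and 01:09 have no form POST behind them, which is the signature of the compromised-admin theory rather than the outside-script one. Both checks are cheap enough to run from the shell during an incident before deciding whether an edge block is sufficient or the admin area has to come down.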

WebSearchingPro

VPS Peddler
Verified Provider
What's truly disturbing is how long it's gone on without them having the sense to track down the issue, or even block public access to prevent further damage.
I just talked to Jon, their sysadmin blocked off WHMCS admin to prevent any more resets. I personally was tired of getting spammed with password emails :(.
 

Aldryic C'boas

The Pony
I don't know how many clients they have, but i can't imagine someone (an admin) being able to go through the list of all their clients and manually click on the "reset & set password" link for each client, all this in a minute or so. Must have been scripted / automated.
Depends on how many clients they actually have (that group is known to exaggerate figures), and whether or not it was actually a 'mass' reset as opposed to just spamming a bunch of random clients' reset links.
 

Aldryic C'boas

The Pony
Their WHMCS is, their admin path is not.
Which pretty much confirms that they know it was someone running around with a compromised admin account.  If they truly thought it was a bug in WHMCS, they would either throw maintenance mode, or lock the entire site down.
 

DomainBop

Dormant VPSB Pathogen
What's truly disturbing is how long it's gone on without them having the sense to track down the issue

They need to hire someone competent to deal with the issue.  Jon doesn't have the necessary skills to deal with a security breach and I don't have much confidence in his new 'VP of Ops' (granted my judgement of the new VP might be clouded by the "DCMA" [sic] graphic on his site)
 

Virtovo

New Member
Verified Provider
"We're letting someone new poke around our systems and view all of your data.  We can't tell you who it is, though."
Probably the same guy who was sending password resets.  Admin path is on WHMCS default also.  
 

MartinD

Retired Staff
Verified Provider
Retired Staff
Their VP of Ops is a very talented admin, however who it is is confidential unfortunately. Just know you are in good hands!
See, if you're going to throw cloak and dagger crap around, don't bother posting. Either give the information out or say nothing. All you're doing is making yourself look incompetent because no decent admin would put that kind of pish on their own website.
 

DomainBop

Dormant VPSB Pathogen
Their VP of Ops is a very talented admin, however who it is is confidential unfortunately. Just know you are in good hands!
It can't be too confidential since "VP of Operations GreenValueHost" is posted on his LinkedIn profile for everyone to see (see the link I posted on the first page of this thread ).
 