
GreenValueHost forced password reset - Security breach?

Status
Not open for further replies.

SkylarM

Well-Known Member
Verified Provider
Not sure why they are using Email Marketer for this, that's not really the intent of the marketer deal. Idea is to say (for example) force password resets every 90 days, or to send an email thanking a customer when they reach X years hosted with you. Not to send out an email that everyone is going to get anyways. At least that's all it was.
 

DomainBop

Dormant VPSB Pathogen
There was no hack. Nothing was compromised.

Depends on your definition of "hack". If you go by the common street meaning "information theft" then there was no known hack (that has been discovered or acknowledged), but if you go by 18 U.S.C. § 1030 then it would probably qualify as a hack.

18 U.S.C. § 1030(a)(5): Damaging a protected computer

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

("protected computer" is basically any computer/server used in interstate commerce: e.g. a hosting site, ecommerce store, etc)

Whacking the cron repeatedly, and the password reset emails, would qualify as intentionally accessing the computer to cause damage.

Regardless of which definition of hacking you use, GVH is still at fault for not taking steps to properly secure their server, and their negligence does put their users at risk. I would seriously suggest that they hire a security firm (like Rack911, etc.) to thoroughly audit their servers and do some basic security hardening.

edited to add: @MannDude WTF is up with the formatting on this board :p
 

drmike

100% Tier-1 Gogent
[image: 275Yi5pXqJjAOp2.png]
 

Nett

Article Submitter
Verified Provider
Hello Name,


As you are aware, GreenValueHost experienced issues in the past 24 hours where multiple password resets were sent to customers. We apologize for the flurry of emails.

GreenValuehost was NOT hacked, there wasn't a security compromise either. Customers are safe and secure.

What happened involves the WHMCS billing panel.

Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules. Yes, we have since added multiple layers of security to protect these files from public access.

A marketing email was pre-written and placed in WHMCS for a 2014 Spring Overstock Sale. The default template was erroneously set to / left at "Automated Password Reset". WHMCS defaults the template pull-down option to "Automated Password Reset".

Marketing emails run from cron.php events. Therefore, when someone accessed the cron.php file, it triggered the sending of the marketing email, which was then set as "Automated Password Reset". This happened a total of 17 times, generating 17 emails per email account.

GreenValueHost debugged this issue by manually running the secured cron.php, analyzing a few emails sent and looking in WHMCS.

We have a ticket with WHMCS which will be appended to reflect the debugging and resolution with recommendations to prevent this in future with other WHMCS users (beyond simply securing said files).

We welcome any customers concerned about the matter or who may be experiencing password problems to submit a ticket.


Thank You
GreenValueHost Team
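
One way to model the failure the email describes, and the controls that would have prevented it, as an added example (this is not WHMCS code and not GVH's fix; the request/handler shapes, the `X-Cron-Token` header, the loopback allowlist and the campaign/outbox objects are hypothetical stand-ins). The "before" handler runs the job for any caller, resends the campaign on every hit (17 hits, 17 copies per account) and echoes the per-customer job log back to whoever requested the URL. The "after" handler requires the request to come from an allowlisted address and carry a shared secret, refuses to run a marketing campaign that is bound to the password-reset template, marks the campaign sent so repeated triggers are no-ops, and returns nothing about customers to the caller.

```python
"""Added example, not WHMCS code: a toy model of an HTTP-reachable cron endpoint
before and after hardening. All names, headers and request shapes are assumptions."""
from dataclasses import dataclass, field
import hmac
import ipaddress

# Template name that the GVH email says WHMCS pre-selects in its mass-mail dropdown.
PASSWORD_RESET_TEMPLATE = "Automated Password Reset"


@dataclass
class Campaign:
    name: str
    template: str
    recipients: list
    sent: bool = False          # hardened handler uses this for idempotency


@dataclass
class Outbox:
    """Stand-in for the mailer: records (recipient, template) pairs instead of sending."""
    messages: list = field(default_factory=list)

    def send(self, to, template):
        self.messages.append((to, template))


def vulnerable_cron(request, campaign, outbox):
    """'Before': any request runs the job, the campaign is resent on every hit,
    and the job log (customer identities) is returned to the anonymous caller."""
    log = []
    for user in campaign.recipients:
        outbox.send(user, campaign.template)
        log.append(f"- Sent {campaign.template} to User {user}")
    return 200, "\n".join(log)


# Hypothetical controls: only loopback may trigger the job, and it must present a secret
# that lives in server-side config (never in the URL, which ends up in proxy/web logs).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]
CRON_SECRET = b"replace-with-a-random-value-generated-at-install"


def hardened_cron(request, campaign, outbox):
    """'After': authenticate the trigger, refuse a mis-bound template, send once, say little."""
    src = ipaddress.ip_address(request.get("remote_addr", "0.0.0.0"))
    if not any(src in net for net in TRUSTED_NETS):
        return 403, ""
    token = request.get("headers", {}).get("X-Cron-Token", "")
    if not hmac.compare_digest(token.encode(), CRON_SECRET):   # constant-time compare
        return 403, ""
    if campaign.template == PASSWORD_RESET_TEMPLATE:
        # A marketing campaign must never go out on a credential-changing template.
        return 500, "refusing: marketing campaign bound to a credential-changing template"
    if campaign.sent:
        return 200, "nothing to do"                               # repeated hits are no-ops
    for user in campaign.recipients:
        outbox.send(user, campaign.template)
    campaign.sent = True
    return 200, f"sent {len(campaign.recipients)} messages"       # counts only, no identities


def simulate(handler, request, hits, template=PASSWORD_RESET_TEMPLATE):
    """Hit the endpoint `hits` times with one constructed campaign; return what happened."""
    campaign = Campaign("2014 Spring Overstock Sale", template,
                        ["alice@example.com", "bob@example.com"])   # constructed sample data
    outbox = Outbox()
    results = [handler(request, campaign, outbox) for _ in range(hits)]
    return [s for s, _ in results], [b for _, b in results], outbox.messages


ANON = {"remote_addr": "203.0.113.7", "headers": {}}
LOCAL = {"remote_addr": "127.0.0.1", "headers": {"X-Cron-Token": CRON_SECRET.decode()}}

if __name__ == "__main__":
    statuses, bodies, msgs = simulate(vulnerable_cron, ANON, 17)
    print(f"vulnerable: {len(msgs)} emails after 17 anonymous hits; leaked log: {bodies[0]!r}")
    statuses, bodies, msgs = simulate(hardened_cron, ANON, 17)
    print(f"hardened, anonymous caller: statuses {sorted(set(statuses))}, {len(msgs)} emails")
    statuses, bodies, msgs = simulate(hardened_cron, LOCAL, 17, template="Spring Sale")
    print(f"hardened, trusted caller: {len(msgs)} emails after 17 hits")
```

The same properties belong at the web-server layer too: deny public access to the cron script and the admin directory so the endpoint is not reachable from the internet at all (restricting the admin area by IP is a step WHMCS's own security documentation recommends), and where possible invoke the cron from the host's scheduler rather than over HTTP.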
 

roykem

New Member
So it's secured now. 

well, can't imagine if after this we keep receiving another pass reset emails from GVH.

hope not.

hey.. i'm new here :D
 

DomainBop

Dormant VPSB Pathogen
"there wasn't a security compromise either." and then in the next paragraph "Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules" 

umm, if someone was able to access the files because they weren't properly secured that's a security compromise :rolleyes:
 

drmike

100% Tier-1 Gogent
"there wasn't a security compromise either." and then in the next paragraph "Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules"

umm, if someone was able to access the files because they weren't properly secured that's a security compromise :rolleyes:
Think of it this way, there is a door as a barrier, they just added a deadbolt lock. Prior, the door opened freely, but was a door. 

Normally shouldn't have been any harm in curling said URLs/files... but in this instance, yeah, did what it did, every time.

Nothing was disclosed to anyone other than account holders, in their inbox, their account name + new password.

Certainly an annoyance, PITA and perhaps access issues for clients. 

I'll jump in any time anyone thinks Solus or WHMCS or cPanel are the compromise culprit and is about to set off mass provider paranoia, pulling of panels, etc. Saw what happened elsewhere with Solus and the shitfest, additional workload on folks and general distrust in segment. If I can be of some use, I try.
 

serverian

Well-Known Member
Verified Provider
Think of it this way, there is a door as a barrier, they just added a deadbolt lock. Prior, the door opened freely, but was a door. 

Normally shouldn't have been any harm in curling said URLs/files... but in this instance, yeah, did what it did, every time.

Nothing was disclosed to anyone other than account holders, in their inbox, their account name + new password.

Certainly an annoyance, PITA and perhaps access issues for clients. 

I'll jump in any time anyone thinks Solus or WHMCS or cPanel are the compromise culprit and is about to set off mass provider paranoia, pulling of panels, etc. Saw what happened elsewhere with Solus and the shitfest, additional workload on folks and general distrust in segment. If I can be of some use, I try.
No. When you run the cronjob, it shows you information about overdue invoices like

XX Overdue Invoice Reminders Sent

- Sent First Notice to User Firstname Lastname

- Sent First Notice to User Firstname Lastname

- Sent First Notice to User Firstname Lastname

 

So the ones who ran the cron.php saw some of their customers' names.
 

drmike

100% Tier-1 Gogent
No. When you run the cronjob, it shows you information about overdue invoices like

XX Overdue Invoice Reminders Sent

- Sent First Notice to User Firstname Lastname

- Sent First Notice to User Firstname Lastname

- Sent First Notice to User Firstname Lastname

 

So the ones who ran the cron.php saw some of their customers' names.
Ah, what client names did you see? :)  Someone have a capture?

Interesting. I won't discount this, as that's how the job likely runs and you know better than I. That assumes someone ran it from a terminal and all, though, and got output. There were requests / people were encouraged to run the URL. All is possible.

From bits seen, it was an API testing site used to make most requests. Can't say what they got there, but yeah, possible. 
 

Mun

Never Forget
Mun, you have multiple accounts with multiple emails there.  That's the double email origin for you.
Yep indeed, which is equally scary that they let you know this.... Huh, on the bright side my main account now thinks GVH is spam XD
 

drmike

100% Tier-1 Gogent
Yep indeed, which is equally scary that they let you know this.... Huh, on the bright side my main account now thinks GVH is spam XD
Unsure what they divulged there that you didn't :)  Literally was just what I said. 

I ask: "Mun on vpsB got multiple emails from email broadcast, WHY?"

Response: "[he] has multiple emails in system"

Inferred on my part: multiple accounts.

Mind you, people want results and not more misinfo / fear / phobias.

Been a frightful day for providers following along.  Any twitch and someone needs to be on top of things.
 

drmike

100% Tier-1 Gogent
You are working for GVH now?
Nope and never have.  That includes likewise working for, consulting, etc. for associated upstreams, or "related" other companies.

$0 taken from, billed to, paid from... No freebies, no complimentary services, nothing. Zippo daddy.
 