DomainBop
Dormant VPSB Pathogen
they (Ho-Stress) were "hacked this weekend and lost everything."
Hostress, LLC has acquired GreenValueHost v2 Clients and domain.
- Thread starter tdale
- Start date
drmike
100% Tier-1 Gogent
Ahh the weekend ended their time like ahhh 15+ hours ago... and yesterday being Sunday I think things there were fine.
Sounds like this shituation happened overnight Sunday into Monday, but could be something else going on.
It's brutal either way. I feel for Tom. I'd be looking at every log, system access, etc. I am not a fan of inheriting things standing in-place from other shops unless the owners have a financial implication carrot to behave. People get pissed, sometimes the workers and sometimes random person that helped way back whenever uses the situation to slide back in the open door. I condone none of this sort of behavior and if someone did such for real shame on them and enjoy the karmaburger.
The poor customers, the ones that know nothing of the GVH history, the handoff, etc. and just are being hacky sacked around.
Sounds like this shituation happened overnight Sunday into Monday, but could be something else going on.
It's brutal either way. I feel for Tom. I'd be looking at every log, system access, etc. I am not a fan of inheriting things standing in-place from other shops unless the owners have a financial implication carrot to behave. People get pissed, sometimes the workers and sometimes random person that helped way back whenever uses the situation to slide back in the open door. I condone none of this sort of behavior and if someone did such for real shame on them and enjoy the karmaburger.
The poor customers, the ones that know nothing of the GVH history, the handoff, etc. and just are being hacky sacked around.
AuroraZero
Active Member
Actually tomorrow might be a better day to remind people to do that.
Last edited by a moderator:
drmike
100% Tier-1 Gogent
This shituation happened 12-1:30PM Eastern Time on Sunday.
More than a dozen nodes wiped.
IPMI exploited. Looks like lots of upgrades of firmware due and some front side protection of IPMI.
Someone entered box, rm -rf'd the files literally. Dropped partitions too.
Those boxes are totally gone. Already brought back up with fresh OS and empty containers.
Customers should claim the account credits they are due likely per the Terms of Service. Over here: http://greenvaluehost.com/termsofservice.html
5. SERVICE LEVEL AGREEMENT
GreenValueHost agrees to maintain at least a 99.9% server and network uptime per any given calendar month. For each 30 minutes of downtime experienced beyond 99.9%, you shall be eligible for a 10% refund of your purchase to your GreenValueHost account credit balance. Refunds may not exceed 100% at any given billing period.
So get your 100% free month for your 100% empty container.
Someone needs to pull that GVH site offline... As is, it is bullshit and misleading....
More than a dozen nodes wiped.
IPMI exploited. Looks like lots of upgrades of firmware due and some front side protection of IPMI.
Someone entered box, rm -rf'd the files literally. Dropped partitions too.
Those boxes are totally gone. Already brought back up with fresh OS and empty containers.
Customers should claim the account credits they are due likely per the Terms of Service. Over here: http://greenvaluehost.com/termsofservice.html
5. SERVICE LEVEL AGREEMENT
GreenValueHost agrees to maintain at least a 99.9% server and network uptime per any given calendar month. For each 30 minutes of downtime experienced beyond 99.9%, you shall be eligible for a 10% refund of your purchase to your GreenValueHost account credit balance. Refunds may not exceed 100% at any given billing period.
So get your 100% free month for your 100% empty container.
Someone needs to pull that GVH site offline... As is, it is bullshit and misleading....
Code:
Contact GreenValueHost
Green Value Hosting, Inc.
PO Box 972
Normal, Illinois 61761United States
Code:
13. JURISDICTION AND CHOICE OF LAW
13a. Provisions of this Agreement are made under all respects of the laws of the United States and the state of Illinois.
13b. In the event in which litigation as permitted under this Agreement is initiated, jurisdiction shall be solely within Cook County, Illinois.
Code:
12. NETWORK & SERVICES ABUSE REPORTS
Abuse reports may be directed towards our designated network compliance officer at [email protected].
Last edited by a moderator:
DomainBop
Dormant VPSB Pathogen
...and yet no mention of the hack when he sent an email later in the day to customers and posted on LET. Instead he lied and called it "data corruption" and tried to pin some of the blame for the data loss on the "previous owners of your services" Jonny and Duke. Somebody needs to clue him in that 46 states have data breach notification laws and by lying to customers and trying to cover up the fact that it was a breach not "data corruption" he opens himself up to a lot of potential liability if any of those customers decide to take further action.
the email he sent to customers:
LET post:
Somebody tell him his liability for the data breach wasn't removed just because backups weren't included in the plans.
TL;DR: strike one UGVPS, strike two DigTheMine, strike three Hostress v1, strike four Hostress v2. 4 for 4 on customers getting screwed over the past 2 1/2 years.
Munzy
Active Member
So IPMI exploit that I think was used has been floating around for some time (~1 year). That means data was able to be compromised for at least that same period.
Also how do you rm -rf / --no-preserve-root a server if you don't have the password to the server. You would still need to get past the login prompt. (Yes, I understand you could do it with a RAID rebuild or live ISO) It was inferred via the posts I read that it was done on the host node?
Also how do you rm -rf / --no-preserve-root a server if you don't have the password to the server. You would still need to get past the login prompt. (Yes, I understand you could do it with a RAID rebuild or live ISO) It was inferred via the posts I read that it was done on the host node?
DomainBop
Dormant VPSB Pathogen
They rent from HudsonValleyHost and I'd be willing to bet GVH/Hostress servers aren't the only ColoCrossing servers with unpatched IPMIs...
drmike
100% Tier-1 Gogent
It's unclear again how the rm -rf'ing technically happened. There is back pedaling off the IPMI entry. I know the firmware on the IPMIs was old and 'ploitable. IPMI might have been on public IPs with no ACL, VPN, etc. to access.... If so that's a self imposed gun in the mouth.
Unsure how the files got dropped and forensic data wasn't preserved and nothing log wise was found. Pretty comprehensive job or incompetence. Unsure which or if both.
Sad that in the end customers indeed got FUCKED. People need to get their heads of out their literal asses about customer centered business. Backups are necessary and so is practical security as a company policy. I'd put good money on a wager saying this whole rm'ing was preventable.
drmike
100% Tier-1 Gogent
Frontrange / TSS / Colo@?
This is what I did a while back... Mostly. I keep a few VPS instances for location or features (filtering). Can count them now on one hand versus needing a spreadsheet.
Last edited by a moderator:
You reboot the server from the IPMI, catch /edit grub go in to single user mode and your done, the server is your plaything, once you have IPMI you can do what ever you want really as if you had physical access.
telephone
New Member
That email just reads "Nothing was our fault, all fault lies with GVH and TactVPS". If you takeover a business, you are responsible now!
So, about that RFO...
Weasel wording... sounds like they're trying to hide the reason. What was the "way" in question?
"Open exploits"? Incredibly vague term, doesn't really describe what's going on. "Without the logs"? Why weren't there any logs?
Okay, fair.
And what 'exploits' would those be? Why is there no full disclosure on this, now that they have supposedly been fixed?
This should have been sorted out before the sale/handover occurred.
Fools rush in where angles fear to tread.
I think I would have found a good management company and worked out a contract for the servers to be checked and updated fast. Its silly to try and do that with a small team. Knowing gvh history and the fact that duke didn't have it long enough to get the mess fixed. I would have expected these problems.
I think I would have found a good management company and worked out a contract for the servers to be checked and updated fast. Its silly to try and do that with a small team. Knowing gvh history and the fact that duke didn't have it long enough to get the mess fixed. I would have expected these problems.
Amitz
New Member
Congrats! You understood 50% of the thread! Time for an offer soon, eh?
drmike
100% Tier-1 Gogent
INb4 offer.... Then again, 5 posts shown on account view public side and 2 of them are sales jobs already.
iFi Host isn't going to find much good taking this power sales bulldozer approach.