ServerCrate compromised

[joepie91]

Hello Sven,

We regret to inform you that on Monday March 3rd at 10:16PM PST our systems were compromised. ServerCrate staff reacted quickly to the intrusion, shutting off our network to locate a point of entry in our systems, which has since been found. Unfortunately 3 VZ nodes were wiped in the intrusion, we were able to recover data from DALSSDVZ1 and DALSSDVZ2, but backups had to be restored onto DALSSDVZ5. All VPSs are up at this time, if your VPS is having issues or is offline, please submit a support ticket: https://billing.servercrate.com/submitticket.php


If you have a Minecraft server with us, we're looking into issues with a few Minecraft servers being down at this time.

We recommend clients immediately change their client area login passwords: https://billing.servercrate.com/clientarea.php?action=changepw

We also recommend that clients change any root passwords that would have been sent when you when you initially purchased from us.

We’ll be doing a thorough audit of our backend systems over the next few days, and will be monitoring carefully for any additional signs of intrusion. We’ll be keeping Multicraft and SolusVM access limited while we look into this issue further, and for additional client security.

ServerCrate appreciates your patience while we deal with this situation, if you have any questions regarding this intrusion, please don’t hesitate to get in touch: https://billing.servercrate.com/submitticket.php

Regards,

-- ServerCrate

 

[HalfEatenPie]

I wonder if they notified the authorities...

 

[rds100]

Damn. So what was it - WHMCS? SolusVM?

 

[GIANT_CRAB]

>using solusvm

that's the problem right there.

 

[joepie91]

I wonder if they notified the authorities...

Well, at least they notified their customers properly. A certain provider didn't even manage to do that correctly...

 

[MartinD]

>using solusvm

that's the problem right there.

Proof?

Ah yes, none. As always.

 

[drmike]

Poor Solus, always getting blamed.

It's like the new DDoS excuse for providers.

Could be true though   Surely they had compromises in the past.  It is software after all and a piece that every lowend* e-hoodlum sitting in mom's basement drolls about exploiting.  

My question is:  What was the nature of the attack and how was it detected?

 

[peterw]

Bad karma, but they informed their customers.

 

[jarland]

Recovered two and restored backups on the third. Thoughts about the "owner" aside, at least he takes backups.

 

[Francisco]

Bad karma, but they informed their customers.

 

Recovered two and restored backups on the third. Thoughts about the "owner" aside, at least he takes backups.

Robert gets my nod on this.

Francisco

 

[kaniini]

Proof?

Ah yes, none. As always.

It was not SolusVM.  I can't disclose at this time what it was though.

 

[rds100]

I can't disclose at this time what it was though.

Can you at least disclose what it wasn't?

 

[kaniini]

Can you at least disclose what it wasn't?

I do not believe that is appropriate either until the audit is fully concluded.

 

[Aldryic C'boas]

It was not SolusVM.  I can't disclose at this time what it was though.

So now the upstream is involved - that makes me wonder if the issue took place above Clarke's level of access.  Or is this a GVH situation, where you're just making commentary on behalf of a business relation?

 

[kaniini]

So now the upstream is involved - that makes me wonder if the issue took place above Clarke's level of access.  Or is this a GVH situation, where you're just making commentary on behalf of a business relation?

Centarra itself is not involved.  I am personally involved as I was hired, independently, to do the audit.

Centarra does not provide security services, but I would have figured you guys already knew that I do on the side.

 

[Francisco]

Centarra itself is not involved.  I am personally involved as I was hired, independently, to do the audit.

Centarra does not provide security services, but I would have figured you guys already knew that I do on the side.

I do, but probably not Ald

Fran

 

[Aldryic C'boas]

You figured correctly.  My comment served the double purpose of rolling my eyes at another 'company' (just can't help myself there), as well as allowing you to clarify the situation before rumours started.

 

[kaniini]

Well, to clarify, Centarra's only involvement was acting on feedback from Robert concerning what he wanted done with his VLAN, during the intrusion, as well as facilitating remote hands (basically moving his Lantronix KVM around from node to node) to enable investigation, containment and mitigation of the intrusion.

 

[texteditor]

Recovered two and restored backups on the third. Thoughts about the "owner" aside, at least he takes backups.

Probably a good idea he picked up from Nick_A

 

[Virtovo]

Recovering backups can sometimes just mean that those nodes were not nuked.  The provider then puts on some spin that they managed to save the day for at least some of their clients.  Not saying it happened in this case.  Why do I not see Servercrate advertise anywhere?