Webhost hack wipes out data for 100,000 sites

A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application. Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers …

COMMENTS

This topic is closed for new posts.


  1. Noel James

    Mourning for Ligesh

    Your comments should have killed him. Ligesh takes an attack on his code as a big insult. He never used to release the software based on the same fear/ or did somebody challenge him to hack his code? He should have wandered in room like a mad fellow seeing this vulnerability. I know him. He walks through the length of his room so fast scolding you all guys, and would have done this extreme step. He is a genius. At the same time he was innocent too. Somebody should have been there to take care of him, You moron hackers.. You killed our Ligesh.

  2. Anonymous Coward

    Sheesh

    1. If your company can go bankrupt because an unmanaged hosting service goes down, clearly you're doing something wrong. Or you are a cheapskate.

    2. Mirrors are not backups, and anyone who thinks they are deserves what they get.

    3. If you have no recent backups of your company data, you are doing something wrong, whatever other factors might be in play, whether it's hardware failure, remote attack, disclosed or undisclosed holes in the software, death of the developers, flood, fire, plague of locusts, up to and including a meteor strike, whatever. Your data = your responsibility. It's just a bloody web site, it should fit on a single CDROM.

  3. Doug Glass
    Go

    Backup, Backup, Backup

    If you trust "the other guy" you SHALL get screwed eventually. He who doesn't back up often, consistently, without FAIL will pay the price for digital ignorance. It's YOUR data, it's YOUR responsibility, and it's YOUR a$$ when (NOT if) things go poof!

    Seems to me this is just nature's way of deselecting digital idiots.

  4. Joe Montana
    Flame

    Backups...

    "Since last night, I've had probably 40 phone calls from clients saying 'Why is my website down,'" said Daniel Voyce, a web developer for Nu Order Webs who uses Vaserv to host customer sites. "It's making me look bad."

    I have no sympathy here, if you are using low cost hosting and not backing up your customers' data then it's your own fault.

    They explicitly offer a cheaper service without backups, and if you made the conscious decision to use the cheaper service which doesn't offer backups then you are either not storing anything of importance on it, sorting out your own method of backups, or stupid.

    I have a cheap VPS with a plan like that, its sole purpose is as a backup DNS server, which retrieves the data directly from the main server. The main server has regular backups, the backup DNS server is never backed up. Were I to lose that server, it would be a trivial case of copying a new set of data from the master.

    "Voyce said the hackers, given the high level of server access they gained, were likely able to intercept a wealth of sensitive data stored on Vaserv's servers. Voyce said his customers are safe because all sensitive information was encrypted."

    It may well have been "encrypted", but where were the keys stored and what type of encryption was used? I've seen lots of deployments where data is stored on an encrypted filesystem, but the key has already been entered into the system so that the database can access it, meaning you can still access the data from the running system, the encryption would only protect against someone stealing the physical drives. Sometimes it's even worse than that, the keys are saved on the machine so that it can access the encrypted drives at boot without user intervention required.
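The point in the comment above, that an encrypted volume whose key is saved on the same machine unlocks at boot without user intervention, can be checked on a Linux host by reading its crypttab. This is an added example, not part of the original thread; the crypttab format is an assumption (the comment names no specific tool) and the sample entries are constructed.

```python
# Added example: classify crypttab-style entries by where the key comes from.
# Assumed field layout: <name> <device> <key file> <options>

# Constructed sample, not taken from any real host.
SAMPLE_CRYPTTAB = """\
# name       device          key file           options
data_crypt   UUID=1111-aaaa  none               luks
db_crypt     UUID=2222-bbbb  /etc/keys/db.key   luks
swap_crypt   /dev/sda3       /dev/urandom       swap,cipher=aes-xts-plain64
backup       /dev/sdb1       -                  luks,noauto
"""

PROMPT_MARKERS = {"none", "-"}                     # passphrase typed at unlock
RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}   # fresh key every boot


def classify_key(key_field):
    """Return where the unlock key for one entry comes from."""
    if key_field in PROMPT_MARKERS:
        return "prompt"
    if key_field in RANDOM_SOURCES:
        return "ephemeral"
    # Any other value is a key file readable on the host itself, so
    # anyone with root on the machine (or its disk image) can unlock it.
    return "stored-on-host"


def audit_crypttab(text):
    """Parse crypttab text into a list of (volume name, finding) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry: needs at least name and device
        key_field = fields[2] if len(fields) > 2 else "none"
        findings.append((fields[0], classify_key(key_field)))
    return findings


def stored_key_volumes(text):
    """Names of volumes whose key file sits on the host."""
    return [n for n, f in audit_crypttab(text) if f == "stored-on-host"]


if __name__ == "__main__":
    for name, finding in audit_crypttab(SAMPLE_CRYPTTAB):
        print(f"{name:12} {finding}")
```

A "prompt" result only covers the powered-off case: once the passphrase has been entered, the data is readable from the running system, as the comment describes.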

  5. Anonymous Hero
    Flame

    Backups are not free

    I work for a hoster. Backup costs money, this is why we charge extra for the service.

    If you don't pay for backup then you don't have any right to complain that your site and data is lost either through the loss of a server or your own finger trouble.

    You as a customer/reseller have to assess how critical your sites are and build in the cost of business continuity to the TCO. As a hoster we can provide all the backups and redundancy you require, but it all costs money.

    The Real Kev K

  6. Daniel Voyce
    Flame

    @Joe Montana

    Joe.

    Backups were taken - both on VAServ and as personal scheduled downloads to another VPS. I also have backups of each site on a local machine. The main problem is that we don't actually have a server to put all of this on at the moment. Of the 5 servers I have with VAServ (and have had happily for over 3 years now - with no previous problems and excellent support). 3 have lost all data and are currently still offline - including the backups with VAServ. Which leaves me with local backups (totalling about 25GB) which I now need to commission / build a server (VPS.NET) and upload these backups as well as waiting for DNS propagation for the new server.

    It is not a case of data lost but rather service delayed as we strive to get these sites back on line.

    The encryption was DES encryption with the user's password as the key - entered when they log in not stored anywhere other than in a salted MD5 hash in the user table. The only sensitive information was name and address.

    It's a lot more than most people do and seeing as this was only an SQL injection of rm -rf there is no risk of any data leak full stop - I am secure in the knowledge that my users' data would be protected even if they did get hold of it - plus going to the effort of cracking a salted MD5 for a relatively small number of names and addresses would seem a bit pointless.

    So - Joe, please explain what else you would expect me to do other than the steps I have already taken on this one?

  7. Andrew Oakley
    Happy

    Hope they come back soon

    I lost my virtual server there too. I thought, and still think, their price, terms and conditions are ideal for non-mission-critical stuff run by people who have sufficient Clue to organise their own backups. Their network connectivity, for the price, was excellent, the support very quick, and their choice of pre-installed operating systems (notably, Ubuntu 8.04) sold it for me.

    One of the few affordable UK VPS hosts, I do hope they stay in the market for a long time.

  8. Anonymous Coward

    What a laugh

    Just got this email from VASERVE

    Hello,

    We are sending you this notice to let you know that your credit card ending in **** will be expiring in 10 days. Please be sure to log into your account and update your card to avoid service disruption for non-payment. Your login information is enclosed for you.

    I don't think so ;-)

  9. Anonymous Coward
    Dead Vulture

    Zer0 or non-Zer0

    It appears that the attack was targeted more at VAServe than HyperVM.

    The following purports to be the message left by the hax0rs of VAServe:

    http://www.webhostingtalk.com/showpost.php?p=6227712&postcount=7

    It appears that VAServe are putting a bit of a spin on the tale. Besides all the vulns in HyperVM, it was just poor password pol at VAServe:

    "Z3r0 day in hypervm?? plz u give us too much credit. If you really really wanna know how you got wtfpwned bitch it was ur own stupidity and excessive passwd reuse. Rus's passwds are:" blah blah blah

    Seems like VAServe cannot entirely pass the buck...

  10. Wayland Sothcott 1
    Black Helicopters

    Compromised password?

    Someone wanting to do some damage to a particular website could pressure the programmer for the system password, suicide him then hack the main server.

    You have to cover your tracks so you kill the person you got the password from and you kill all the websites so there is no clear motive.

    Obviously a Black Op, hence the dark chopper.
