Webhost denies poor passwords led to catastrophic hack
VAServ contradicts purported attackers
The director of an internet service provider has denied public allegations that poor password management and server configurations were responsible for an attack that wiped out data for more than 100,000 websites.
Rus Foster, director of VAServ.com, also says he was shocked when he learned the head of an Indian software firm hanged himself shortly after his software was fingered in the breach of the UK-based website host. As previously reported, the apparent suicide of K T Ligesh came around the same time Foster said an zero-day vulnerability in a virtualization management application made by Ligesh's LxLabs led to the catastrophic intrusion.
"I wondered if I was responsible in some way," Foster said during a brief phone call with The Register. "I'm just so, so tired."
The comments came a few hours after an anonymous posting from one of the purported attackers claimed Foster's repeated use of the same four passwords laid the groundwork for the mass compromise of VAServ's system. It went on to say that VAServ's main website ran on what's known as a virtualized private server, a configuration that the writer claimed made the password attack work quickly.
"Z3r0 day in hypervm??" the anonymous poster wrote, substituting numbers for letters as is common in hacker parlance. "Plz u give us too much credit."
Foster said he has discounted the posting because it contained fabricated details, including passwords and IP addresses.
"I don't have any of those passwords," he said of the secret phrases that were included in the post. "I don't recognize them."
Indeed, the post was general enough that it could have been written by anyone. It was originally added to this thread discussing the Vaserv incident on a website that caters to webhosts. It was quickly removed and later reposted here.
Some 48 hours after data was suddenly deleted from more than 200 servers operated by VAServ, company technicians have managed to retrieve lost information and restore service for some but not all of the 100,000 to 150,000 websites it hosted. Foster warned on Monday that data for some customers who signed up for unmanaged accounts was likely gone forever.
The ordeal has proved trying for Foster, who announced in a posting Vaserv was being taken over by a larger hosting provider known as BlueSquare.
"I've personally reached the end of my physical and emotitional [sic] tether," he wrote here. He went on to say he decided to "do what is best for the customer 'base' as it stands and get some big boys in behind to help get things back up and running and give people a chance." ®
Not necessarily untrue
In my last job at a hosting company, this is actually largely true. There were a lot of duplicate passwords, many of them having slight changes depending on the server, and a few key 'master' passwords.
When you have logins for the billing system, inventory/management, key authentication (for control panels etc.), KVM/IPs, and more, what are you going to do? Make obtusely different passwords for each section? And then do what, have a master password sheet you pass around? Nah, make it easy for the employees. It sounds insecure as hell, and it really is, and even as the most security-anal person there, I understood just why. Some of my coworkers used password vaults for easy access.
While I'm not familiar with how HyperVM manages file systems for virtualized containers, I know that in Virtuozzo it's very easy to fuck with a VPS from the hardware node itself -- just go into /vz/private and have fun. You can just nuke /vz and you've destroyed the files for every VPS in there except the config files (stored in /etc/vz/conf).
Billing system as well...most hosting companies, aside from small ones or immensely huge (ie, GoDaddy) ones use standardized billing platforms like WHMCS or billing software provided by their control panel provider (Plesk Billing, ClientExec, etc.). So as long as you know the database structure (and most use something similar), you can get in there and harvest away by dumping tables to an external file then using a few basic commands to make the output into an easily-readable file.
I still have no doubt that these are script kiddies, their behavior and actions speak volumes of it. But the attack itself sounds highly probable.
I have not run into a hosting company that does NOT tell you when you are getting automated backups. I also have not run into any hosting service that provides free backup services for dirt cheap accounts.
So if your provider does not EXPLICITLY state that you are getting backups, you must KNOW that you are responsible for that activity. It is unfortunate that VAserv had so many systems taken down, but if the machines are again available, the customers should get to work restoring from their own backups, and if they do not have any, then they should not be blaming VAserv for that. Frankly, it seems like VAserv is doing heroic work attempting to recover data that they were under no obligation to retain. Check out http://www.vaserv.com for status reports.
Even with our dedicated servers' nightly backups to tape maintained by the provider we STILL do our own nightly incremental backups via cronjob/rsync of all content files and databases. Even if the provider's data centers implode and we need to get completely new systems, we'll only be couple of hours away from full recovery, not counting propagation of the new DNS info.
The REAL Reason? (@Steve Evans)
I agree... The only reason a "hacker" would do this is part of a blackmail attempt... or to remove evidence of something already done.
200+ servers running how many virtual machines each? Sounds like a prime candidate for botnet control, stealth proxies, temporary harvesting depositories, bounce stations, or any number of useful setups, especially if the physical machine's norms are unusual or sporadic usage patterns.
What would you bet that this was an attempt to "clean up" after themselves once they were already done (or the way in was exposed), and what are odds for/against government sponsored tie-ins?