OVH Hacked

dragontamer Member
edited April 2013 in General

https://bitcointalk.org/index.php?topic=186902.msg1936161#msg1936161

Here's one thing to the whole bitcoin experiment... it is toward testing the security of these cheaper hosts! Linode and OVH have proven insecure in the wake of bitcoins...


Comments

  • @dragontamer said: Linode and OVH have proven insecure

    How do you know that they didn't have a dumb password, or that their home machines had a trojan? Is the provider really the culprit???

  • If OVH was hacked, I am sure they would do so much more than just go after one pool. Think about what is stored there.

  • This is why panels that provide full automation to your servers are a BAD idea.

    Colocate and do everything over a VPN + IPMI, use PXE to reinstall servers. Problem solved

  • @MrAndroid said: Think about what is stored there.

    Warez and seedboxes?

  • dragontamer Member
    edited April 2013

    How do you know that they didn't have a dumb password, or that their home machines had a trojan? Is the provider really the culprit???

    Fair enough. I guess we can wait it out a bit. I know that OVH had a very intrusive daemon running on all of their machines (as root), so I've been waiting for this sort of event to happen.

    Linode handled the event very well actually, and detailed where they were at fault.

    http://status.linode.com/2012/03/manager-security-incident.html

    Perfect security cannot be expected from a VPS provider, so my opinion of Linode is only higher after that event. Full disclosure + quick communication is the best I can expect from a VPS provider.

  • @dragontamer said: I know that OVH had a very intrusive daemon running on all of their machines (as root), so I've been waiting for this sort of event to happen.

    What is the name of this daemon? I'm not finding it.

  • shovenose Member, Host Rep

    I think it's in the kernel!

  • @dragontamer said: Perfect security cannot be expected from a VPS provider

    Or you could blame SolusVM for hundreds of VMs lost on about 10 nodes then have your main tech guy leave the company

  • What is the name of this daemon? I'm not finding it.

    I think I'm technically incorrect.

    http://forum.ovh.co.uk/showthread.php?t=1642

    It's not a daemon, but a backdoor SSH key + backdoor cronjob. Apologies for the technical mixup.

  • @doughmane I rofled

  • DomainBop Member
    edited April 2013

    OVH Hacked

    OVH wasn't hacked. The server of some f**ktard who uses OVH was hacked. Big difference.

    edit:

    What is the name of this daemon? I'm not finding it

    RTM - a real time monitor that alerts OVH if there is a problem (server down, server being attacked or sending attack, etc). It's preinstalled on all OVH servers.

    http://help.ovh.com/RealTimeMonitoring

  • @dragontamer said: It's not a daemon, but a backdoor SSH key + backdoor cronjob. Apologies for the technical mixup.

    Well, the SSH key I know about... the cron job I've not found.

    @shovenose said: I think it's in the kernel!

    The kernel's a vanilla grsec-patched kernel. Nothing special there.
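    The practical defender's check behind this exchange is to compare root's authorized_keys and root's crontab against what you yourself installed. The script below is an added example, not from this thread or from OVH: the key bodies, the crontab lines and the command paths are all constructed sample data, and on a real host you would feed it `/root/.ssh/authorized_keys` and the output of `crontab -l -u root` instead.

```shell
#!/bin/sh
# Constructed sample of /root/.ssh/authorized_keys: the first key is ours,
# the second is an extra key we never installed (stand-in for a provider key).
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOurAdminKey000000000000000000 admin@laptop
# comment lines are skipped
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExtraKeyWeDidNotInstall monitoring@provider'

# Key bodies (the base64 field) that we deliberately installed.
ALLOWED_KEYS='AAAAC3NzaC1lZDI1NTE5AAAAIExampleOurAdminKey000000000000000000'

# Constructed sample of `crontab -l -u root`: one job we own, one we did not add.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /opt/vendor-agent/probe --report'
ALLOWED_CRON='/usr/local/bin/backup.sh'

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST items.
in_list() {
    for item in $2; do [ "$item" = "$1" ] && return 0; done
    return 1
}

# unknown_keys KEYS ALLOWED: print each key line whose key body is not allowed.
# The body is located by its "AAAA" prefix, so lines with a leading
# options field (command="...", from="...") are handled as well.
unknown_keys() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        body=$(printf '%s\n' "$line" | awk '{for(i=1;i<=NF;i++) if($i ~ /^AAAA/){print $i; exit}}')
        in_list "$body" "$2" || printf '%s\n' "$line"
    done
}

# unknown_cron CRONTAB ALLOWED: print each job whose command (field 6) is not allowed.
unknown_cron() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        cmd=$(printf '%s\n' "$line" | awk '{print $6}')
        in_list "$cmd" "$2" || printf '%s\n' "$line"
    done
}

# audit: report anything in root's keys or crontab that is not on our lists.
audit() {
    unknown_keys "$SAMPLE_KEYS" "$ALLOWED_KEYS" | sed 's/^/unexpected key: /'
    unknown_cron "$SAMPLE_CRON" "$ALLOWED_CRON" | sed 's/^/unexpected cron: /'
}
audit
```

Anything the script reports is a key or job you did not put there; whether it belongs to the provider's monitoring or to something worse is then a question for the provider, not a guess.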

  • dragontamer Member
    edited April 2013

    OVH wasn't hacked. The server of some f**ktard who uses OVH was hacked. Big difference.

    TWO servers run by two different administrators were hacked, both of whom were using OVH. That is Slush's BTC pool, as well as Bitcoin-Central.net.

    If it were just one guy, it wouldn't be news. Two independent BTC servers getting hacked at the same time implies a common link. And that common weakness is OVH right now.

    It's reason for suspicion. No proof yet, but I think the "OVH was hacked" case is stronger than you imply.

  • DewlanceVPS Member, Patron Provider

    Why is OVH responsible for this?

  • doughmanes Member
    edited April 2013

    @dragontamer said: Two independent BTC servers getting hacked at the same time implies a common link.

    The owner got pwned regardless of his chest puffing in the forum about his security?

    @DewlanceVPS said: Why is OVH responsible for this?

    You should license Autoboot (TM) to OVH

  • The two admins, working together to steal coins. You cannot hack OVH servers.

  • @kandosan said: you cannot hack OVH servers

    wat

  • @doughmanes said: The owner got pwned regardless of his chest puffing in the forum about his security?

    Maybe? I don't know how that is relevant, but sure. If you don't like the owner, whatever. Still seems like a black eye on OVH however, at least until they can explain what the hell is going on.

  • @dragontamer said: If you don't like the owner, whatever.

    What makes you immediately think I don't like the owner? Folks puffing their chest and proclaiming their security sometimes make a foolish mistake.

    @dragontamer said: Still seems like a black eye on OVH however, at least until they can explain what the hell is going on.

    Does OVH manage the server?

    Oh, they rent the server to a customer whose responsibility it is to keep the server secure.

    If you do not like hosting providers, whatever.

  • Thankfully I had root login disabled on my OVH dedi. It still worries me somewhat, though.

  • Does OVH manage the server?
    Oh, they rent the server to a customer whose responsibility it is to keep the server secure.
    If you do not like hosting providers, whatever.

    Fair enough. I admit that I don't like hosting providers who install backdoor SSH keys into the root user, especially when it seems like that backdoor is insecure. It may be the end customer's ultimate responsibility to remove backdoors that your provider puts into the servers you have...

    Personally, I think that if the service provider is doing that sort of thing to their customer's servers, then it is the provider's responsibility to ensure that the backdoors do not get compromised.

  • Sunshine Member
    edited April 2013

    @DomainBop said: OVH wasn't hacked. The server of some f**ktard who uses OVH was hacked. Big difference.

    @yomero said: How do you know that they didn't have a dumb password, or that their home machines had a trojan? Is the provider really the culprit???

    @doughmanes said: Does OVH manage the server?

    Oh, they rent the server to a customer whose responsibility it is to keep the server secure.

    If you do not like hosting providers, whatever.

    I kindly suggest that you actually read the forum thread that @dragontamer linked to ;)

    The OVH control panel can boot the server into rescue mode and provide SSH access. And there seems to be a security issue related to the password reset feature of the OVH control panel.

    I don't know if there really is a security issue or not (perhaps the customer himself is indeed at fault). But if there is, then that's a pretty big deal.

  • @Sunshine that is what I understood.

  • Maounique Host Rep, Veteran

    @dragontamer said: then it is the provider's responsibility to ensure that the backdoors do not get compromised.

    Yes, like in the famous Sony case...
    I think that if I rent a dedi I would rather not allow any backdoor. If they have to monitor it, they can do so externally; it's not like you can't monitor the network or ping the server to see if it is down or something... That is a poor excuse to spy on you.

  • dragontamer Member
    edited April 2013

    Thankfully I had root login disabled on my OVH dedi. It still worries me somewhat, though.

    I do not have a server at OVH. Have they notified you (or any of their customers) of the potential breach in security? Or are they silent on this issue? The only links I can find on Google relate to bitcoin forums / twitter, where this story is getting spread. I haven't seen any OVH related status update on this.

    And it is reaching ~Day 5 since the breach of two systems (April 24 was the first breach, April 25th was the 2nd breach).

  • Let's move on folks. It's merely a PEBCAK error, nothing that's OVH's issue.

  • @Rallias said: Let's move on folks. It's merely a PEBCAK error, nothing that's OVH's issue.

    Do you have more information on this? I'd like to move on... but there is only one side of the story right now. I'd like to give OVH the benefit of the doubt, but silence is a bit deafening on security matters.

  • @Rallias said: Let's move on folks. It's merely a PEBCAK error, nothing that's OVH's issue.

    Sounds like it to me too but folks love to kick the provider around here. Funny how OVH is kicked but the fanboys love OVH prices. Rinse, wash, repeat.

  • @dragontamer said: I'd like to give OVH the benefit of the doubt, but silence is a bit deafening on security matters.

    They have about 100,000 servers. These two servers were two, low value customers. They were using their primary product. That the customer got hacked isn't big news for OVH. OVH probably doesn't even KNOW it happened.

  • dragontamer Member
    edited April 2013

    Slush's pool is estimated to currently mine ~350 BTC per day... or ~$49,000 per day in USD. 8% of all bitcoins mined goes to Slush's pool right now.

    Bitcoin-central.net is a BTC/Euro market that was also hacked as part of this... with a daily market volume over 1000BTC/day (with some days recently having 4000 BTC volume). As an exchange, that also means that ~130,000EUR (with peaks at 520,000 EUR) were getting traded back and forth per day.

    Fortunately, both sites caught the hacks quickly and shut down operations. So only a few hundred BTC were stolen (~order of $10k USD or so).

    I imagine that it doesn't take too many resources to run a BTC mining pool (as big as Slush's pool is, it only farms out ~300 tasks / second), nor does it take many resources to run a BTC exchange (it's mostly web traffic). But given the amount of money that these two sites commanded... I wouldn't call them "low value" customers. These single hacks have stolen tens of thousands of dollars in mere minutes.

    It sounds like both sites owned multiple servers at OVH as well, so I'm sure they were paying more than just a Kimsufi Atom.

    I do question Slush's decision however. He seems hell-bent on not owning servers of his own. He rented from Linode till his first server got hacked. Then he rented from OVH, and now he's moved to Amazon Web Services.

    AWS is a big target, and a giant mystery to me as far as security. I don't understand why he just doesn't get a locked quarter-rack or half-rack at some data-center and own a few boxes. He can even build his own mining server... much cheaper than renting a GPU cluster from Amazon... especially if he keeps it at 100% load for BTC mining.
