Potential BlueVM WHMCS Breach
BlueVM Member
edited October 2017 in Providers

Good morning,

Earlier this morning we were informed that a potential breach of our WHMCS may have exposed user details and passwords. As such we are taking preemptive action in the event that this is even remotely true.

As I write this my staff are shutting down many of our access systems (EG: WHMCS, HyperVM, SolusVM, etc...) and are beginning a full security audit of all of our logs. As part of this clients may not be able to access these systems at this time.

In the event a breach actually occurred we will be forcing a password reset on every single user's WHMCS and HyperVM/SolusVM passwords and will bring these systems online when we feel that the minimum safety precautions have been met.

We strongly encourage all of our users who have not changed their OpenVZ vps passwords to login to SSH at this time and change the password now.

We sincerely apologize for any inconvenience this may cause our users, but we would rather ensure our clients' data is protected at all costs than have a larger breach occur. The security of our users' data is our number one priority and we take it very seriously.

AT THIS TIME THE BREACH IS NOT CONFIRMED. WE WILL UPDATE EVERYONE AS WE HAVE MORE INFORMATION.

Best Regards,

BlueVM Communications LLC


Comments

  • Magiobiwan Member
    edited June 2013

    Just to stress the point: The breach is NOT confirmed, and we CHOSE to take WHMCS and HyperVM offline. If you wish to visit our IRC Channel but don't know the link, here's a Webchat.
    http://chat.obsidianirc.net:9090/?channels=bluevm&uio=d4
    Edit: Now you have to TELL it a nick to use.

  • Nick_A Member, Top Host, Host Rep

    Can you explain the signs of the potential breach?

  • Megabyte+ sized responses from PHP files.

  • Paul Member

    @Nick_A said:
    Can you explain the signs of the potential breach?

    I think any vulnerability on the server (bad scripts, applications, unsecured points of access, etc) opens up plenty of opportunities for a breach. I think from the point of view of the person breaching the server, if the goal is for a short-term steal and kill, then you'll probably see plenty of data movement, and then afterwards, files start disappearing. But for well-organized stuff, then you won't really notice anything right away. Attacks happen during off-hours most of the time or following a scheduled pattern.

    I'd like to know more about this too. Aside from what was mentioned above regarding changes or movements with the files (timestamp, sizes, etc.), transfers of loads of data, and unauthorized root access, are there any other points the community can share about the issue?

  • So is it still down? VM is offline.

  • BlueVM Member

    @MorningIris - No VPS should be offline.

  • I meant Hypervm, sorry...

  • @BlueVM said:
    MorningIris - No VPS should be offline.

    My VPS at Kansas DC is down for around 8 hrs. Can you please check. I have also created a ticket.

  • Mun Member

    Sounds like autonull.

  • @peppr said:
    My VPS at Kansas DC is down for around 8 hrs. Can you please check. I have also created a ticket.

    Update: Managed to boot via IRC support. The node, when rebooted, seems not to boot my VPS back. @BlueVM has sorted that, so thanks...

  • Nobody does file/directory integrity scanners anymore like afick?

    Run afick on your WHMCS dir, get alerted when a PHP shell pops up, or wherever a PHP shell may pop up. C'mon, afick and tripwire, so 1990s
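A minimal afick/tripwire-style baseline-and-diff check in Python, added here as an illustration and not part of the thread or any product it mentions; the WHMCS-like directory layout and file names are constructed for the demo, and the only files flagged are new or altered server-side scripts.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256.
    Same idea as an afick/tripwire baseline: take it on a known-good install,
    keep it off-box, and diff fresh snapshots against it."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline, current):
    """Added, removed and modified relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def suspicious_changes(changes, script_exts=(".php", ".phtml", ".php5")):
    """Changes worth alerting on in a web tree: any new or altered server-side
    script, which is how a dropped PHP shell or a backdoored core file shows up."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if p.lower().endswith(script_exts))

def demo(tmp=None):
    """Constructed, hypothetical WHMCS-like tree; not real data. Returns the
    script paths the scanner would alert on after two simulated changes."""
    tmp = Path(tmp or tempfile.mkdtemp())
    (tmp / "includes").mkdir(exist_ok=True)
    (tmp / "attachments").mkdir(exist_ok=True)
    (tmp / "index.php").write_text("<?php echo 'ok';")
    (tmp / "includes" / "api.php").write_text("<?php // api")
    (tmp / "attachments" / "ticket.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    base = snapshot(tmp)
    # Simulated events: a new script appears, a core file is edited, and a
    # harmless attachment is added (that one must not be flagged).
    (tmp / "includes" / "cache.php").write_text("<?php /* dropped */")
    (tmp / "index.php").write_text("<?php echo 'ok'; // altered")
    (tmp / "attachments" / "other.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return suspicious_changes(diff_snapshots(base, snapshot(tmp)))

if __name__ == "__main__":
    print(demo())  # ['includes/cache.php', 'index.php']
```

In practice the baseline is taken once from a clean install, stored somewhere the web server cannot write, and compared on a schedule.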

  • It happened to me a few times before too. Seems the node's reboot does not bring my VPS back. I have to do a manual reboot from the control panel. Maybe a bug in HyperVM??

  • Hypervm is back online.

  • Fritz Veteran
    edited June 2013

    My VPS was offline for almost 8 hours too. I guess it was because the node restarted. They restart the node almost every week. Ouch!

  • Looking forward to a detailed email about what happened.

  • krs360 Member

    That guy has changed his Twitter feed so you can't view it without being an approved follower. Guess he got some abuse, lol.

    I'm guessing he didn't post the dump in the end as he said he would?

  • BlueVM Member

    I will be making a statement shortly, thank you for your patience in the matter.

  • @doughmanes : I still run AIDE :)

  • Maounique Host Rep, Veteran

    I think that is a HyperVM bug, as this is why I left BlueVM: my VPSes were down a long time after each reboot.
    I guess they didn't manage to fix it yet.
    for a in $(vzlist -a -1|sort -rn); do vzctl start $a; done

  • krs360 Member

    There were really bad issues in the past with HyperVM weren't there? Guy ending up killing himself over it or something.

    Hopefully there was no validity behind "twodayexploit" claims.

  • Yeah HyperVM should be discontinued.

  • @CentrioHost said:
    Yeah HyperVM should be discontinued.

    What does this have to do with anything?

  • @Bogdacutuu said:
    What does this have to do with anything?

    He is now ready to post his offer ;)

  • @peppr said: He is now ready to post his offer ;)

    Lol, no.

  • joepie91 Member, Patron Provider

    @CentrioHost said:
    Yeah HyperVM should be discontinued.

    HyperVM is already discontinued. That's part of the problem.

  • @joepie91 said:
    HyperVM is already discontinued. That's part of the problem.

    It's not part of the problem if they've taken the open source product and gone through and made numerous fixes (as @BlueVM has already stated he's done, or I think it was him anyway).

    That's the part of an open source product, is it not? Just because something is "discontinued" doesn't mean that an individual or company can't pick up that product and adapt/update it to meet their needs.

  • joepie91 Member, Patron Provider

    @MrObvious said:
    That's the part of an open source product, is it not? Just because something is "discontinued" doesn't mean that an individual or company can't pick up that product and adapt/update it to meet their needs.

    The problem is that HyperVM is so messy, has so many things tacked on, and has so many different coding styles running through it (not to mention the horrible UX), that the effort required to patch it up would be more than that required to write a new and better functioning panel from scratch.

    I certainly appreciate the source of HyperVM being publicly available, and I've quite frequently used it as a reference for OpenVZ (because while the PHP is messy, the original author clearly understood OpenVZ very well), but it's simply not feasible to try and turn the current codebase into a workable panel.

    Also, the quote button is thoroughly broken.

  • mikho Member, Host Rep

    @BlueVM said:
    I will be making a statement shortly, thank you for your patience in the matter.

  • I'm not sure why Justin hasn't made it yet. I'll see what the hold-up is.

  • BlueVM Member

    I apologize for my delay in making this statement. This incident could not have happened at a worse time. My move from Hawaii to Colorado began this week and as part of that I had to pack up everything in my house, file a ton of paperwork, ship my car (military shipment), etc... As part of that I'm writing this from an entirely empty house as I wait until Monday to finalize the paperwork I need to get out of the military.

    My staff discovered a tweet from TwoDayExploit on the 25th of June. The tweet stated that TwoDayExploit had dumped our WHMCS database and would release the passwords and data shortly. Around the same time a large outflow of data was detected by our monitoring system setup. It was at that time we decided to take the entire VPS responsible for our billing system offline (along with hypervm) to run through the logs and detect exactly what had happened. We posted the message on LET (VPS Board was down at the time) and on our twitter feeds. I had intended to issue everyone an email about it, but my circumstances called me away to handle my move. My staff picked up the torch and continued to scan through the logs and check for any possible breach.

    Around the time of the Twitter post someone uploaded a png image to our service as part of a ticket consisting of 1 MB of raw randomized text (no actual image). They then proceeded to load up that "image" from our site several hundred times, making the data flow outbound appear abnormally high until we took down our WHMCS installation. A review of the logs showed the image being loaded up and confirmed our hypothesis: There was no breach. As such we restarted the system and felt that it was unnecessary to email everyone about the incident due to the fact that we had already confirmed it fake. We appreciate everyone's support during this time and once again I apologize for the lack of communication on my end.

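As an added example (not from the thread, BlueVM or WHMCS), the check that @Nick_A's "megabyte+ sized responses from PHP files" answer implies, run over constructed access-log lines: it groups 2xx responses of a megabyte or more served by PHP scripts and reports hits, bytes and distinct clients per URL, so one attachment fetched repeatedly (the pattern the statement above describes) stands out from many distinct large responses. The `/billing/dl.php?type=a&id=...` attachment path and all log lines are assumed sample data.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format; only ip, path, status and size are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
MEGABYTE = 1024 * 1024

# Constructed sample lines (not real logs): one ticket-attachment URL pulled
# repeatedly by one client, a normal page view, and a large non-PHP download.
SAMPLE_LOG = """
203.0.113.7 - - [25/Jun/2013:14:02:11 +0000] "GET /billing/dl.php?type=a&id=4242 HTTP/1.1" 200 1048612 "-" "curl/7.29"
203.0.113.7 - - [25/Jun/2013:14:02:12 +0000] "GET /billing/dl.php?type=a&id=4242 HTTP/1.1" 200 1048612 "-" "curl/7.29"
203.0.113.7 - - [25/Jun/2013:14:02:13 +0000] "GET /billing/dl.php?type=a&id=4242 HTTP/1.1" 200 1048612 "-" "curl/7.29"
198.51.100.9 - - [25/Jun/2013:14:03:01 +0000] "GET /billing/clientarea.php HTTP/1.1" 200 18322 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jun/2013:14:03:05 +0000] "GET /downloads/netinst.iso HTTP/1.1" 200 314572800 "-" "Mozilla/5.0"
""".strip()

def parse_lines(text):
    """Yield one dict per line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def large_php_responses(text, threshold=MEGABYTE):
    """Group successful responses of >= threshold bytes served by .php scripts.
    Returns {url: {"hits", "bytes", "clients"}}: one URL with many hits from a
    few clients is a repeated download, many URLs is a different story."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "clients": set()})
    for rec in parse_lines(text):
        if rec["size"] == "-" or not rec["status"].startswith("2"):
            continue
        size = int(rec["size"])
        script = rec["path"].split("?", 1)[0]
        if size < threshold or not script.endswith(".php"):
            continue
        entry = stats[rec["path"]]
        entry["hits"] += 1
        entry["bytes"] += size
        entry["clients"].add(rec["ip"])
    return dict(stats)

def summarize(stats):
    """One line per flagged URL, largest total bytes first."""
    return [f'{p} hits={s["hits"]} bytes={s["bytes"]} clients={len(s["clients"])}'
            for p, s in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"])]

if __name__ == "__main__":
    print("\n".join(summarize(large_php_responses(SAMPLE_LOG))))
```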