[Warning]A2 Hosting infected by Ransomware

YmpkerYmpker Member

Although a bit late, and if you are with A2 Hosting you have probably already noticed, it seems their services have been (partly) infected with ransomware for a couple of days.
If you were looking to host with them, or are already a client there and not (yet) affected, you may want to consider moving or at least backing up your data ASAP.

Sources:

https://a2status.com/incident/1094

https://www.zdnet.com/article/windows-server-hosting-provider-still-down-a-week-after-ransomware-attack/

https://www.theregister.co.uk/2019/04/26/a2_hosting_outage/


Comments

  • YuraYura Member

    A2 #METOO

  • ChuckChuck Member

    inside job?

  • level6level6 Member
    edited May 2019

    "A2 Hosting is the host you can depend on with ultra-reliable servers!" - except when they're buggered with ransomware... Owned by EIG of course.

  • donlidonli Member

    I guess this is why you should only go with A1 providers.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @level6 said:
    "A2 Hosting is the host you can depend on with ultra-reliable servers!" - except when they're buggered with ransomware... Owned by EIG of course.

    https://www.a2hosting.com/kb/does-a2-hosting-support/are-you-owned-by-endurance-international-group

    ?_?

    Francisco

  • YmpkerYmpker Member
    edited May 2019

    @Francisco said:

    @level6 said:
    "A2 Hosting is the host you can depend on with ultra-reliable servers!" - except when they're buggered with ransomware... Owned by EIG of course.

    https://www.a2hosting.com/kb/does-a2-hosting-support/are-you-owned-by-endurance-international-group

    ?_?

    Francisco

    Welp can't read it :S No VPN/Proxy. Just Vodafone.

    You accidentally triggered our security firewall.
    Don't worry! This temporary precaution expires in 15 minutes.
    If you are still experiencing issues after this time, please contact the A2 Hosting Support Team by clicking the chat icon below.

  • FranciscoFrancisco Top Host, Host Rep, Veteran
    edited May 2019

    Ympker said: Welp can't read it :S No VPN/Proxy. Just Vodafone.

    Here you go:

    Are you owned by Endurance International Group?
    No, we are not owned by Endurance International Group (a large website hosting company that has acquired many smaller companies). A2 Hosting is an independent and founder-owned company.

    Francisco

  • donlidonli Member
    edited May 2019

    @Ympker said:

    @Francisco said:

    @level6 said:
    "A2 Hosting is the host you can depend on with ultra-reliable servers!" - except when they're buggered with ransomware... Owned by EIG of course.

    https://www.a2hosting.com/kb/does-a2-hosting-support/are-you-owned-by-endurance-international-group

    ?_?

    Francisco

    Welp can't read it :S No VPN/Proxy. Just Vodafone.

    You accidentally triggered our security firewall.
    Don't worry! This temporary precaution expires in 15 minutes.
    If you are still experiencing issues after this time, please contact the A2 Hosting

    Here's what it says:

    Are you owned by Endurance International Group?

    No, we are not owned by Endurance International Group (a large website hosting company that has acquired many smaller companies). A2 Hosting is an independent and founder-owned company.

    They are apparently not owned by EIG:
    https://researchasahobby.com/full-list-eig-hosting-companies-brands/

  • YuraYura Member

    In case someone still can't read it, here's what it says:

    Are you owned by Endurance International Group?

    No, we are not owned by Endurance International Group (a large website hosting company that has acquired many smaller companies). A2 Hosting is an independent and founder-owned company.

  • SirFoxySirFoxy Member

    In case someone still, still, can't read it, here's what it says:

    @Yura said:

    In case someone still can't read it, here's what it says:

    Are you owned by Endurance International Group?

    No, we are not owned by Endurance International Group (a large website hosting company that has acquired many smaller companies). A2 Hosting is an independent and founder-owned company. Peepee poopoo.

  • YmpkerYmpker Member
    edited May 2019

    Thanks for posting what it says :) Dunno why they wouldn't allow residential Vodafone IP.

  • SirFoxySirFoxy Member

    @Ympker said:
    Thanks for posting what it says :) Dunno why they wouldn't allow residential Vodafone IP.

    They don't like your kind 'round these parts.

  • mgilangmgilang Member

    windows, always.

  • YmpkerYmpker Member

    @SirFoxy said:

    @Ympker said:
    Thanks for posting what it says :) Dunno why they wouldn't allow residential Vodafone IP.

    They don't like your kind 'round these parts.

    Well it's not like I wanted to order anything from them anyway. Still odd.

  • donlidonli Member
    edited May 2019

    @Ympker said:

    @SirFoxy said:

    @Ympker said:
    Thanks for posting what it says :) Dunno why they wouldn't allow residential Vodafone IP.

    They don't like your kind 'round these parts.

    Well it's not like I wanted to order anything from them anyway. Still odd.

    Odd? You want really odd??

    Vodafone commercials...

  • deankdeank Member, Troll

    Nigh, the end.

  • vovlervovler Member

    @deank said:
    Nigh, the end.

    Exactly what I was looking for when I opened this thread

  • ALL YOUr base... ah fuck it, I'm tired.

  • leang97leang97 Member

    But the real question is, they seem to be able to "restore" the servers; did they pay for the keys or anything?

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @leang97 said:
    But the real question is, they seem to be able to "restore" the servers; did they pay for the keys or anything?

    They've been restoring their own backups.

    Some users have reported large rollbacks (multiple days/weeks/months in some cases).

    What a disaster. Shout out to the staff having to work through this.

    Francisco

  • leang97leang97 Member

    @Francisco said:

    @leang97 said:
    But the real question is, they seem to be able to "restore" the servers; did they pay for the keys or anything?

    They've been restoring their own backups.

    Some users have reported large rollbacks (multiple days/weeks/months in some cases).

    What a disaster. Shout out to the staff having to work through this.

    Francisco

    Damn, backups are really important. RIP to the staff and engineers who have to work day and night to overcome this absolute disaster and the pressure over the week. By the way, from my understanding the ransomware was able to spread by using the RDP protocol. Did their servers have the RDP port open to the public internet? I personally don't think they would make a mistake like that, putting RDP listening on public IPs; they should have some VPN/proxy connection before anyone can RDP into the machines. I really doubt that it would be an inside job spreading the virus on the machines via internal IPs.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    leang97 said: the ransomware was able to spread by using the RDP protocol

    Wait seriously? Where was that discussed? I must've missed something somewhere.

    Francisco

  • PHDanPHDan Member
    edited May 2019

    https://www.zdnet.com/article/windows-server-hosting-provider-still-down-a-week-after-ransomware-attack/

    Based on the .lock file extension and the infection date, the ransomware appears to be a version of the GlobeImposter 2.0 ransomware strain, whose operators have been extremely active over the past weeks, Lawrence Abrams, malware analyst and founder of Bleeping Computer, told ZDNet today.

    GlobeImposter, a ransomware strain known to be installed via RDP, may also be the reason why A2 has disabled RDP access to its servers after the attack.

  • MikeAMikeA Member, Patron Provider
    edited May 2019

    @Francisco said:

    leang97 said: the ransomware was able to spread by using the RDP protocol

    Wait seriously? Where was that discussed? I must've missed something somewhere.

    Francisco

    The two articles I read from a day or two ago just say that RDP was brute forced and the ransomware installed from there, where it infected the rest, then they disabled RDP.

    Not surprising if so.

  • leang97leang97 Member

    @MikeA said:

    @Francisco said:

    leang97 said: the ransomware was able to spread by using the RDP protocol

    Wait seriously? Where was that discussed? I must've missed something somewhere.

    Francisco

    The two articles I read from a day or two ago just say that RDP was brute forced and the ransomware installed from there, where it infected the rest, then they disabled RDP.

    Not surprising if so.

    Brute force? I don't think they would set their password to something as easy as "abc" for it to be brute-forced in a short time.

  • MikeAMikeA Member, Patron Provider
    edited May 2019

    @leang97 said:

    @MikeA said:

    @Francisco said:

    leang97 said: the ransomware was able to spread by using the RDP protocol

    Wait seriously? Where was that discussed? I must've missed something somewhere.

    Francisco

    The two articles I read from a day or two ago just say that RDP was brute forced and the ransomware installed from there, where it infected the rest, then they disabled RDP.

    Not surprising if so.

    Brute force? I don't think they would set their password to something as easy as "abc" for it to be brute-forced in a short time.

    Well, it's the most common way. If the RDP/Windows server is managed by the client, and A2 doesn't manage them all, you'd be surprised how many people use a basic combo of letters and numbers. Plus many less experienced just disable the firewall because it's an inconvenience.

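MikeA's point above is that an exposed RDP service with a guessable password is the usual way this ransomware family gets in, and that it is then the hosting customer, not the provider, who owns the weak login. A brute-force against RDP is also one of the easier things to catch in the Windows Security log before the payload lands. The following is an added example, not code from this thread, from A2 Hosting, or from any of the linked articles: a small Python detector that reads constructed log lines in a made-up one-line-per-event format, counts failed RemoteInteractive logons (Event ID 4625, LogonType 10) per source IP in a sliding window, and flags any source that then gets a successful logon (Event ID 4624, LogonType 10) from the same address, which is the "brute force worked" case. The IPs, account names and the text format are invented for the example; the Event IDs and LogonType 10 are the real Windows values.

```python
"""Detect RDP brute-force attempts in Windows Security log lines.

Added example (not from the original thread). Assumes events have been
exported in a hypothetical one-line format:
    <ISO timestamp> EventID=<id> LogonType=<n> Account=<user> Source=<ip>
Real Windows values used: 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP / Terminal Services).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one source sprays five accounts in five seconds
# and then succeeds; one legitimate user mistypes once; one non-RDP failure.
SAMPLE_LOG = """\
2019-04-22T03:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.10
2019-04-22T03:00:02 EventID=4625 LogonType=10 Account=admin Source=203.0.113.10
2019-04-22T03:00:03 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.10
2019-04-22T03:00:04 EventID=4625 LogonType=10 Account=backup Source=203.0.113.10
2019-04-22T03:00:05 EventID=4625 LogonType=10 Account=sqlsvc Source=203.0.113.10
2019-04-22T03:00:07 EventID=4624 LogonType=10 Account=backup Source=203.0.113.10
2019-04-22T03:10:00 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.7
2019-04-22T03:30:00 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.7
2019-04-22T03:05:00 EventID=4625 LogonType=3 Account=web01 Source=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "source": m["src"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.

    Returns {source_ip: {"failures": total failed RDP logons from that IP,
                         "accounts": set of account names tried,
                         "success_after": account that later logged in from
                                          the same IP, or None}}.
    Only LogonType 10 is considered, so network logons (type 3) and
    console logons are ignored: the point is the exposed RDP listener.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue
        if e["event_id"] == 4625:
            failures[e["source"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["source"]].append(e)

    hits = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        # Two-pointer sliding window over the sorted failure timestamps.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_ts = fails[start]["ts"]
                later = [s for s in successes.get(src, []) if s["ts"] >= first_ts]
                hits[src] = {
                    "failures": len(fails),
                    "accounts": {f["account"] for f in fails},
                    "success_after": later[0]["account"] if later else None,
                }
                break
    return hits


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        sev = "CRITICAL" if info["success_after"] else "WARNING"
        print(f"{sev} {src}: {info['failures']} failed RDP logons across "
              f"{len(info['accounts'])} accounts; "
              f"logged in afterwards as {info['success_after']}")
```

Two details matter in practice. First, the number of distinct account names per source separates a password spray from an admin fat-fingering their own password, which is why the detector keeps the set rather than just a count. Second, a success from the same source shortly after the burst is the event to page on, because at that point the attacker is already interactive and the ransomware drop is minutes away; on a hosting platform the "source" may well be another customer's VPS on the same network, which is leang97's segmentation point further down.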
  • deankdeank Member, Troll
    edited May 2019

    @MikeA said:
    you'd be surprised how many people use a basic combo of letters and numbers. Plus many less experienced just disable the firewall because it's an inconvenience.

    True on both. A user recently posted on LET about his account being hacked, and he was absolutely confident that his password was strong because it was a combination of four words.

    The foundation of a strong password is gibberish.

  • leang97leang97 Member

    @MikeA said:

    @leang97 said:

    @MikeA said:

    @Francisco said:

    leang97 said: the ransomware was able to spread by using the RDP protocol

    Wait seriously? Where was that discussed? I must've missed something somewhere.

    Francisco

    The two articles I read from a day or two ago just say that RDP was brute forced and the ransomware installed from there, where it infected the rest, then they disabled RDP.

    Not surprising if so.

    Brute force? I don't think they would set their password to something as easy as "abc" for it to be brute-forced in a short time.

    Well, it's the most common way. If the RDP/Windows server is managed by the client, and A2 doesn't manage them all, you'd be surprised how many people use a basic combo of letters and numbers. Plus many less experienced just disable the firewall because it's an inconvenience.

    That sounds logical. But what about their own Windows servers that host their clients' websites as shared hosting? They should have separated, and should keep separated, their own Windows machines from the customers' VM network. It doesn't sound right that one customer's Windows VM getting infected would infect the whole data center, running on different subnets and machines.

  • deankdeank Member, Troll

    "Should have" translates to "Too much work".

    Therefore, forget it.

  • leang97leang97 Member

    @deank said:

    @MikeA said:
    you'd be surprised how many people use a basic combo of letters and numbers. Plus many less experienced just disable the firewall because it's an inconvenience.

    True on both. A user recently posted on LET about his account being hack and he was absolutely confident that his password was strong because it was a combination of four words.

    The foundation of a strong password is gibberish.

    Try password generators...... Don't use proper WORDS for passwords; maybe try your pet dog's name with a few other combinations of your favourite numbers and something that came up in your dreams, that would be enough for a "strong password". And a few symbols too; placing different symbols between each "word" you can come up with would be hard enough.....

    @deank said:
    "Should have" translates to "Too much work".

    Therefore, forget it.

    Well, yeah, that probably sums it all up. Your signature quote might also explain it a bit.....
