Budgetnode outage

Hello all - it seems to be over now but I thought it worth posting about what happened recently to Budgetnode's servers in Ashburn, Virginia. Given the dearth of info from Budgetnode (especially compared with some of the other outages documented on the forum) I thought I'd take matters into my own hands.

Sometime last weekend (yes it was the 4th of July weekend for our US friends, but then neither I nor Budgetnode is based in the USA) I noticed my server was down but found no notification from Budgetnode of any outage. So I reached out via a ticket and via Twitter but no response to date.

At around 0000UTC Monday 6 July (by now something like 48 hours since the outage began) there was a customer email notification stating that there had been a compromise of the server, which would be reprovisioned with data loss.

About 26 hours later (0220UTC) I received notification that my VPS had been reprovisioned as a completely new virgin installation. I requested further information and about 7 hours later received a personal response saying that the server had been taken down, all data removed and a ransom demand received. It stated that they did not know how this compromise had happened but assumed it was an exploit on the server. Of course that proves nothing - it is what they would say.

Now today (8 July 1740UTC) I received a further email saying that some of the reprovisioned VPSs have been hacked and used for outbound DoS attacks owing to insecure root passwords. I find this a little hard to believe, since the reprovisioned VPSs had randomly generated root passwords. If those randomly generated passwords have been compromised that would suggest that Budgetnode's portal is also compromised. Anyway I was pleased to see that my own VPS has no unexplained network traffic, but as always I have disabled password authenticated SSH logins, so blocking at least one method of attack.

So less than stellar performance, Budgetnode. That said, in the 4 years I've been using them I haven't had any previous issues. But if I hadn't just paid my yearly bill I'd be looking for another provider, since I have to restore my VPS from scratch in any case.
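As an added example (not from this thread or from Budgetnode), the check below audits an sshd_config for the mitigation the poster mentions, disabling password SSH logins, against a constructed sample resembling a freshly reprovisioned VPS. It follows sshd's rule that the first value of a keyword wins, ignores settings inside Match blocks (they are conditional, not global), and flags Include lines, whose files normally sit at the top and therefore override what follows.

```python
"""Audit an sshd_config for settings that still allow password-based logins."""
import re

# sshd's built-in defaults for the keywords that matter here (OpenSSH man page).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",       # OpenSSH >= 8.7 name
    "challengeresponseauthentication": "yes",    # older alias for the same switch
    "permitrootlogin": "prohibit-password",
}

# Constructed sample config, not a real server's file.
SAMPLE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored by sshd: the first value wins
Match User backup
    PasswordAuthentication yes   # applies only to this user, not globally
"""

def parse_global(text):
    """Return (global settings, include globs). First occurrence of a keyword
    wins; everything after the first Match line is conditional and skipped."""
    settings, includes, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif in_match:
            continue
        elif key == "include":
            includes.append(parts[1].strip() if len(parts) > 1 else "")
        else:
            settings.setdefault(key, value)        # first value wins
    return settings, includes

def audit(text):
    """Return a list of findings; an empty list means password logins are closed."""
    settings, includes = parse_global(text)
    eff = {k: settings.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if "no" not in (eff["kbdinteractiveauthentication"], eff["challengeresponseauthentication"]):
        findings.append("keyboard-interactive auth still enabled (PAM can prompt for a password)")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes permits root password logins")
    findings += [f"Include {g} not followed; included files precede and override this file" for g in includes]
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a live host; resolve the Include globs by hand, since the script deliberately does not read other files.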

Comments

  • What's the deal with budgetnode?
    People registering new accounts and posting how bad budgetnode is?

  • TheLinuxBug Member
    edited July 2020

    @avidscavenger said: It stated that they did not know how this compromise had happened but assumed it was an exploit on the server. Of course that proves nothing - it is what they would say.

    I would bet good money (speculation) they had an insecure IPMI IP and they were hit by the recent bots that have been hacking insecure IPMI and then installing ransomware through the IPMI interface in an automated manner on older dedicated servers. I only know of this because I have seen it once on a customer machine which we had to remedy and figure out the cause. We detected the exploit came through an insecure IPMI interface IP on their network. The exploit is really shitty: within a short period it accesses the server, installs the ransomware, reboots the system and starts encrypting. Most people will have first noticed the issue because the server was rebooted unexpectedly. They will then demand large sums of bitcoin to decrypt the information for you. Unless you are a government agency or medical company with appropriate cyber security insurance attached to your business insurance, most are not going to pay the ransom as it is exorbitant and cost prohibitive.

    Also, who knows how much information they are exporting remotely during the process that you will never know about. So if customers were dumb enough to reuse the same (easy to password crack) passwords on their servers, being "re-hacked" may not even be what happened there, they may just be using the passwords they skimmed during the attack to access the systems again.

    Anyways, warning to those out there selling dedicated servers or renting servers with IPMI exposed: a lot of older systems' IPMI is 100% vulnerable, and if you are not already placing it behind some type of VPN or proxy interface blocking access to the IPMI IPs, then you should for sure be blocking full access to IPMI IPs in your firewalls and only be allowing access as is needed.

    My 2 cents.

    Cheers!

    Thanked by: avidscavenger
  • @Iroshan464 said:
    What's the deal with budgetnode?
    People registering new accounts and posting how bad budgetnode is?

    Are you fucking reading the posts? Jesus Christ. It's a dumpster fire provider.

    Thanked by: dahartigan
  • deank Member, Troll
    edited July 2020

    @Iroshan464 said:
    What's the deal with budgetnode?
    People registering new accounts and posting how bad budgetnode is?

    People tend not to give shit when things go smoothly.

    It's only when things go south where they begin to whine. And it takes only a minute of downtime for "the best host" to become "the worst host".

  • Zero response or activity since forever, it's soon time to revoke that provider tag... Changes are coming.

  • SplitIce Member, Host Rep