What happened to Clouvider earlier... Why was a serious post like that removed?

clouvider.net was compromised and hosted on the same server as .com and .co.uk

No explanation?

Hacked By Katyusha https://clouvider.net

We Are Katyusha_sxc - Black_sxc - mr.n_sxc - ./ycr17_sxc - xs7_sxc. Powered SecurityXploitCrew - Indonesian Hacker.


Comments

  • For real?

  • deank Member, Troll

    Yeah, the guy posted in haste but deleted his post content, saying he was mistaken.

    Apparently, not. I even said my bit, too, the nigh is end stuff.

    Thanked by 2: dahartigan, adly
  • Oh wow it's true! That's unusual to see the website of such a provider compromised like that. Wordpress?

  • I feel like this type of event should be announced as an official statement from Clouvider...

    Thanked by 1: adly
  • deank Member, Troll

    If WP, I bet it was a plugin.

    A butt plugin.

  • @Gravely said:
    I feel like this type of event should be announced as an official statement from Clouvider...

    Yeah and not covered up (allegedly?) @Clouvider

  • deank Member, Troll

    Possible deadpool?

  • @deank said:
    If WP, I bet it was a plugin.

    A butt plugin.

    ROFL!

  • AllHost_Rep Member, Patron Provider

    Interestingly the cached results show a pretty much empty directory on the 21st including the sxc.php file and then the "hacked" version a couple days later on the 23rd.

    Doesn't look like there was a WordPress site there to be able to be exploited.

    Thanked by 1: dahartigan
  • jar Patron Provider, Top Host, Veteran
    edited August 2021

    I use WordPress but it's not connected in any meaningful way to anything of value, so long as anything unexpected is removed extremely quick so as to not be able to trick a user into a compromising situation (like a false login form). If he's using WP as well I'd expect a similar scenario. WP is fine, so long as it's never connected to client data.

    WP always being a reasonable assumption when a site is compromised.

    Thanked by 2: adly, ariq01
  • @AllHost_Ben said:
    Interestingly the cached results show a pretty much empty directory on the 21st including the sxc.php file and then the "hacked" version a couple days later on the 23rd.

    Doesn't look like there was a WordPress site there to be able to be exploited.

    I thought the same when I saw that image, perhaps WordPress was installed and compromised, then they nuked his wp install?

  • deank Member, Troll

    I generally do not like the silent type when a disaster strikes tho.

  • @jar said:
    I use WordPress but it's not connected in any meaningful way to anything of value, so long as anything unexpected is removed extremely quick so as to not be able to trick a user into a compromising situation (like a false login form). If he's using WP as well I'd expect a similar scenario. WP is fine, so long as it's never connected to client data.

    WP always being a reasonable assumption when a site is compromised.

    The user account tends to become compromised, so unless they run whmcs and WordPress under the same httpd user...

  • deank Member, Troll

    @dahartigan said:
    unless they run whmcs and WordPress under the same httpd user...

    Nah, not possible. Only a dumb kid does that.

  • jar Patron Provider, Top Host, Veteran
    edited August 2021

    @dahartigan said:

    @jar said:
    I use WordPress but it's not connected in any meaningful way to anything of value, so long as anything unexpected is removed extremely quick so as to not be able to trick a user into a compromising situation (like a false login form). If he's using WP as well I'd expect a similar scenario. WP is fine, so long as it's never connected to client data.

    WP always being a reasonable assumption when a site is compromised.

    The user account tends to become compromised, so unless they run whmcs and WordPress under the same httpd user...

    Yeah best to just not even have it on the same system. Root it for all I care 😂

    I could settle for separate docker containers not linked to the same DB though.

    Thanked by 3: dahartigan, adly, ariq01
  • @jar said:

    @dahartigan said:

    @jar said:
    I use WordPress but it's not connected in any meaningful way to anything of value, so long as anything unexpected is removed extremely quick so as to not be able to trick a user into a compromising situation (like a false login form). If he's using WP as well I'd expect a similar scenario. WP is fine, so long as it's never connected to client data.

    WP always being a reasonable assumption when a site is compromised.

    The user account tends to become compromised, so unless they run whmcs and WordPress under the same httpd user...

    Yeah best to just not even have it on the same system. Root it for all I care 😂

    Jesus haha running WordPress as root for lols?

  • jar Patron Provider, Top Host, Veteran

    @dahartigan said:

    @jar said:

    @dahartigan said:

    @jar said:
    I use WordPress but it's not connected in any meaningful way to anything of value, so long as anything unexpected is removed extremely quick so as to not be able to trick a user into a compromising situation (like a false login form). If he's using WP as well I'd expect a similar scenario. WP is fine, so long as it's never connected to client data.

    WP always being a reasonable assumption when a site is compromised.

    The user account tends to become compromised, so unless they run whmcs and WordPress under the same httpd user...

    Yeah best to just not even have it on the same system. Root it for all I care 😂

    Jesus haha running WordPress as root for lols?

    Nah, but might as well if it's the only thing on the system anyway lol

    Thanked by 1: dahartigan
  • @deank said:

    @dahartigan said:
    unless they run whmcs and WordPress under the same httpd user...

    Nah, not possible. Only a dumb kid does that.

    Shots fired haha

  • @jar said:

    @dahartigan said:

    @jar said:

    @dahartigan said:

    @jar said:
    I use WordPress but it's not connected in any meaningful way to anything of value, so long as anything unexpected is removed extremely quick so as to not be able to trick a user into a compromising situation (like a false login form). If he's using WP as well I'd expect a similar scenario. WP is fine, so long as it's never connected to client data.

    WP always being a reasonable assumption when a site is compromised.

    The user account tends to become compromised, so unless they run whmcs and WordPress under the same httpd user...

    Yeah best to just not even have it on the same system. Root it for all I care 😂

    Jesus haha running WordPress as root for lols?

    Nah, but might as well if it's the only thing on the system anyway lol

    I'm not gonna lie, I run a "few" things under such circumstances just fine, but they aren't business apps.

    Thanked by 1: jar
  • jar Patron Provider, Top Host, Veteran

    @deank said:
    I generally do not like the silent type when a disaster strikes tho.

    A good admin will usually talk after going over it all. A rare exception being my chat because talking to myself as I do it is a weird way I sort my thoughts.

    Thanked by 3: dahartigan, adly, skorous
  • dahartigan Member
    edited August 2021

    @jar said:

    @deank said:
    I generally do not like the silent type when a disaster strikes tho.

    A good admin will usually talk after going over it all. A rare exception being my chat because talking to myself as I do it is a weird way I sort my thoughts.

    I've had a few "personal" issues with Dom (a long time ago by now) but I understand he has a reputation as an excellent admin, so it's likely top of his mind already.

    Thanked by 1: jar
  • @deank said: Yeah, the guy posted in haste but deleted his post content, saying he was mistaken.

    It's not that it was a mistake, but that I first wanted to notify the provider himself about the incident.

  • Clouvider Member, Patron Provider

    Good Evening,

    At approximately 20:30 today (UK/London Time) we were made aware that one of our websites had been defaced, we are still currently investigating this and will release a full statement when we have concluded our investigations.

    We would like to assure you that the targeted website clouvider.net holds no Customer data, it was simply a redirect to clouvider.co.uk with a minimal file structure and has no other function or access to any other services.

    All of the subdomains for clouvider.net that are connected with functional internal infrastructure servers are completely separate and in no way impacted by this.

    A more detailed statement will follow at the appropriate time.

  • Hotmarer Member
    edited August 2021

    Course of events:
    1. I browse LET for offers, I come across an offer from Clouvider, I find a serious bug on their website which allows general access to everything.
    2. I am browsing other hosts/domains and I notice that someone was faster and there was a hack.
    3. I create a LET post thinking that the .net domain is the main domain. I don't notice that the .com domain is still working.
    4. I delete the content of the post, write a message to Clouvider asking for contact (so far I am waiting for contact).
    5. Moderator gives me a warning and removes the post at my request.

  • deank Member, Troll

    @Clouvider said:
    Good Evening,

    At approximately 20:30 today (UK/London Time) we were made aware that one of our websites had been defaced, we are still currently investigating this and will release a full statement when we have concluded our investigations.

    We would like to assure you that the targeted website clouvider.net holds no Customer data, it was simply a redirect to clouvider.co.uk with a minimal file structure and has no other function or access to any other services.

    All of the subdomains for clouvider.net that are connected with functional internal infrastructure servers are completely separate and in no way impacted by this.

    A more detailed statement will follow at the appropriate time.

    Phew, customers' sexual orientation data is safe!

    Praise the Moon!

    Ph!

    Thanked by 1: bdl
  • Hotmarer Member
    edited August 2021

    @Clouvider said:
    Good Evening,

    At approximately 20:30 today (UK/London Time) we were made aware that one of our websites had been defaced, we are still currently investigating this and will release a full statement when we have concluded our investigations.

    We would like to assure you that the targeted website clouvider.net holds no Customer data, it was simply a redirect to clouvider.co.uk with a minimal file structure and has no other function or access to any other services.

    All of the subdomains for clouvider.net that are connected with functional internal infrastructure servers are completely separate and in no way impacted by this.

    A more detailed statement will follow at the appropriate time.

    But could you contact me? Because I still have access to your GitHub and LibreNMS. You have saved access tokens in your GitHub repositories. So it turns out it's a different leak/bug.

    Edit: Contact established

  • @Hotmarer said:

    @Clouvider said:
    Good Evening,

    At approximately 20:30 today (UK/London Time) we were made aware that one of our websites had been defaced, we are still currently investigating this and will release a full statement when we have concluded our investigations.

    We would like to assure you that the targeted website clouvider.net holds no Customer data, it was simply a redirect to clouvider.co.uk with a minimal file structure and has no other function or access to any other services.

    All of the subdomains for clouvider.net that are connected with functional internal infrastructure servers are completely separate and in no way impacted by this.

    A more detailed statement will follow at the appropriate time.

    But could you contact me? Because I still have access to your GitHub and LibreNMS. You have saved access tokens in your GitHub repositories. So it turns out it's a different leak/bug.

    Edit: Contact established

    You are a great person Hotmarer. Not only ticket/mail, but you even "bumping" it here. This thing just made me happier, thank you.

    Thanked by 1: Hotmarer
  • So a great provider on LET was hacked. So much professionalism. Drama continues.

  • Levi Member

    @Hotmarer said: 5. Moderator gives me a warning

    For what exactly did you receive a warning?

    Thanked by 1: adly