Staminus Offline

jonbeard

Who else has been affected by staminus being offline? Even their front facing website is offline: www.staminus.net

https://twitter.com/StaminusComm/status/707928101158694913

DDoS Protection
‏@StaminusComm
We are aware of network impacts. We are working on them. No ETA currently.
7:56 AM - 10 Mar 2016

century1stop

DDoS'ed?

AlexBarakov

It's a pitty. I looked them up today, as I needed DDoS protected US provider and their site didn't even load.

estnoc

Weird,in the morning i saw Incapsula was down,now staminus. Weird stuff

jonbeard

I believe its more of a hardware issue, or announce issues. The ranges that they provided to us went offline, however our own ranges that we have routed with them continued staying online. Its either going to be a provider issue, a fiber cut, or a core router issue. The fact that they havent given much more info besides "we know we are working on it", is a little worrysome. Luckily none of our customers were affected by this, just a few of our internal systems, which were quickly changed over.

jonbeard

Don't get me wrong, Staminus has held themselves up against attacks since we have been a client, however this lack of communication is what is irritating me.

kt

Down for about 10 hours now I think, very odd.

dreadiscool

Update on the situation: Staminus has been hacked, all database info including credit card info has been leaked. They used the same password for every box: St4m|nu5

https://leakforums.net/thread-691896

It is confirmed legit, ticket info of all customers is in there

doghouch

@dreadiscool said:
Update on the situation: Staminus has been hacked, all database info including credit card info has been leaked. They used the same password for every box: St4m|nu5

https://leakforums.net/thread-691896

It is confirmed legit, ticket info of all customers is in there

Edit: crap

dreadiscool

@doghouch said:
You idiot, read the rest of the post

What drugs are you on?
The people on the LF thread saying it's fake just aren't believers, look at the data yourself and confirm it with actual Staminus/Intreppid customers as I did. You'll see it's all true

dreadiscool

I'm no expert in this matter, but will they have to pay any kind of fines since they stored credit card info in plaintext? Someone once mentioned to me that they claimed they were PCI compliant, but I'm not sure if that's true or not

Nyr

I can't see the leak, but they are telling a very different story on Twitter...

https://twitter.com/StaminusComm/tweets

Still partially down. A surprise to see such a kong downtime from them, RFO should be interesting.

dreadiscool

@Nyr said:
I can't see the leak, but they are telling a very different story on Twitter...

https://twitter.com/StaminusComm/tweets

Still partially down. A surprise to see such a kong downtime from them, RFO should be interesting.

http://i.imgur.com/AIEr2Ji.png

A picture for you

Nyr

@dreadiscool said:

I would doubt if the leak is indeed new, but if you're telling other customers have confirmed it...

Very long downtime anyway, I guess they'll lose some important customers over this.

dreadiscool

It has to be fairly recent, because one of their support agents, Bryant Townsend, left the company a few weeks/months ago, and his info doesn't show up on the list of active administrators.

It's not conclusive proof of course, but it's something to consider

Zeast

https://twitter.com/StaminusComm/status/708115383501238272

jonbeard

Confirmed leak, FOR ANY CUSTOMER OF STAMINUS: Have cards shutoff and CHANGE ALL ROOT PASSWORDS INVOLVED WITH STAMINUS. Information below:

A new group known as "FTA" earlier this week has hacked into two large anti-ddos companies known as Staminus and Intreppid. Both companies are hosts of very large companies that lead into smaller companies and game servers. It was noted that "FTA" has leaked all information regarding Staminus, Intreppid and a few other sites. All of the leaked information exposes thousands of clients including owners of: BuyCraft, RamNode, Spigot, MC-Index, Zenoscape and even the KKK which exposes members of the community. The KKK alone are tagged as a terroist organization. Both Staminus, and Intreppid are completely shot to the ground and thousands of clients are furious. All data from the leak contains personal information, passwords, server logins and so much more.

http://hastebin.com/raw/oweyukamuj

["backup01-s3073-cab38-ocloud-irv1" ssh:72.20.52.37]: SAME BOX AS OTHER
["backup01-s3073-cab38-ocloud-irv1"]ssh:72.20.42.226: SAME BOX AS OTHER

dreadiscool

@jonbeard said:
Confirmed leak, FOR ANY CUSTOMER OF STAMINUS: Have cards shutoff and CHANGE ALL ROOT PASSWORDS INVOLVED WITH STAMINUS. Information below:

A new group known as "FTA" earlier this week has hacked into two large anti-ddos companies known as Staminus and Intreppid.

iirc Intreppid is a daughter company of Staminus - they're basically the same thing

jonbeard

In case you guys don't see this in the link I provide:

~[CTRL-H]~ KKK & FRIENDS
This was a real treat and one that completely blindsided our team. After pillaging and generally shitting on
the entirety of Staminus' & co's infrastructure, it was discovered that one of the client box's was housing a real gem.
Yes, that's right, Staminus was hosting the KKK and it's affiliates. An organization legally recognized in some regions
as a terrorist collective. Not that we hold anything against the KKK. Choosing such an awful host as Staminus however is
unforgiveable, and consequently they had to be punished.

:: SNIP ::
    Hello Rachel Pendergraft,

    Your server is complete.

    Here is your server information:

    Administrative IP: 69.197.2.214 (Private Use)
    Protected IP: 69.197.31.193 (Public Use)
    User: root
    Password: TkBNk7TdrSh2Uq42
    Secondary Usable IP's: 69.197.31.193 - 69.197.31.206

    Please remember to not give out your Administrative IP [69.197.2.214]. Only use your Protected IP [69.197.31.193] for public serving services.

    Your protected IP is protected for 30 Gbps or 12 Million Packet Per Second which ever it reaches first. If your attack goes above either one 
    of those your protected IP will be nullrouted for the duration of the attack. If you wish to upgrade at that time 
    please submit a sales ticket requesting a quote.

    Your can reach your cPanel at https://69.197.2.214:2087

    If you have any further questions please do not hesitate to ask us.

    Thank you


    ---
    Thank You
    Intreppid Support |
:: SNIP ::

( ?° ?? ?°)

:: SNIP ::
    Please set the following rDNS pointers:

    69.197.2.214         sv1.harrisonarkansaswebsites.com
    69.197.31.193       kkk.bz
    69.197.31.198       wpmedianetwork.com
    69.197.31.199       kkk.com
    69.197.31.200       kkkradio.com
    69.197.31.201       americanheritagecommittee.com
    69.197.31.205       sotctraininginstitute.com
    69.197.31.206       sotctv.com


    Thank you

PetaByet

@jonbeard said:
Confirmed leak, FOR ANY CUSTOMER OF STAMINUS: Have cards shutoff and CHANGE ALL ROOT PASSWORDS INVOLVED WITH STAMINUS. Information below:

A new group known as "FTA" earlier this week has hacked into two large anti-ddos companies known as Staminus and Intreppid. Both companies are hosts of very large companies that lead into smaller companies and game servers. It was noted that "FTA" has leaked all information regarding Staminus, Intreppid and a few other sites. All of the leaked information exposes thousands of clients including owners of: BuyCraft, RamNode, Spigot, MC-Index, Zenoscape and even the KKK which exposes members of the community. The KKK alone are tagged as a terroist organization. Both Staminus, and Intreppid are completely shot to the ground and thousands of clients are furious. All data from the leak contains personal information, passwords, server logins and so much more.

http://hastebin.com/raw/oweyukamuj

["SPCHECK" spcheck ssh:104.131.132.49 ]:root:St4m|nu5
["VM HOST" cl08-irv1 ssh:72.8.154.8 ]:root:St4m|nu5
["MOTHERLOAD" apitest ssh:69.197.35.134 ]:root:St4m|nu5
["CHATBOT" chatbot ssh:69.197.35.133 ]:root:St4m|nu5
["backup01-s3073-cab38-ocloud-irv1" ssh:69.197.40.229]:root:St4m|nu5
["backup01-s3073-cab38-ocloud-irv1" ssh:72.20.52.37]: SAME BOX AS OTHER
["backup01-s3073-cab38-ocloud-irv1"]ssh:72.20.42.226: SAME BOX AS OTHER
["ams2" ssh:176.56.238.205 ]:root:St4m|nu5
["proxweb" ssh:72.8.128.4]:root:St4m|nu5
["smb01-irv1" ssh:72.8.128.34]:root:St4m|nu5
["kkk" ssh:69.197.31.193]:root:TkBNk7TdrSh2Uq42
["puppet-agent" ssh:199.192.78.210]:root:St4m|nu5

Didn't RamNode switch to Black Lotus?

Looks like the turned back to Staminus.

They are not peering with BL anymore and knowledgebase still mentions Staminus.

Nick_A

PetaByet said: They are not peering with BL anymore and knowledgebase still mentions Staminus.

Correct, we're with Staminus. I'm not aware of any way the leak would directly compromise our customers' information, but we're staying on top of it as much as possible with zero communication from Staminus other than their tweets.

Licensecart

@Nick_A said:
Correct, we're with Staminus. I'm not aware of any way the leak would directly compromise our customers' information, but we're staying on top of it as much as possible with zero communication from Staminus other than their tweets.

I would be very hesitate and change your passwords for any server because their WHMCS information / Database information is in that leak.

Including the cc_encryption_hash which encrypts your card details.

Clouvider

Licensecart said: Including the cc_encryption_hash which encrypts your card details.

and all the other passwords, effectively making the DB useless if not converted to the new hash.

Licensecart

@Clouvider said:
and all the other passwords, effectively making the DB useless if not converted to the new hash.

Well all they need is the database & the whmcs config and when they've put the encryption hash in all the card information will show up on WHMCS.

raindog308

"Not that we hold anything against the KKK."

Hackers are so classy.

Ishaq

The irony.

jonbeard

Ive got a full cab customer that uses Staminus - while he was not affected (because anyone that uses their own IP space didnt go offline), I advised him on a cautionary side to change all of his root passwords regardless.

Best to expect the worse, hope for the best. Be safe than sorry guys!

Several things I want to point out here, the hackers responsible made a statement that the following occurred:

-All credit card information for customers was stored in plain text, which is a PCI Compliance Issue. This right here would be the result of a major class action lawsuit.

-All internal servers utilized the same root password, which is a freaking given that should never happen or occur!

-Expose your power units to WAN scans, to shut down your power remotely. Like what the heck are you thinking?

A lot of this is common-sense when it comes to security. If you want to make sure your systems are secure, contact me and I will put you in touch with people who can evaluate your systems. Unfortunately for Staminus, it is going to be extremely difficult to make a comeback for this, as a security company having this magnitude of a breach. They have customers with highly sensitive and validated environments that cost millions to validate and be complaint and now they’re at risk.

This right here is the quickest way to destroy a multi-million dollar company.

https://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/

AlexBarakov

jonbeard said: -All credit card information for customers was stored in plain text, which is a PCI Compliance Issue. This right here would be the result of a major class action lawsuit.

Everything else can be forgotten and forgiven. This thing here, however, will be the end of them. No matter how rich they are, this lawsuit will bankrupt them. Exactly as you said - they have some clients, who are extremely sensitive and in the same time - powerfull.

MikePT

This is just crazy. Oh god.

estnoc

Oh god. This is crazy. I assume there will be never-ending lawsuit now.

Rhys

Looks like servermania is taking this opportunity to advertise to Staminus clients included in the database dump.

To whom this may concern,

My name is Andrew Horton, Account Manager at ServerMania.com. I’m contracting you today as I’ve heard that you were affected by the Staminus outage and hack that occurred earlier today. We’re a premier Dedicated Server company with services based in New York. We leverage RioRey DDOS Protection appliances on the core of our network with over 200 Gbps of mitigation available covering all 7 layers.

I would like to sit down with you and learn a bit more about your business and how we can service you.

Our company can service your needs in the following ways:
*Intel-Xeon based dedicated servers
*Private VLAN, Switches and Racks
*Standard dedicated 1 Gbps Network for each server
*North American based with true 24/7 Support via E-Mail, Ticket or Telephone
*Industry-Leading SLA
*Dedicated Account Manager
*Thousands of satisfied clients
*Protecting some of the largest DDoS services on the market today!

Let's move quick to avoid unnecessary downtime for your business!

I look forward to speaking with you.

-- 
Andrew Horton, Account Manager, Server Mania
+1.888.237.6637 | +1.716.745.4678 Ext. 608
Skype ID: andrew.servermania
[email protected] | www.servermania.com

Paste w/ headers (Email censored for obvious reasons): https://pste.pw/v/mxJtvsB6VS