DigitalOcean might be compromised...
Early Sunday morning I was notified by DigitalOcean support that one of my database servers had been shut down by support because they had received several abuse complaints regarding traffic originating from the machine and they surmised that it had been compromised. Upon inspection of a snapshot of the system I discovered that root access via password was enabled over SSH because of a problem with my automated configuration scripts and that my system had in fact been successfully accessed through that method from an IP address which was not mine (it was actually another of DigitalOcean's IP addresses)...
Link to full article
http://badassrockstartech.com/digitalocean-root-vulnerability-in-the-wild
Comments
I keep seeing words like "I", "me", "my"..... how is this a DigitalOcean issue?
Dunno why but @Raymii only took like 1/7 of the text
It is a quotation. I've added a big notice that the full article is linked...
Interesting. Basically, someone guessed his 12-character password with only one failed attempt and he's wondering how.
Wow, talk about sensationalist drivel. The guy probably runs Windows and is backdoored.
Title of his blog post "DigitalOcean Root Vulnerability in the Wild"
ROFL
Have a blog with a minimal template; check
Have it running on RoR; check
Use obscure hipstershit while using the slogan "Attempting to undo the damage of code hipsterism"; check
I think we can all agree that this guy does not seem to be the sharpest knife in the box.
Read the article, he runs clean Ubuntu
@BronzeByte read the article, guy still comes off as a novice.
"(Credit goes to Matthew Panaro for helping me work through the security analysis Sunday morning; his security expertise was instrumental in diagnosing the situation and responding to it quickly.)"
Give me a break.
And FWIW, yes, DO does suck as far as emailing the password in clear text -- and they definitely store it, since when you issue a rebuild you don't get a new one. I still doubt this guy -- if there were an issue we'd know soon enough, with thousands of compromised VMs.
He did get $10 so I think he's not alone and DO wants to silently patch this before saying anything (if they do)
Let's see, I've rebuilt at least 20-30 times on DO and still have a few VMs running from some QA work I was doing.
badassrockstartech.com, site seems to be down?
Edit: it's back up now.
+1! Other than that, I just got nauseous while reading the article.
Also, only an idiot would keep the auto-generated password and not change it.
Damn, this crap reached ycombinator u_u
I always thought sending the root password in the clear was a feature. It is a very blatant message that "you should change this."
The first two things that I do after getting an account is 1) change the root password and 2) change the account password. This is since both are typically sent in the clear and are only useful for getting things started.
Of course 3 and 4 involve setting up keys and turning off password auth, but that's another story.
The blog post simply points to the lack of security and server administration knowledge that the blogger has.
+1
Bad Ass Rockstar Tech
Have it running on RoR; check
Actually, it's a hosted blog service I believe.
Honestly, if you're going to do this in the first place, just generate a random password and email it to me, then let me change my password....
Really, you shouldn't receive a password in the first place. Just a link that allows you to set a password would be good.
Recently there was an SSH exploit, maybe it's related. Btw, you should always disable password authentication and use SSH keys.
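The checklist a few posts up (change the root password, set up keys, turn off password auth), the advice just above to disable password authentication, and the article's own finding that a provisioning-script problem left password root login enabled over SSH all come down to two sshd_config keywords. The following is an added example, not code from this thread, the article or DigitalOcean: a POSIX shell lint of an sshd_config that mirrors OpenSSH's first-occurrence-wins rule, run against two constructed sample files. The function names, the sample configs and the temporary directory layout are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint an sshd_config for the two settings the
# posters above care about. OpenSSH honours the FIRST occurrence of a keyword, so a
# "PermitRootLogin no" appended by a provisioning script does nothing if an earlier
# "PermitRootLogin yes" is still in the file; the lint mirrors that rule.

# effective_value FILE KEYWORD: print the first non-comment value for KEYWORD
# (keyword match is case-insensitive, as in sshd), or nothing if it is never set.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        { gsub(/=/, " ") }                       # sshd also accepts Keyword=value
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_sshd_config FILE: return 0 only if root cannot log in with a password and
# password authentication is off. Both keywords must be set explicitly, because
# their defaults differ between OpenSSH versions.
check_sshd_config() {
    file="$1"
    status=0
    root=$(effective_value "$file" PermitRootLogin)
    pass=$(effective_value "$file" PasswordAuthentication)
    case "$root" in
        no|prohibit-password|without-password) ;;
        "") echo "FAIL: $file: PermitRootLogin not set (default depends on version)"; status=1 ;;
        *)  echo "FAIL: $file: PermitRootLogin is '$root' (root can log in with a password)"; status=1 ;;
    esac
    case "$pass" in
        no) ;;
        "") echo "FAIL: $file: PasswordAuthentication not set (defaults to yes)"; status=1 ;;
        *)  echo "FAIL: $file: PasswordAuthentication is '$pass'"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: $file: key-only logins, no password root login"
    return "$status"
}

# make_samples: write two constructed sample configs (not real server files) into a
# temporary directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/bad_sshd_config" <<'EOF'
# Constructed: the kind of file a buggy provisioning script can leave behind.
# The hardened values were appended below the defaults they were meant to
# replace, so sshd ignores them.
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
    cat > "$dir/good_sshd_config" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    echo "$dir"
}

# Demo run when executed directly.
samples=$(make_samples)
check_sshd_config "$samples/bad_sshd_config" || echo "(expected: the appended 'no' lines never took effect)"
check_sshd_config "$samples/good_sshd_config"
rm -rf "$samples"
```

On a live host the authoritative check is `sshd -T`, which prints the effective configuration after Include files and Match blocks are resolved; this script reads a single file and ignores both, so treat it as a pre-deploy lint for the config your provisioning scripts write, not as a substitute for `sshd -T`. Requiring both keywords to be present explicitly is deliberate: the PermitRootLogin default changed between OpenSSH releases, so an absent keyword tells you nothing about what a given image will do.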
@gnugeek What ssh exploit? If there was one serious enough to allow a random user to completely compromise a box, especially the version running on DO (and I'm sure many other) default images, I'm fairly sure we'd be hearing about it a little more.
It's related to libkeyutils.
"old" news
http://www.webhostingtalk.com/showthread.php?t=1235797
And imho, there is no exploit, but a backdoor possibly related to another vuln.
Try to read here also: http://www.digitaloceanstatus.com/
This is what we currently do. Don't even allow users to enter a password at the initial order screen.
Problem is with SolusVM, WHMCS and SolusVM/WHMCS integration. Maybe when you finish your panel it would work
Hmmm
Sounds sad...
Edit: there is already a thread for this :O
@joepie91
Ah, never heard of, but RoR is cancer.
How do you want a host to send you your initial login credential? An encrypted file that can only be opened using either a fingerprint, an eye scan or a DNA scan?
https://www.23andme.com/
I want to buy it by the way....
/derailing
/ontopic
Probably he thought that the DO panel asked for a password when you create your VM, but no, it doesn't.
There's no need for such a ridiculing response. Several alternative options have already been mentioned in the thread.