DigitalOcean might be compromised...

Raymii Member
edited March 2013 in General
Early Sunday morning I was notified by DigitalOcean support that one of my database servers had been shut down by support because they had received several abuse complaints regarding traffic originating from the machine and they surmised that it had been compromised. Upon inspection of a snapshot of the system I discovered that root access via password was enabled over SSH because of a problem with my automated configuration scripts and that my system had in fact been successfully accessed through that method from an IP address which was not mine (it was actually another of DigitalOcean's IP addresses).......

Link to full article

http://badassrockstartech.com/digitalocean-root-vulnerability-in-the-wild
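The first thing a responder wants from a snapshot like the one described above is the sshd entries in auth.log: which logins succeeded with a password, for which user, from where, and how many failures preceded them from the same source. The following is an added example, not code from the blog post, the thread or DigitalOcean. The log lines are constructed (documentation-range IPs, a hypothetical host "db1"); the regex matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <port>" message format.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the incident). The IPs are
# RFC 5737 documentation addresses, not DigitalOcean's.
SAMPLE_AUTH_LOG = """\
Mar 17 03:12:01 db1 sshd[2210]: Failed password for root from 203.0.113.7 port 51514 ssh2
Mar 17 03:12:04 db1 sshd[2210]: Accepted password for root from 203.0.113.7 port 51514 ssh2
Mar 17 03:12:04 db1 sshd[2210]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 17 03:40:55 db1 sshd[2390]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: RSA SHA256:abc
Mar 17 04:01:10 db1 sshd[2455]: Failed password for invalid user admin from 192.0.2.9 port 3333 ssh2
Mar 17 04:01:12 db1 sshd[2455]: Failed password for invalid user admin from 192.0.2.9 port 3333 ssh2
"""

# Matches OpenSSH's authentication result lines; session/pam lines are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)\sport\s(?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication result line, in log order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def find_password_logins(events, trusted_ips=()):
    """Return successful *password* logins from non-trusted sources, each
    annotated with how many failed attempts the same (ip, user) pair made
    before succeeding. Key-based logins are not reported."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        if e["method"] == "password" and e["ip"] not in trusted_ips:
            hits.append({
                "ts": e["ts"],
                "user": e["user"],
                "ip": e["ip"],
                "failed_before": failures[key],
            })
    return hits


if __name__ == "__main__":
    for h in find_password_logins(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{h['ts']}  {h['user']}@{h['ip']}  failures before success: {h['failed_before']}")
```

On the constructed input this reports a single password login for root from 203.0.113.7 with one prior failure; a low failure count before success is the signal to look for credential reuse or leakage rather than brute force. On a real box, feed it `/var/log/auth.log` (or `journalctl -u ssh`) and pass your own addresses as `trusted_ips`.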


Comments

  • @Raymii said: I discovered that root access via password was enabled over SSH because of a problem with my automated configuration scripts and that my system had in fact been successfully accessed through that method from an IP address which was not mine

    I keep seeing words like "I", "me", "my"..... how is this a DigitalOcean issue?

  • erhwegesrgsr Member
    edited March 2013

    @Damian said: I keep seeing words like "I", "me", "my"..... how is this a DigitalOcean issue?

    Dunno why but @Raymii only took like 1/7 of the text

  • @BronzeByte said: Dunno why but @Raymii only took like 1/7 of the text

    It is a quotation. I've added a big notice that the full article is linked...

  • Interesting. Basically, someone guessed his 12-character password with only one failed attempt and he's wondering how.

  • Wow, talk about sensationalist drivel. The guy probably runs Windows and is backdoored.

    Title of his blog post "DigitalOcean Root Vulnerability in the Wild"

    ROFL

  • Have a blog with a minimal template; check
    Have it running on RoR; check
    Use obscure hipstershit while using the slogan "Attempting to undo the damage of code hipsterism"; check

    I think we can all agree that this guy does not seem to be the sharpest knife in the box.

  • @unused said: Wow, talk about sensationalist drivel. The guy probably runs Windows and is backdoored.

    Read the article, he runs clean Ubuntu

  • @BronzeByte read the article, guy still comes off as a novice.

    "(Credit goes to Matthew Panaro for helping me work through the security analysis Sunday morning; his security expertise was instrumental in diagnosing the situation and responding to it quickly.)"

    Give me a break.

    And FWIW, yes DO does suck as far as emailing password in clear text -- and they definitely store it since when you issue a rebuild you don't get a new one. I still doubt this guy -- if there is an issue we'd know soon enough with thousands of compromised vms.

  • @unused said: I still doubt this guy -- if there is an issue we'd know soon enough with thousands of compromised vms.

    He did get $10 so I think he's not alone and DO wants to silently patch this before saying anything (if they do)

  • Let's see, I've rebuilt at least 20-30 times on DO and still have a few vms running from some qa work I was doing.

  • earl Member
    edited March 2013

    badassrockstartech.com, site seems to be down?

    -edit
    it's back up now..

  • mpkossen Member
    edited March 2013

    @unused said: And FWIW, yes DO does suck as far as emailing password in clear text -- and they definitely store it since when you issue a rebuild you don't get a new one. I still doubt this guy -- if there is an issue we'd know soon enough with thousands of compromised vms.

    +1! Other than that, I just got nauseous while reading the article.

    Also, only an idiot would keep the auto-generated password and not change it.

  • Damn, this crap reached ycombinator u_u

  • I always thought sending the root password in the clear was a feature. It is a very blatant message that "you should change this."

    The first two things that I do after getting an account are 1) change the root password and 2) change the account password. This is since both are typically sent in the clear and are only useful for getting things started.

    Of course 3 and 4 involve setting up keys and turning off password auth, but that's another story.

    The blog post simply points to the lack of security and server administration knowledge that the blogger has.
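Steps 3 and 4 above (keys, then no password auth) are the ones that would have kept a password-guessing login out, and they are also the steps most easily botched by an automated configuration script, because sshd takes the *first* value it reads for a keyword (sshd_config(5)): a script that appends `PermitRootLogin no` to the end of a file that already says `PermitRootLogin yes` higher up changes nothing. The following is an added example that resolves the effective settings with that first-match rule and audits them; it is not the blogger's script, nor DigitalOcean's image, and the config text is constructed. It stops at the first `Match` block (conditional sections are ignored) and does not handle quoted values; on a real host the authoritative check is `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'`.

```python
import re

# Constructed /etc/ssh/sshd_config in which a (hypothetical) provisioning
# script appended its hardening lines below the distribution defaults.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

# appended by a provisioning script (constructed example)
PermitRootLogin no
PasswordAuthentication no
"""

# Same directives, but the hardening lines come first and therefore win.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Port 22
"""

# Values that count as acceptable for each audited keyword (keywords are
# case-insensitive in sshd_config; values are compared lower-cased).
REQUIRED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
}


def effective_settings(config_text):
    """Resolve the global settings sshd would use: first occurrence of a
    keyword wins, comments are stripped, and parsing stops at the first
    Match block (anything after it is conditional, not global)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config allows "Keyword value" or "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins, later ones ignored
    return settings


def audit(config_text):
    """Return a list of findings for keywords whose effective value is not
    in REQUIRED. An unset keyword is reported too: the assumption here is
    that hardening must be explicit rather than relying on sshd's default."""
    eff = effective_settings(config_text)
    findings = []
    for key, acceptable in REQUIRED.items():
        val = eff.get(key, "<unset>")
        if val.lower() not in acceptable:
            findings.append(
                f"{key} is effectively '{val}'; want one of {sorted(acceptable)}"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

The weak file reports both keywords as effectively `yes` even though `no` appears further down; the fix is to replace the existing line in place (or drop a file into `/etc/ssh/sshd_config.d/` where the `Include` comes first) rather than append, and then confirm with `sshd -T` before restarting.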

  • @gaarai said: The blog post simply points to the lack of security and server administration knowledge that the blogger has.

    +1

  • raindog308 Administrator, Veteran

    Bad Ass Rockstar Tech

  • joepie91 Member, Patron Provider

    @blergh_ said: Have a blog with a minimal template; check

    Have it running on RoR; check

    Actually, it's a hosted blog service I believe.

  • @gaarai said: I always thought sending the root password in the clear was a feature. It is a very blatant message that "you should change this."

    Honestly, if you're going to do this in the first place, just generate a random password and email it to me, then let me change my password....

  • joepie91 Member, Patron Provider

    @compuguy said: Honestly, if you're going to do this in the first place, just generate a random password and email it to me, then let me change my password....

    Really, you shouldn't receive a password in the first place. Just a link that allows you to set a password would be good.

  • Recently there was an SSH exploit; maybe it is related. BTW, you should always disable password authentication and use SSH keys.

  • @gnugeek What ssh exploit? If there was one serious enough to allow a random user to completely compromise a box, especially the version running on DO (and I'm sure many other) default images, I'm fairly sure we'd be hearing about it a little more.

  • Ishaq Member

    It's related to libkeyutils.

  • @nickvanw said: What ssh exploit?

    "old" news
    http://www.webhostingtalk.com/showthread.php?t=1235797
    And imho, there is no exploit, but a backdoor possibly related to another vuln.

  • @compuguy said: Honestly, if you're going to do this in the first place, just generate a random password and email it to me, then let me change my password....

    This is what we currently do. Don't even allow users to enter a password at the initial order screen.

    @joepie91 said: Really, you shouldn't receive a password in the first place. Just a link that allows you to set a password would be good.

    Problem is with SolusVM, WHMCS and SolusVM/WHMCS integration. Maybe when you finish your panel it would work :p

  • yomero Member
    edited March 2013

    Hmmm

    So if you want to enable backups for a $5/mo virtual server, the cost for backups will be $1/mo.

    Sounds sad...

    Edit: there is already a thread for this :O

  • @joepie91
    Ah, never heard of it, but RoR is cancer.

  • seriesn Member
    edited March 2013

    @unused said: And FWIW, yes DO does suck as far as emailing password in clear text

    How do you want a host to send you your initial login credential? An encrypted file that can only be opened using either a fingerprint, an eye scan or a DNA scan?

  • @seriesn said: DNA scan?

    https://www.23andme.com/

    I want to buy it by the way....
    /derailing

    /ontopic

    Probably he thought that the DO panel asked for a password when you create your VM, but no, it doesn't.

  • joepie91 Member, Patron Provider

    @seriesn said: How do you want a host to send you your initial login credential? An encrypted file that can only be opened using either a fingerprint, an eye scan or a DNA scan?

    There's no need for such a ridiculing response. Several alternative options have already been mentioned in the thread.
