Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


servaRICA Account Compromise
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

servaRICA Account Compromise

Yikes. From servaRICA this morning.


We are sad to inform you that we have identified unauthorized access to the list of our users IP addresses/domain and their initial passwords (the VPS or shared hosting password you get when you first signup with us or when you reinstall through our client area)

What was leaked is the following

1- IP address or hosting account name

2- encrypted VPS or hosting account password

3- VPS internal name

While the passwords in the list are encrypted, the encryption is 2 way and can be reversed which is why we are acting extremely fast to mitigate the security risk.

Since some of our users never change the default password that they get and many don’t use key authentication we decided to immediately change all our users root/Administrator passwords

We did go through all accounts through automated scripts and updated all VPS password that we could.

You can see your new password in your client area

If your password in the client area is still the initial password and you never changed it then please change it ASAP

Regards

servaRICA Team

Comments

  • That looks like a big "oops" right here.. Scary

  • sonicsonic Veteran

    their site was down for more than 24 hours one day ago

  • cochoncochon Member

    @cleverconcierge said:
    Yikes. From servaRICA this morning.


    2- ... or hosting account password

    While the passwords in the list are encrypted, the encryption is 2 way and can be reversed which is why we are acting extremely fast to mitigate the security risk.

    If your password in the client area is still the initial password and you never changed it then please change it ASAP

    I know they e-mail server passwords out after provisioning, but I'm sure I generated the account password when I signed up. I always like to think the password would be hashed at that point, the plain text tossed, and thus be irretrievable. Seems maybe not here.

    Fortunately I always sign up with a transient/temporary password, just in case of this kind of scenario, it's scary how often a password you've offered is then e-mailed back to you via SMTP (and amazing how many don't then change it), or as in this case seemingly, stored in a reversible way.

    Though even that precaution doesn't always work well, as the recent HostVDS flash in the pan demonstrated, their control panel doesn't even have the facility to change your account password at all.

  • defaultdefault Veteran

    I always change the default password.

  • raindog308raindog308 Administrator, Veteran

    What is “2 way” encryption?

    I assume “1 way” is a hash. 2 way is...double ROT13?

    Thanked by 2Shot2 TimboJones
  • d2411d2411 Member

    Ohhhhh yes. Thats a good question. :)

    I ve got the same mail.

  • edited July 2020

    So which provider wants to drop a plan to compete with their horsestorage plan for those of us looking to jump ship?

    • Edited because I was a prick the first time around.
  • @cleverconcierge said:
    So which provider wants to drop a "dump servaRICA" storage plan?

    That would be pretty disrespectful..... :/

    Thanked by 1Aidan
  • @raindog308 said:
    What is “2 way” encryption?

    I assume “1 way” is a hash. 2 way is...double ROT13?

    1 way 2 times. So hashing a hashed password

  • @seriesn said:
    That would be pretty disrespectful..... :/

    Yeah, that came out wrong. I'll edit the post to more clearly reflect what I meant.

    Thanked by 2seriesn Aidan
  • I just assumed that "2-way encryption" implied normal encryption (because some people seem to refer to hashing as "1-way encryption" for whatever reason).

    Not sure what that password is used for besides the initial root password? I change the root password on every new server anyways, so this really didn't affect my server.

    I'm also curious as to what part of their infrastructure was compromised for this information to be leaked, since it doesn't seem to be their actual client area.
    An Excel file on an open Windows share?

  • XsltelXsltel Member, Host Rep
    edited July 2020

    @Decicus said: I'm also curious as to what part of their infrastructure was compromised for this information to be leaked, since it doesn't seem to be their actual client area. An Excel file on an open Windows share?

    Are they using their module Xenica
    https://servarica.com/clients/cart.php?gid=26
    to manage their clients VMs ?

    If so I will assume someone decrypted their module. found a bug and exploited it. though this is just pure speculation.

    Also, WHMCS saves Cpanel passwords/modules passwords in a 2-way encryption method. so the admin can see the password for maintenance. (however, hash won't get decrypted without admin access or configuration.php CC_HASH access).

    Thanked by 1Decicus
  • @Xsltel said:
    Are they using their module Xenica
    https://servarica.com/clients/cart.php?gid=26
    to manage their clients VMs ?

    If so I will assume someone decrypted their module. found a bug and exploited it. though this is just pure speculation.

    Yep, look like it. You might be onto something.

    @Xsltel said: Also, WHMCS saves Cpanel passwords/modules passwords in a 2-way encryption method. so the admin can see the password for maintenance. (however, hash won't get decrypted without admin access or configuration.php CC_HASH access).

    Good to know. Thanks for the insight :)

  • We can always call @servarica_hani to join the conversation

  • servarica_haniservarica_hani Member, Patron Provider

    Hi All,

    Just to answer your questions here about what happened the issue is pure human error.
    One of the admin did something he should have not done which caused the leak

    I believe it is big "oops" on our side as @t0ny0 said.
    Throughout the last 10 years our main security concern is to prevent hackers from hacking our system . We have never focus on the bigger issue which is our own mistakes

    We are a team of 5 who are very active , 2 of us are developers and we do many experiments . When you do many stuff you are bound to do 1 costly mistake and being in the industry for 10 years the issue will happen eventually

    We have always depended on the fact that the team is experienced enough to not do security mistakes which proved to be wrong

    We have never considered that scenario and we had zero checks on what we do and what we leave behind .

    So actually while i am speaking now we are shifting our attention to do checks on us to make sure error of this kind will not occur again

    For the 2 way encryption it is just normal encryption I added the 2 way to it to make sure that users understand that it can be reversed and it is not just hashes that was leaked

    Xenica module is fine , the issue is not related to it at all. plus we have been in a lot of discussions lately internal to open source it (not free but open source) (actually there is already some older versions of it decrypted on the internet in some null sites )

    Thanks
    Hani

  • ben47955ben47955 Member
    edited July 2020

    @servarica_hani said: Just to answer your questions here about what happened the issue is pure human error.

    One of the admin did something he should have not done which caused the leak

    I believe it is big "oops" on our side as @t0ny0 said.

    Throughout the last 10 years our main security concern is to prevent hackers from hacking our system . We have never focus on the bigger issue which is our own mistakes

    We are a team of 5 who are very active , 2 of us are developers and we do many experiments . When you do many stuff you are bound to do 1 costly mistake and being in the industry for 10 years the issue will happen eventually

    Developing in production ? Sound nice.

    Thanked by 1ViridWeb
  • Tr33nTr33n Member

    @ben47955 said: Developing in production ? Sound nice.

Sign In or Register to comment.