Security breach: haendler.it

Oseri Member

Hello,

Yesterday I received an email from haendler.it (gametownprojects, kts24.com) and it states (according to Google Translate, please forgive me if I misunderstood anything) that on May 1st somebody gained access to its customer database (name, email, street address, phone and password in SHA512), and some data has been erased by the intruder, who is asking for a ransom.

I have a VPS with kts24.com but I have not been able to log into my account (site timeouts). My VPS can be accessed fine and I don't see any evidence of intruders.

Hello @GameTownProjects, when you have a chance, could you please give an update on this issue?

Thanks,

Oseri.


Comments

  • graphic Member

    He's fucked. The attackers deleted also his backups.

  • Neoon Community Contributor, Veteran

    @graphic said:
    He's fucked. The attackers deleted also his backups.

    Usually you set up backups so that the backup server pulls them.
    It's unlikely that the attacker also gets onto the backup machine.

  • ChaosCircle Member
    edited May 2019

    Neoon said: Usually you set up backups so that the backup server pulls them.

    You'd be surprised how many people push backups and screw up this basic task.

  • Yura Member

    What's a backup? Too much jargon on these forums.

  • deank Member, Troll

    Backup is for pussies. Real men take risks and ..., well, tumble hard like the dude (A2).

  • Oseri Member

    @graphic said:
    He's fucked. The attackers deleted also his backups.

    Damn, this looks ugly!

  • Yura Member

    @deank said:
    Backup is for pussies. Real men take risks and ..., well, tumble hard like the dude (A2).

    It's for me?! I only pray to our Lord and Savior @Jesus and he flips the 1's and 0's for me :blush:

  • emgh Member

    Debian? Anyone?

  • Razza Member

    Pushing backups can be OK, e.g. a Borg append-only setup is fine, as you can't nuke the backups unless the backup server gets compromised too.
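
Both backup models argued over above (pull, as Neoon describes, and push into a Borg append-only repository, as Razza describes) come down to what the SSH key on the far end is allowed to do. The following is an added example, not code from any poster or from the host, showing the authorized_keys entry for each model plus a small audit of an existing key file. It assumes OpenSSH's `restrict` option (7.2 or newer), `borg serve --append-only` from Borg 1.1, and the `rrsync` helper that ships with rsync; the key strings, hostnames and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): authorized_keys entries for the two
# backup models discussed above, plus a check for keys that were never
# restricted. Key material, hosts and paths are placeholders.

# Push model, hardened: the production host pushes with a key that the backup
# server forces into "borg serve --append-only", limited to that client's own
# repository path. A compromised client can add archives but cannot prune or
# delete what is already there.
borg_append_only_key() {
  client="$1"
  pubkey="$2"
  printf 'command="borg serve --append-only --restrict-to-path /backups/%s",restrict %s\n' \
    "$client" "$pubkey"
}

# Pull model: the backup server holds the key and logs in to production, where
# the key is forced into a read-only rrsync of one directory. Production has
# no credential for the backup server at all.
rrsync_readonly_key() {
  srcdir="$1"
  pubkey="$2"
  printf 'command="rrsync -ro %s",restrict %s\n' "$srcdir" "$pubkey"
}

# Classify one authorized_keys line. A backup key with no forced command hands
# whoever holds it a full shell on the other side, which is the push setup
# people get wrong.
audit_key_line() {
  case "$1" in
    '#'*|'') echo skip ;;
    *'command="borg serve --append-only'*) echo append-only ;;
    *'command="rrsync -ro'*) echo read-only-pull ;;
    *'command='*) echo forced-command ;;
    *) echo unrestricted ;;
  esac
}

# Count the unrestricted keys in an authorized_keys file.
count_unrestricted_keys() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$(audit_key_line "$line")" = unrestricted ]; then
      bad=$((bad + 1))
    fi
  done < "$1"
  echo "$bad"
}

# Demo with constructed placeholder keys (not real key material).
demo=$(mktemp)
{
  borg_append_only_key node01 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNode01 backup@node01"
  rrsync_readonly_key /srv/vmdata "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPuller backup@backupsrv"
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderLegacy root@oldnode"
} > "$demo"
cat "$demo"
echo "unrestricted keys: $(count_unrestricted_keys "$demo")"
rm -f "$demo"
```

Append-only is not the same as immutable: anyone with a shell on the backup server can still prune, and Borg records deletions attempted through an append-only key in its transaction log so the repository owner can roll them back, which is why the audit treats a key without any forced command as the real problem. The backup server's own management access needs the same kind of restriction, or the pull model's advantage disappears.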

  • RedSox Member
    edited May 2019

    This hoster offered me a personal lite VPS plan, which hadn't been on his site. I was going to take the offer, but now I see the hoster is in trouble. Why so? He was so nice. Why do bad things happen to good people? It's not fair. I want to find the bad guy and punish him so hard. Give him a couple of hits to the ribs, and then to the jaw.

  • HaendlerIT Member, Host Rep

    Hello,

    We are really fucked, that's true, but it seems like most of our customers are still online and he can't get any further control over our servers.
    Currently we are still getting mails with the threat that tomorrow all data will be deleted (which would affect the vServers in the worst case), so we actually wanted to wait a while with a public statement.

    Our team is working nearly 24/7 to secure our infrastructure and bring the important services back online so we can communicate through mail.

    We are trying to keep you all online, but I am not sure how long we need to bring the control panel back online.
    If you need any changes, a reset or VNC access to your server, our support will help you for the time being, but please, please keep in mind that in the current situation some important customers have priority. So an answer can take some time for customers with our cheapest offers.

  • deank Member, Troll

    So, for once, "the end is nigh" truly applies.

  • leang97 Member

    The good thing is, @GameTownProjects is being honest and admits that they are being fucked. Unlike some other suckers that get fucked and still want to hide.

  • Wolf Member

    @leang97 said:
    The good thing is, @GameTownProjects is being honest and admits that they are being fucked. Unlike some other suckers that get fucked and still want to hide.

    lulz. Not on time, and only 'cause they are fucked beyond reasonable doubt. Having lost the panels and losing the servers soon, there is not much left.

    Their website even states that they are restructuring their software, which is why they are currently not available. So... ¯\_(ツ)_/¯

  • Tion Member

    Does this mean if I didn't get an email my data wasn't stolen?

  • HaendlerIT Member, Host Rep

    lulz. Not on time, and only 'cause they are fucked beyond reasonable doubt.

    We sent a mail to all customers as fast as possible. I don't know what others expect, and I am nearly sure that the guys who are flaming would do a much worse job than my team did.

    Their website even states that they are restructuring their software, which is why they are currently not available. So... ¯\_(ツ)_/¯

    At least that's true, since it is possible to bring back our old panel and add the customers ourselves, but we won't do it... We have been planning to change the control panel for a long time, and now we have the chance to do it.

  • solaire Member

    GameTownProjects said: Currently we are still getting mails with the threat that tomorrow all data will be deleted (which would affect the vServers in the worst case), so we actually wanted to wait a while with a public statement.

    Put up a firewall that restricts access to the vServer management interface (and SSH / whatever other management interface) to one single IP until you sort out the security issue. Make sure access from that IP is very limited and that it's not your office IP.
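
One concrete form of the firewall solaire suggests, as an added example that is not from the thread or from the host: an nftables ruleset that accepts the management ports (SSH, Proxmox's 8006, a VNC range) only from a single jump-host address and logs and drops them from everywhere else, while the input policy stays accept so customer traffic is not affected. The address 203.0.113.10, the port list and the table name are assumptions, and the node is assumed to run nftables; `load_ruleset` is the only function that touches the kernel and is not called.

```shell
#!/bin/sh
# Added example (not the host's configuration): nftables rules that expose the
# management plane only to one jump host. 203.0.113.10, the port list and the
# table name are placeholders; the node is assumed to run nftables.

# Emit the ruleset for a given jump-host IPv4 address. The input policy stays
# "accept" so customer-facing traffic is untouched; only the management ports
# are gated. Kept as a function so the text can be checked before loading.
mgmt_ruleset() {
  jump_ip="$1"
  cat <<EOF
table inet mgmt {
  set mgmt_ports {
    type inet_service
    flags interval
    elements = { 22, 8006, 5900-5999 }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    iif lo accept
    tcp dport @mgmt_ports ip saddr $jump_ip accept
    tcp dport @mgmt_ports log prefix "mgmt-drop: " drop
  }
}
EOF
}

# Check the generated text before loading: exactly one accept rule for the
# jump host and one drop rule for the same port set. Returns 0 when both hold.
check_ruleset() {
  rules="$1"
  jump_ip="$2"
  accepts=$(printf '%s\n' "$rules" | grep -c "dport @mgmt_ports ip saddr $jump_ip accept") || true
  drops=$(printf '%s\n' "$rules" | grep -c "dport @mgmt_ports log .* drop") || true
  [ "$accepts" -eq 1 ] && [ "$drops" -eq 1 ]
}

# Apply on the node (needs root and nft): dry-run, drop any previous copy of
# the table so rules are not appended twice, then load. Not called here.
load_ruleset() {
  mgmt_ruleset "$1" > /tmp/mgmt.nft
  nft -c -f /tmp/mgmt.nft || return 1
  nft list table inet mgmt >/dev/null 2>&1 && nft delete table inet mgmt
  nft -f /tmp/mgmt.nft
}

rules=$(mgmt_ruleset 203.0.113.10)
printf '%s\n' "$rules"
check_ruleset "$rules" 203.0.113.10 && echo "ruleset looks sane"
```

Load it from a second session and leave the first one open until you have confirmed you can still get in from the jump host; the `ct state established,related` rule keeps the session you are typing in alive, but it will not help once that session is gone. As written, IPv6 connections to the management ports are dropped; add a matching `ip6 saddr` rule if the jump host reaches the nodes over IPv6.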

  • HaendlerIT Member, Host Rep

    Hello, if I am right he never got any more access than our panel, which was connected to every server :(
    We stopped all the software which is running to communicate between the systems, put the nodes themselves behind a firewall, and now I have been waiting for a while for the hacker to delete all the VPS as announced, but nothing happens.

  • solaire Member
    edited May 2019

    @GameTownProjects said:
    Hello, if I am right he never got any more access than our panel, which was connected to every server :(
    We stopped all the software which is running to communicate between the systems, put the nodes themselves behind a firewall, and now I have been waiting for a while for the hacker to delete all the VPS as announced, but nothing happens.

    Ah, it's a good thing you already put firewalls in place. It sounds plausible that your panel was compromised, but only logs can really tell. If you haven't done so already, also consider increasing the verbosity of your logging on everything. For all we know, it's just a 15-year-old who ran "; OR 1-1" (stupid Cloudflare made me redact this...) in your login field and is spitting out empty threats.

  • Wolf Member

    @Tion said:
    Does this mean if I didn't get an email my data wasn't stolen?

    Yes, most likely at least, as they claimed to have informed all customers and are even forced to do so by law in Europe. The infamous DSGVO leaves little to no choice here, esp. with Art. 33 and Art. 34.

    If they fail to report the breach or do not get in touch with the customers, they might get grabbed by the pussy (no pun, Trump).

    @GameTownProjects

    Chill. This is LET overall and you are neither the first, nor the last it will happen to. Even far bigger companies, from YAHOO (multiple times) to ADOBE, got caught. A little flaming and malicious joy are part of the community, as you know.

    Since we do not know WHAT your team did, we might never know if it was better or worse, but okay. Anyway, I'm curious about the new panel :)

    Besides that, just a friendly reminder that you should still have your Privacy Policy (Datenschutzbestimmungen) accessible on your websites, even if it's just because you still use Google Fonts (lol for DSGVO) and have a mail form.

    And you might also want to force an auto-redirect to the HTTPS version of your pages. I guess this has no prio right now and might only be broken due to the incident.

  • HaendlerIT Member, Host Rep

    Our current websites were made by me last night before I went to bed so that there is anything online at all.

    I see a lot of omissions and mistakes there, but I think it was better to put something online than keep an empty site.

    @Tion Did you ever get an invoice from us? If yes, it seems like we forgot to send the mail to users who disabled the newsletter (or the mail landed in your spam folder).

  • Wolf Member

    @GameTownProjects said:
    Hello, if I am right he never got any more access than our panel, which was connected to every server :(
    We stopped all the software which is running to communicate between the systems, put the nodes themselves behind a firewall, and now I have been waiting for a while for the hacker to delete all the VPS as announced, but nothing happens.

    @GameTownProjects said:
    Our current websites were made by me last night before I went to bed so that there is anything online at all.

    I see a lot of omissions and mistakes there, but I think it was better to put something online than keep an empty site.

    @Tion Did you ever get an invoice from us? If yes, it seems like we forgot to send the mail to users who disabled the newsletter (or the mail landed in your spam folder).

    No offense. I just don't want you to get in trouble with stuff you were forced to rush.

    The only thing left to think about is why you are waiting for the 'hacker' to do something. If you sealed off access to the boxes and swapped keys and passwords (if required / check the logs if they were not removed), there should be no attack surface.

    Overall, I just wish you and your team the best. Get back on your feet and come back stronger than before with new offers. <3 Hope you get at least some rest in the next days.

  • HaendlerIT Member, Host Rep

    We changed everything that can be used to log in; also, he never seems to have got access to our servers themselves... But I can't be 100% sure, so I am not saying that everything is safe.

    Dedicated, colocation and the most important VPS customers are 1000% safe... But I think that did not affect too many customers from here.

    PS: we are not planning to come back with low-end offers in the next weeks or maybe months. First we will make a lot of changes to improve our service and security.

  • digij Member
    edited May 2019

    @GameTownProjects said:
    PS: we are not planning to come back with low-end offers in the next weeks or maybe months. First we will make a lot of changes to improve our service and security.

    Being honest and communicating proactively is the right thing to do - appreciated. Shit happens and it can happen to everyone.

    I have a small VPS with you. For security, I wiped it and shut it down. I hope you keep us posted in the same way you have done so far. When the trouble is over, I hope to get the VPS up and running again. Service has been very reliable so far.

  • HaendlerIT Member, Host Rep
    edited May 2019

    Backups are always great, but a shutdown is unfortunately unfavorable.

    On the one hand it makes it easier for the hacker to access your data, and above all it is not so easy for us to locate and restart the VM.

    I do not think he already got access, but we will see soon:

    (translated from German) Tick tock. The clock is running. Checking your systems and changing passwords won't save you. This time only a few services were down. Tomorrow all systems will be irrevocably destroyed. Your pride will break your neck. You are playing with fire. Pay, or it goes bang.

    Interesting that he assumes we would change the passwords, because we did not do that.
    He said before that we had time until today 15:00 GMT+2. Then he will delete all our data.

    It will take some time to finish the new panel so that the customers can control their servers on their own again. On request Proxmox accounts are available, but keep in mind that we need to search for your server on around 100 nodes (no cluster available, since this was provided by our own software, which I shut down since the hacker got the source code), so it can take a while until we have a list of all existing VPS servers.

    Meanwhile all mails should arrive again. Also our helpdesk should be back online for anybody: https://[email protected]

  • Wolf Member

    lol. That person is just insane. Quite well written in German, without any mistakes. Any ex-employees? ;)

    Mh. Tbh, I'd have probably assumed you already swapped all keys / passwords once it happened, but on the other hand it might not even be required. Maybe he thought he had access but is now blocked by the firewall and wrongly assumes you changed the access details?

    Just -please- save all the logs, mail details, whatever, so you might be able to hold him accountable at a later time. Does he want Bitcoin? Or any other method of payment which can be utilized against him?

  • HaendlerIT Member, Host Rep

    We swapped all keys which were used by our panel or other software and so were stored on any of our servers, but not any of our personal keys or passwords (we checked, of course, whether there were any strange logins through these accounts in the last weeks).

    I am nearly sure he never got SSH access to any other server than our git, but there are no logs from his hack since he deleted all the servers which were used to get access to our database before I could save the logs :(

    Yes, he wanted Bitcoin. A criminal complaint was written together with the notification to the data protection officer of the state of North Rhine-Westphalia yesterday.

  • Mridul Member

    @GameTownProjects said:
    We swapped all keys which were used by our panel or other software and so were stored on any of our servers, but not any of our personal keys or passwords (we checked, of course, whether there were any strange logins through these accounts in the last weeks).

    I am nearly sure he never got SSH access to any other server than our git, but there are no logs from his hack since he deleted all the servers which were used to get access to our database before I could save the logs :(

    Yes, he wanted Bitcoin. A criminal complaint was written together with the notification to the data protection officer of the state of North Rhine-Westphalia yesterday.

    Any info on how they got in?

  • First-Root Member, Host Rep

    Over 100 nodes and no central logging with something like Graylog2? Anyway, all the best.

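
First-Root's point is the one thing in this thread that would have preserved the evidence: the servers the attacker deleted took their logs with them because nothing shipped those logs anywhere else. As an added example, not the host's configuration and not from any poster, the script below generates an rsyslog forwarding fragment for a node that sends everything to a central collector (Graylog or any syslog receiver) over TLS with a disk-backed queue, and rejects the plaintext UDP one-liner that most nodes end up with. rsyslog 8 with the gtls driver is assumed; the collector name, port 6514 and the certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not the host's configuration): generate an rsyslog fragment
# that forwards a node's logs to a central collector over TLS with a disk
# queue, and reject the lossy plaintext variant. Assumes rsyslog 8 with the
# gtls driver; collector name, port and certificate paths are placeholders.

# TLS forwarding with an on-disk queue so nothing is lost while the collector
# is unreachable. Meant for /etc/rsyslog.d/ on every node.
forward_conf() {
  collector="$1"
  port="${2:-6514}"
  cat <<EOF
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/node.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/node-key.pem"
)
*.* action(
  type="omfwd" target="$collector" port="$port" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$collector"
  queue.type="LinkedList" queue.filename="fwd_queue"
  queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
EOF
}

# The one-liner most nodes end up with: UDP, plaintext, no queue, dropped the
# moment the collector hiccups. Here only to show what the check refuses.
weak_forward_conf() {
  echo "*.* @$1:514"
}

# Gate a fragment before rollout: TCP, TLS and a queue are required, and any
# UDP forwarder (new-style or legacy single "@") is refused. Returns 0 for an
# acceptable fragment.
check_forward_conf() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q 'protocol="tcp"' || return 1
  printf '%s\n' "$conf" | grep -q 'StreamDriver="gtls"' || return 1
  printf '%s\n' "$conf" | grep -q 'queue.type="LinkedList"' || return 1
  ! printf '%s\n' "$conf" | grep -Eq 'protocol="udp"|^\*\.\* @[^@]'
}

# Install on a node (needs root): write, syntax-check, reload. Not called here.
install_forward_conf() {
  forward_conf "$1" "$2" > /etc/rsyslog.d/10-forward.conf
  rsyslogd -N1 && systemctl restart rsyslog
}

good=$(forward_conf logs.example.net)
printf '%s\n' "$good"
check_forward_conf "$good" && echo "forward fragment accepted"
check_forward_conf "$(weak_forward_conf logs.example.net)" || echo "weak fragment rejected"
```

The queue matters as much as the transport: with `action.resumeRetryCount="-1"` and a disk-backed queue the node keeps spooling while the collector is down instead of silently dropping. It still only protects what has already left the box, so an attacker with root who stops rsyslogd first still wins; treat forwarding latency as part of the design and alert on any node that goes quiet.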
  • HaendlerIT Member, Host Rep

    @Mridul said:
    Any info on how they got in?

    Yes, we know how the hacker got into our system. In the mail to our customers we also tried to describe it.

    Unfortunately, it is a chain of vulnerabilities that is actually very embarrassing for us.
    Who is responsible is rather less important to us than finding a solution so that something like this cannot go unnoticed in the future (the public security vulnerability that was used is probably already 6 years old).

    @FR_Michael said:
    Over 100 nodes and no central logging with something like Graylog2? Anyway, all the best.

    Unfortunately, yes. Last year we grew from about 10 servers to well over 100, which made our already not really good system absolutely unmanageable.

    We have always had suggestions for improvement that we postponed to the migration to the new panel... now we have the perfect template to rethink everything and take the new panel into operation.
    Currently, two people are working on a concept for managing the vCloud in the future.
