servaRICA Account Compromise
Yikes. From servaRICA this morning.
We are sad to inform you that we have identified unauthorized access to the list of our users' IP addresses/domains and their initial passwords (the VPS or shared hosting password you get when you first sign up with us or when you reinstall through our client area).
What was leaked is the following:
1- IP address or hosting account name
2- encrypted VPS or hosting account password
3- VPS internal name
While the passwords in the list are encrypted, the encryption is 2 way and can be reversed, which is why we are acting extremely fast to mitigate the security risk.
Since some of our users never change the default password that they get and many don’t use key authentication, we decided to immediately change all our users' root/Administrator passwords.
We did go through all accounts through automated scripts and updated all VPS passwords that we could.
You can see your new password in your client area
If your password in the client area is still the initial password and you never changed it then please change it ASAP
Regards
servaRICA Team
Comments
That looks like a big "oops" right here.. Scary
Their site was down for more than 24 hours one day ago.
I know they e-mail server passwords out after provisioning, but I'm sure I generated the account password when I signed up. I always like to think the password would be hashed at that point, the plain text tossed, and thus be irretrievable. Seems maybe not here.
Fortunately I always sign up with a transient/temporary password, just in case of this kind of scenario, it's scary how often a password you've offered is then e-mailed back to you via SMTP (and amazing how many don't then change it), or as in this case seemingly, stored in a reversible way.
Though even that precaution doesn't always work well, as the recent HostVDS flash in the pan demonstrated, their control panel doesn't even have the facility to change your account password at all.
I always change the default password.
What is “2 way” encryption?
I assume “1 way” is a hash. 2 way is...double ROT13?
Ohhhhh yes. That's a good question.
I've got the same mail.
So which provider wants to drop a plan to compete with their horsestorage plan for those of us looking to jump ship?
That would be pretty disrespectful.....
1 way 2 times. So hashing a hashed password
Yeah, that came out wrong. I'll edit the post to more clearly reflect what I meant.
I just assumed that "2-way encryption" implied normal encryption (because some people seem to refer to hashing as "1-way encryption" for whatever reason).
Not sure what that password is used for besides the initial root password? I change the root password on every new server anyways, so this really didn't affect my server.
I'm also curious as to what part of their infrastructure was compromised for this information to be leaked, since it doesn't seem to be their actual client area.
An Excel file on an open Windows share?
Are they using their module Xenica
https://servarica.com/clients/cart.php?gid=26
to manage their clients' VMs?
If so, I will assume someone decrypted their module, found a bug and exploited it, though this is just pure speculation.
Also, WHMCS saves cPanel passwords/module passwords in a 2-way encryption method, so the admin can see the password for maintenance. (However, hash won't get decrypted without admin access or configuration.php CC_HASH access.)
Yep, looks like it. You might be onto something.
Good to know. Thanks for the insight
We can always call @servarica_hani to join the conversation
Hi All,
Just to answer your questions here about what happened: the issue is pure human error.
One of the admins did something he should not have done, which caused the leak.
I believe it is a big "oops" on our side, as @t0ny0 said.
Throughout the last 10 years our main security concern is to prevent hackers from hacking our system. We have never focused on the bigger issue, which is our own mistakes.
We are a team of 5 who are very active, 2 of us are developers and we do many experiments. When you do many stuff you are bound to make 1 costly mistake, and being in the industry for 10 years the issue will happen eventually.
We have always depended on the fact that the team is experienced enough to not make security mistakes, which proved to be wrong.
We have never considered that scenario and we had zero checks on what we do and what we leave behind.
So actually while I am speaking now we are shifting our attention to do checks on us to make sure errors of this kind will not occur again.
For the 2 way encryption, it is just normal encryption. I added the 2 way to it to make sure that users understand that it can be reversed and it is not just hashes that were leaked.
Xenica module is fine, the issue is not related to it at all. Plus we have been in a lot of discussions lately internally to open source it (not free but open source) (actually there are already some older versions of it decrypted on the internet in some null sites).
Thanks
Hani
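The difference discussed in this thread between reversible ("2 way") encryption and a one-way password hash, as an added example that is not part of the original thread or servaRICA's code. The keystream function is a toy stand-in for a real cipher such as AES, used only so the example runs with the Python standard library; all names, keys and passwords are constructed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # work factor for the one-way hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter keystream (assumption: stands in for AES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(key: bytes, password: str) -> bytes:
    # "2 way": needed when the panel must show the initial password again.
    nonce = secrets.token_bytes(16)
    data = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_reversible(key: bytes, record: bytes) -> str:
    # Anyone holding the key turns the stored record back into the password.
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def hash_password(password: str) -> bytes:
    # "1 way": a salted, slow hash; the password itself is never stored.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(record: bytes, candidate: str) -> bool:
    # The only operation a hash supports: check a candidate, never recover.
    salt, digest = record[:16], record[16:]
    check = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, check)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed key
    rec = encrypt_reversible(key, "Initial-Pw-Example-1")  # constructed password
    print(decrypt_reversible(key, rec))    # plaintext comes back
    h = hash_password("Initial-Pw-Example-1")
    print(verify_password(h, "Initial-Pw-Example-1"), verify_password(h, "guess"))
```

With reversible storage the confidentiality of every stored password rests on the key, so the key has to be kept apart from the encrypted list.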
One of the admins did something he should not have done, which caused the leak.
Throughout the last 10 years our main security concern is to prevent hackers from hacking our system. We have never focused on the bigger issue, which is our own mistakes.
Developing in production? Sounds nice.