New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
PhotonVPS aka Psychz Networks use by default "changeme!@#" pass for all new VPS
TheGreatOakley
Member
Had a call recently with this provider for fun (seems like they outsource all support to India). Explained that they have shitty security practices and should not have the same default pass on every machine (tested all regions).
The answer was basically — "Hmphm, please open the ticket if you want non-default root password, before ordering" LMAO WHAT.
Either way I used many providers and this is first time seeing this. They don't even acknowledge that this is bad.
inb4 use SSH keys
Comments
@PhotonVPS
Maybe the problem will just cure itself as there's probably like 6 kiddies scanning their ranges right now for systems accepting changeme!@#. I mean out of 10 users there's bound to be at least one who's to lazy to changeit!@#.
I think most realistic and worst case scenario you deploy VPS and decide to check it later, because of meeting/eating/going sleep/shitting/what ever.
I do that a lot of times, I reinstall and forget.
at least now chances of my VPS idling are less, I hope someone will make good use of it.
You are a perfect citizen, bless you.
Never underestimate the lazyness of people.
I like my uptime low and my servers all hacked
The last time I experienced this somewhere, keys were required to login, the default password was used VNC console login and sudo. They recommended it be changed.
There can be reasons it be done, not all of them good..
There is a few shitty providers that do this, and when you call them out of it they claim your assertion that this is a risk is absurd. Just nmap their tiny IP space for new 22 listeners and away you go.. you can script it (including the ssh login) with a tiny python tornado script.
They deserve to deadpool.
You should presume that your system has already been compromised and find a new provider, the risk is very real.
That's been my experience with any provider being told that their security practices are shit (in polite terms).
Maybe the following is obvious/not necessary, but this thread is evidence to the contrary so here it is:
Hosts, use it in your automation. Or if you want to copy-pasta, might as well c-p the output of that line instead of some generic shit.
Will tag here @GeoBeo as well. Let's see if they take security seriously or don't give a flying fuck.
Year is 1995.
Oh wait, it is not.
Expired certificates on their apex domain, looking good too.