My GreenCloud VPS got ransomwared, the entire mothership?
Hello,
I have a GreenCloud VPS virtual house that went offline.
They emailed me leaving me to believe it was the mothership machine disk, but this is not the case.
Mothership EpycSjc2 was infected. I went to my SolusVM to see why the VM was not booting, and when I mounted the rescue CD I saw this. This is an example of /var/log.
When I log in here, someone else recalls the same.
This is dishonest, they sent me this:
Dear valued customer,
We regret to inform you about an unforeseen situation on the EPYCSJC2 node that happened today (October 21st, 2024) leading to unavailability of your services. There was a RAID controller error on the node, which is an extremely rare event and we're working hard to rebuild it which may take up a few hours or days.
We will inform you asap via email once it's completed. We apologize for the inconvenience and thank you for your understanding and patience in this situation.
Sincerely,
Your GreenCloud Team.
So they sent me the above on 21/10 at 3:15 AM US time.
Then the next day, 22/10 at 2:54 AM:
Dear (Customer),
We are reaching out to update you regarding the RAID failure on the node that hosted your VPS. Despite our efforts to restore the RAID, mdadm was unable to scan and assemble it. As a result, we will need to replace the affected drives and reinstall the node.
You have a couple of options moving forward:
- Receive a full refund of your recent payment to your original payment method, or receive account credit.
- Recreate your VPS and extend it for 1 year
We can recreate your VPS on a SolusVM node (instantly) or Virtfusion node. For Virtfusion node, it will include one free backup slot to help protect against issues like this in the future. Please note that it may take 24-48 hours for the Virtfusion node to be ready.
We sincerely apologize for any inconvenience this may have caused.
Best regards,
GreenCloud Team
But when I checked the rescue CD:
They have now deleted the VMs from SolusVM, but the user above was right. I saw the same when mounting the rescue CD. Why did @GreenCloudVPS lie to us?
I just bought another in the 11th birthday sale, but this makes me fearful of using it.
Why the distrustfulness? Seems like a crockpot vendor to make their way like this. This was not the failure of a SWAT card, rather a ransomware. Please be wary.
Poll: Would you trust the host vendor in future, when lied to about ransoms? (50 votes)
- Yes 16.00%
- No 84.00%
Comments
Yes, I feel they lied to us. Why can't they just tell us straight about this issue?
They also removed SJ listing from 'Premium KVM Sale' page
Proof of ransomware?
His YABS result is encrypted and JungleSec has their name plastered everywhere. That seems like a fair assessment.
Take a glance above at the screen blasts.
When your RAID card fails, does it rename the file to [email protected]?
It looks like this:
https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/
The gangsters have just changed to another mail host, but the other poster is right, it is the same. I feel betrayed ( ̄ー ̄)
@NDTN
I apologize for the situation; it is our fault. A few senior technicians and I were on days off after an overloaded week due to our birthday sale with limited access to the system. Initially, the node had its disks become read-only. The technician on that shift booted into a rescue ISO to perform a manual fsck, but it was unsuccessful. He then downloaded the VM images, and I was informed that those images were also broken and unable to boot. The staff decided to email affected customers and reinstall the node. We should have handled this better and are conducting further investigation to ensure it does not happen again.
So, when you caused irreparable damage because of your security problems, you chose to cheat consumers to deal with the problem? It's hard to imagine that this is what a responsible IDC would do.
So nobody at GreenCloud was able to identify the issue, be honest about the ransomware, and update the customer about the security weakness on your side? No update after 2 days? Are you expecting the customer to do his/her own research to find out what's happening?
It is obvious that they are trying to shift the blame from their own inadequate security measures to the accidental failure of the hard drive.
It's not intended as explained. There is a delay because I was away and there is a lack of senior technicians. We have the same security setups across our hundreds of nodes with no issues. This particular node is under investigation for the root cause of it. I will share the details once we have the confirmed information.
You seemed to be hiding a reason. The second letter was sent twenty-four hours after the first.
Before sending those emails to members, I think a senior engineer would check whether someone can read the file contents on the hypervisor.
I stumbled across this document and Low End Talk found out why. It's hard to believe that even a novice computer repairman would miss this, and easily google something like I did.
Good morning, learn what a hardware error is, but not the truth. I'm sorry you didn't mention this before two forum members did. It's a pity, and you have lost face, but this is just my thought: now I cannot trust being surrounded by mountain demons.
Check your upstream, NetActuate, for a supply chain attack? Or is your IPMI open to the outside perimeter? Either USB drive or bad IPMI, but not a SWAT card.
gangsters? which gang?
Can someone explain what mountain demons are
I have two 3-year VPSes at GreenCloud and saw these posts... Will follow to see what's happening.
JungleSec 魍魎 (mountain demons)
Are you running a SuperMicro pizza box with admin/admin?
I didn't expect such an old platform as SolusVM to be hacked.
Hope GreenCloud can honestly announce some details of this security incident.
Sorry for my words, not native.
It's a bad spirit
How can't they find this? Why did a few members make this discovery, not the admins, before 24 hours of sending emails with dishonest remarks?
No Tripwire on the mothership. IPMI likely on an outside IP with admin/admin?
Really sad, the server was perfect before, now my work is gone and I am too slow to make more than weekly offsite.
Now I do not know what is lurking if the host is questionable (・A・)
They must change the IPMI credentials ADMIN/ADMIN on all hundreds of nodes since they have the same security setup.
Not Solus. The JungleSec gangsters use open IPMI, according to the article.
They said the machine was taken offline, but I remembered my Solus bookmark and tried to troubleshoot my disk failure, but found that instead.
It's a slap to be lied to. The machine is on when they said it was off, and my VM is sitting there encrypted, sad, alone and desperate, but it cannot reach the public internet. Just on the VNC console, locked, and grub is with despair when trying to boot.
Before then Green Cloud was fine, now I am a little jaded
they live in the virtual house with the SWAT team
amazing the hissyfits thrown by MJJs when they can't access their VPSes and their PH proxies
I don't understand why you are kicking up such a big fuss.
OP is encrypted, sad, alone and desperate ... with despair when trying to boot
Sorry, I mistranslated. RAID card, not a team. Google got this wrong.
Will you be so mighty on your high horse when your machine is ransomwared? Or take it like a ladyboy and accept the lies?
Did not mean to be a comedian here - I think it's serious that a rather popular virtual housing company became ransomwared, all houses gone on the San Jose mothership, and everyone sits around with thumbs up their asses.
Transfer your service to me if it is not working anymore. Must throw in free iPad.
Restore from backup and move on - rather than abusing randoms on an Internet forum?
Everyone on my node got lies about the mothership being infected. Perhaps we are lucky it is just encrypted and not dumped to the internet?
This seemed serious, but I guess with low end machines, this is expected. I will go back to bare metal servers.
I'm not very familiar with VPS management. I want to know if the attacker can get the plaintext content of my file with this attack method?
This thread is better read while listening to this:
Yes. We were just lucky that they encrypted the machine instead of being interested in the data. You make jokes about data security, and ninja edit to add tears when I reply. Sorry, but this is serious. I had backups, but the lack of disclosure is concerning.
Of course, once they got access, the attacker can read, write, remove, download, and encrypt your files. FYI the attacker encrypted all files on the SJ nodes and appended [email protected] to the file names.
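An added triage helper (not code from this thread, from GreenCloud or from any real tool) for the question raised earlier in the thread, whether a RAID card failure renames files: run against a rescue-mounted copy of the disk, it flags a single contact-address suffix appended to most files as a mass-rename signature and counts unreadable directories separately, since controller faults show up as I/O errors rather than renames. The suffix pattern and the example.invalid address are assumptions, and the sample listing is constructed.

```python
import os
import re
from collections import Counter

# Ransomware typically appends a contact address to every file it encrypts;
# a failing RAID controller produces I/O errors, never consistent renames.
# Assumed pattern: a trailing ".<mailbox>@<domain>" token, brackets optional.
APPENDED_CONTACT = re.compile(r"\.\[?[\w+-]+@[\w-]+(?:\.[\w-]+)+\]?$")

def appended_suffix(path):
    """Return the contact-address suffix appended to a file name, or None."""
    match = APPENDED_CONTACT.search(os.path.basename(path))
    return match.group(0) if match else None

def triage(paths, threshold=0.8):
    """Flag a mass rename: one appended suffix shared by most listed files."""
    counts = Counter(s for s in map(appended_suffix, paths) if s)
    if not counts:
        return {"suffix": None, "ratio": 0.0, "likely_ransomware": False}
    suffix, hits = counts.most_common(1)[0]
    ratio = hits / len(paths)
    return {"suffix": suffix, "ratio": ratio, "likely_ransomware": ratio >= threshold}

def scan_mount(root):
    """Walk a rescue-mounted filesystem; count unreadable dirs as I/O errors."""
    paths, io_errors = [], 0
    def on_error(_err):  # os.walk hands unreadable directories to this callback
        nonlocal io_errors
        io_errors += 1
    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        paths.extend(os.path.join(dirpath, f) for f in files)
    result = triage(paths)
    result["io_errors"] = io_errors  # many errors, no rename signature: suspect hardware
    return result

# Constructed sample listing for a stand-alone run; the address is a placeholder.
SAMPLE_ENCRYPTED = [
    "/var/log/messages.restore@example.invalid",
    "/var/log/syslog.restore@example.invalid",
    "/var/log/auth.log.restore@example.invalid",
    "/var/log/wtmp.restore@example.invalid",
    "/var/log/lastlog.restore@example.invalid",
    "/var/log/README_TO_RESTORE.txt",  # the ransom note itself is left readable
]
SAMPLE_HEALTHY = ["/var/log/messages", "/var/log/syslog", "/var/log/wtmp"]

if __name__ == "__main__":
    print(triage(SAMPLE_ENCRYPTED), triage(SAMPLE_HEALTHY))
```

Point scan_mount at the mount point of the rescue-attached disk (for example a read-only mount under /mnt) to run it over a real filesystem.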
The edit was to make a grammatical change not to "add tears" (whatever the heck that means).
@NDTN disclosed but you weren't happy with the response.
If you've lost trust in your provider, cancel the service and move on (just like everything else in life). The whole point of virtual infrastructure (and backups) is to make this process trivial.