
Comments
I am so sad I am not a customer of ColoCrossing! Now I don't get to be part of this huge drama!
It's okay, 50% of this thread is just about my quality website anyway
Rubben on his website is "Ruben". Why the extra/lost "b"🤨?
BWAHAHAHAHAHAHAHAA WHAT IS THIS
RU Boob Boob EN
how much coffee is enough for legal fees against francisco dias? @Rubben
$3.50
On the left is RU (Russian), on the right is EN (English).
how to unsee this?
serious
plz
my mental state is worsening
WE NEED REFUGEE DEALS
I'm currently using their atrociously outdated backend for my dedicated server. It looks like only their cloud backend was hacked.
The company that refuses to implement ipv6 has an outdated backend?
Naaaah I don't believe you
For all those that are saying there was no breach, you're wrong.
All 3 of our ColoCrossing VMs (with no important or sensitive data) were breached.
We take several measures to secure our infra, and SSH access was completely disabled externally and only accessible via a WG tunnel. They appeared to actually log in to the servers through VNC, as they were already logged in via the VNC tty.
This is not just a spoof or breach of their email system, they have full access.
Did you leave your VNC password the same?
Did you change your initial root password?
Maybe it's just a rehearsal.
https://colocrossing.com/blog/what-to-learn-from-historys-biggest-data-breaches/
None of my VMs are actually compromised (or seems like, at least there's not a "Contact us" file), and I have quite a few.
You probably left the default root password or qemu-guest-agent installed (from which they could've just reset the password and gotten in).
Yes to VNC, and no to root password being the same. It's also possible they brute-forced VNC with the default password, as they set an 8 char password (which is the max surprisingly).
However, I find this hard to believe, because the Telegram user is the same one claiming to have breached ColoCrossing. I think it's unlikely that they brute-forced VNC only.
This is just a guess but probably they breached the node and accessed each VM on it. Considering the dude's name is ransombot, he could just use a ransomware to modify files in each VPS instead of encrypting everything like a usual ransom bot does.
So probably their nodes are breached also, and they would scan all the files and collect the good shit. Only missing part is whole data getting ransomwared, but probably that's next.
This would suggest they do actually have access to their systems, either WHMCS or Virtualizor, or both. The breacher logged in directly through VNC.
They do have access, I've said that multiple times. I've asked the guy several times about node info and all the IPs matched the VNC IP node.
I'm 99% sure what simply happened in your case is that you haven't removed qemu-guest-agent and prevented it from being installed again, and so they did reset your password and simply VNCd in.
You are right. I didn't read your previous messages.
Can anyone access the Virtualizor? It seems like I can no longer access it...
So, TLDR. I did see if Mr. Biloh commented on this thread and he hasn't, which to me lends credibility to the issue. I have a RackNerd VPS. Does RackNerd use CC (Atlanta)? Can RackNerd be affected by this?
I thought I was the only one who received it!!!
Everyone charge back yesterday
Not financial advice
It’s Memorial Day Weekend in the USA now so it will be interesting to see whether ColoCrossing will be out of office until Tuesday to see the carnage…
RackNerd is not affected by this breach. It’s worth noting that there have been several Virtualizor vulnerabilities floating around as of late (even affecting other providers here, some who haven’t even made statements) - one more recent one being Virtualizor’s support/live chat system being compromised.
For the record, we do not use Virtualizor. Additionally, all of our infrastructure and control panels are managed by us directly, and not by any of our datacenter providers/vendors.
I would likely expect ColoCrossing to release a statement here soon, I can only imagine it must be all hands on deck at the moment to determine and mitigate the cause, etc. Wishing them the best with their recovery and mitigation efforts.
Virtualizor Hall of Vulnerability