GVH Password Reset?
This discussion has been closed.
Comments
As you are aware, GreenValueHost experienced issues in the past 24 hours where multiple password resets were sent to customers. We apologize for the flurry of emails.
GreenValueHost was NOT hacked; there wasn't a security compromise either. Customers are safe and secure.
What happened involves the WHMCS billing panel.
Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules. Yes, we have since added multiple layers of security to protect these files from public access.
A marketing email was pre-written and placed in WHMCS for a 2014 Spring Overstock Sale. The default template was erroneously set to / left at “Automated Password Reset”. WHMCS defaults the default template pull-down option to “Automated Password Reset”.
Marketing emails run from cron.php events. Therefore, when someone accessed the cron.php file it triggered the sending of the marketing email, which was then set as “Automated Password Reset”. This happened a total of 17 times, generating 17 emails per email account.
GreenValueHost debugged this issue by manually running the secured cron.php, analyzing a few emails sent and looking in WHMCS.
We have a ticket with WHMCS which will be appended to reflect the debugging and resolution with recommendations to prevent this in future with other WHMCS users (beyond simply securing said files).
We welcome any customers concerned about the matter or who may be experiencing password problems to submit a ticket.
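One way to check web server logs for the exposure described in the post above, that is, requests for cron.php or /admin that were actually served to outside addresses. This is an added example, not part of the thread and not GVH's or WHMCS's code; the combined log format, the allowlisted networks and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the paths named in the post ("cron.php and /admin").
SENSITIVE = re.compile(r"^/(?:[^?\s]*/)?cron\.php(?:\?|$)|^/admin(?:/|\?|$)")
# Assumption: only the local scheduler and one office range may reach them.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "203.0.113.0/28")]
# Apache/nginx "combined" format: ip, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2000:00:05:01 +0000] "GET /cron.php HTTP/1.1" 200 0 "-" "curl"',
    '198.51.100.7 - - [01/Jan/2000:03:12:40 +0000] "GET /cron.php HTTP/1.1" 200 15 "-" "bot"',
    '198.51.100.7 - - [01/Jan/2000:04:12:41 +0000] "GET /cron.php HTTP/1.1" 200 15 "-" "bot"',
    '192.0.2.44 - - [01/Jan/2000:05:00:00 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "x"',
    '192.0.2.44 - - [02/Jan/2000:05:00:00 +0000] "GET /cron.php HTTP/1.1" 403 199 "-" "x"',
    '203.0.113.5 - - [02/Jan/2000:09:00:00 +0000] "GET /admin/index.php HTTP/1.1" 200 900 "-" "x"',
    '198.51.100.9 - - [02/Jan/2000:09:01:00 +0000] "GET /administrator-guide.html HTTP/1.1" 200 1 "-" "x"',
]

def find_exposed_hits(lines):
    """Return (ip, path, status) for sensitive-path requests from non-allowlisted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if not SENSITIVE.search(path):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname or garbage in the client field
        if not any(addr in net for net in ALLOWED):
            hits.append((ip, path, status))
    return hits

def summarize(hits):
    """Split outside hits into served (script ran / page shown) and denied."""
    served = Counter(ip for ip, _p, status in hits if status < 400)
    denied = Counter(ip for ip, _p, status in hits if status >= 400)
    return served, denied

if __name__ == "__main__":
    served, denied = summarize(find_exposed_hits(SAMPLE_LOG))
    print("served to outsiders:", dict(served))
    print("denied:", dict(denied))
```

After access rules are in place, every outside request should land in the denied counter; any entry in the served counter dated after the fix means the rule is not matching.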
That seems quite believable, but please take it on board that the 'unwanted' attention on these boards IMO, initiated all this further drama. Keep a lower profile and bear in mind some people are keen to see you fail.
Sorry, you can flip this however, but if any person can simply run cron.php from accessing the admin directory, which should be renamed and password protected, even restricted to certain IPs, what makes us confident in letting you store our personal information on your billing panel that wasn't even secure? Which any numbskull could do in 10 min or less following the simple guide WHMCS provided. You say you'll have a lot of experience between your whole team; it just shows how inexperienced you and your team actually are.
Seems legit.
Just one thing though, is it you guys who should have secured those files? If so, why log a ticket with WHMCS? If it is their fault, how come nobody has used this "exploit" on other hosts?
more incompetence from GVH...
...
As you are aware, GreenValueHost experienced issues in the past 24 hours where multiple password resets were sent to customers. We apologize for the flurry of emails.
GreenValueHost was NOT hacked; there wasn't a security compromise either. Customers are safe and secure.
What happened involves the WHMCS billing panel.
Two files: cron.php and /admin were accessible to the public. These should have been secured with additional rules. Yes, we have since added multiple layers of security to protect these files from public access.
A marketing email was pre-written and placed in WHMCS for a 2014 Spring Overstock Sale. The default template was erroneously set to / left at “Automated Password Reset”. WHMCS defaults the default template pull-down option to “Automated Password Reset”.
Marketing emails run from cron.php events. Therefore, when someone accessed the cron.php file it triggered the sending of the marketing email, which was then set as “Automated Password Reset”. This happened a total of 17 times, generating 17 emails per email account.
GreenValueHost debugged this issue by manually running the secured cron.php, analyzing a few emails sent and looking in WHMCS.
We have a ticket with WHMCS which will be appended to reflect the debugging and resolution with recommendations to prevent this in future with other WHMCS users (beyond simply securing said files).
We welcome any customers concerned about the matter or who may be experiencing password problems to submit a ticket.
Thank You
GreenValueHost Team
blindly copying and pasting that without reading the thread...
Indeed. Someone should test whether the scenario is possible or not as it should really require authentication before doing anything.
It is a design fail though. Barring static content, all this stuff should not be in a publicly (or web accessible) folder. It's been common practice to hide db credentials and whatnot outside the web root and that's advice that's been floating about for over a decade.
I just realized that we can no longer petition for a GVH category on LET because http://gvhtalk.com has been created.
I may have to make a donation to the operator(s) of that forum, as long as it's not run by the actual GVH clowns
For the record, Green Value Hosting, Inc/GreenValueHost has no affiliation with gvhtalk.com.
So the petition is still possible?
The soap drama continues!
Ok folks, this is done with, look at the VPSboard thread if you want greater detail, but basically your shit is safe.
If you're concerned about GVH's capability to run a business, CANCEL. If you're not, sit back and enjoy the ride.
Secure your WHMCS, then think about your DMCA takedowns.
Glad no actual 'hack' took place.
@wych Weird thing to do or do you just want traffic?
Don't want to say much, but as far as I know you're not misusing their logo..
Also, don't be afraid of the DMCA takedown, won't work for logos :P
Was bored, and got fed up of these threads so made them their own little heaven.
I'm not worried, I've held sites like that for bigger names than GVH; also it's not their logo as it doesn't contain their slogan.
Sense of humour fail.
If they asked me nicely I would have even transferred the domain to them once possible.
Is GVH a registered company? If not, you can use their name etc whenever you want
According to them yes, but I haven't checked.
It now has all notices they requested and they won't get that domain via DMCA anyways; technically the logo has been changed from their site so they can't use that, and it uses a different style header to the main site so I am not impersonating them.
Also technically it would be the user GreenValueHost not me impersonating them if they wanted to try and take that ground.
Just did a check and Green Value Hosting INC is a registered company, not Green Value HOST
epic, this got better.
Seriously mate, you're taking this a bit too far and it's going to backfire on you. You're getting into boil-your-rabbit territory here.
Quaking in my boots, take it light-heartedly as was meant.
As I have said:
1) If GVH want to ask nicely for the domain name I have no issue handing it over once GD will allow transfer; if they really want, it could be 301'd to their site with no issues.
2) Running to DMCA takedown instead of speaking to me isn't the best way to try and resolve things anyways.
3) All that's on there is an offer thread and a notice that Amazon hit their cronjob; there are no fake reviews, feedback slander or anything.
Whatever... I'll go back to lurking on LET, less email notifications.
Hardly, it's just banter.
Yep, if it was serious it would have SEO done on it
It's an obsession, that's what it is.
Really dude? It's just a bit of a laugh, it's not even on the scale of the stuff Severian pulled the other night.
If anything, you're more obsessed with @wych being obsessed with GVH than he actually is with GVH.
Just ride the bantersaurus with us, let your troubles melt away...
Be careful which one you ride...