GreenValueHost hacked, data stolen
This discussion has been closed.
Comments
@Jack answer this please
From what I see, it's two separate incidents; Jack used it as an opportunity to grab a second copy of the database. I recall a DDoS attack around the same time as the dump.
If you notice, the Russian postings on VPSB appear to be significantly older based on the epoch date for the last entries: "GMT: Sun, 09 Feb 2014 16:23:35 GMT"
The insinuations of a db floating around were made before the dump.sql modification date (which would be its creation date for that kind of file).
@Jack - you've got some explaining to do here... and I suggest you do it pretty damn quickly.
@Jack so which is it? Just happen to find DB or Hack to have it?
@Jack where did you find it?
@WebSearchingPro - when you said timezone offset, do you mean Jack grabbed the dump the same minute it was created?
Correct, a gvh.sql was not to be found; using grep contexts, you randomly guessed on the first try.
Correct.
While I don't know much about @Jack personally, I find it hard to believe anyone who bothered to "hack" GVH would get the DB dump from a server so obviously associated with him. It is an extremely trifling matter to just spin up a quick hourly VPS at any number of providers(see: DO) that don't check up much on client info and pay with a virtual/throwaway card to get a VPS with no association to himself whatsoever.
As I said, I don't know @Jack personally, but I sure hope he isn't this dumb if he did have a hand in it.
Granted, most of the server was deleted, but /root and /usr were still intact; that was likely accidental.
I see, but still, I don't see why anyone would take that risk in the first place, it is really not even slightly hard to grab a throwaway VPS somewhere. Now, if this were a rush job, I suppose I could see it being more likely then. Still really dumb though.
I'd like to mention too that the dump.sql had to have been made from SSH. By the looks of the .bash_history, it was very hectic and rushed for the person, typos and constant checking to see if someone is looking.
Oh yeah, the dump on VPSB is SolusVM - This was WHMCS that you downloaded.
Just to be clear, what you are saying is that:
Someone logged in via SSH, was obviously looking to see if anyone else was logged in, did the dump locally, probably grabbed it with an scp client, then tried to wipe the server with rm -Rf /* assuming any evidence would be removed, but then killed the session (and thus the running process on that tty), meaning logs were left behind as the rm -Rf /* did not finish?
Well, judging by that info and other available info from around here, it sure doesn't look all that good; I still can see it as being something else though. I guess at the very least you can assume it wasn't premeditated, otherwise he (if guilty) would have been better prepared, I'd assume.
From reading the thread:
Dump was downloaded via HTTP as per the logs.
So suggested series of events:
Someone logged in via SSH.
Did the dump.
Downloaded the dump.
Proceeded to RM everything.
Disconnected before it completed.
Why would you really care if anyone found out you did some work for them, sounds like a convenient alibi to me
Seems plausible, however, why would @Jack do so?
My GVH server was wiped like months ago; still to this day I have no clue what happened. Support said it's weird and dunno why it happened. I'm sure it wasn't hacked since I have a gazillion other more important servers with unique randomly generated passwords and running csf on all of them. Luckily I wasn't using the VPS much and it was sitting almost idle most of the time.
I was just making a list of the order things that were reported in the thread for @AnthonySmith.
@Jack That poor lad was talking about suicide because of what happened. If it was you that had been messing with his server you ought to be ashamed of yourself.
Or HTTP; it was dumped in the public_html for easy access. The .bash_history is abnormally short, and they ran a history command in the middle of removing things to check their tracks. Perhaps they ran rm .bash_history before continuing after the dump. Correct, the rm didn't finish before the exit command was executed. Unfortunately /var/log/* was wiped.
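Added example, not code from the thread or from GVH/VPSB: a small Python script for the defender side of the sequence reconstructed above (a dump written into public_html, fetched over HTTP per the access logs, followed by an unfinished rm). It parses combined-format access log lines and reports successful downloads of dump-like files, and it walks a document root looking for stray database exports. The log lines, client addresses, paths and the throwaway document root are all constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions commonly used for database exports; none of these belongs in a web root
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.bz2", ".sql.zip", ".dump")

# Apache/nginx "combined" log format: client, timestamp, request line, status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines (not from the incident): one ordinary page hit,
# one successful download of a dump, one 404 probe for a dump that is not there
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2014:16:20:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2014:16:23:35 +0000] "GET /dump.sql HTTP/1.1" 200 73400320 "-" "Wget/1.14"
198.51.100.4 - - [09/Feb/2014:16:25:02 +0000] "GET /backup.sql.gz HTTP/1.1" 404 210 "-" "curl/7.35"
"""


def is_dump_path(path: str) -> bool:
    """True if the request path (query string stripped) looks like a database export."""
    bare = path.split("?", 1)[0].lower()
    return bare.endswith(DUMP_SUFFIXES)


def find_dump_downloads(log_text: str, min_bytes: int = 1) -> list[dict]:
    """Return successful (2xx) requests for dump-like files with client, time and size.

    Lines that do not parse as combined format are skipped rather than raising,
    because a wiped or partially wiped log is exactly the case this is run against.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_dump_path(m.group("path")):
            continue
        status = int(m.group("status"))
        size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        if 200 <= status < 300 and size >= min_bytes:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": m.group("path"), "bytes": size})
    return hits


def find_dumps_in_webroot(root: Path) -> list[str]:
    """Walk a document root and return dump-like files as paths relative to it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DUMP_SUFFIXES):
                found.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(found)


def demo_webroot_scan() -> list[str]:
    """Build a throwaway document root (constructed) with one stray dump and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hi';")
        (root / "assets").mkdir()
        (root / "assets" / "site.css").write_text("body{}")
        (root / "dump.sql").write_text("-- constructed dump, not real data\n")
        return find_dumps_in_webroot(root)


if __name__ == "__main__":
    for hit in find_dump_downloads(SAMPLE_LOG):
        print(f"dump served: {hit['path']} to {hit['ip']} at {hit['time']} ({hit['bytes']} bytes)")
    print("dumps in web root:", demo_webroot_scan())
```

Run it against a real access log by passing the file contents to find_dump_downloads, and against a real document root by calling find_dumps_in_webroot(Path("/var/www/html")) or wherever public_html lives. The byte count is what makes a hit actionable: a 200 for a multi-megabyte .sql file is a completed exfiltration, whereas a 404 probe only tells you someone was looking.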
Could all be one huge coincidence.
http://greenvaluehost.com/ is up!
Do you still work for Oktay?
so... what's the deal, Jack?
Then I don't really get your point, why would you care now?
Wait wat?? LOL GVH_Tyjon_Alanoslav
Well, we finally got the GVH SolusVM server booted onto a recovery disk, only /dev /proc /sys remain. So nothing to go on there.
GVH will start restoring from backups shortly.