GreenValueHost hacked, data stolen
Comments
Did that happen? I thought it was only some Solus admin accounts
http://prntscr.com/3w1dfu
Jon took a pic of the convo with timestamps. As you can see there is at least a 45-minute delay (perhaps longer, depending on timezones) between his GET request to dump.sql and telling Jon it existed. Between the GET request to dump.sql and telling Jon, the server was partly rm -rf'd (all of /var/log, /etc and /bin).
Please don't take @jack as the bad guy until you actually prove it.
That's how it's done in the courts and that's how we all should do it. What if he is innocent and was trying to help? He would not deserve to be treated the way he is being treated right now - as a liar.
@Jack show it then
@WebSearchingPro Mind if I ask what the backup date was/is?
I'm told the WHMCS backup was done after @Jack alerted Jon and the server was subsequently powered off. The SolusVM backup is a day old. I believe they are out of sync slightly but that can be resolved.
An innocent person, no matter who they are, tries to download an SQL dump and subsequently becomes confused as to why they did it.
No email from GVH yet. Would expect something soon.
@WebSearchingPro so the date is around the 22nd or 23rd; would that be a WHMCS backup date?
23rd. If need be, we still have the dump.sql too that was made, looks complete.
"-- Dump completed on 2014-06-23 18:13:33"
@WebSearchingPro so the data is all there, since it is a very recent backup.
Exactly, you had access.
I believe so yes, some tickets may not be if they were done after that time.
Interesting thing pointed out to me.
Hate to jump to conclusions, but that's pretty much it for me.
Hmmm, he seems to care about GVH very much.
37.187.22.205 is Jerk's IP, and it says what he did...
-- Dump completed on 2014-06-23 18:13:33
37.187.22.205 - - [23/Jun/2014:18:13:44 -0500] "GET /dump.sql HTTP/1.1" 200 235469939 "-" "Wget/1.13.4 (linux-gnu)"
hmm 11 seconds..??
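The comparison being made here (the mysqldump "Dump completed on" trailer against the web server's access log entry) is exactly the kind of check an incident responder automates. The following Python is an added example, not code from this thread or from GVH/RamNode: it parses combined-format access log lines, turns the dump trailer into a timezone-aware timestamp, computes the gap between the two, and flags large successful downloads of database or archive files. The benign log line and the -0500 timezone assumed for the mysqldump clock are constructed assumptions; the dump.sql entry is the one quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; its timestamp carries an explicit UTC offset.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
ACCESS_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Trailer mysqldump appends; it has no timezone, so the caller supplies one.
DUMP_RE = re.compile(r"^-- Dump completed on (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
DUMP_TS_FMT = "%Y-%m-%d %H:%M:%S"

# File types that should never be fetched from a web root by an outsider.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".tar", ".tar.gz", ".zip")

# ASSUMPTION: the dump ran on the same host as the web server, whose log shows -0500.
SERVER_TZ = timezone(timedelta(hours=-5))

DUMP_LINE = "-- Dump completed on 2014-06-23 18:13:33"   # trailer quoted in the thread

SAMPLE_LOG = [
    # constructed benign request (documentation-range IP)
    '198.51.100.7 - - [23/Jun/2014:18:10:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # the entry quoted in the thread
    '37.187.22.205 - - [23/Jun/2014:18:13:44 -0500] "GET /dump.sql HTTP/1.1" 200 235469939 "-" "Wget/1.13.4 (linux-gnu)"',
]


def parse_access_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], ACCESS_TS_FMT)   # aware datetime via %z
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def parse_dump_completed(line, server_tz):
    """Return the dump completion time as an aware datetime in server_tz, or None."""
    m = DUMP_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), DUMP_TS_FMT).replace(tzinfo=server_tz)


def seconds_between(dump_line, access_line, server_tz):
    """Seconds from dump completion to the logged request (negative if the request came first)."""
    done = parse_dump_completed(dump_line, server_tz)
    req = parse_access_line(access_line)
    if done is None or req is None:
        return None
    return int((req["ts"] - done).total_seconds())


def find_sensitive_downloads(lines, min_bytes=1_000_000):
    """Flag successful, large responses for paths ending in a sensitive suffix."""
    hits = []
    for line in lines:
        r = parse_access_line(line)
        if r is None:
            continue
        path = r["path"].split("?", 1)[0].lower()
        if r["status"] == 200 and r["bytes"] >= min_bytes and path.endswith(SENSITIVE_SUFFIXES):
            hits.append((r["ip"], r["path"], r["bytes"], r["agent"]))
    return hits


if __name__ == "__main__":
    print("seconds between dump and GET:", seconds_between(DUMP_LINE, SAMPLE_LOG[1], SERVER_TZ))
    for ip, path, size, agent in find_sensitive_downloads(SAMPLE_LOG):
        print(f"ALERT {ip} fetched {path} ({size} bytes) with {agent}")
```

Run against a real log with `find_sensitive_downloads(open("access.log"))`. The 11-second figure only holds if the dump was written in the same timezone the web server logs in; if the database host's clock was set to UTC the gap would be hours, which is why the code takes the dump's zone as an explicit argument instead of guessing.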
Although this might have not helped much in this case, setting your server up to email yourself every time someone logs into SSH is a good idea!
http://www.tecmint.com/get-root-ssh-login-email-alerts-in-linux/
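One way to get those login alerts, as an added example (not the linked article's script and not anything GVH ran): a small Python hook that pam_exec runs when sshd opens a session, which mails the details through the local MTA. The recipient and sender addresses and the trusted management network are placeholders; pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY into the hook's environment.

```python
#!/usr/bin/env python3
import os
import socket
import smtplib
from datetime import datetime, timezone
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Placeholder values; replace with your own.
ALERT_TO = "admin@example.com"
ALERT_FROM = "sshd-alert@example.com"
# Hypothetical management range whose logins should not generate mail.
TRUSTED_NETS = [ip_network("192.0.2.0/24")]


def is_trusted(rhost):
    """True when the remote host is an IP inside an allow-listed network."""
    try:
        addr = ip_address(rhost)
    except ValueError:
        return False          # hostnames and empty strings are never trusted
    return any(addr in net for net in TRUSTED_NETS)


def build_alert(env, hostname, now=None):
    """Turn pam_exec's environment into (subject, body), or None if no mail is due.

    Only open_session is interesting: auth phases and close_session are
    skipped so that one login produces exactly one message.
    """
    if env.get("PAM_TYPE") != "open_session":
        return None
    user = env.get("PAM_USER", "?")
    rhost = env.get("PAM_RHOST", "")
    if is_trusted(rhost):
        return None
    now = now or datetime.now(timezone.utc)
    subject = f"SSH login: {user}@{hostname} from {rhost or 'unknown'}"
    body = (
        f"User:    {user}\n"
        f"From:    {rhost or 'unknown'}\n"
        f"Service: {env.get('PAM_SERVICE', '?')}\n"
        f"TTY:     {env.get('PAM_TTY', '?')}\n"
        f"Time:    {now.isoformat(timespec='seconds')}\n"
    )
    return subject, body


def send_alert(subject, body, smtp_host="localhost"):
    """Hand the message to the local MTA; it is responsible for delivery."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = ALERT_FROM
    msg["To"] = ALERT_TO
    msg.set_content(body)
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)


if __name__ == "__main__":
    alert = build_alert(os.environ, socket.gethostname())
    if alert:
        send_alert(*alert)
```

Install it as `/usr/local/bin/ssh-login-alert.py` (root-owned, mode 0755) and add `session optional pam_exec.so seteuid /usr/local/bin/ssh-login-alert.py` to `/etc/pam.d/sshd`. Hooking the PAM session rather than `.bashrc` means non-interactive logins (scp, sftp, a single remote command) are reported too, and a user cannot silence it by editing their own shell startup files. The mail only helps if it leaves the box before `/var/log` does, so point the MTA at a remote relay rather than a local mailbox.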
I think the hacker is another hosting administrator or an anti-GVH user.
I find it very suspicious that some random person, @WebSearchingPro in this case, is helping GVH out of nowhere. What if Jack is being framed right now, and WebSearchingPro is the real "hacker"?
That would be a turn of events.
I am almost sure someone paid one of the dozens of so-called admins of GVH; not surprised, since GVH would be paying their admins not more than $50/month.
Or what if this is all a reverse psychological PR campaign.
if that is well.. then it is of a great degree
If I understand correctly, the partition was rm -rf'ed, not dd'ed.
Could someone explain to me why no one has tried to recover /var/log completely using http://extundelete.sourceforge.net/ ? Is it really impossible? Or just not needed?
When I formatted a partition and later found out that I had some documents there which I shouldn't have deleted, I recovered them easily, though that was on NTFS.
We were given a .tar file from RamNode support to parse through, so only the files themselves were zipped. The amount of reads/writes on an OpenVZ node would make it unlikely to be able to recover even if we had access to the physical node.
I've helped GVH in the past; I started helping as it's not worth anyone taking their life over a hack, regardless of how silly they may be. The original .tar is still there; we only did analysis on extracted portions. If any 3rd parties wish to look, I'm sure that could be arranged.
Client area?
At this point in time I'm inclined to believe that Jack was not the instigator.
Will the record reflect that the witness has identified the defendant?
Alright can somebody explain what actually happened? There are so many replies I can't figure out what data was stolen... Was it only SQL data?
Well, at least one good thing came of it. Seems Jon is talking about better security & more frequent backups. So at least something was learned from this ordeal.
@WebSearchingPro when do you think SolusVM will be connected to the slaves?