IPXCORE security issue notification - passwords changed

Damian Member
edited March 2013 in General

Sending this out via email, however since humans have done an excellent job of making valid emails difficult to send, also posting it here:

It has recently come to our attention that on or before Tuesday, March 12th, 2013 some of our internal systems were compromised.

Owing to this alarming development, we are immediately notifying you that we have reset your billing, VPS Control Panel, and cPanel passwords. We are *not* sending these new passwords out via email; please request a new password from the various panels via the "I forgot my password" function that they provide.

It appears that the attack method was limited only to VPS Control Panel passwords that were never changed from the default password sent to new clients via email. The attacker then logged into these default-passworded VPS Control Panels, but did not seem to do anything further. A limited number of you will receive further emails regarding these logins. If you have received a notification that an IP address logged into your VPS Control Panel account, and you do not recognize it, please contact us immediately.

All of us at IPXcore are embarrassed and concerned about this ordeal, and we've begun an immediate review of our security policies. These events are an unfortunate part of doing business online, and we appreciate your patience as we work to ensure that this doesn't happen again. At the same time, it's important for us to be up front and honest with our customers, because we take the privacy of your data very seriously.

If you have any questions or concerns, feel free to contact us via any means.

-Damian Harouff
IPXcore LLC

If anyone wants to additionally block the IPs in question:

Date/Time: 12/03/2013 14:49:01
IP Address: 68.49.159.203
Hostname: c-68-49-159-203.hsd1.md.comcast.net

Date/Time: 12/03/2013 14:56:52
IP Address: 172.162.22.87
Hostname: ACA21657.ipt.aol.com


Comments

  • HalfEatenPie Veteran
    edited March 2013

    They still use AOL? hm... well... dang...

    Good luck on this Damian and IPXCore

  • How did they get in? Software related or bad practice?

  • @GetKVM_Ash said: bad practice?

    I wish it were something cool like a hack, but instead, it was a really bad practice. I feel completely terrible about the situation, and we're going to revise our policies to ensure that it doesn't happen ever again.

  • @Damian said: I wish it were something cool like a hack, but instead, it was a really bad practice. I feel completely terrible about the situation, and we're going to revise our policies to ensure that it doesn't happen ever again.

    Understood, at least you're honest. Best of luck!

  • jar Patron Provider, Top Host, Veteran

    @Damian said: I wish it were something cool like a hack, but instead, it was a really bad practice. I feel completely terrible about the situation, and we're going to revise our policies to ensure that it doesn't happen ever again.

    Best of luck and respect for honesty. You know exactly how well I understand this.

  • I fully understand and am prepared that I will take blows for this, however, I cannot and am not going to spin it any other way.

  • Zetta Member
    edited March 2013

    @Damian said: All of us at IPXcore are embarrassed and concerned about this ordeal, and we've begun an immediate review of our security policies. These events are an unfortunate part of doing business online, and we appreciate your patience as we work to ensure that this doesn't happen again. At the same time, it's important for us to be up front and honest with our customers, because we take the privacy of your data very seriously.

    Now where have I seen that before? ;)

  • Damian Member
    edited March 2013

    @Zetta said: Now where have I seen that before? ;)

    I liked what he wrote, and it sums up how we feel. Additionally, English is not my forte.

    And seriously, I'm a bit too frazzled and running around like a crazy man to write good prose at the moment.

  • YKM Member

    @Damian said: I fully understand and am prepared that I will take blows for this, however, I cannot and am not going to spin it any other way.

    Good on you!

  • I also received the email, and obviously it isn't nice to receive.

    However, I'm really happy they explained it to us, AND created a topic by themselves. It shows they care about the customers and want to be fair.

    Good luck! :)

  • Good handling of the situation

  • Gary Member

    Can't fault their honesty. Full disclosure is always good.

  • I tried to reset my client area PW, but I never got the new password, either on the client area's "reset complete" page or by e-mail. I'm now locked out of the client area. I would open a support ticket, but...

  • @DStrout said: I tried to reset my client area PW, but

    Please take this to PM if you can't contact IPXCore by other means. Let's not turn this into another support desk marathon.

  • netomx Moderator, Veteran

    Anyone got their CP address? I can't access the one I have bookmarked.

  • mikho Member, Host Rep

    try ipxcore.com and go from there

  • I tried to reset my client area PW, but I never got the new password

    Me too. I'm not piling on IPXCore; I just mention it to show that DStrout's problem is not a fluke (caught in spam trap, etc.). The site was quick enough to send the reset confirmation link, but it's been over a half-hour since then and I haven't received the new password. Which means that I too am locked out of the Client Area.

  • Damian Member
    edited March 2013

    @DStrout said: I would open a support ticket, but..

    Can you send an email? I think I know who you are, but I'm not exactly sure and don't want to guess. Either damian@ or email@ ipxcore.com

    (edit) it looks like you contacted us by sending an email via the live chat system, which we then responded to... did you receive it?

    @netomx said: anyone got their CP address?

    https://vpscp.us for Solus
    https://billingcp.us for WHMCS

  • bdtech Member
    edited March 2013

    I don't quite understand. Were the new system assigned (default) passwords not randomized with some complexity? Brute force on predictable pw's?

  • vedran Veteran
    edited March 2013

    My Solus password is still the same?

    Edit: billing too

  • Janevski Member
    edited March 2013

    @Damian Thank you for your fast and honest response. It is a smart and good move that prevents the damage from increasing further. I respect that.
    I did receive an e-mail regarding this matter; however, all of my passwords are the same old ones that I used to use (WHMCS, SolusVM, OpenVZ VPS).

    Regarding this event, I believe that a detailed internal analysis of the intrusion should be performed (if it hasn't been performed already); also, if it is proven that even a minor chance of compromise exists, a fresh system install and configuration should be performed too (regaining system integrity). Because, in my opinion, from my personal security experience, an attacker would have left a backdoor or software time bomb or such, and covered his/her trail as much as possible on the way out.

  • @vedran said: My Solus password is still the same?

    Turns out that the Solus module is fucked, because WHMCS arbitrarily decided to update their database details and didn't bother to tell anyone. I'm working on a different plan.

  • Nice letter text! Your business writer deserves a lot more than whatever you're paying them. ;)

  • @Damian
    Mind sharing what fuck-up it was? Something like not protecting a directory or leaving an admin password simple and it got bruted?

    Fair play if you don't want to disclose, hope everything is resolved, let's hope they didn't dump the DB.

  • I would much prefer to not disclose, however, the account that they got ahold of wouldn't have had permissions to dump the DB, unless there was some obtuse method I haven't thought of.

  • @Damian no problem, at least you've realised your mistake before repeated attacks took place.

  • @vedran said: My Solus password is still the same?

    This should be fixed. Working on WHMCS now.

  • u4ia Member

    @Damian very nice job with the disclosure. Much respect for that.

    Now, am I understanding this correctly that passwords that were changed from the initially generated one were not compromised?
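The two things this thread keeps coming back to are the login-source IPs Damian listed in the announcement (for anyone who wants to check their own panel logs) and the question bdtech and u4ia raise about which accounts were actually exposed, i.e. the ones still on the default password from the welcome e-mail. Here is an added example of how a host could run both checks against its own data; this is not IPXcore's code and not SolusVM or WHMCS functionality. The log line format, the account records with a `password_changed_at` field, and all the sample users are constructed assumptions; only the two IP addresses come from the announcement.

```python
"""Added example (not IPXcore's code): two defender-side checks from the thread.
Log format, account records and usernames are constructed assumptions."""
import re
from typing import Dict, List

# The two login source IPs listed in the announcement.
SUSPECT_IPS = {"68.49.159.203", "172.162.22.87"}

# Constructed sample of a control-panel auth log; the format is an assumption.
SAMPLE_LOG = """\
2013-03-12 14:49:01 LOGIN ok user=client1042 ip=68.49.159.203
2013-03-12 14:52:10 LOGIN ok user=client0007 ip=203.0.113.5
2013-03-12 14:56:52 LOGIN ok user=client2210 ip=172.162.22.87
2013-03-12 15:01:33 LOGIN fail user=client1042 ip=198.51.100.77
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>ok|fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed log format into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def logins_from_suspect_ips(text: str, suspects=SUSPECT_IPS) -> List[Dict[str, str]]:
    """Successful logins from the listed IPs: the accounts that need a follow-up notice."""
    return [e for e in parse_log(text) if e["result"] == "ok" and e["ip"] in suspects]


# Constructed account records. password_changed_at is None when the customer
# never replaced the password that was sent in the welcome e-mail.
SAMPLE_ACCOUNTS = [
    {"user": "client0007", "created_at": "2012-11-01", "password_changed_at": "2012-11-02"},
    {"user": "client1042", "created_at": "2013-01-15", "password_changed_at": None},
    {"user": "client2210", "created_at": "2013-02-20", "password_changed_at": None},
]


def accounts_on_default_password(accounts) -> List[str]:
    """Accounts whose password was never changed after provisioning."""
    return [a["user"] for a in accounts if a["password_changed_at"] is None]


def accounts_needing_forced_reset(text, accounts, suspects=SUSPECT_IPS) -> List[str]:
    """Union of both checks, sorted: the set a host would reset and notify."""
    flagged = set(accounts_on_default_password(accounts))
    flagged.update(e["user"] for e in logins_from_suspect_ips(text, suspects))
    return sorted(flagged)


if __name__ == "__main__":
    for e in logins_from_suspect_ips(SAMPLE_LOG):
        print(f"{e['ts']} {e['user']} logged in from listed IP {e['ip']}")
    print("still on default password:", accounts_on_default_password(SAMPLE_ACCOUNTS))
    print("reset + notify:", accounts_needing_forced_reset(SAMPLE_LOG, SAMPLE_ACCOUNTS))
```

The default-password check is the one that matters long term: a panel that records when a customer last set their own password can force a change on first login, which removes the whole class of "welcome e-mail password still works" accounts rather than cleaning up after one set of logins.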
