OVH Hacked
dragontamer
Member
https://bitcointalk.org/index.php?topic=186902.msg1936161#msg1936161
Here's one thing to the whole bitcoin experiment... it is toward testing the security of these cheaper hosts! Linode and OVH have proven insecure in the wake of bitcoins...
Comments
How do you know that they didn't have a dumb password, or that their home machines had a trojan? Is the provider really the culprit???
If OVH was hacked, I am sure they would do so much more than just go after one pool. Think about what is stored there.
This is why panels that provide full automation to your servers are a BAD idea.
Colocate and do everything over a VPN + IPMI, use PXE to reinstall servers. Problem solved
Warez and seedboxes?
How do you know that they didn't have a dumb password, or that their home machines had a trojan? Is the provider really the culprit???
Fair enough. I guess we can wait it out a bit. I know that OVH had a very intrusive daemon running on all of their machines (as root), so I've been waiting for this sort of event to happen.
Linode handled the event very well actually, and detailed where they were at fault.
http://status.linode.com/2012/03/manager-security-incident.html
Perfect security cannot be expected from a VPS provider, so my opinion of Linode is only higher after that event. Full disclosure + quick communication is the best I can expect from a VPS provider.
What is the name of this daemon? I'm not finding it.
I think it's in the kernel!
Or you could blame SolusVM for hundreds of VMs lost on about 10 nodes, then have your main tech guy leave the company.
What is the name of this daemon? I'm not finding it.
I think I'm technically incorrect.
http://forum.ovh.co.uk/showthread.php?t=1642
It's not a daemon, but a backdoor SSH key + backdoor cron job. Apologies for the technical mixup.
@doughmane I rofled
OVH wasn't hacked. The server of some f**ktard who uses OVH was hacked. Big difference.
edit:
RTM - a real time monitor that alerts OVH if there is a problem (server down, server being attacked or sending attack, etc). It's preinstalled on all OVH servers.
http://help.ovh.com/RealTimeMonitoring
Well, the SSH key I know about... the cron job I've not found.
The kernel's a vanilla grsec-patched kernel. Nothing special there.
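Whatever the truth about this particular incident, the practical question raised above is: what on a freshly delivered dedi can get someone root without you knowing? The script below is an added example (written for this page, not code from OVH, from the thread, or from any provider's installer) that enumerates the three things being argued about: keys in root's authorized_keys, the effective sshd PermitRootLogin policy, and cron entries that run as root. Point it at `/` on the live box or at a mounted disk image. It assumes a Debian/Ubuntu-style filesystem layout; the `make_sample_root` fixture is a constructed stand-in and makes no claim about what OVH's actual key or cron job looks like.

```shell
#!/bin/sh
# audit_root_access.sh: list the ways a provider (or an intruder) can reach root on a rented
# dedicated server. Usage: sh audit_root_access.sh [ROOT_DIR]   (ROOT_DIR defaults to /)
# Assumption: Debian/Ubuntu-style paths for sshd_config, cron.d and the root crontab spool.

# Count keys (non-blank, non-comment lines) across root's authorized_keys files.
count_root_keys() {
    root="${1:-/}"
    n=0
    for f in "$root/root/.ssh/authorized_keys" "$root/root/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        k=$(grep -Evc '^[[:space:]]*#|^[[:space:]]*$' "$f" || true)   # grep -c exits 1 on zero matches
        n=$((n + k))
    done
    printf '%s\n' "$n"
}

# Print each root key's type, trailing comment and any options prefix (from=, command=...),
# so your own keys can be told apart from ones the installer dropped in. A key restricted
# with from= is less dangerous than an unrestricted one, which is why options are shown.
show_root_keys() {
    root="${1:-/}"
    for f in "$root/root/.ssh/authorized_keys" "$root/root/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$f" | awk -v file="$f" '{
            type = "?"; for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { type = $i; break }
            opts = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? "none" : $1
            printf "%s: type=%s comment=%s options=%s\n", file, type, $NF, opts
        }'
    done
    return 0
}

# Effective PermitRootLogin. sshd honours the FIRST uncommented occurrence of a keyword, so
# that is the one printed; "unset" means the daemon's compiled-in default applies.
# (Match blocks are not evaluated here; review them by hand if the config has any.)
permit_root_login() {
    cfg="${1:-/}/etc/ssh/sshd_config"
    [ -f "$cfg" ] || { echo "no sshd_config"; return 0; }
    v=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$cfg" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-unset}"
}

# Every active line from the system crontab, /etc/cron.d and root's own crontab spool.
# Environment lines (PATH=, SHELL=) are printed too: a reviewer wants to see a changed PATH.
list_root_cron() {
    root="${1:-/}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root/var/spool/cron/crontabs/root" "$root/var/spool/cron/root"; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$f" | sed "s|^|$f: |"
    done
    return 0
}

count_root_cron() { list_root_cron "$1" | wc -l | tr -d ' '; }

# Constructed fixture (NOT a real provider image) so the checks can be exercised offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/root/.ssh" "$d/etc/ssh" "$d/etc/cron.d" "$d/var/spool/cron/crontabs"
    {
        echo '# key I added myself'
        echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly00000000000 admin@laptop'
        echo ''
        echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyMaterialOnly0000000000 installer@provider'
    } > "$d/root/.ssh/authorized_keys"
    printf '# stock config\nPermitRootLogin yes\nPermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
    printf 'PATH=/usr/bin:/bin\n*/5 * * * * root /opt/monitor/agent --report\n' > "$d/etc/cron.d/monitor"
    printf '0 3 * * * /usr/local/bin/backup.sh\n' > "$d/var/spool/cron/crontabs/root"
    printf '%s\n' "$d"
}

main() {
    root="${1:-/}"
    echo "== root SSH keys ($(count_root_keys "$root")) =="
    show_root_keys "$root"
    echo "== PermitRootLogin: $(permit_root_login "$root") =="
    echo "== root cron entries ($(count_root_cron "$root")) =="
    list_root_cron "$root"
}

# Run only when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "audit_root_access.sh" ]; then
    main "$@"
fi
```

Run it once right after delivery (`sh audit_root_access.sh /`) and keep the output; anything you did not add yourself is a conversation to have with the provider, and the same diff a week later is your first indicator of tampering. Note that a key listed here is only one of the access paths the thread mentions: a control panel that can boot the box into rescue mode and hand out SSH access bypasses everything on the disk, and no on-host audit will show it.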
OVH wasn't hacked. The server of some f**ktard who uses OVH was hacked. Big difference.
TWO servers run by two different administrators were hacked, both of whom were using OVH. That is Slush's BTC pool, as well as Bitcoin-Central.net.
If it were just one guy, it wouldn't be news. Two independent BTC servers getting hacked at the same time implies a common link. And that common weakness is OVH right now.
It's reason for suspicion. No proof yet, but I think the "OVH was hacked" case is stronger than you imply.
Why is OVH responsible for this?
The owner got pwned regardless of his chest puffing in the forum about his security?
You should license Autoboot (TM) to OVH
The two admins, working together to steal coins. You cannot hack OVH servers.
wat
Maybe? I don't know how that is relevant, but sure. If you don't like the owner, whatever. Still seems like a blackeye on OVH however, at least until they can explain what the hell is going on.
What makes you immediately think I don't like the owner? Folks puffing their chest and proclaiming their security sometimes make a foolish mistake.
Does OVH manage the server?
Oh, they rent the server to a customer whose responsibility it is to keep the server secure.
If you do not like hosting providers, whatever.
Thankfully I had root login disabled on my OVH dedi. It still worries me somewhat, though.
Does OVH manage the server?
Oh, they rent the server to a customer whose responsibility it is to keep the server secure.
If you do not like hosting providers, whatever.
Fair enough. I admit that I don't like hosting providers who install backdoor SSH keys into the root user, especially when it seems like that backdoor is insecure. It may be the end customer's ultimate responsibility to remove backdoors that your provider puts into the servers you have...
Personally, I think that if the service provider is doing that sort of thing to their customer's servers, then it is the provider's responsibility to ensure that the backdoors do not get compromised.
I kindly suggest that you actually read the forum thread that @dragontamer linked to
The OVH control panel can boot the server into rescue mode and provide SSH access. And there seems to be a security issue related to the password reset feature of the OVH control panel.
I don't know if there really is a security issue or not (perhaps the customer himself is indeed at fault). But if there is, then that's a pretty big deal.
@Sunshine that is what I understood.
Yes, like in the famous Sony case...
I think that if I rent a dedi I would rather not allow any backdoor. If they have to monitor it, they can do it externally; it's not like you can't monitor the network or ping the server to see if it is down or something... That is a poor excuse to spy on you.
Thankfully I had root login disabled on my OVH dedi. It still worries me somewhat, though.
I do not have a server at OVH. Have they notified you (or any of their customers) of the potential breach in security? Or are they silent on this issue? The only links I can find on Google relate to bitcoin forums / twitter, where this story is getting spread. I haven't seen any OVH related status update on this.
And it is reaching ~Day 5 since the breach of two systems (April 24 was the first breach, April 25th was the 2nd breach).
Let's move on, folks. It's merely a PEBCAK error, nothing that's OVH's issue.
Do you have more information on this? I'd like to move on... but there is only one side of the story right now. I'd like to give OVH the benefit of the doubt, but silence is a bit deafening on security matters.
Sounds like it to me too but folks love to kick the provider around here. Funny how OVH is kicked but the fanboys love OVH prices. Rinse, wash, repeat.
They have about 100,000 servers. These two servers were two, low value customers. They were using their primary product. That the customer got hacked isn't big news for OVH. OVH probably doesn't even KNOW it happened.
Slush's pool is estimated to currently mine ~350 BTC / per day... or ~$49,000 / day in USD. 8% of all bitcoins mined goes to Slush's pool right now.
Bitcoin-central.net is a BTC/Euro market that was also hacked as part of this... with a daily market volume over 1000BTC/day (with some days recently having 4000 BTC volume). As an exchange, that also means that ~130,000EUR (with peaks at 520,000 EUR) were getting traded back and forth per day.
Fortunately, both sites caught the hacks quickly and shut down operations. So only a few hundred BTC were stolen (~order of $10k USD or so).
I imagine that it doesn't take too many resources to run a BTC mining pool (as big as Slush's pool is, it is only farming out ~300 tasks / second), nor does it take many resources to run a BTC exchange (it's mostly web traffic). But given the amount of money that these two sites commanded... I wouldn't call them "low value" customers. These single hacks have stolen tens of thousands of dollars in mere minutes.
It sounds like both sites owned multiple servers at OVH as well, so I'm sure they were paying more than just a Kimsufi Atom.
I do question Slush's decision however. He seems hellbent at not owning servers of his own. He rented from Linode till his first server got hacked. Then he rented from OVH, and now he's moved to Amazon Web Services.
AWS is a big target, and a giant mystery to me as far as security. I don't understand why he just doesn't get a locked quarter-rack or half-rack at some data-center and own a few boxes. He can even build his own mining server... much cheaper than renting a GPU cluster from Amazon... especially if he keeps it at 100% load for BTC mining.