All my dedi infected with Junglesec Ransomware from Fiberstate colo
All the dedicated AMD servers hosted with Fiberstate are now infected with ransomware. I am not even able to do a root login, @fiberstate, due to the open IPMI provided by @fiberstate.


Comments
There is another thread today about a ransomware here,
probably both interlinked.
Something related to IPMI.
https://lowendtalk.com/discussion/199608/junglesec-ransomware-9-linux-vms-are-affected-backup-your-data-ryzen-7000/p1
Looks like it is a @fiberstate issue, as servers with them are getting affected. We have 100+ dedis in other colos; none have issues. But all servers in @fiberstate got ransomware!
I just hope you have the backups of important data.
We have backups of all the data. We do have an automatic remote backup every 2 hrs, but restoring the data will take much time. And I am not sure if, after restoring the data, it can be hacked again. Maybe they have added some backdoor; anything is possible, not sure.
I hope the operations/restore happen fast for you guys.
Any vulnerability can be attacked any time, with any provider. Let's see what the @fiberstate rep has to say on this.
Maybe they will clarify how many are impacted and what is the resolution.
Running IPMI on public IPs or what?
Statement, @fiberstate?
I have a dedi with Fiberstate too... backing up my data now lol
We do not manage colocation servers; it is entirely up to the customer to secure IPMI and/or set up a solution to do such. There are many variations of hardware that are sent to us; it's entirely the customer's responsibility to secure machines and IPMI.
Yours is colocation? Or rental from Fiberstate?
If that's a colocation, why would the provider have to secure their server IPMI, since they don't set those up?
@bikrama Do you have a ticket number, please?
So what happened here? The attacker picked on a vulnerability of the IPMI software?
-_- No, Fiber, this is your stupidity. Why do you give IPMI a public IP in 2024??
Give customers segregated VLAN and VPN. This is your mess and shows lost face, and is disrespectful to customers whom you've outed.
It is not a colocation server; it is a rented server from you.
Just weak management of physical hardware. You can Google it: they literally didn't change the default password.
We just request to reinstall our server with Ubuntu 22.04. I will share the ticket number in PM.
Your title mentioned colo. We do not see any ticket at the moment mentioning this; can you please open one and/or give us your ticket number, @bikrama?
Thank you. We'll follow up on it.
Mentally strong people unplug the IPMI cord and perform remote management through KVM switch over VGA + PS/2.
Ticket #XTM-154706 - cannot SSH or IPMI.
This server has had hardware failures almost 4 times in the last 6 months of renting the server from you guys. Check all the tickets. Sometimes an HDD issue, sometimes you replace the network card, sometimes you replace the board, and so on. Now it is affected by ransomware and we had to do a complete reinstall again.
We show this ticket was handled and fully resolved for you earlier today.
The server was only reinstalled with a new OS, but IPMI is still open, so it can get attacked with ransomware again. It is not a permanent solution to just reinstall the OS.
@fiberstate, so is this customer infected with JungleSec?
Can you show a masqueraded screenshot, without public info, showing they gave the IPMI motherboard a public IP? This is egg on face all over again, like my Green Cloud VM.
Your IPMI is secure. We've provided you the necessary information on your ticket.
It's standard. My Fiberstate dedi rental came with a public IPMI IP + login. It's also unclear how I'm expected to secure it against any IPMI exploit that could be used to install ransomware.