Virtualizor - Live Chat - COMPROMISED

"Dear Clients,
We hope this email finds you well. We are reaching out to inform you of a possible security breach in our live chat account.
If you have ever provided your root details on Live Chat and still use the same password, we request you to change it immediately. Recently, we detected unauthorized installations of XMRig on servers whose credentials were provided via live chat. To safeguard your account and infrastructure, we strongly recommend changing your passwords immediately.
To enhance security, we have permanently removed all past chat records and will no longer accept server credentials via live chat. Moving forward, please provide any necessary server credentials through our support ticket system instead.
This incident was limited only to the live chat support system for Virtualizor, and no other support systems have been affected.
We sincerely apologize for the inconvenience and are taking stringent measures to prevent such occurrences in the future.
Your security remains our top priority. If you have any questions or need further assistance, please reach out to our support team.
Best regards, Virtualizor Team"

Thanked by 1: cainyxues

Comments

  • Andreix Member, Host Rep

    Heard somebody decoded their script and it's full of disasters ready to happen.
    Can't say 100% for sure, but I'd personally stay away from it. It's also very buggy as functionality (this one I tested).

  • MikeA Member, Patron Provider

    @tronyx said: If you have ever provided your root details on Live Chat

    Wow, big dumb here!

  • Andreix Member, Host Rep
    edited February 2025

    @MikeA said:

    @tronyx said: If you have ever provided your root details on Live Chat

    Wow, big dumb here!

    They actually used to request data via LiveChat... so it's double-dumb. :)

    Thanked by 1: cainyxues
  • MannDude Patron Provider, Veteran

    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

  • rsk Member, Host Rep

    @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    Trust me, it will be worth it :)

    Thanked by 2: cainyxues, crunchbits
  • MikeA Member, Patron Provider

    @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    @rsk said:

    @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    Trust me, it will be worth it :)

    I moved off SolusVM right after Phill released Virtfusion, can't imagine if I didn't at that time... Literally makes support load so much lesser, and it's really a selling point compared to the others. Very well worth it. Really just comes down to manual work of switching the billing service and migrating/converting disk images.

    Could always just offer new service on VF and slowly phase out Virtualizor.

    Thanked by 2: cainyxues, crunchbits
  • rsk Member, Host Rep

    @MikeA said:

    @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    @rsk said:

    @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    Trust me, it will be worth it :)

    I moved off SolusVM right after Phill released Virtfusion, can't imagine if I didn't at that time... Literally makes support load so much lesser, and it's really a selling point compared to the others. Very well worth it. Really just comes down to manual work of switching the billing service and migrating/converting disk images.

    Could always just offer new service on VF and slowly phase out Virtualizor.

    Yes, I was going to say that working with VF really did decrease the support load by miles, plus things just work.

    Migrations are a pain, but yeah, either whack at it for a week or two in manageable batches, or offer new services on VF and phase out Virtualizor gradually. I guess both work :)

    Thanked by 1: cainyxues
  • Advin Member, Host Rep
    edited February 2025

    @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    While we don't use it, VirtFusion is an excellent product and I would encourage you to move over to it. I couldn't ever imagine using Virtualizor again.

  • @MannDude said: I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    Same, 1.3k VMs it's just a nightmare

  • @Calin said:

    @MannDude said: I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    Same, 1.3k VMs it's just a nightmare

    Wait you have 1.3k VMs? :worried:

  • @cainyxues said: Wait you have 1.3k VMs?

    A shock for a lot of people, but yes

    Thanked by 2: cainyxues, chengzi
  • @Calin said:

    @cainyxues said: Wait you have 1.3k VMs?

    A shock for a lot of people, but yes

    In your garage right? Why not show us the screenshot :)

    Thanked by 1: Calin
  • MannDude Patron Provider, Veteran

    This gem was from a week or so ago:

    I pay all our licenses manually, so I'm in their portal every few days. Noticed one day licenses that were not ours. Keep in mind, new licenses are always added to the bottom of the list, never randomly towards the top or in the middle. The licenses I noticed that were not ours were randomly placed in the list. Why or how? Never was told.

    I did contact live chat about this and they just tried to tell me I must have added them myself and that if I did not need them I should delete them.

    I guess we'll start the VirtFusion migration in the coming month or so, manually or otherwise. We're already replacing most of our nodes anyway across all 4 main POPs with new hardware so I guess it's as good a time as any... =/

    Thanked by 1: cainyxues
  • @MikeA said:

    @tronyx said: If you have ever provided your root details on Live Chat

    Wow, big dumb here!

    I mean you sort of have to be big dumb to use Virtualizor in the first place, so it's sort of self selecting in a way.

    Thanked by 2: ethanblake87, Andreix
  • @MannDude said:
    This gem was from a week or so ago:

    I pay all our licenses manually, so I'm in their portal every few days. Noticed one day licenses that were not ours. Keep in mind, new licenses are always added to the bottom of the list, never randomly towards the top or in the middle. The licenses I noticed that were not ours were randomly placed in the list. Why or how? Never was told.

    I did contact live chat about this and they just tried to tell me I must have added them myself and that if I did not need them I should delete them.

    I guess we'll start the VirtFusion migration in the coming month or so, manually or otherwise. We're already replacing most of our nodes anyway across all 4 main POPs with new hardware so I guess it's as good a time as any... =/

    Smart move, move to virtfusion.

  • VirtFusion is just brilliant, it's a pleasure to use

  • Saahib Host Rep, Veteran

    Probably it's more than a creds leak from their live chat support.
    However, Virtualizor has been fine for most of our customers, it just works and is also improving feature-wise. I am not vouching for them but it just works and there are providers for many thousands of customers using it without much trouble.

  • ExonHost Member, Host Rep

    They are using tawk.to for live chat. Tawk.to doesn't offer a self-hosted version. How was their chat compromised, and how did it infect their server? I don't think it's a live chat hack. They are hiding something.

  • tarisu Member, Host Rep

    @ExonHost said:
    They are using tawk.to for live chat. Tawk.to doesn't offer a self-hosted version. How was their chat compromised, and how did it infect their server? I don't think it's a live chat hack. They are hiding something.

    It could be the personal computer of one of the support team. We usually create a temporary VPS when contacting Virtualizor and get an IP whitelist to the relevant cluster, then the relevant VPS is completely deleted. We hope nothing happens to anyone.

  • Neoon Community Contributor, Veteran

    Well, if the live chat got hacked, maybe something else got hacked too.

    Thanked by 1: Andreix
  • virtualizor Member, Host Rep

    @ExonHost said:
    They are using tawk.to for live chat. Tawk.to doesn't offer a self-hosted version. How was their chat compromised, and how did it infect their server? I don't think it's a live chat hack. They are hiding something.

    It was nothing but the live chat at tawk.to being compromised. Neither our servers nor the ticketing system have been affected.

  • rsk Member, Host Rep

    @MannDude said: I guess we'll start the VirtFusion migration in the coming month or so, manually or otherwise. We're already replacing most of our nodes anyway across all 4 main POPs with new hardware so I guess it's as good a time as any... =/

    Happy to assist you, if you need any support <3

  • rsk Member, Host Rep

    @virtualizor said: It was nothing but the live chat at tawk.to being compromised. Neither our servers nor the ticketing system have been affected.

    How do you explain the random licenses added to accounts?

    Thanked by 1: MannDude
  • @MannDude said:
    I've long wanted to switch to VirtFusion, but lack of an easy migration method that wouldn't consist of a week or two of manual migrations / manual data updates in WHMCS is what has been holding me back.

    Use @NDTN's method: provide a temporary identical VPS and give your client a deadline. Done.

  • virtualizor Member, Host Rep
    edited February 2025

    @rsk said:

    @virtualizor said: It was nothing but the live chat at tawk.to being compromised. Neither our servers nor the ticketing system have been affected.

    How do you explain the random licenses added to accounts?

    That was 15-20 days ago and was not a compromise. It was a rare case and was due to the new Auto Renewals system which was implemented from 5th of Feb. Users affected were refunded and the bug was also fixed (some 5 customers in total as per our ongoing audit for people who could be affected). The Auto Renewals system is not related to the tawk.to live chat system compromise.

    We are already looking for a new chat system to get us better security options.
    P.S. We offer multiple modes of support because we have to attend to our customers and we want to be available for them.

    Also we are not one of those who would sell out! We have been here for years and grown with our customers.

    @ExonHost said:
    They are using tawk.to for live chat. Tawk.to doesn't offer a self-hosted version. How was their chat compromised, and how did it infect their server? I don't think it's a live chat hack. They are hiding something.

    Some customers had their root details posted on the chats. Hence only those servers were affected. The advisory we sent also mentions this scenario.
    This is not a security advisory for an exploit within Virtualizor.

    Regards

  • zmeu Member
    edited February 2025

    @cainyxues "Don't trust everything you see, even salt looks like sugar", anyway, back in line, the licenses are 1 USD? Then you get what you want. Get something solid like Proxmox, VMware, VirtFusion, etc.

    Thanked by 1: cainyxues
  • Andreix Member, Host Rep
    edited February 2025

    Well, the software is somewhat entry-level/personal level.
    So, if you want an easy way to manage your VMs for personal infra, sure, it can be ok.

    I wouldn't recommend it for mid-level+ usage, as it is very buggy, hanging a lot, the API fails to communicate properly when there's a little bit of load on the nodes... MySQL databases are prone to fail quickly and when they do, good luck with InnoDB repair.

    Can't say anything on VirtFusion as I haven't used the solution, but a big solid + for Proxmox (even the FOSS version). It's rock solid and costs no money.
    The only "downside" is that you'll need some amount of tech knowledge to operate it, but thank God, YouTube is full of Proxmox tutorials.

    Thanked by 3: COLBYLICIOUS, zmeu, rsk