Spent a whole day searching the leaked Colocrossing database, found a possible hacker’s email

So, on 2025-05-24 around 11:25 AM (UTC+8), someone added an admin account with a QQ.com email [adduser].
Then, less than half an hour later at 11:47 AM, all the admin users got deleted from the backend [deluser].
I was digging through the leaked Colocrossing database and this caught my eye. Looks pretty sketchy and might be linked to the hacker — but I’m not sure if this actually caused the hack or if the hacker even left their real email.


Comments
QQ? Chinese?
So what's the story?
I'm not sure about the exact situation, and I don't know why this email address was added as a backend administrator. Maybe this person joined CCS, or there might be a security loophole?
This is how it appears in the database, and it feels like a suspicious situation, so I didn't share the full email address.
or there might be a security loophole?
You're missing the full context.
The same IP added 2 more admins before the @qq guy.
You can see that this IP belongs to CCS. You can verify this by running dig cloudmain.colocrossing.com. So, I don't think this IP belongs to a hacker.
Could it be a Hypervisor escape? As in the attacker got a VM like any normal customer and then used it to breach the Virtualizor instance?
Here are images which came from the smokah. They clearly show a database dump AND an admin screenshot of Virtualizor. Full-blown crack. This is a massive breach.
Anyone here know what caused this? Is there a fix at our end? What Virtualizor version, etc.?
Turn off Virtualizor.
A great fix is not using Virtualizor
I have spoken to virtualizor, it appears to have been human error not a software issue
But exposing raw passwords is also a human error, right? Or a best practice I haven't been aware of?
Avoid Virtualizor at all costs.
ColoCrossing also hasn't stated it, but full names are also in the db, unless you manually changed it in Virtualizor.
Where do you see the passwords ?
In the tasks table.
So maybe I’m totally dumb or lost track of the story on this, but if the database dump is now out in the wild, what kind of ransom exactly can the hacker extort? Isn’t there no incentive now to pay their extortion?
So what tools do you use on Mac/Windows to view the db data in a clean format? Other than text editors. I tried a few like DBeaver, but it won't load because the file size is 2GB. Not even after tweaking the .ini file to set a higher memory limit.
I think the db was leaked after CC did not comply with whatever the hackers demanded.
https://github.com/mysql2sqlite/mysql2sqlite
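Converting the dump to SQLite is one route; the other is to never load the whole 2GB file at all. A mysqldump-style file puts each (possibly very long) INSERT statement on its own line, so you can stream it line by line and parse out only the table you care about. The following is an added example, not code from the thread or from the mysql2sqlite project: a small streaming parser for extended-INSERT rows (handles backslash escapes, doubled quotes, commas inside strings and NULL) plus a search helper you could use to check whether an address of yours appears in a given table. The dump text at the top is constructed for illustration; the table and column layout are assumptions, not the real schema.

```python
"""Stream a large MySQL dump and pull rows out of one table without
loading the file into memory.

Added example (not from the thread). Assumes a mysqldump-style file with
statements such as:
    INSERT INTO `users` VALUES (1,'alice','a@example.com'),(2,...);
Values come back as strings (numbers are not converted) and SQL NULL as None.
"""
import io
import re
import sys
from typing import Iterable, Iterator, List, Optional

Row = List[Optional[str]]

# Matches the head of an INSERT and captures the table name; the optional
# group skips an explicit column list such as (`id`,`email`).
INSERT_RE = re.compile(
    r"^INSERT INTO `?(\w+)`?\s+(?:\([^)]*\)\s+)?VALUES\s*", re.IGNORECASE
)

# Constructed sample dump for illustration; not the leaked data, not the real schema.
SAMPLE_DUMP = """-- constructed sample
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (`id` int, `name` varchar(64), `email` varchar(128));
INSERT INTO `users` VALUES (1,'Alice O\\'Brien','alice@example.com'),(2,'Bob','bob@example.net'),(3,NULL,'carol@example.org');
INSERT INTO `tasks` VALUES (10,'reinstall','root:hunter2');
INSERT INTO `users` VALUES (4,'Dan, Jr.','dan@example.com');
"""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0"}


def _lit(tok: str) -> Optional[str]:
    """Unquoted literal: NULL becomes None, anything else stays a string."""
    return None if tok.upper() == "NULL" else tok


def parse_values(text: str) -> List[Row]:
    """Parse the `(..),(..)` part of an INSERT statement into rows."""
    rows: List[Row] = []
    row: Row = []
    buf: List[str] = []
    in_str = in_row = False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            if c == "\\" and i + 1 < n:          # backslash escape (mysqldump default)
                buf.append(_ESCAPES.get(text[i + 1], text[i + 1]))
                i += 2
                continue
            if c == "'":
                if i + 1 < n and text[i + 1] == "'":  # '' is an escaped quote
                    buf.append("'")
                    i += 2
                    continue
                in_str = False
                row.append("".join(buf))          # string value finished
                buf = []
                i += 1
                continue
            buf.append(c)
            i += 1
            continue
        if c == "(" and not in_row:               # start of a new row tuple
            in_row, row, buf = True, [], []
        elif c == "'":
            in_str, buf = True, []
        elif c == "," and in_row:
            if buf:                               # pending unquoted literal
                row.append(_lit("".join(buf)))
                buf = []
        elif c == ")" and in_row:
            if buf:
                row.append(_lit("".join(buf)))
                buf = []
            rows.append(row)
            in_row = False
        elif in_row and not c.isspace():
            buf.append(c)
        i += 1
    return rows


def iter_table_rows(lines: Iterable[str], table: str) -> Iterator[Row]:
    """Yield rows of `table`, holding at most one INSERT statement in memory."""
    for line in lines:
        m = INSERT_RE.match(line)
        if not m or m.group(1) != table:
            continue
        yield from parse_values(line[m.end():].rstrip().rstrip(";"))


def search_dump(lines: Iterable[str], table: str, needle: str) -> List[Row]:
    """Return rows of `table` where any string column contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [r for r in iter_table_rows(lines, table)
            if any(isinstance(v, str) and needle in v.lower() for v in r)]


if __name__ == "__main__":
    # Usage: python dumpgrep.py dump.sql users you@example.com
    path, table, needle = sys.argv[1], sys.argv[2], sys.argv[3]
    with open(path, encoding="utf-8", errors="replace") as fp:
        for r in search_dump(fp, table, needle):
            print(r)
```

Because the file object is iterated line by line, memory use is bounded by the longest single INSERT statement rather than the file size, which is what defeats the 2GB problem. The parser assumes the default mysqldump quoting; dumps produced with unusual options (hex blobs, `INSERT IGNORE`, `REPLACE INTO`) would need the regex extended.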
paying back 20k would deffo help
Can someone ping me the link to the exposed DB so I can see if I'm impacted?
To be honest I don't believe the hacker is dumb enough to use QQ as their email...
Could be a stolen or just a fake email? Even harder to trace if the email is just stolen or something BS.
db link?
It might be the official administrator of ColoCloud.
Seems their sales and PM are Chinese.