Reddit user has their VPS backdoored
Looking on r/homelab, a Reddit user reported that someone used local TTY access to create a user on their VPS and use it for botnet purposes.
This was a California-based RackNerd VPS. We're early in the details, but if you have a RackNerd VPS hosted in Cali, you may want to check.
https://www.reddit.com/r/homelab/comments/1se88yz
MOD EDIT (April 7, 2026):
RackNerd has publicly responded on Reddit regarding this matter and clarified that the IP address referenced in the discussion is NOT part of RackNerd’s infrastructure.
It appears the earlier assumption originated from a Reddit user simply checking WHOIS data and attributing the IP to RackNerd. However, WHOIS/SWIP records can sometimes be inaccurate or outdated, especially when upstream providers reassign or manage IP space on behalf of multiple customers.
In this case, RackNerd stated the IP was incorrectly SWIP’d to them by an upstream provider, despite not being under their control or routed through their network.
As of the time of this edit (April 7, 2026), the original Reddit poster has not confirmed which VPS provider is actually involved.
For reference, RackNerd’s full response is included below:
"Just to clarify, as we were tagged -- the IP address being referenced here is not part of RackNerd’s infrastructure. I am sure the OP can confirm that this is not related to any services with RackNerd either.
We understand the assumption may be based on WHOIS/SWIP data, however in this case that data appears to be inaccurate/outdated. After reviewing internally and double checking, we can confirm that this IP range is not assigned to RackNerd, nor routed through any infrastructure of ours.
For some context -- RackNerd operates using a mix of our own IPv4 allocations directly from ARIN, and additional leased IPv4 space from upstream providers (to support growth).
Occasionally, upstream providers on leased IP space will SWIP (reassign) IP ranges in ARIN records, and in rare cases this can be done incorrectly or left stale. That appears to be what happened here -- this IP was inadvertently SWIP’d to RackNerd, despite not actually being under our control.
Based on our findings, this IP most likely belongs to another customer within the upstream provider’s network (in this case, AS36352) and is not related to RackNerd services.
If you’re investigating this further, we recommend reaching out directly to the upstream provider for accurate ownership and abuse handling (AS36352 would be the correct party to assist here).
That said, we’re happy to help facilitate -- feel free to DM me and I can connect you with the appropriate point of contact at AS36352 as well.
We also take abuse matters very seriously, and on our end, we will also follow up with the upstream provider to have our information removed from this IP range (due to incorrect SWIP record), to prevent further confusion."
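
The cross-check the mod edit describes, as an added example that is not part of the original thread: compare the most specific WHOIS/SWIP registrant for an IP with the holder of the AS that actually originates it. The WHOIS text, prefixes, organization names and AS number are all constructed (documentation ranges), and only single-CIDR records are handled.

```python
import ipaddress
import re

# Constructed ARIN-style WHOIS output: a direct allocation to an upstream and a
# SWIP reassignment to a reseller. All names and ranges are made up.
WHOIS_TEXT = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetType:        Direct Allocation
Organization:   Example Upstream Inc. (EXUP)
Updated:        2024-03-01

NetRange:       198.51.100.64 - 198.51.100.127
CIDR:           198.51.100.64/26
NetType:        Reassigned
Organization:   Example Reseller LLC (EXRS)
Updated:        2019-06-12
"""

# Constructed routing view: announced prefix -> (origin ASN, AS holder).
ROUTES = {"198.51.100.0/24": (64500, "Example Upstream Inc.")}

def parse_whois(text):
    """Split WHOIS output into records and return one field dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+):[ \t]+(.+)$", block, re.M))
        if "CIDR" in fields:
            fields["net"] = ipaddress.ip_network(fields["CIDR"])
            records.append(fields)
    return records

def attribute(ip, whois_text=WHOIS_TEXT, routes=ROUTES):
    """Compare the most specific WHOIS registrant with the origin AS holder."""
    addr = ipaddress.ip_address(ip)
    covering = [r for r in parse_whois(whois_text) if addr in r["net"]]
    if not covering:
        return None
    swip = max(covering, key=lambda r: r["net"].prefixlen)  # most specific record
    routed = {ipaddress.ip_network(p): v for p, v in routes.items()}
    hits = [n for n in routed if addr in n]
    best = max(hits, key=lambda n: n.prefixlen, default=None)  # longest prefix
    asn, holder = routed[best] if best is not None else (None, None)
    registrant = re.sub(r"\s*\(.*\)$", "", swip["Organization"])  # drop org handle
    return {"registrant": registrant, "net_type": swip["NetType"],
            "whois_updated": swip["Updated"], "origin_asn": asn, "as_holder": holder,
            "consistent": holder is not None and registrant.lower() == holder.lower()}
```

A mismatch does not by itself prove the SWIP record is wrong, since a reseller on leased space will also differ from the origin AS holder; it shows that the WHOIS name alone cannot settle attribution and that the origin AS is the party able to confirm ownership and handle abuse.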

Comments
🍿
@dustinc
at least they paid 200 usd for the provider tag
i keep my racknerd root passwordless that way everyone can join and leave me nice comments in my bash history
30c someone installed a stealer, and the stealer got their racknerd password.
Perhaps VNC was hacked? Like in Virtualizor way, that has open VNC port and 8 digit passwords by default.
But it depends on the implementation what you can do there exactly.
tty1 used, attacker got console access, provider dashboard is compromised.
Virtualizor again?
Racknerd have commented in the thread and said the IP isn't theirs: https://www.reddit.com/r/homelab/comments/1se88yz/comment/oeol09b/
They seem to be suggesting the affected host is HostPapa, (AS36352): https://ipinfo.io/AS36352
yep, just saw that too. Looks like this was recently colocrossing AS?
@angstrom Since it's not Racknerd, could we have the title changed to avoid reputational harm?
Is it also possible to add an update to the post:
Update: looks like this is an issue with AS36352, HostPapa, not Racknerd.
Do you accept the challenge for 1¢?
My rack nerd VPS in "Los Angeles" reports as HostPapa as well.
kind of annoying the guy didn't mention the provider
So does mine: https://ipinfo.io/23.95.167.100
Isn't that because ColoCrossing uses HostPapa and Racknerd is a ColoCrossing reseller?
They share the same ASN, the "Host" or Company field is what you should look for since most RackNerd subnets are owned by HostPapa/ColoCrossing.
colocrossing is hostpapa, racknerd resells colocrossing
The OP vps ip from reddit shows it has over 4,000 reports in abuseipdb lol. Not surprised for Colocrossing. It would also be a good reminder that you can disable tty.
I'm really curious to find out what happened here, just saw this pop up on reddit as well. If it's related to the Virtualizor hack I'd be surprised as it's been a while out
Not even a year has passed since ColoCrossing had a database breach.
HostPapa bought Colocrossing and now owns all IPs originally belonging to CC as assigned to Papa.
this is very interesting to read on... I will see how the provider responds...