100,000 websites destroyed by hackers

As many as 100,000 websites have been destroyed by hackers targeting server virtualisation software HyperVM, which powers most virtual private server (VPS) hosting companies.

Most of the VPS systems hosted by Vaserv and its sister companies CheapVPS and FSCKVPS were taken offline, with data on some of its servers destroyed without backups, when the hackers exploited a zero-day vulnerability in the LxLabs HyperVM software to gain root access to its servers. The hackers were then able to run commands (such as "rm -rf", Linux parlance for "remove everything, all files and folders, no questions asked") to destroy both user and system data, preventing the servers from booting and preventing users from recovering data.

Vaserv has estimated that almost half of the data hosted on its servers has been destroyed by the attack.

The identity of the hackers is unknown, and no hacking groups have claimed the attack. Vaserv stated that "This wasn't someone randomly scanning things. It was a deliberate attack on our infrastructure." It has also stated that, although the hackers had full root access to its systems, all sensitive data such as names, addresses, and credit card details were encrypted.

It is unknown whether any other hosting companies running HyperVM have been attacked. Anybody who uses a server hosted by Vaserv or its sister companies can check the progress of the rescue operation here.


55 Comments


Either this, or his personal trouble with the family members having hung themselves before. :S

But yes, this could have been contributory and tipped the scale.

Can't say I'm sorry, I hope lawsuits follow in LxLabs' inability to patch this sooner, this could have been prevented.
Unlikely as it is, here's hoping the lowlife hackers responsible get found and prosecuted.

How the f*** would a lawsuit help? And does anyone really know it was a zero day flaw that was in fact exploited?

Aiming for a lawsuit always in the end only leaves lawyers as the winners, everyone else has to just pay higher fees to cover the risk of a lawsuit and the PLI that companies need.

Utter fail.

If they were VM servers, don't Linux hosts have something like Volume Shadow Copy on Windows where they can just undo the damage?

One of the headaches of backing up data for someone is liability.

You're saying your data is safe with us, if you muck it up we can put it back to as it was. Which imho can cause all kinds of hassle from customer expectations to when exactly the data was backed up. In a customer's mind you will back it all up and put it back to the second that it went astray ... and all for $10 a month. Whereas in the real world no-one will offer that level of management and a) make any money and b) keep everything backed up properly.

Hence you have hosting packages at $1000 p/m and $10 p/m, you pays your money you take your choice the old adage goes :-)

With comments like "Why in the hell would you not have backups?", in fact should reflect on the person WHO owns/manages the website - not the host. And yes WHY the hell did you NOT backup YOUR data!

Everyone mentioning the lack of backups, it's because these were unmanaged VPSes. Unmanaged means that they provide the hardware, but you do everything else (including backups). They have redundant hardware and RAID arrays, but it doesn't really help in an attack like this. VAServ's managed services all have backups, which I believe are currently being restored.

FSCKVPS is a very cheap service ($10 per month for 512 MB RAM, 30 GB space, 600MHz guaranteed), the fact that it's unmanaged and automated is what allows the price to be so cheap. I have a VPS with them, as does one of my friends. His VPS was safe, but mine was deleted in this attack. Luckily, mine was just a backup VPS, used for storing backups and backup DNS. HyperVM (the software with the security hole) is the cheapest enterprise software in the industry ($0.50 per VM per month), which is one of the reasons providers are able to offer VPSes for so cheap.

lol, 100k websites :P What were they? Simple "under construction" sites? I doubt the numbers go over 1-5thousand simply because even if the "hacker" did create a script to attack bunch at a time it would take forever to "rm -rf" 100k websites. With forever I mean DAYS, maybe weeks.

Also if anyone is looking for decent VPS hosting I'd suggest linode[dot]com, they have best VPS system and panel around as far as I know.

As bad as this kind of hack is it's just the beginning of the Virtual OS security issues if the past is any indication. Sure they can fix that loophole but the methodology of the hack can be reapplied to the software in later revisions most likely. Unless they re-code from scratch which no one does. Still sucks though!

jackofalltrades said,
Wonder if these events are connected

I wonder if they lost the project they are talking about because of the news of the security breach...

or does it have something to do with some kind of deep conspiracy involving the hackers and the other company...

My site was one of those 100,000 :P -- luckily I had backups. In a cheap unmanaged setup like those you have to have some sort of fallback plan.

I will be steering clear from lxlabs' software in the future -- most of the bugs in HyperVM and Kloxo should have been caught with even a small amount of security knowledge.

on the webpage you can see that some of the servers are listed as 'restored', so I guess that's exactly what they're doing...

A few vulnerabilities have actually been fixed, though LxLabs' staff (the owner and his employee) haven't been talking since announcing the vulnerabilities.

I have been with them for two years and this is completely disastrous to my business.

The attacks were actually not zero day vulnerabilities, but rather 17-day vulnerabilities, depending on the definition you use. They knew for more than two weeks without doing a thing. Great company, isn't it?

Laws do exist.. in the US.

However, where the hackers are is probably Turkey. That is where the LxLabs hackers were (about a year ago the LxLabs servers were hacked by Turkish hackers). I should have moved away from their products then but I didn't.

But yes, most countries don't have anti-hacking laws.

There are laws regarding the release of malicious viruses into the wild but how many new viruses come out per day on average? I don't think certain particular laws do much at all.

Unmanaged servers = You manage your own data.

Cloud computing has a few embedded storms, if it's free, engage your weather radar and watch your altitude. You're PIC and the failure is wholly and solely your own. Backups are your responsibility.

Such virtual destruction on a massive scale! >:o

Now the scumbag hackers will claim they did it to 'educate' people on the importance of having a backup... when we all know it was because they are lowlifes who can't get laid and have no social skills, so they attack others from behind the safety of their monitors in an attempt to make themselves feel like they have some goal in life besides just being scumbags.

Popcorned1 said,
Hackers aren't people with no social skills, but quite the opposite and are usually very confident


So they're confident scumbags then? ok.

mrcool.exe said,
no social skills

Some of the most notorious blackhats in this day and age are incredibly resourceful when it comes to social engineering.

Jesus Mary and Joseph. Why oh, oh why??? That is some malicious, juvenile bull****. The f*****s who did this should be hunted down and imprisoned forever.

waldenasta said,
Jesus Mary and Joseph. Why oh, oh why??? That is some malicious, juvenile bull****. The f*****s who did this should be hunted down and imprisoned forever.

the people who purchased web hosting and no backup? I agree completely.

Did they take down this website? http://www.alol.net.br/

It's a free exchange server and it went down just before you posted this article. I really hope they didn't destroy it, cuz having a free Exchange server is the best thing in life, or at least, close to it.

Free Exchange? Humm sounds like someone on the admin side is doing something a little illegal.

I'd be skeptical shoving my email on a shady server, but that's just me...

Unmanaged services rarely have backups, it costs extra. VAServ *do* have backups on some of their managed services, but they cost extra.

Daniel15 said,
Unmanaged services rarely have backups, it costs extra. VAServ *do* have backups on some of their managed services, but they cost extra.

of course they cost extra. it's extra labor and extra materials. why include the price of backups in the price for everyone when everyone does not need backups?

Raa said,
OWCH that's going to hurt!

No backups, in today's age? Geez.
On top of what marshalus said, if I was running my own website I would have made backups MYSELF - never know when you'll need to move all your stuff to another server, when your site will get hacked/broken etc...

It's your own responsibility to make backups if you don't pay the extra fees for them to do it for you.

Most hosting companies (especially cheap/low cost ones) don't backup client data, or if they do it's additional service/fee the clients typically don't pay for. They make it pretty clear in their terms of service.

Granted, they probably don't expect someone to come in and delete all their data either.

Marshalus said,
Most hosting companies (especially cheap/low cost ones) don't backup client data, or if they do it's additional service/fee the clients typically don't pay for. They make it pretty clear in their terms of service.

Granted, they probably don't expect someone to come in and delete all their data either.


That is terrible, I am glad I host all of the websites I run and back them up on a regular occasion.

Yeah, any good system admin is doing backups. It's quite possible the sites that were removed had backups outside of the infrastructure provided by the hosting companies. I'm sure once the host gets their stuff back online the webmasters will be able to do their own restores.

are you implying that services like this should provide backups for free? backup, if done correctly, is labor intensive and expensive.

this is 100% the client's fault. if you work merely off the assumption that RAIDs always work and you don't need off site backup, you are a fool, and got what you deserved.

FSCKVPS is $10 per month for 512 MB RAM, 30 GB space, 600MHz guaranteed. Do you really expect them to have backups at that price point? They're an unmanaged service, which means that people are responsible for their own backups and software installation, they just provide and maintain the hardware itself.

TheDisneyMagic said,
Gasp, that is crazy, how comes there was no backup though?

The irony is, I was using a couple of VPSs with these guys for backups of my server, fortunately, I moved to a somewhat different service a week or two back.