As many as 100,000 websites have been destroyed by hackers targeting server virtualisation software HyperVM, which powers most virtual private server (VPS) hosting companies.Most of the VPS systems hosted by Vaserv, and its sister companies CheapVPS and FSCKVPS were taken offline, with data on some of its servers destroyed without backups, when the hackers exploited a zero-day vulnerability in the LxLabs HyperVM software to gain root access to its servers. The hackers were then able to run commands (such as "rm -rf", Linux parlance for "remove everything, all files and folders, no questions asked,") to destroy both user and system data, preventing the servers from booting, and preventing users from recovering data.
Vaserv has estimated that almost half of the data hosted on their servers has been destroyed by the attack.
The identity of the hackers is unknown, and no hacking groups have claimed the attack. Vaserv stated that "This wasn't someone randomly scanning things. It was a deliberate attack on our infrastructure." It has also stated that, although the hackers had full root access to its systems, all sensitive data such as names, addresses, and credit card details were encrypted.
It is unknown whether any other hosting companies running HyperVM have been attacked. Anybody who uses a server hosted by Vaserv or its sister companies can check the progress of the rescue operation here.
Granted, they probably don't expect someone to come in and delete all their data either.
Granted, they probably don't expect someone to come in and delete all their data either.
That is terrible, I am glad I host all of the websites I run and back them up on a regular occasion.
this is 100% the clients fault. if you work merely off the assumption that RAIDs always work and you don't need off site backup, you are a fool, and got what you deserved.
The irony is, I was using a couple of VPSs with these guys for backups of my server, fortunately, I moved to a somewhat different service a week or two back.
No backups, in today's age? Geez.
No backups, in today's age? Geez.
Its your own responsibility to make backups if you dont pay the extra fees for them to do it for you.
you are cheep or you have no idea what the hell you are doing.
of course they cost extra. its extra labor and extra materials. why include the price of backups in the price for everyone when everyone does not need backups?
It's a free exchange server and it went down just before you posted this article. I really hope they didn't destroy it, cuz having a free Exchange server is the best thing in life, or at least, close to it.
Last edited by andrewbares on 09 Jun 2009 - 00:12
I'd be skeptical shoving my email on a shaddy server, but that's just me...
the people who purchased web hosting and no backup? i agree completely.
Hacking has EVERYTHING to do with it, regardless of the term you use.
So they're confident scumbags then? ok.
Some of the most notorious blackhats in this day and age are incredibly resourceful when it comes to social engineering.
Cloud computing has a few embedded storms, if it's free, engage your weather radar and watch your altitude. You're PIC and the failure is wholly and solely your own. Backups are your responsibility.
Such virtual destruction on a massive scale! >:o
However, where the hackers are is probably Turkey. That is where the LxLabs hackers were (about a year ago the LxLabs servers were hacked by Turkish hackers). I should have moved away from their products then but I didn't.
But yes, most countries don't have anti-hacking laws.
Last edited by andrewbares on 09 Jun 2009 - 00:34
Since it is up at this exact moment, I highly doubt it went down.
I have been with them for two years and this is completely disastrous to my business.
The attacks were actually not zero day vulnerabilities, but rather 17day vulnerabilities, depending on the definition you use. They knew for more than two weeks without doing a thing. Great company, isn't it?
Crazy as heck even!!
I will be steering clear from lxlabs' software in the future -- most of the bugs in HyperVM and Kloxo should have been caught with even a small amount of security knowledge.
... :/
i wonder if they lost the project they are talking about because of the news of the security breach...
or does it have something to do with some kind of deep conspiracy involving the hackers and the other company...
Also if anyone is looking for decent VPS hosting I'd suggest linode[dot]com, they have best VPS system and panel around as far as I know.
;-)
FSCKVPS is a very cheap service ($10 per month for 512 MB RAM, 30 GB space, 600MHz guaranteed), the fact that it's unmanaged and automated is what allows the price to be so cheap. I have a VPS with them, as does one of my friends. His VPS was safe, but mine was deleted in this attack. Luckily, mine was just a backup VPS, used for storing backups and backup DNS. HyperVM (the software with the security hole) is the cheapest enterprise software in the industry ($0.50 per VM per month), which is one of the reasons providers are able to offer VPSes for so cheap.
You're saying you data is safe with us if you muck it up we can put it back to as it was. Which imho can cause all kinds of hassle from customer expectations to when exactly the data was backed up. In a customers mind you will back it all up and put it back to the second that it went astray ... and all for $10 a month. Where-as in the real world no-one will offer that level of management and a) make any money and b) keep everything backed up properly.
Hence you have hosting packages at $1000 p/m and $10 p/m, you pays your money you take your choice the old adage goes :-)
With comments like "Why in the hell would you not have backups?", in fact should reflect on the person WHO owns/manages the website - not the host. And yes WHY the hell did you NOT backup YOUR data!
http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/
Might want to post an update to this article.
But yes, this could have been contributory and tipped the scale.
Unlikely as it is, here's hoping the lowlife hackers responsible get found and prosecuted.
Aiming for a lawsuit always in the end only leaves lawyers as the winners, everyone else has to just pay higher fees to cover the risk of a lawsuit and the PLI that companies need.
Utter fail.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.