

GoGrid-hosted server hacked between provisioning and first login - jjwiseman
https://plus.google.com/101835000681552189605/posts/RvRnS5xSQJ6

======
grahammather
Below is the post I left on the thread in the link. This exact situation
happened to me too. Root cause was the person who installed my OS set the root
password to "g0grid". Bulletproof.

----------------------

This exact same thing happened to me! I have a crappy little single box with
them and I have been reasonably happy with their service (I was originally
with servepath before they got bought by GoGrid). I requested a 64-bit
upgrade, which they did promptly. I was contacted by customer service to tell
me the upgrade was complete and to tell me how to log in, but I had already
gone to bed. The customer service rep left a VM message saying "check your
customer portal account for instructions on how to log in." The next morning
before I leave for work, I'm just about to log in to my fresh box when I get a
call from GoGrid saying my server has been compromised, offering to let me pay
for a fresh install, or I can lock it down myself immediately. I'm no security
expert, but I damn well wasn't going to pay for a reinstall on a box I never
logged in to. I finally managed to get them to do the reinstall for free
because they had to admit the password that the customer service rep had
picked after the reinstall wasn't so hot: "g0grid". Nice job, guys.

~~~
valentin
I hope they don't provision their servers with the same default root password;
it would be trivial to compromise.

------
dotBen
Back in April GoGrid had their entire customer database - including credit
cards - hacked (<http://blog.liox.eu/2011/04/20/security-breach-at-gogrid/>).
It was a pretty serious breach.

I'm not sure if this person's hack is related (e.g. an attacker has his portal
password/api key/etc) or if it is indicative of vulnerabilities in GoGrid's
system.

------
jjwiseman
From Lore Sjöberg:

 _My former server host, GoGrid, tells me (via my business partner) that it's
my fault my server was hacked fifteen hours after they installed it, because I
didn't log into it before it was hacked._

 _To paraphrase freely, GoGrid is admitting that their security is so shitty
that I should have known not to trust them to install a safe server. I should
have been so suspicious of their policies and practices that I should have
rushed to log into the server to lock it down as soon as they made it live,
knowing that their default setup is such a screen door that hacking within a
matter of hours was inevitable._

 _And, because of this, GoGrid is not refunding a cent of my year of pre-paid
money._

------
mborromeo
With a little effort they could use ssh keys instead of passwords...

They should ask users to provide their ssh public keys, and use them to give
access to a newly provisioned server, locking down password-based ssh logins.
That's what other players (like AWS) do.

This is basic basic basic security stuff.

~~~
adamtulinius
For a start they could just use a proper random root password, instead of a
default one, and maybe only allow ssh access from the same netblock the
install was ordered from.

However, one thing I don't get: Why is it that people don't log in immediately
after it is ready? On Linode it only takes a few minutes to (re)install a VM,
but GoGrid might be slower of course.
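The two suggestions above (mborromeo's key-only SSH, adamtulinius's random root password and netblock restriction) fit in one first-boot script. This is an added example written for this thread, not GoGrid's or any provider's provisioning code. It assumes OpenSSH 8.2 or later (which reads `sshd_config.d/*.conf` drop-ins), that the provisioning system passes in the customer's public key and the netblock the order came from, and that `AllowUsers root@CIDR` is used to restrict where root may connect from; the key and netblock in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not GoGrid's provisioning code: harden a freshly installed
# box before it is handed to the customer. Assumes OpenSSH 8.2+ (drop-in
# directory), a customer-supplied public key and order netblock passed in as
# arguments. When run as root against the real /etc/ssh it also sets the
# password and reloads sshd; against any other directory it only writes files.
set -eu

# 24-character random root password from kernel randomness, replacing a fixed
# default. Printed once so the provisioning system can store it in the customer
# portal; it is never put in an email.
gen_root_password() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# Install the customer's public key for root with the permissions sshd requires.
install_customer_key() {
    home_dir=$1; pubkey=$2
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    printf '%s\n' "$pubkey" > "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Drop-in that turns off every password path, lets root in only with a key,
# and only from the netblock the order was placed from (AllowUsers accepts
# USER@CIDR patterns).
write_sshd_dropin() {
    ssh_dir=$1; netblock=$2
    mkdir -p "$ssh_dir/sshd_config.d"
    cat > "$ssh_dir/sshd_config.d/10-provisioning.conf" <<EOF
# Written at provisioning time. Passwords are never accepted over SSH.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
AllowUsers root@$netblock
EOF
}

# Sanity check for a drop-in: returns 0 only when password logins are off,
# root needs a key, and the AllowUsers rule is not wide open (root@*).
dropin_is_hardened() {
    f=$1
    grep -q '^PasswordAuthentication no$' "$f" &&
    grep -q '^PermitRootLogin prohibit-password$' "$f" &&
    grep -q '^AllowUsers ' "$f" &&
    ! grep -q '^AllowUsers root@\*' "$f"
}

# Whole first-boot step. Prints the generated root password on stdout for the
# provisioning system to record in the portal.
provision() {
    ssh_dir=$1; home_dir=$2; pubkey=$3; netblock=$4
    pw=$(gen_root_password)
    install_customer_key "$home_dir" "$pubkey"
    write_sshd_dropin "$ssh_dir" "$netblock"
    dropin_is_hardened "$ssh_dir/sshd_config.d/10-provisioning.conf"
    # Only on a real host: set the password and reload sshd so the drop-in is
    # live before the customer is told the box is ready.
    if [ "$ssh_dir" = /etc/ssh ] && [ "$(id -u)" -eq 0 ]; then
        printf 'root:%s\n' "$pw" | chpasswd
        service ssh reload 2>/dev/null || systemctl reload sshd
    fi
    printf '%s\n' "$pw"
}

# Usage (key and netblock are constructed placeholders):
#   provision.sh /etc/ssh /root "ssh-ed25519 AAAA...constructed customer" 192.0.2.0/24
if [ "$#" -eq 4 ]; then
    provision "$1" "$2" "$3" "$4"
fi
```

The order matters: the key is installed and the drop-in written before the password is set and sshd reloaded, so there is no window in which the daemon is live with password logins from anywhere. The customer widens `AllowUsers` later from their own session if they need access from elsewhere.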

~~~
sanswork
I have used GoGrid for a while. And though I was originally very critical of
them (check my blog), I haven't had too many problems lately. For both dedicated
servers and cloud servers I've always had a random root password generated.
Not sure how this person ended up with one that was g0gr1d.

As for your question, by the sounds of it he ordered a dedicated server not a
cloud one. Those usually take them the better part of a day to setup.

------
shapeshed
If you know the ip range assigned to a host it would be easy to write a script
that listened for new IPs coming up and to perform a dictionary attack on
those IPs. Security around provisioning new servers is often ugly with plain
text passwords sent in the clear and iptables disabled. Shared keys and
disabling plain text passwords in OpenSSH is an obvious solution but for non-
technical customers this can be a huge support overhead. Does anyone solve
this pattern elegantly?

I do see some responsibility on a customer securing a box as soon as it is
provisioned though, unless it is a managed service.
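The pattern shapeshed describes, a script hammering a newly live IP with a dictionary of passwords, leaves an unmistakable trace in sshd's own log, and a provider or customer can check for it before (or instead of) waiting for the "you've been compromised" phone call. The script below is an added example for this thread, not code from the original post. It assumes standard OpenSSH syslog lines (`Failed password for ... from A.B.C.D port N` and `Accepted password for ...`), which most distributions write to `/var/log/auth.log` or `/var/log/secure`; the log lines it ships with are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: report source addresses that ran a
# password-guessing burst against sshd, and whether any of them eventually got
# in with a password. Assumes standard OpenSSH syslog line formats; the sample
# log written by write_sample_log is constructed for this example.
set -eu

# Count "Failed password" lines per source address in log file $1 and print
# every address with at least $2 failures, noting whether a password login from
# that address later succeeded. One line per offender, sorted by address:
#   IP failures=N succeeded=yes|no
report_password_attacks() {
    logfile=$1; threshold=$2
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i+1)] = 1
        }
        END {
            for (ip in fail) if (fail[ip] >= min)
                printf "%s failures=%d succeeded=%s\n", ip, fail[ip],
                       (ip in ok) ? "yes" : "no"
        }' "$logfile" | sort
}

# Constructed sample: one address guesses six times and then gets in with a
# password, a second one gives up after two tries, and the customer's real
# key-based login from their own netblock is not flagged.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul 14 03:12:01 box sshd[1234]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jul 14 03:12:02 box sshd[1236]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jul 14 03:12:02 box sshd[1238]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Jul 14 03:12:03 box sshd[1240]: Failed password for root from 198.51.100.7 port 51025 ssh2
Jul 14 03:12:03 box sshd[1242]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jul 14 03:12:04 box sshd[1244]: Failed password for root from 198.51.100.7 port 51027 ssh2
Jul 14 03:12:05 box sshd[1246]: Accepted password for root from 198.51.100.7 port 51028 ssh2
Jul 14 03:13:10 box sshd[1260]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jul 14 03:13:11 box sshd[1262]: Failed password for root from 203.0.113.9 port 60002 ssh2
Jul 14 03:15:44 box sshd[1301]: Accepted publickey for root from 192.0.2.10 port 40112 ssh2: ED25519 SHA256:constructed
EOF
}

# Stand-alone run: build the sample log and report bursts of five or more.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    write_sample_log "$sample"
    report_password_attacks "$sample" 5
    rm -f "$sample"
fi
```

A `succeeded=yes` line is the signal that matters: a burst of failures followed by an accepted password login from the same address is exactly what a guessed default password looks like, and on a box nobody has legitimately logged in to yet it is grounds for reimaging rather than investigation. Pointing the function at the real log (`report_password_attacks /var/log/auth.log 5`) works the same way.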

------
devinfoley
I'm guessing that GoGrid provisioned the server, then sent him an email with
his password. After first login, he would have been prompted to change his
password, but somebody got to his email before he logged in...

~~~
timf
They respond: "Passwords are never emailed. They are available via the portal
if needed." - <https://twitter.com/#!/GoGrid/status/91345641728512000>

------
TheOnly92
Just wondering, can't you just format the server again? Or doesn't GoGrid
provide that option at all? Since it's a brand new server, I guess there's no
problem in formatting and installing it again.

~~~
dangrossman
That's what I was thinking. When you rent a server you're renting hardware and
a connection. If you screw up the software side (like getting hacked) you can
always wipe the drive and reinstall. Why would you want to cancel a year-long
contract because you're set back an hour to reimage?

~~~
jjwiseman
Because the company may have demonstrated both a carelessness about security
and poor customer service on day 1?

------
ck2
Considering similar reports, maybe their default templates are already cracked
with injected code.

So every time they create a new container, it's got a backdoor.

------
ianhawes
Frankly, I don't buy this at all. It is very difficult in 2011 to provision a
server that is really vulnerable by default.

I suspect that the person who posted this was in some other way compromised,
and is blaming it on GoGrid.

~~~
jjwiseman
I don't know what happened in this case, but it doesn't seem very difficult:

1. Configure server to use password authentication and allow logins from
anywhere.

2. Send password to user via unencrypted email.

There's a reason that people are uncomfortable receiving passwords via email.

~~~
sanswork
1. Is true of GoGrid. 2. They don't; you get the initial passwords from their
admin panel.

