
OVH has been compromised - mrb
https://bitcointalk.org/index.php?topic=186902.msg1936161#msg1936161
======
h2s
This type of shit will keep happening until people stop trying to store money
in relatively insecure consumer-grade hosting environments. The entire bitcoin
economy is built on sand. Look into how much expense real banks go to in order
to secure their systems. Then look at this never-ending parade of surprised
victims who lost their bitcoins just because somebody found a vulnerability in
some hosting company's bespoke password reset form.

~~~
nodata
Well banks generally refund stolen money, so you won't see a lot of noise from
victims... but anyway:

How do you think banks got more secure? Trial and error, incremental progress.
These repeated break-ins should make consumer-grade hosting environments more
secure.

~~~
Tuna-Fish
It's just not that easy. People running these things completely lack the
understanding of just how seriously security needs to be taken. Various sites
handle millions of dollars worth of bitcoin with "patch all flaws" style
security. People need to understand that millions of dollars of easily
disposed of goods _are worth killing people for_.

It won't be long now until we'll hear the first case where some employee of a
third-rate exchange or something will wake up with a barrel of a gun pointed
at him, forcing him to go to work and turn over all the float at his company
or have his family killed. It's been done in the USA, and for much less than
what these exchanges and mining pools routinely manage.

Banks have security against this sort of thing. They manage it by making
actually keeping that money after obtaining it without getting caught really
hard. I have no idea how it can be protected against when it's bitcoin.

~~~
moheeb
" _People need to understand that millions of dollars of easily disposed of
goods are worth killing people for._ "

If this were my site you would be banned.

~~~
Tuna-Fish
Care to explain why?

------
dotmanish
To make it easier for everyone reading the HN Post Title, they're talking
about " _Their Server(s) at OVH_ " being compromised, with no evidence of
"OVH" itself (along with all customer servers) being compromised.

Now you may go ahead and read the post.

~~~
chmike
The author suggests the manager interface may have been used to get access to
the servers. He saw a password reset mail he didn't ask for. So he suspects
that there is a security weakness in the manager. Let's wait for the OVH
manager explanation before calling OVH's security into question.

~~~
moepstar
The strangest thing is that he says the email was untouched, so he concluded
that the attacker somehow must've bypassed the email - if such a thing is
possible...

~~~
X-Istence
On OVH's manager you can add secondary email addresses to a single account. I
for example have three emails linked to my account. Upon logging in all those
email addresses will get an email notifying me, AND upon doing a password
reset all three email accounts will get the password reset link.

At the first compromise which may have been external to OVH's systems the
attacker may have added their email address to the list of valid emails, and
may have received the password reset email at the other email address. This
could explain why the second reset password email was unread...

------
thomasjoulin
OVH founder, Oles, posted on Twitter that OVH has not been compromised
<https://twitter.com/olesovhcom/status/328845993867083776>

~~~
mrb
He just said "no" and "I will post a longer answer to @hosting".

What is "@hosting"?

It sounds like Oles has _just_ been informed of the potential compromise,
despite it happening 6 days ago (Apr 23) and 5 days ago (Apr 24) for
respectively slush's pool and bitcoin-central. He had better have irrefutable proof
that the compromise did not happen at the OVH level. Two highly technical
clients (slush has been running a pool for more than 2 years so he has
countered many attack attempts during this time, his mailbox linked to his OVH
account is secured via OTP, etc) compromised at just the same time, with their
OVH manager password reset with no explanation, and no email?

~~~
ddave
The main communication medium between OVH and its clients is by private
mailing list, so hosting@ matches the list hosting@ml.ovh.net. IMO Oles hasn't
just been informed of the compromise; it is a common practice for OVH to
resolve this kind of problem in private. But as the bad rep is growing he
will soon provide explanations to the mailing list.

------
dcc1
Well OVH do install backdoors on all the servers, it's a surprise how many
people don't know about it, here is how to remove it:

    echo "" > /root/.ssh/authorized_keys2
    rm -rf /usr/local/rtm
    echo "" > /etc/crontab
    killall -9 rtm

more here > <https://news.ycombinator.com/item?id=4839414>

~~~
lucb1e
Regardless of whether the backdoor-building of theirs is documented, someone
obtained unauthorized access to the machines, be it an employee or not. This
means OVH really is compromised, even if they documented the installation of
this backdoor.

~~~
nwh
I'm not entirely sure why they bothered with the root SSH key. If they really
wanted they'd just pop open a serial console on the virtual machine wouldn't
they?

~~~
stereo
At the serial console, you end up with a password prompt. It's also easier to
just ssh over than to go over to the server and connect a serial cable.

~~~
jaxb
a virtual serial cable.

------
dan15
Are they blaming OVH for their own server being poorly configured and/or
insecure?

~~~
hackerboos
I host with OVH and the only way to reset a password is with the email or the
customer number which both send a reset link to the email address.

This isn't OVH's fault.

Also in the forum post...

"I asked OVH support to provide some additional information and restrict
Manager access to my IP range."

This is already available.

------
tedchs
It sounds like the problem here was the OVH account's password was reset
without the account owner's authorization.

Why isn't critical infrastructure for Bitcoin hosted on a first-rate, known,
trusted provider like Amazon AWS, Google App Engine, Rackspace, Terremark,
Joyent, etc.?

~~~
babuskov
Amazon? Trusted? Don't get me started. I got my credit card info and e-mail
addresses stolen from Amazon database twice in the past 5 years.

~~~
FireBeyond
Hmm, I've placed 291 orders on Amazon since 2004, used upwards of 6 cards
there, and not had one compromise. About as anecdotal as your story.

~~~
babuskov
Well, I could write down card numbers, but that would not prove anything, would
it? I had cards used exclusively on amazon.com for 3-4 years. Suddenly, one
day, I got a report from my bank that my card number is among some numbers
stolen in USA and they cancelled it. As I only used it with Amazon, I can only
conclude that it must have leaked from there. Luckily, I did not lose any
money, as the card was blocked by the bank immediately.

E-mail addresses are even better. At first I used an email I rarely used for
anything else for some 4-5 years. The day I completed my first purchase on
Amazon using this e-mail to open an account was the day I got the first spam
message on it. And it kept flooding with more and more messages each day. Once
it reached about 200+ spams a day, I decided to ditch the address and created
a new one for myself and a specific new one on my domain for Amazon
exclusively. It was amazn123894@[mydomain]. Anyway, when I got the first order
using that e-mail, the same story happened. Now, I don't think hackers have
got a hold of the Amazon servers, it's more probable that you have employees
selling the data. Especially since I never heard anything like this happening
to some of my friends in western countries. I guess it's easy to decide that
nobody would care or notice if a guy from eastern Europe gets screwed.

I'd really like to see Amazon's internal rules of data access clearance.

------
aen0
OVH just confirmed they were compromised.

<http://forum.ovh.com/showthread.php?t=88277> (in French).

Nutshell:

- attacker brute forced the unique ID used in the reset URL
- they could do it because the unique ID was not random enough
- they analysed 3 years worth of logs (still ongoing to 10) and concluded that
  only 3 clients (all bitcoin related) were affected.
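
An added example, not OVH's code or anything posted in the thread, showing what a reset link needs so that the ID in the URL cannot be brute forced as described above: a CSPRNG token of 256 bits, stored only as a hash, bound to one account, short-lived, single-use, with failed redemptions counted so guessing shows up in monitoring. The class and constant names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not OVH's code): a password-reset token store that avoids the
# weakness in the thread, a reset ID with too little entropy. Tokens come from
# the OS CSPRNG, are stored only as a hash, are bound to one account, expire
# quickly and can be redeemed once. Failed redemptions are counted so that
# guessing attempts become visible to logging and rate limiting.

TOKEN_BYTES = 32                 # 256 bits of entropy in the URL token
TOKEN_TTL_SECONDS = 15 * 60      # short validity window
FAILURE_ALERT_THRESHOLD = 5      # hypothetical alerting threshold


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now              # injectable clock, so expiry is testable
        self._pending = {}           # sha256(token) -> (account, expiry)
        self.failed_attempts = 0     # feed this to monitoring / throttling

    def issue(self, account):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account, self._now() + TOKEN_TTL_SECONDS)
        return token   # deliver only to the account's verified address(es)

    def redeem(self, account, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # single use, valid or not
        if entry is None:
            self.failed_attempts += 1
            return False
        stored_account, expiry = entry
        expired = self._now() > expiry
        wrong_account = not hmac.compare_digest(stored_account.encode(),
                                                account.encode())
        if expired or wrong_account:
            self.failed_attempts += 1
            return False
        return True

    def guessing_suspected(self):
        return self.failed_attempts >= FAILURE_ALERT_THRESHOLD
```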

------
jobigoud
OVH is one of the biggest hosters in the world, are there any third-party
confirmations of this?

------
gesman
People, keep bitcoins in _your own_, preferably deterministic wallets, such
as Electrum.

Trust other services only for a few minutes when you need to exchange
bitcoins. Once done - transfer everything back to _your own_ wallet.

------
andyhmltn
I had my finger over the buy button with these guys yesterday.

~~~
noir_lord
I tried to get a trial with them, their signup gateway 500'd out every time
and a couple of hours later I got a bunch of emails to say my trial was
ready...meh.

By the time they got back to me on my ticket I'd gone with Hetzner, so far
can't fault them and the price is pretty much the same, extra bonus I signed
up for an i7-2600K/32Gb and got an i7-3770K/32Gb, pretty nifty increase (I
figure they have a mix of 2600s and 3770s so it may be random which you get).

~~~
andyhmltn
I would go with Hetzner, but principle tells me not to. I was with them for
about 3 months. I was talking to an account manager (or w/e the official title
is) and asked them to cancel my account for a short period of time until I
need to launch (and remove the server of course.) They agreed happily.

Then 3 months later, I found out they were still charging me. I forwarded them
the conversation and they just kept responding with canned messages refusing
to acknowledge the wrong on their part. It's a shame because they are by far
the best value :-(

~~~
moepstar
Just in case you don't know: there's a customer-only internal forum at
http://forum.hetzner.de/ for which you can sign up.

There's no guarantee that anyone from their staff will look at your post but
even Martin Hetzner, the founder, frequents the board and occasionally
answers & helps out, so that's another route to get support there.

~~~
andyhmltn
Thanks, I'll use it if I do decide to go back!

------
DanBC
Have I understood this?

> _Today at 3pm UTC I noticed that somebody successfully reset the password
> to OVH manager,_

[...]

> _but at 11pm UTC I realized that there's another successful password reset at
> OVH._

> _This time I realized that the attacker reset the machine with the wallet
> to rescue mode, which means that I lost control of this machine._

The machine gets hacked, but 8 hours later the wallet is still on the same
machine, which gets hacked again?

------
DiabloD3
Duplicate of <https://news.ycombinator.com/item?id=5598775>

------
anologwintermut
I wonder: is there any use in a variant of bitcoin that disallows mining
pools? Obviously we can't prevent users from cooperating, but we might be able
to make it so they have incentives to defect rather than cooperate (i.e. can use
the computed hash solution on their own).

~~~
wmf
If you disallow pools the network might stabilize at a fairly low difficulty
(because mining is too risky if you make nothing for months on end) and then
it would get 51%'ed.

~~~
anologwintermut
If the difficulty of a given block is that high, yes. I was thinking something
more like litecoin: you'd have way more computational power total with a lot of
participants, but each individual amount of work would be small and so the risk
would be low.

~~~
wmf
Fundamentally if there are N blocks mined per month and, say, 10N miners, each
miner will get paid _very_ rarely which will scare them away. The only
advantage of Litecoin is that it mines blocks at a faster rate than Bitcoin.

------
dreamdu5t
Isn't it funny that people who keep a cryptocurrency behind a website don't
use a key pair to sign in.

~~~
pyre
Not everyone that has put money into bitcoin is a cypherpunk.

------
Usu
Oles posted on Twitter that he will send an email about what happened tomorrow
(Apr 30th): <https://twitter.com/olesovhcom/status/328882263913811968>

------
D9u
One of the first things I do on a server is disable root logins, disable
password authentication, install sudo, add my_user to sudoers, and copy my
public key to the server, as well as only allow connections from my IP
address.

~~~
pfg
In this case, the attacker (supposedly) booted the machines into rescue mode
through OVH's control panel. None of the steps you listed would've prevented
that (I'm not saying it won't prevent other attacks.)

------
ilanco
Is anyone else affected by this hack? I have a server at OVH and I haven't
seen any suspicious activity.

------
theahindle
I have 10 servers at OVH and haven't seen anything out of the ordinary.

~~~
SG-
You likely aren't hosting a BTC exchange too; they were likely specifically
targeted.

------
kbar13
> stores /currency/ on consumer service

> doesn't have physical access to servers

> "budget" provider

> hurr durr why are my buttcoins gone??!?!?!?!

People are going to draw parallels between buttcoins and /real/ currency, but
they're not the same. However, they both hold value. Therefore, people with
big buttcoin wallets should value their stash, and get some physical servers
and host it in their own locking cab or somewhere more secure.

