
10-26-2008, 11:09 AM
Junior Guru
Join Date: May 2007
Posts: 236

I've been reading that layeredtech's helpdesk or whatever they call their backend has been hacked again just a few days ago and the hackers got the customers' root passwords. This happened about a year ago also with them. How does this keep happening?
I thought about not giving my datacenter my password but then if it goes down they can't do anything. What's the best thing to do?

10-26-2008, 11:28 AM
Community Leader
Join Date: Oct 2002
Location: cognito
Posts: 17,318

Where did you read this? Have a link?

10-26-2008, 11:30 AM
relax, im a professional
Join Date: Dec 2007
Posts: 1,277

If I recall correctly, when we hosted with LT (little under a year ago) they had the same thing happen. I've never heard of giving LT my passwords though they are unmanaged I believe.

10-26-2008, 11:56 AM
Web Hosting Master
Join Date: Feb 2006
Location: New York, NY
Posts: 704

I believe bear is talking about the incident you're referring to right now. You just said, "I've been reading..."

10-26-2008, 12:13 PM
Greece
Join Date: Jan 2004
Location: Greece
Posts: 2,039

Why would someone trust a dedicated company's portal with his dedicated server passwords?
I've used Limestone's portal (managing a server for a customer) for a while and they have the option to provide the root password, keep it in their database, and when you close the ticket the password is automatically deleted from the database.

10-26-2008, 01:12 PM
Junior Guru
Join Date: May 2007
Posts: 236

Here's one I found on Google: http://www.stephanmiller.com/bugs-viruses-backups-and-prevedvsem123cn/ for the one that happened a few days ago on 10/20/2008. The one before that, I think, happened last year in Sep 2007 according to some posts I found.

10-26-2008, 01:15 PM
COLOCATE LIKE A BOSS
Join Date: Feb 2004
Location: Atlanta, GA
Posts: 5,527

Here's one I found on Google: http://www.stephanmiller.com/bugs-viruses-backups-and-prevedvsem123cn/ for the one that happened a few days ago on 10/20/2008. The one before that, I think, happened last year in Sep 2007 according to some posts I found.
That has nothing to do with LT, that's someone's individual server and poor security.

10-26-2008, 01:27 PM
Junior Guru
Join Date: May 2007
Posts: 236

That has nothing to do with LT, that's someone's individual server and poor security.
If you read the post, it says that every server he saw that happen on was at Layered Tech only. Here's another one on Google: http://digg.com/security/Layered_Tech_Hacked_and_Affecting_Major_Sites
Read the whole thing. Here's a quote from that page: "I have contacts that have reported dozens and dozens of servers being affected by this recent exploit--- all at layered tech."

10-26-2008, 02:36 PM
Dear Layered Tech Customer ~
As a result of a routine internal security analysis, a vulnerability was detected which allowed certain communications between the Layered Tech help desk and clients to be vulnerable to interception. While normal help desk communications are not a source of concern, occasionally LT clients submit unencrypted passwords via e-mail or the help desk ticketing system which could result in unauthorized system access by 3rd parties.
As a result, we strongly advise all customers to take proactive measures and change user and system credentials.
Given the overall industry rise in security issues, it is best to err on the side of caution and maintain robust security procedures. Layered Tech also recommends the following security practices:
1) Always change passwords after sharing them via e-mail, or upon receipt of new system login details.
2) Ensure that you have a defined interval for password changes (every 30, 60, or 90 days)
3) Disable/remove non-essential applications, services, and user accounts
4) Set regular maintenance intervals to update core applications and kernels, to address known security issues
5) Change default ports for administration and remote access to non-standard so they are not easily identifiable
We value your business, and will continue working diligently to safeguard against any future vulnerabilities. Please note that SSL is now required to access the LT help desk system. Clients who are unable to gain access to the system should contact our Client Services team.
Should further information become available following our extensive security review and analysis, we will update you.
Thank you,
Received by email on 24 OCT
I am with LT and have had no issues, though direct root access is disabled, ssh is on a different port etc, basic server security stuff.

10-26-2008, 02:43 PM
Community Leader
Join Date: Oct 2002
Location: cognito
Posts: 17,318

I didn't get this email.
But it doesn't state there was a compromise, just that the possibility existed. Still not very comforting, however.

10-26-2008, 02:54 PM
Community Guide
Join Date: Sep 2004
Location: London, UK
Posts: 1,663

a vulnerability was detected which allowed certain communications between the Layered Tech help desk and clients to be vulnerable to interception.
Seems it's pretty clearly explained where the problem was. I think it's always good when providers come clean with these sorts of things. They could just be silent.

10-26-2008, 03:28 PM
WHT Addict
Join Date: Dec 2000
Posts: 124

I didn't see this thread when posted so I had a new topic, if mod could merge, thanks.
There is a law in California that REQUIRES businesses (who have clients in California, and I'm sure all major hosts do) to disclose these incidents.
So don't say that they're being nice or upfront. They have to do this to avoid possible legal consequences.

10-26-2008, 07:18 PM
Web Hosting Guru
Join Date: Sep 2005
Location: EGYPT
Posts: 256

That's a really big problem when a DC like LayeredTech can't protect themselves... who can trust them?

10-26-2008, 07:54 PM
Junior Guru Wannabe
Join Date: Jul 2005
Location: /home
Posts: 79

Here's a good thread I found on this situation:
This was done above any security any individual webhost could provide... Someone logged in as root on my box on the first try (even with a special SSH port enabled and a secure password).
Changing root passwords then or now (as LT suggests in that email) did NOT and ain't gonna do any good... as I hear this intruder has his backdoors set up to email any password changes right to him. He does not need to log in any more.
I had reported this to LT on Oct. 8/9. Their pathetic response was to check MY security and left us all to find our boxes filled with these iframe injections 2-3 weeks later.

10-27-2008, 12:55 AM
Web Hosting Master
Join Date: Oct 2005
Posts: 1,634