Results 1 to 9 of 9
  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    17,329

    BreachAlarm: OvH (forum)

    Hacker   Source        Published    Users
    Anon     kimsufi.com   2017-02-15   680,194


    https://breachalarm.com/all-sources

  2. #2
    OVH response:

    Thanks for the report. There has been a leak of the
    forums database mid-2015, and it appears that breachalarm
    just learnt about it, from our understanding.

    And the English translation is here:
    https://forum.ovh.co.uk/showthread.p...-of-OVH-forums

    The forums are completely separated from the OVH or Kimsufi
    customer accounts.
    https://www.reddit.com/r/webhosting/...kimsufi_hacked

  3. #3

    The security of OVH forums

    17-06-2015

    Hello,

    We've just migrated all OVH forums to shared hosting platform with SSL certificates in place. Now all connections to the forum have to go via an encrypted layer.

    The way the forum is used will not change: it's open to all, i.e. to anyone who is passionate about IT, whether an OVH customer or not.

    Why this change?

    It's now obligatory to have the SSL layer on the web and we were a little late implementing it on our forums. The forum is not actually connected to our internal information system and was therefore not subject to the same security policy as OVH itself.

    Last week, we received an alert from a forum user regarding a potential security vulnerability on the OVH UK forum. Our analysis showed that a backdoor had been installed on the UK forum, enabling the hacker to retrieve the logins and passwords of all users who log in to forums outside France. But we believe that there's a strong possibility that the hacker's activity extends to all forums, including the French ones. The hacker was therefore able to retrieve the username and password.

    This is why we've migrated the forums to the shared hosting platform, which blocks this kind of hack. Also, to erase any doubts, we've reset the passwords of users of all our forums (apart from hubiC and OVH Canada, which aren't hosted on this infrastructure).

    In compliance with the law, we've notified CNIL [French commission for information technology and civil liberties] of the incident.

    We're really sorry that we didn't secure our forums earlier. For OVH, security is paramount and we need to implement the same standards across the board, including non-critical components.

    Best,
    Octave

    https://forum.ovh.co.uk/showthread.p...-of-OVH-forums

  4. #4
    Wasn't (isn't) this forum the only way to request support for some server lines and products?

    And for OVH to point to the post above, as an old and resolved matter, is a mockery.

    BreachAlarm reported 680 thousand accounts.
    Last edited by 5ms; 18-02-2017 at 08:42.

  5. #5


    The numbers don't match:


    • Breach: OVH
    • Date of breach: 1 May 2015
    • Number of accounts: 452,899
    • Compromised data: Email addresses, IP addresses, Passwords, Usernames
    • Description: In mid-2015, the forum for the hosting provider known as OVH suffered a data breach. The vBulletin forum contained over half a million accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.



    https://haveibeenpwned.com/PwnedWebsites#OVH

  6. #6

    This goes back to February 17 ... On that date, the hacker was able to connect to

    Good evening,

    On Monday 20 February, the SOC team received alerts reporting connection attempts against our internal systems from the old server that hosted the former OVH forum. That server was isolated and taken out of production in April 2015 following the hacking of the forum. Normally it should have been shut down since then, but it stayed powered on. We analysed it and found traces of malicious activity. A hacker had connected to this server and was able to access, once again, the old forum user database that had been compromised in 2015 (an incident we had notified to forum members as well as to the CNIL: https://forum.ovh.com/showthread.php...vh-com-A-LIRE-!!!).

    How was the hacker able to access the old forum server? It goes back to 17 February, 3 days before the alerts. On that date the hacker managed to connect to the server using access from an old edge server (b10) that had not been in production for 2-3 years. The b10 server had been taken out of production and all sensitive material had been wiped. Indeed, 2-3 years ago, following a migration and a redesign of our internal bastions, b10 was retired and so it should have been switched off.

    We have spent the last 72 hours analysing the logs to understand what the hacker did and could have done. The hacker gained access to b10 3 weeks ago. He made many connection attempts from b10, without success. After 3 weeks, he managed to gain access to the old forum server. We think he probably cracked a password on b10 (accidentally left in /etc/shadow) and that the same password worked on the old forum server. We have not used passwords for several years, but clearly these 2 old servers were not properly cleaned up.

    As things stand, we see no access by the hacker outside these 2 old servers. No access to sensitive data was found. No internal database has leaked. You do not need to change the passwords you use at OVH, and of course there is no need to reinstall your services. No bastion was compromised. No private key was stolen.

    To be completely sure, we are continuing the analysis of the whole internal perimeter. Even though the hacker could not gain access to sensitive data, we take this incident very seriously. As a precaution, we are going back over all internal infrastructure and taking the opportunity to switch off the servers that should have been switched off and to thoroughly square away any systems that have not yet been. These are operations that should have been done a year ago. It was indeed negligence on our part, and we should have switched off these 2 servers long ago.

    Security is an essential part of our business. It is the basis of the trust you place in us. When we fall short of the expected level, even for an event that does not impact you directly, we owe you the fullest transparency. Hence this "travaux" (maintenance) task.

    Regards,
    Octave

    http://travaux.ovh.net/?do=details&id=23300
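The first paragraph of Octave's post is a detection story: the SOC alerted on connection attempts against internal systems coming from a server that had been retired in April 2015 but never powered off. The script below is an added example, not OVH's code, of that check run over sshd-style auth log lines with an inventory of decommissioned hosts. The inventory, the host names ("b10", "forum-old"), the addresses and the log lines are all constructed; it also flags successful password logins on an estate that is supposed to be key-only, which is the second condition Octave's post implies.

```python
"""Flag SSH activity that comes from hosts that should no longer be powered on.

Added example, not OVH's code. It models the alert Octave describes: the SOC
saw connection attempts against internal systems from a forum server retired
in April 2015 that was never shut down. The inventory of decommissioned hosts
and the sshd log lines below are constructed; names such as "b10" and
"forum-old" and all addresses are placeholders.
"""
import re
from datetime import date
from typing import Dict, List, NamedTuple, Tuple

# Constructed inventory: source address -> (host name, date it was retired).
DECOMMISSIONED: Dict[str, Tuple[str, date]] = {
    "10.20.0.10": ("b10", date(2014, 6, 1)),
    "10.30.5.44": ("forum-old", date(2015, 4, 1)),
}

# Constructed sshd lines in syslog format; key fingerprints are placeholders.
SAMPLE_LOG = """\
Feb 20 22:01:13 bastion2 sshd[2211]: Failed password for root from 10.30.5.44 port 50122 ssh2
Feb 20 22:01:20 bastion2 sshd[2214]: Failed password for invalid user admin from 10.30.5.44 port 50130 ssh2
Feb 20 22:03:02 bastion2 sshd[2230]: Accepted publickey for oles from 10.1.1.7 port 41022 ssh2: ED25519 SHA256:AAAA
Feb 20 22:05:41 db1 sshd[917]: Accepted password for backup from 10.30.5.44 port 50211 ssh2
Feb 20 22:06:00 db1 sshd[918]: Accepted publickey for deploy from 10.1.1.9 port 41100 ssh2: ED25519 SHA256:BBBB
Feb 20 22:07:10 db1 sshd[920]: Accepted password for backup from 10.1.1.30 port 41200 ssh2
"""

# Matches OpenSSH "Accepted"/"Failed" auth lines; "invalid user" is optional.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<target>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


class Alert(NamedTuple):
    ts: str
    target: str
    user: str
    src: str
    result: str
    method: str
    reason: str


def scan_auth_log(text: str, decommissioned: Dict[str, Tuple[str, date]],
                  key_only: bool = True) -> List[Alert]:
    """One Alert per line that (a) comes from a decommissioned host, whether the
    attempt failed or succeeded, or (b) is a successful password login on an
    estate that is supposed to be key-only (key_only=True)."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an auth decision line (disconnects, pam messages, ...)
        src = m["src"]
        if src in decommissioned:
            name, since = decommissioned[src]
            reason = (f"source {name} was decommissioned on {since.isoformat()}; "
                      f"any traffic from it is suspect")
        elif key_only and m["result"] == "Accepted" and m["method"] == "password":
            reason = "password login succeeded on a host meant to be key-only"
        else:
            continue
        alerts.append(Alert(m["ts"], m["target"], m["user"], src,
                            m["result"], m["method"], reason))
    return alerts


if __name__ == "__main__":
    for a in scan_auth_log(SAMPLE_LOG, DECOMMISSIONED):
        print(f"{a.ts} {a.target}: {a.result} {a.method} for {a.user} "
              f"from {a.src} -> {a.reason}")
```

Failed attempts from a retired host are alerted on deliberately: in Octave's account the attacker spent three weeks failing from b10 before one password worked, so the failures were the early signal. The same rule only works if the decommissioning inventory is maintained, which is the gap the post admits to.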
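The root cause Octave gives is a password hash "accidentally left in /etc/shadow" on a host that was supposed to be key-only and retired, reused on a second host. The audit below is an added example, not OVH's code, of the check a practitioner would run across such an estate: parse /etc/shadow and report every account that still accepts a password, distinguishing empty fields (no password at all), usable hashes, locked accounts that still retain a crackable hash, and the crypt scheme in use. The sample shadow content is constructed and the hash strings are placeholders, not real hashes.

```python
"""Flag accounts in /etc/shadow that still accept a password.

Added example, not OVH's code. It checks for the condition Octave describes
(a password hash left in /etc/shadow on a host meant to be key-only and
retired). The sample shadow content below is constructed; the hash strings
are placeholders and do not belong to any real system.
"""
import re
from typing import List, NamedTuple

# Constructed sample of /etc/shadow; hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$Vq2Lm8Zr$PLACEHOLDERhashNotRealXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:17000:0:99999:7:::
daemon:*:16000:0:99999:7:::
ops:!:16500:0:99999:7:::
legacy:$1$Xq5mLb9Z$FTqIuRqy1fQo7V1mf4Nf30:15800:0:99999:7:::
backup:!!:16000:0:99999:7:::
olduser:!$6$k3Rt9Wq1$PLACEHOLDERtooXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:16000:0:99999:7:::
deploy::16900:0:99999:7:::
"""

# Values meaning "no usable password" on common Linux/Unix systems.
LOCKED_VALUES = {"*", "!", "!!", "*LK*", "*NP*"}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


class Finding(NamedTuple):
    user: str
    severity: str  # "critical" | "high" | "medium"
    reason: str


def describe_hash(field: str) -> str:
    """Name the crypt scheme of a shadow password field (scheme, not password strength)."""
    if field.startswith("$1$"):
        return "MD5-crypt (fast to brute-force)"
    if field.startswith(("$5$", "$6$")):
        return "SHA-crypt"
    if field.startswith(("$y$", "$7$")):
        return "yescrypt/scrypt"
    if field.startswith("$2"):
        return "bcrypt"
    if DES_CRYPT.match(field):
        return "legacy DES crypt (8-character password limit)"
    return "unknown scheme"


def audit_shadow(text: str) -> List[Finding]:
    """Return a Finding for every account that is not simply locked."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(user, "critical",
                "empty password field: login without a password if PAM allows nullok"))
        elif pw in LOCKED_VALUES:
            continue  # locked, nothing to crack
        elif pw.startswith("!"):
            # passwd -l style lock: login blocked, but the hash is still on disk
            findings.append(Finding(user, "medium",
                f"locked but hash retained ({describe_hash(pw[1:])}); "
                f"crackable offline if the file leaks"))
        else:
            findings.append(Finding(user, "high",
                f"password login possible: {describe_hash(pw)}"))
    return findings


def accounts_with_usable_password(text: str) -> List[str]:
    """Accounts that can be logged into with a password right now."""
    return sorted(f.user for f in audit_shadow(text) if f.severity in ("critical", "high"))


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for f in audit_shadow(source):
        print(f"{f.severity:8} {f.user:12} {f.reason}")
```

On a host that is supposed to be key-only, every "high" or "critical" line is a defect regardless of the scheme; the "medium" lines matter because the post's attacker worked offline from a recovered hash, and a locked account still hands out that hash if the file is read. Running this across the fleet, including hosts believed to be retired, is the cheap version of the clean-up Octave says should have happened a year earlier.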

  7. #7
    Octave Klaba / Oles @olesovhcom Feb 20

    Software Engineer, fraud detection (M/F) - #OVH Careers https://www.ovh.com/fr/careers/ing_s...-de-fraude-h-f


  8. #8

    Ovh & Kimsufi leaked database: 969 084 accounts

    Feb 23rd, 2017

    Here is the link to this hacked database:
    http://goo.gl/QjFrP2

    This leak includes the emails and passwords for 969 084 ACCOUNTS OVH KIMSUFI Users Accounts.
    Just open up the database in your favorite text editor and Ctrl + F for the email you want to hack.

    Proof of content, first 100 lines of accounts:
    Format is user:email:ip: password (password is VBulletin hashed)

    ...

    Yes, this means that for $30 you can hack ANY OVH & KIMSUFI user, and if they use the same password on other sites you can hack into there too. Their iCloud with all their personal photos, their email accounts, facebook and instagram and their profile on other web hosting sites like hostgator, medhahosting, godaddy and much more are all vulnerable to being hacked once you have this database.

    Enjoy and please help keep this leak private by not sharing it after you've purchased.
    http://pastebin.com/4hdLMeHh

    Scam or truth?

    According to Octave (see above), the hacker had access for 3 weeks before OVH noticed. He claims the access came via a server that should have been switched off, where a password was obtained that allowed access to another server, which used the same password and also should have been switched off years ago, and which contained the data stolen in 2015.
    Last edited by 5ms; 23-02-2017 at 07:42.
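The Have I Been Pwned entry in post #5 says the forum stored passwords as salted MD5 hashes, and the seller's pitch above describes the column as "VBulletin hashed". The block below is an added example, not code from the page, from OVH or from the dump's seller, showing why that hashing gives little protection to anyone who reused the password. It assumes the vBulletin 3.x/4.x scheme, md5(md5(password) + salt) with a per-user salt (the page names neither the version nor the construction), and since the quoted user:email:ip:password format carries no salt column, the constructed records add one as a fifth field. Every user, address, password and wordlist entry is made up.

```python
"""Why a "vBulletin hashed" dump still exposes reused passwords.

Added example; not code from the page, from OVH or from the dump's seller.
vBulletin 3.x/4.x stored passwords as md5(md5(password) + salt) with a
per-user salt (assumption: the page only says "vBulletin" and "salted MD5").
The seller's quoted line format has no salt column, so the records below carry
one as a fifth field. Every user, address, password and wordlist entry here
is constructed.
"""
import hashlib
from typing import Dict, List


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """vBulletin 3/4 password hash: md5(md5(password) + salt) (assumed scheme)."""
    return md5_hex(md5_hex(password) + salt)


def make_record(user: str, email: str, ip: str, password: str, salt: str) -> str:
    """Constructed dump line: the quoted user:email:ip:hash format plus a salt field."""
    return ":".join([user, email, ip, vb_hash(password, salt), salt])


# Constructed sample dump (no real accounts).
SAMPLE_DUMP: List[str] = [
    make_record("alice", "alice@example.com", "203.0.113.5", "hunter2", "aB3"),
    make_record("bob", "bob@example.net", "198.51.100.7", "correct horse battery staple", "x9Q"),
    make_record("carol", "carol@example.org", "192.0.2.9", "ovh2015", "Zp1"),
]

# Constructed wordlist; a real attack uses leaked-password lists of millions of entries.
WORDLIST: List[str] = ["password", "123456", "qwerty", "hunter2", "ovh2015", "kimsufi"]


def parse_record(line: str) -> Dict[str, str]:
    user, email, ip, digest, salt = line.split(":")
    return {"user": user, "email": email, "ip": ip, "hash": digest, "salt": salt}


def crack(lines: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack against the dump.

    md5(word) is computed once per word and reused for every record, so each
    record costs one extra MD5 per candidate: the salt defeats a shared
    rainbow table but does nothing to slow down guessing.
    """
    inner = {word: md5_hex(word) for word in wordlist}
    recovered: Dict[str, str] = {}
    for line in lines:
        rec = parse_record(line)
        for word, inner_hex in inner.items():
            if md5_hex(inner_hex + rec["salt"]) == rec["hash"]:
                recovered[rec["user"]] = word
                break
    return recovered


if __name__ == "__main__":
    for user, password in crack(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {password}")
```

Two of the three constructed accounts fall to a six-word list; the third survives only because its passphrase is not in the list, not because of the hashing. That is the password-reuse risk the last post in the thread is weighing, and it is why "we reset the forum passwords" says nothing about the same password used elsewhere.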

  9. #9
    Whether or not new data was obtained, and Octave assures that there is no need to change passwords (and he could not act otherwise without weakening the narrative he posted), the new intrusion opens the door to all kinds of speculation and mischief, including from competitors. The alleged three weeks of free access (in February 2017) are not 3 hours. OVH being OVH, changing the password does no harm, not least because they cancel (and without refunding advance payments) compromised dedicated servers/VPS.
