Dear community,
First of all, I'd like to apologize for not communicating with you earlier. I was in London for 4 days doing some paperwork for the company when this incident happened.
Last Friday around 3 AM GMT, there was an intrusion in our system, specifically on the administration panel. The criminal first accessed the WoM webserver through the KVM console and deleted the database straight away. Thereafter, he started deleting our customers' VMs. At this moment, we shut down all of our servers to prevent further damage. Between 25 and 50% of the VMs had been deleted by then.
We were able to find out that the machine they used to break in was not one of our servers, but the laptop of one of our staff, which was infected by a FUD RAT (Fully Undetectable Remote Access Tool). This was used to get the administration panel URL and password.
Now, I guess you have some questions, which I will try to answer here:
1. Is my data lost?
99% not, but recovering it is not an easy task, due to the large size of the node disks. We are using disk recovery tools but if this is not effective we will hire an external specialized firm for this purpose. Recovering the data is our first priority.
2. Who did it?
We do have clear evidence, but it will not be published until we contact our lawyer for advice about how to handle it.
3. Why is the WoM server up? Wasn't it hosted there as well?
Weeks ago, we noticed that due to the growth of the server, the disk was delaying I/O on the node (WoM was using more hard disk than all the other VMs together). Therefore we decided to move it to a dedicated server so we could make better use of the node. The hacker deleted the database through the website VPS (which is still under Eterhost), but there was a backup.
4. Has my data been stolen?
Most likely, not. The interest of the hacker was purely destroying things.
5. How long will it take for the VMs to go back up?
We are working on it all day, but we can't give an exact date. As I was in London at that time and without a PC, it was not easy to organize the team for this. At the moment, both the Eterhost and WoM teams are fully dedicated to this task.
6. Is there any compensation for this downtime?
As per our policy, you will get your monthly payment back as compensation. However, it's not possible yet to refund you because the Eterhost site itself (and your customer details) is on one of the nodes. Disk recovery requires that the nodes are not used at all. Due to the unusually long downtime, we will try to give other compensation to the best of our possibilities.
7. Could this have been prevented?
Yes, but it would cost money, and Eterhost was designed as a low cost solution and therefore does not make a lot of profit that can be used to expand the technology or services. However, from now on, we will use WoM's earnings to secure Eterhost better, even if that means that the company is making losses for a certain time.
8. You suck! I won't ever use Eterhost again!
We understand your frustration very well and accept our responsibility for the incident. But don't forget that these things don't happen if there isn't a criminal behind them, and someone paying him to commit his crimes. Taking out anger on the victim instead of the attacker is just wrong.