Author Topic: Email from A Small Orange re: recent attacks on servers  (Read 2432 times)

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • View Profile
    • https://www.paddyduncan.com
Email from A Small Orange re: recent attacks on servers
« on: July 22, 2009, 08:36:02 PM »
Thought you all might be interested in the email I received regarding the recent attacks on ASO servers and subsequent outages here at TS.
------------------------------------

Dear ASO Customer,

As you may already be aware, we've been the target of several attacks by a
hacker on July 8th and the following week. His attacks have caused service
interruption and data loss for some of you. This email is to describe
those issues, what we've done to fix them, and what we're doing to protect
you.


=== About The Incident ===

This is a post-mortem account of the ASO Hacking Incident and Denial of
Service attacks on our network detailed here:

http://forums.asmallorange.com/index.php?showtopic=12908

On July 8th, shortly before midnight (Eastern Daylight Time), an attacker
took advantage of an employee's PC at home to enter our network. Because
of the nature of the employee's access, the attacker was able to access a
number of servers that host customer websites and email. The attacker then
deleted a number of "home" directories of the customer accounts on those
servers (25 servers in all). According to the logs and tripwires, the
attacker did not install any backdoors onto the servers, did not download
or view any of your data, nor did he obtain access to the servers used for
billing and credit card information. Instead, this was as straightforward
act of vandalism.

There were also reports of website redirects for a short period, where
site visitors may have been directed to a fake error message and/or
download site to download and install. This was addressed fairly quickly,
but those site visitors may need to scan their computers with an
anti-virus scanner to ensure that no malicious software was installed. We
suggest using AVG Free http://free.avg.com/ and MalwareBytes's
Anti-Malware http://www.malwarebytes.org/ if you do not already have an
anti-virus program on your computer.

While we caught the intruder fairly quickly and were able to block any
further attacks on our remaining servers, it took about 18 hours for the
25 compromised servers to be restored from various states of functionality
to nominal condition. For several days after that, the tech support staff
was restoring individual accounts that weren't restored properly. In some
rare cases, the backups we had available had were unusable, and customers
were required to re-upload their websites.

In the following days after the initial attack, the same intruder began a
series of distributed denial of service (DDOS) attacks against our network
disrupt service to our customers. He followed these attacks with threats
and extortion, attempting to get us to pay large sums of money for him to
stop. After some service disruption, we were able to mitigate these
attacks and restore service to customers. He has since attacked at least
two other hosting companies with similar extortion demands and
denial-of-service attacks.

Since then, A Small Orange has been working with FBI officers and experts
in the field of Internet extortion to take action against this criminal.
We have collected a good deal of identifiable data from the attacks.
Combined with the fact that the attacker threatened the FBI in his emails
to us and has attacked other businesses, the FBI is taking a great
interest in this case. We fully expect to bring this individual to justice
and bring a halt to their activities.


=== Lessons Learned ===

While we are confident of the overall security of our servers, we have
learned an important lesson about employee access. We have already added
additional access controls to help ensure that unauthorized individuals
cannot use employee access to compromise our servers. We are also adding
other levels of security to our systems to go above and beyond what is
necessary. Additionally, we are working on network changes that will allow
us to better deal with Denial of Service attacks against our network. We
host the company's sites and our own personal sites on the same hosting
platform as all ASO accounts, so we feel these attacks just as strongly as
you do. And we take any assault on our security very seriously.

Some customers  have expressed concern over our methods of announcements.
While we sent an email notification to customers on July 9th, our primary
method of announcing issues affecting customers has been our forums at
http://forums.asmallorange.com. There was also much Twitter activity
regarding the incident on our account at http://twitter.com/asmallorange.
While there was much work to be done and our staff was working double
shifts to restore services, we realize that communication with customers
is just as important. We're looking to unify our communications across all
channels and to make sure no one is left in the dark about what is going
on.

Many things have changed in the five years A Small Orange has been in
business, and we will continue to find and implement improvements as we
grow. We hope that you continue to grow with us. Thanks again for being
our customer.


--
Tim Dorr - Owner
BJ Strange - VP of Hosting Operations
Andrew Boring - Director of Customer Relations
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline sandbox

  • TS Addict
  • *****
  • Posts: 7825
    • View Profile
    • http://
Email from A Small Orange re: recent attacks on servers
« Reply #1 on: July 22, 2009, 11:04:06 PM »
I've received the notice as well. I sympathize with them but there are inaccuracies in that email with my accounts and others.

In my view this attack has not only woke them up to provide better security but exposed their sloppy server management.

Many have lost much as blogs around the web will attest and it may have been caused by a perpetrator but some of the damage done was their own doing. The FBI will do what they do to find the criminal, now who do you call to discipline sloppy hosts?

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Email from A Small Orange re: recent attacks on servers
« Reply #2 on: July 23, 2009, 12:50:11 PM »
Why ghostbusters, of course! smile.gif
« Last Edit: July 23, 2009, 12:51:31 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline LR827

  • TS Addict
  • *****
  • Posts: 1840
  • Let's take care of each other
    • View Profile
    • http://www.deardrroth.com/
Email from A Small Orange re: recent attacks on servers
« Reply #3 on: July 24, 2009, 12:46:46 PM »
QUOTE(Xairbusdriver @ Jul 23 2009, 12:50 PM) <{POST_SNAPBACK}>
Why ghostbusters, of course! smile.gif



 Groaner.gif


But seriously...

I was wondering about the security issue. If you can't count on a hosting company to know security, who can you count on? The Director of the VA has joked (but it is serious) that he is "one stolen laptop away from the unemployment line," meaning that he would be held responsible if data were missing from a laptop taken home. And he only knows as much about internet security as I do (which is to say, zero). But how can a hosting company let this happen? It is scary, b/c we like to think the experts are expert.

Offline Mayo

  • TS Addict
  • *****
  • Posts: 3215
    • View Profile
    • http://
Email from A Small Orange re: recent attacks on servers
« Reply #4 on: July 24, 2009, 04:37:30 PM »
I am sympathetic but that explanation does nothing to change my mind about A Small Orange.

I'm just thankful that it happened right before I setup two Web sites on their servers...  whew.gif