Thought you all might be interested in the email I received regarding the recent attacks on ASO servers and subsequent outages here at TS.
------------------------------------
Dear ASO Customer,
As you may already be aware, we've been the target of several attacks by a
hacker on July 8th and the following week. His attacks have caused service
interruption and data loss for some of you. This email is to describe
those issues, what we've done to fix them, and what we're doing to protect
you.
=== About The Incident ===
This is a post-mortem account of the ASO Hacking Incident and Denial of
Service attacks on our network detailed here:
http://forums.asmallorange.com/index.php?showtopic=12908
On July 8th, shortly before midnight (Eastern Daylight Time), an attacker
took advantage of an employee's PC at home to enter our network. Because
of the nature of the employee's access, the attacker was able to access a
number of servers that host customer websites and email. The attacker then
deleted a number of "home" directories of the customer accounts on those
servers (25 servers in all). According to the logs and tripwires, the
attacker did not install any backdoors onto the servers, did not download
or view any of your data, nor did he obtain access to the servers used for
billing and credit card information. Instead, this was a straightforward
act of vandalism.
There were also reports of website redirects for a short period, where
site visitors may have been directed to a fake error message and/or
download site to download and install. This was addressed fairly quickly,
but those site visitors may need to scan their computers with an
anti-virus scanner to ensure that no malicious software was installed. We
suggest using AVG Free (http://free.avg.com/) and MalwareBytes's
Anti-Malware (http://www.malwarebytes.org/) if you do not already have an
anti-virus program on your computer.
While we caught the intruder fairly quickly and were able to block any
further attacks on our remaining servers, it took about 18 hours for the
25 compromised servers to be restored from various states of functionality
to nominal condition. For several days after that, the tech support staff
was restoring individual accounts that weren't restored properly. In some
rare cases, the backups we had available were unusable, and customers
were required to re-upload their websites.
In the following days after the initial attack, the same intruder began a
series of distributed denial of service (DDOS) attacks against our network
to disrupt service to our customers. He followed these attacks with threats
and extortion, attempting to get us to pay large sums of money for him to
stop. After some service disruption, we were able to mitigate these
attacks and restore service to customers. He has since attacked at least
two other hosting companies with similar extortion demands and
denial-of-service attacks.
Since then, A Small Orange has been working with FBI officers and experts
in the field of Internet extortion to take action against this criminal.
We have collected a good deal of identifiable data from the attacks.
Combined with the fact that the attacker threatened the FBI in his emails
to us and has attacked other businesses, the FBI is taking a great
interest in this case. We fully expect to bring this individual to justice
and bring a halt to their activities.
=== Lessons Learned ===
While we are confident of the overall security of our servers, we have
learned an important lesson about employee access. We have already added
additional access controls to help ensure that unauthorized individuals
cannot use employee access to compromise our servers. We are also adding
other levels of security to our systems to go above and beyond what is
necessary. Additionally, we are working on network changes that will allow
us to better deal with Denial of Service attacks against our network. We
host the company's sites and our own personal sites on the same hosting
platform as all ASO accounts, so we feel these attacks just as strongly as
you do. And we take any assault on our security very seriously.
Some customers have expressed concern over our methods of announcements.
While we sent an email notification to customers on July 9th, our primary
method of announcing issues affecting customers has been our forums at
http://forums.asmallorange.com. There was also much Twitter activity
regarding the incident on our account at
http://twitter.com/asmallorange.
While there was much work to be done and our staff was working double
shifts to restore services, we realize that communication with customers
is just as important. We're looking to unify our communications across all
channels and to make sure no one is left in the dark about what is going
on.
Many things have changed in the five years A Small Orange has been in
business, and we will continue to find and implement improvements as we
grow. We hope that you continue to grow with us. Thanks again for being
our customer.
--
Tim Dorr - Owner
BJ Strange - VP of Hosting Operations
Andrew Boring - Director of Customer Relations