Below is the post I left on the thread in the link. This exact situation happened to me too. Root cause was the person who installed my OS set the root password to "g0grid". Bulletproof.<p>----------------------<p>This exact same thing happened to me! I have a crappy little single box with them and I have been reasonably happy with their service (I was originally with servepath before they got bought by GoGrid). I requested a 64-bit upgrade, which they did promptly. I was contacted by customer service to tell me the upgrade was complete and to tell me how to log in, but I had already gone to bed. The customer service rep left a VM message saying "check your customer portal account for instructions on how to log in." The next morning before I leave for work, I'm just about to log in to my fresh box when I get a call from GoGrid saying my server has been compromised, offering to let me pay for a fresh install, or I can lock it down myself immediately. I'm no security expert, but I damn well wasn't going to pay for a reinstall on a box I never logged in to. I finally managed to get them to do the reinstall for free because they had to admit the password that the customer service rep had picked after the reinstall wasn't so hot: "g0grid". Nice job, guys.
Back in April GoGrid had their entire customer database - including credit cards - hacked (<a href="http://blog.liox.eu/2011/04/20/security-breach-at-gogrid/" rel="nofollow">http://blog.liox.eu/2011/04/20/security-breach-at-gogrid/</a>). It was a pretty serious breach.<p>I'm not sure if this person's hack is related (e.g. an attacker has his portal password/API key/etc.) or if it is indicative of vulnerabilities in GoGrid's system.
From Lore Sjöberg:<p><i>My former server host, GoGrid, tells me (via my business partner) that it's my fault my server was hacked fifteen hours after they installed it, because I didn't log into it before it was hacked.</i><p><i>To paraphrase freely, GoGrid is admitting that their security is so shitty that I should have known not to trust them to install a safe server. I should have been so suspicious of their policies and practices that I should have rushed to log into the server to lock it down as soon as they made it live, knowing that their default setup is such a screen door that hacking within a matter of hours was inevitable.</i><p><i>And, because of this, GoGrid is not refunding a cent of my year of pre-paid money.</i>
With a little effort they could use ssh keys instead of passwords...<p>They should ask users to provide their ssh public keys, and use them to give access to a newly provisioned server, locking down password-based ssh logins. That's how other players (like AWS) do it.<p>This is basic basic basic security stuff.
If you know the ip range assigned to a host it would be easy to write a script that listened for new IPs coming up and to perform a dictionary attack on those IPs. Security around provisioning new servers is often ugly with plain text passwords sent in the clear and iptables disabled. Shared keys and disabling plain text passwords in OpenSSH is an obvious solution but for non-technical customers this can be a huge support overhead. Does anyone solve this pattern elegantly?<p>I do see some responsibility on a customer securing a box as soon as it is provisioned though, unless it is a managed service.
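The two comments above describe the same fix from two sides: provision with a customer-supplied public key and never enable password logins. Below is an added example (not GoGrid's, AWS's or any commenter's code) of what that provisioning step and a check against it look like. The directive names and the defaults for absent directives are OpenSSH's; the `sshd_config.d/` include path assumes OpenSSH 8.2 or later; the weak template and the sample key are constructed for illustration.

```python
"""Audit an sshd_config for password-login exposure and emit a hardened drop-in.

Added example for this thread, not production code from any provider.
Assumes the OpenSSH sshd_config grammar ("Directive value" or
"Directive=value", '#' comments, first occurrence of a directive wins)
and the sshd_config.d/ include mechanism of OpenSSH 8.2+.
"""
import re

# Directives that decide whether a freshly provisioned box can be
# brute-forced over SSH, paired with the value a template should ship.
HARDENED = [
    ("PasswordAuthentication", "no"),
    ("KbdInteractiveAuthentication", "no"),  # can otherwise fall back to passwords
    ("PermitRootLogin", "prohibit-password"),
    ("PubkeyAuthentication", "yes"),
]

# Values sshd applies when the directive is absent (assumed OpenSSH 8.x defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")

# Constructed example of the kind of image template the thread complains about.
WEAK_TEMPLATE = """\
# sshd_config shipped by a hypothetical hosting image
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# PasswordAuthentication no   <- commented out, so it does not apply
"""

# Constructed key: the base64 body is not real key material.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForIllustration00 ops@example"


def parse_sshd_config(text):
    """Map lower-cased directive -> first value, ignoring comments.

    Stops at the first 'Match' block: directives inside it are conditional
    and this simplified parser does not evaluate match criteria.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins in OpenSSH
    return settings


def audit(config_text):
    """Return [(directive, effective_value, wanted)] for each weak setting."""
    effective = parse_sshd_config(config_text)
    findings = []
    for name, wanted in HARDENED:
        value = effective.get(name.lower(), DEFAULTS[name.lower()])
        if value != wanted:
            findings.append((name, value, wanted))
    return findings


def valid_public_key(key_line):
    """Loose sanity check that a customer-supplied line is an OpenSSH public key."""
    fields = key_line.strip().split()
    return (len(fields) in (2, 3)
            and fields[0] in KEY_TYPES
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", fields[1]) is not None)


def hardened_dropin(public_key):
    """Build the provisioning artefacts: an sshd drop-in and authorized_keys content.

    Raises ValueError instead of silently falling back to a password when
    the supplied key is unusable, so a bad key can never leave the box open.
    """
    if not valid_public_key(public_key):
        raise ValueError("refusing to provision without a valid SSH public key")
    dropin = "# Installed at provisioning time; password logins are never enabled\n"
    dropin += "".join(f"{name} {value}\n" for name, value in HARDENED)
    return {
        # Picked up by the 'Include /etc/ssh/sshd_config.d/*.conf' line of OpenSSH >= 8.2
        "sshd_config.d/50-provision.conf": dropin,
        "authorized_keys": public_key.strip() + "\n",
    }


if __name__ == "__main__":
    for name, value, wanted in audit(WEAK_TEMPLATE):
        print(f"weak: {name} is '{value}', should be '{wanted}'")
    print(hardened_dropin(SAMPLE_KEY)["sshd_config.d/50-provision.conf"])
```

The audit treats absent directives as their OpenSSH default, which is what catches the `KbdInteractiveAuthentication` case: a template that only sets `PasswordAuthentication no` still accepts password guesses through keyboard-interactive PAM prompts. Running the audit against the drop-in the provisioning step writes out is a cheap way to assert that the image actually leaves the host key-only before it is exposed to the network.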
I'm guessing that GoGrid provisioned the server, then sent him an email with his password. After first login, he would have been prompted to change his password, but somebody got to his email before he logged in...
Just wondering, can't you just format the server again? Or doesn't GoGrid provide that option at all? Since it's a brand new server, I guess there's no problem in formatting and installing it again.
Frankly, I don't buy this at all. It is very difficult in 2011 to provision a server that is really vulnerable by default.<p>I suspect that the person who posted this was in some other way compromised, and is blaming it on GoGrid.
Considering similar reports, maybe their default templates are already cracked with injected code.<p>So every time they create a new container, it's got a backdoor.