
How we discovered a database leak in one of the biggest Swiss hosting providers

133 points, by redsec, about 7 years ago

18 comments

redsec, about 7 years ago
A little update on the service Security Guardian after the publication of this post.

Thanks to Hacker News and its incredible community, there have been a massive number of new users. We are working on adding more resources to the infrastructure to make the scans quicker. For now, it is possible that some of you have to wait some hours before receiving the first results.

Thanks for trying our new product; we hope to improve it with your feedback.
bipson, about 7 years ago
For whoever was wondering who this provider is: according to whois-nslookup-mxtoolbox_arin_lookup, the server hosting infoteam.ch is provided by metanet (metanet.ch)

Not trying to ruin their business, but they should consider handling issues like this one properly.
raducu, about 7 years ago
The moral of the story should have been -- change your hosting provider the minute they commit such a blunder.
Mashimo, about 7 years ago
Can't test the product they try to promote because emails with a `+` in them are not valid.
nordras, about 7 years ago
Their vulnerability scanner is basically an on-demand DOS attack. Tried it on my site and almost brought it down.
willvarfar, about 7 years ago
This is a nice anecdote to promote their new Guardian service.
TheRealPomax, about 7 years ago
For the longest time a "clean" MySQL install would set up a no-password superuser for presumably dev convenience. I don't know if they changed that (it's been a while since I last installed MySQL) but if not, this could simply be a security hole by design, with the maintainers simply not paying attention to their install script flags.
kennydude, about 7 years ago
Sounds like they may have had a deploy script which ran again a week later or something like that :/

(Also overriding scrolling is not cool)
peterwwillis, about 7 years ago
"If you use this network security appliance, you can stop all traffic that doesn't match the profile of your normal traffic from leaving your network."

"That's expensive, and complicated! We'll just do regular audits and be fine."

[some time later]

"Someone exfiltrated all our data using mysqldump!"

= /
patte, about 7 years ago
Currently infoteam.ch seems to be hosted on METANET (metanet.ch). Is there anyone who can deny or confirm that this is the provider they don't want to mention?

source: nslookup infoteam.ch; whois 80.74.143.113
stareatgoats, about 7 years ago
> "Hopefully, we had 'only' read access and could not write or delete anything"

Sounds a lot like feigned ignorance about the nature of the root user. Not entirely sure if it would help them in a court of law. They should probably have anonymized the whole thing better to be completely on the safe side (not a lawyer though).
parliament32, about 7 years ago
I'm getting a "Something went wrong. Please retry in a moment." error when trying to submit a domain to Security Guardian (tried different domains and email addresses). I assume you're being hugged to death.
unixhero, about 7 years ago
Moral of the story. For my sake:

Check the access logs.

Regularly.
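An added example, not from the thread, of the kind of log check this comment recommends for the scenario in the post (an exposed MySQL root account): it parses MySQL general-log "Connect" entries and flags administrative logins that did not come from the local machine. It assumes the MySQL 5.7-style general log line layout, and the log lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Matches MySQL 5.7-style general-log "Connect" entries, e.g.
#   2018-03-05T09:15:20.000000Z    7 Connect   root@203.0.113.7 on  using TCP/IP
# (assumed layout: timestamp, thread id, command, "user@host on db using proto").
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+Connect\s+"
    r"(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s*(?P<db>\S*)\s+using\s+(?P<proto>.+)$"
)

# Accounts whose remote use should always be reviewed.
ADMIN_USERS = {"root"}


def is_local(host):
    """True for localhost or a loopback address; anything else counts as remote."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def suspicious_connects(lines):
    """Return (timestamp, user, host) for admin-account connections that did not
    originate on the database host itself, which is what an Internet-exposed,
    passwordless root account would leave behind in the general log."""
    hits = []
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue  # queries, quits and other non-connect entries
        user, host = m.group("user"), m.group("host")
        if user in ADMIN_USERS and not is_local(host):
            hits.append((m.group("ts"), user, host))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """
2018-03-05T09:12:44.000000Z    5 Connect   root@localhost on  using Socket
2018-03-05T09:13:01.000000Z    6 Query     SELECT 1
2018-03-05T09:15:20.000000Z    7 Connect   root@203.0.113.7 on  using TCP/IP
2018-03-05T09:15:21.000000Z    8 Connect   app@127.0.0.1 on shop using TCP/IP
2018-03-05T09:16:02.000000Z    9 Connect   root@198.51.100.23 on  using TCP/IP
"""

if __name__ == "__main__":
    for ts, user, host in suspicious_connects(SAMPLE_LOG.splitlines()):
        print(f"{ts}: {user} connected from remote host {host}")
```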
vectorEQ, about 7 years ago
:s I can't even get my MySQL to allow me to log in as root without a password >.< That takes a special kind of negligence.... And really, how long was it there before they developed a new product and tested it on themselves? :/ Seems logical, especially for a security service provider, that even without such a product this would be noticed?

That besides, pitching their own product for an issue any scan of a similar nature would pick up, I'd say it smells like the marketing department at work more than Chinese hackers or a shitty service provider.... >.>

I doubt they would have left a passwordless root on their MySQL, or didn't they check the initial setup they were given by the provider before taking it into use?
orf, about 7 years ago
tl;dr, portscanned a server, found an open MySQL port with a weak password.
sneak, about 7 years ago
Important to remember that these "one of the biggest $x in $y" where $y is a country with a population under 10 million means that the statement encompasses many entities which are just a half-dozen people in a small office somewhere.

I know nothing about the particular hosting provider in question.
smoyer, about 7 years ago
Security Guardian is not a he/him. It may be a translation issue ... or maybe you've achieved human-level AI and it's become self-aware? In any case, I find it interesting that your first response is that the tool might have a bug ... and the link also on HN at this moment is about the Apollo 13 mission control engineers thinking their telemetry might be at fault. This is an excellent first response and it's important to provide a way to distinguish between the two.
rurban, about 7 years ago
They probably use a homebuilt admin panel and sw mgmt, and an update brought back in the old root vuln. They don't use cPanel or Plesk. Or the Chinese hacked it again.

Interestingly they - https://security.infoteam.ch/ - offer the very same security service, automatic security audits for their customers. Which explains their angry response the 2nd time.