
DigitalOcean Root Vulnerability in the Wild

38 points by goodwink about 12 years ago

12 comments

gregd about 12 years ago
Aren't we jumping the gun a bit by saying, "DigitalOcean Root Vulnerability in the Wild"? I'm not yet comfortable with that conclusion...
brokentone about 12 years ago
TL;DR: Dude's server got hacked with a password-based SSH login. Doesn't definitively find source of hack. Doesn't like host security procedures he could have circumvented (changing password, disabling password-login). Posts on HN: ZOMG, ROOT VULN IN WILD!

Edit: Disclosure, I met one of the co-founders at SXSW. Seem like cool dudes.
goodwink about 12 years ago
To answer some common questions about this article:

Yes, I know my setup was very flawed. It was a test machine and in the midst of having automated config scripts written for it which were being tested. This is why the machine was vulnerable to the attack, but this does not diminish the importance of the underlying compromise it exposes in DigitalOcean's setup.

The point of the article is that someone is able to gain access to DigitalOcean password reset emails or a database of root passwords which shouldn't exist, but seems to given that they set your root password back to a previously reset value after you rebuild your server from the base OS image.
kamme about 12 years ago
Too bad the author makes it sound like digitalocean has severe problems while his setup was clearly flawed. The really sad part is that this kind of problem will unfortunately only grow as vps systems become cheaper and cheaper. People with less knowledge will set up their own stack and not think of the consequences... I wonder what hosting providers will come up with to tackle this problem.
thomseddon about 12 years ago
As soon as I saw the text "Your root password will be emailed to you" on the bottom of the droplet create page I opened a ticket, here's how it went:

"Your root password will be emailed to you"

-- start --

Me

Just seen this at the bottom of the "Create a droplet" page. You're kidding right?

Them

The root password is sent via email because it is the easiest and fastest way to get a user online and running a virtual server.

We strongly recommend updating the root password after you login for the first time.

We also have SSH keys support so you can add your SSH key to the server during creation in which case no email is sent and instead the SSH keys are added under the root user for more secure access.

Thanks,

Me

Just added an SSH key and you're quite right, I retract my blunt reaction.

I must say however that I still think emailing them is a fairly terrible idea and I'm surprised you're not worried about being found liable for a subsequent server hack.

That aside, thank you for your swift response and for pointing out I can use my SSH key. I look forward to using DO more

-- end --

N.B. I actually received their response twice from different agents suggesting it was a canned response

Frankly I don't even think passwords should be an option, as on AWS (not that they're perfect)
namidark about 12 years ago
You left root login enabled and kept passwords on. And you're upset you got compromised? You can also enable keys in the control panel and you won't have to deal with passwords being emailed.

Those are the first few things you should be checking when setting up a new server (disable password logins and only allow keys).
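An added example (not from the thread or from DigitalOcean) of the check namidark describes: a small POSIX shell audit that reads an sshd_config text and reports whether password logins and password-based root login are effectively enabled. It models sshd's first-match-wins rule for repeated keywords, which is why appending "PasswordAuthentication no" to the end of a file can leave the weak setting in force; the three config samples are constructed.

```shell
#!/bin/sh
# Constructed sshd_config samples (not real droplet configs):
WEAK_CONFIG='
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
'
# An admin appended "no" later, but sshd honours the FIRST occurrence of a keyword,
# so password logins are still on. This is the silent failure the audit must catch.
MISLEADING_CONFIG='
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
'
HARDENED_CONFIG='
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
'

# effective_value CONFIG KEYWORD: prints the value sshd will use (first match wins,
# keyword matching is case-insensitive); prints nothing if the keyword is absent.
# Assumption: plain "Keyword value" lines only; Match blocks are not modelled.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    '
}

# audit_sshd_config CONFIG: prints one FINDING line per weak setting; returns 1 if any.
# Defaults assumed when a keyword is absent: PasswordAuthentication yes,
# PermitRootLogin prohibit-password (OpenSSH 7.0+; older releases defaulted to yes).
audit_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    root=$(effective_value "$1" PermitRootLogin)
    if [ "${pw:-yes}" = "yes" ]; then
        echo "FINDING: PasswordAuthentication is effectively yes (emailed or guessed passwords work)"
        rc=1
    fi
    if [ "${root:-prohibit-password}" = "yes" ]; then
        echo "FINDING: PermitRootLogin is yes (root can log in with a password)"
        rc=1
    fi
    return $rc
}
```

On a live host, feed it the output of `sshd -T` rather than the file, since that prints the fully resolved configuration.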
zalew about 12 years ago
> it is likely that if you reset the root password via the web interface and don't change it afterwards that you are vulnerable

shocker.
brianbreslin about 12 years ago
Off Topic: I met the founders at SXSW, and was wondering what you guys thought of their product? $5/month for a simple ssd vps seems like a good deal (was thinking of running a single wordpress site off of it).
instakill about 12 years ago
I think the lesson we're all learning here is that if you don't do your own Sysadmin/devops then you're almost guaranteed to be dealing with imperfect systems.
andyhmltn about 12 years ago
Is it not possible your email was hacked? I know from my experience with DO, they email you the root password.
Goranek about 12 years ago
This makes sense, I got my account blocked for spamming via SMTP, and I didn't send a single mail.

It took 5 support letters to get my account unblocked, and the solution was to block SMTP ports...

I didn't have anything installed !!! Clear Ubuntu image
martinced about 12 years ago
"The successful root login followed only one unsuccessful attempt"

Once a system is compromised by a root exploit what makes you think that any information that this system is giving is true?

While it may be likely given the circumstances it is by no way certain. For all we know it may have been a bruteforce attempt which, once in, got disguised as a known-root-password attack.

As long as people are going to think that a compromised system is actually giving true information about what happened we'll be in big trouble.

Or OP tells us that SSH login and SSH login attempts are logged automatically on another server which hasn't been compromised and then it's a different story...
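An added example (not from the thread) of extracting the signal the article relies on, how many failed password attempts from a source preceded an accepted root password login, from sshd auth.log lines. The log excerpt is constructed; as martinced's point implies, the result is only worth anything when run over a copy of the log that was shipped off the host before the compromise, never over the local file of a box that has already been rooted.

```shell
#!/bin/sh
# Constructed auth.log excerpt (not real data). It contains the pattern debated in the
# thread: one failed password attempt, then an accepted password login for root.
SAMPLE_AUTH_LOG='Mar 16 02:11:03 vps sshd[2101]: Failed password for root from 198.51.100.7 port 50112 ssh2
Mar 16 02:11:09 vps sshd[2101]: Accepted password for root from 198.51.100.7 port 50112 ssh2
Mar 16 02:11:09 vps sshd[2101]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 16 03:40:51 vps sshd[2390]: Accepted publickey for deploy from 203.0.113.5 port 41022 ssh2
Mar 16 04:02:17 vps sshd[2511]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar 16 04:02:20 vps sshd[2511]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar 16 04:02:23 vps sshd[2511]: Failed password for root from 192.0.2.44 port 33001 ssh2'

# report_root_password_logins LOG: prints one line per accepted *password* login for root,
#   "<source-ip> failed_before=<n> <verdict>"
# where n is the number of failed password attempts from that source since its last
# success. Key-based logins are ignored; sources that never succeed print nothing.
# Field layout relied on: "... from <ip> port <port> ssh2", so the IP is $(NF-3).
report_root_password_logins() {
    printf '%s\n' "$1" | awk '
        / sshd\[[0-9]+\]: Failed password for root from /   { fails[$(NF-3)]++; next }
        / sshd\[[0-9]+\]: Accepted password for root from / {
            ip = $(NF-3); n = fails[ip] + 0
            # one or two misses before success is consistent with a credential the
            # caller already held; a long run before success looks like guessing
            verdict = (n <= 3) ? "consistent-with-known-credential" : "brute-force-pattern"
            print ip, "failed_before=" n, verdict
            fails[ip] = 0
        }
    '
}

# count_failed_root_password_attempts LOG: total failed root password attempts, all sources.
count_failed_root_password_attempts() {
    printf '%s\n' "$1" | grep -c ' sshd\[[0-9]*\]: Failed password for root from '
}
```

Either way the triage only tells you what the logging host recorded, which is exactly the caveat in the comment above.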