The continuing fallout from a hacking incident at U.K.-based Web hosting company VAserv should serve as a powerful reminder that companies need proper data backup and disaster recovery procedures.
The incident, which could result in a fire sale of VAserv to another hosting provider, is also an especially stark example of the kind of havoc that a malicious attacker can wreak on businesses.
Late Sunday, an unknown hacker or hackers attacked VAserve's virtual server infrastructure and deleted about 100,000 sites, or about half of those being hosted by the company, according to The Register. The attackers apparently took advantage of security flaws in a virtualization software platform called HyperVM to break into the company's servers and essentially issue commands to erase all of the contents hosted on them. According to news reports, the hackers appear to have accessed customer credit card data and other information stored on the compromised servers.
VAserv basically offers low-cost Web hosting services using virtualized private servers based on HyperVM. As of Wednesday morning, it was not clear how many of its customers -- many of them based in the U.S -- had irretrievably lost data in the attack. That number could be high, though, because half of those affected had apparently signed up for an unmanaged service that doesn't include backups, according to the Register.
This morning it was also not clear whether the servers had been compromised because of vulnerabilities in HyperVM, as VAserv claims, or whether weak administrator passwords were to blame, as posited by the Inquisitr. The site links to a post, ostensibly by someone behind the attack, that talks about it having been facilitated by "excessive passwd reuse."
"Z3r0 day in hypervm?? plz u give us too much credit," the poster said, adding that he or she had compromised the VAserv billing system, installed backdoors on it and stolen lots of credit card numbers. "Telling you this cuz we got bored of this ****, it's just too easy and monotonous."
A note on VAserv's Web site, which is now just a text document with details on the company's restoration efforts, claimed its staff had been working "tirelessly" over the last 48 hours. "However, we have now reached the end of all of our servers, and as such, if your server is not currently up, or not partly up, then it is unfortunate that you will have lost your data due to this third-party attack," the note said.
Attempts to reach Rus Foster, VAserve's director via e-mail and phone were unsuccessful. But the terse updates on the company's Web site and the thousands of customer posts on a discussion forum painted a picture of total chaos.
Judging from the posts, many of VAserve's customer's appear to have been left stranded after the attack. "Right, we're now into our third day and no news," said "moviedrome" in a post made late yesterday. "Server is exactly the same state as 5 minutes after the attack and I know nothing about the data on it, or my backups. Really frustrating to just keep being told to check vaserv.com for updates."
Another, "Host4cheap," claimed that VAserv had not responded for 15 hours; other customers complained of not getting any information from the company about the status of their sites.
A large number of people, though, were sympathetic to VAserve's plight and appeared to be willing to give the company time to restore services, if possible, under the circumstances. VAserv's limited staff appeared to been overwhelmed by the affects of the attack.
"I've personally reached the end of my physical and emotional tether" Foster wrote in one post on the discussion forum late Tuesday evening. "We have worked pretty much continuously for the last few days firefighting."
Foster wrote in a post that suggested he was putting the company up for sale. In his note, Foster said he had two options: Do what'ss best for the customer base by getting "some big boys in behind" to help get things back up and running. The other he said was to simply "Run away and hide and just say to everyone "good bye""
This story, "U.K Web hoster, customers scramble after attack deletes 100,000 sites" was originally published by Computerworld.