
GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission

*UPDATE: I just got off the phone with Neil Warner, GoDaddy’s CSO (Chief Security Officer) and he explained the situation to me. Check it out: GoDaddy Security update

I have been a GoDaddy user for a while and never had problems with them. In fact, unlike some people, I have had great support and service from them.

However, one recent situation is making me change my mind about them…

I have my domains and a bunch of VPS (virtual private servers) with GoDaddy, and one of those servers is/was hosting Sucuri’s official site.

I am a bit paranoid about security, and on all my servers I switch the SSHD port to a different one and restrict it to only a few IP addresses. On the official SSH port (tcp 22), I install a honeypot to detect SSH scans and which passwords/users they use (you can see some of my analysis in this post: Honeypot analysis – Looking at SSH scans).

Anyway, early this year I started posting information about web-based malware and a few days after I did that, I saw on my honeypot logs:

Jan 8 06:55:28 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:55:30 d1 sshd[27670]: Failed password for [mygodaddyuser] from 64.202.160.65 port 49271 ssh2
Jan 8 06:56:38 d1 sshd[28528]: User root from nat-64-202-160-65.ip.secureserver.net not allowed because listed in DenyUsers
Jan 8 06:56:38 d1 sshd[28528]: Failed none for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:53 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:55 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2

And checking my honeypot logs, I saw:

Jan 8 06:55:28 d1 sshd[27670]: hh: user: [mygodaddyuser]|pass: [MYGODADDYPASS]
Jan 8 06:55:30 d1 sshd[27670]: hh: user: [mygodaddyuser]|pass: [MYGODADDYPREVIOUSPASS]
Jan 8 06:56:53 d1 sshd[28528]: hh: user: root|pass: [MYGODADDYPASS]
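The two excerpts above can be joined on the sshd child PID, which both line formats carry. The following is an added example, not the author's honeypot (the post does not show its code): it correlates the sshd auth log with the honeypot capture, regroups the attempts per source address, flags a source that presents several distinct passwords for the same box (the pattern seen here: current password, then the previous one), notes root attempts stopped by DenyUsers, and checks the source against a known range offline. The usernames, passwords and the second source address are constructed; the 64.202.160.0/19 range is the one the whois output in the post returns.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample input, modelled on the two log formats quoted in the post.
# Usernames and passwords are made up; the first source address and the
# DenyUsers line mirror the post's own excerpt.
AUTH_LOG = """\
Jan 8 06:55:28 d1 sshd[27670]: Failed password for alice from 64.202.160.65 port 49271 ssh2
Jan 8 06:55:30 d1 sshd[27670]: Failed password for alice from 64.202.160.65 port 49271 ssh2
Jan 8 06:56:38 d1 sshd[28528]: User root from nat-64-202-160-65.ip.secureserver.net not allowed because listed in DenyUsers
Jan 8 06:56:38 d1 sshd[28528]: Failed none for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 06:56:53 d1 sshd[28528]: Failed password for invalid user root from 64.202.160.65 port 50727 ssh2
Jan 8 07:10:02 d1 sshd[29001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
"""

HONEYPOT_LOG = """\
Jan 8 06:55:28 d1 sshd[27670]: hh: user: alice|pass: hunter2
Jan 8 06:55:30 d1 sshd[27670]: hh: user: alice|pass: hunter1
Jan 8 06:56:53 d1 sshd[28528]: hh: user: root|pass: hunter2
Jan 8 07:10:02 d1 sshd[29001]: hh: user: admin|pass: admin
"""

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
DENY_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) from (?P<host>\S+) "
    r"not allowed because listed in DenyUsers"
)
HONEYPOT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: hh: user: (?P<user>[^|]+)\|pass: (?P<password>.*)$"
)

# The /19 that whois returned for the source address in the post.
PROVIDER_RANGES = ["64.202.160.0/19"]


def _session(sessions, pid):
    return sessions.setdefault(pid, {"ip": None, "attempts": [], "denied_users": set()})


def correlate(auth_text, honeypot_text):
    """Join both logs on the sshd child PID.

    Returns {pid: {"ip": str | None, "attempts": [(user, password), ...],
                   "denied_users": set}} in first-seen order.
    """
    sessions = {}
    for line in auth_text.splitlines():
        if m := FAILED_RE.search(line):
            s = _session(sessions, m["pid"])
            if s["ip"] is None:
                s["ip"] = m["ip"]
        elif m := DENY_RE.search(line):
            _session(sessions, m["pid"])["denied_users"].add(m["user"])
    for line in honeypot_text.splitlines():
        if m := HONEYPOT_RE.search(line):
            _session(sessions, m["pid"])["attempts"].append((m["user"], m["password"]))
    return sessions


def attempts_by_source(sessions):
    """Regroup the captured credentials per source address."""
    by_ip = defaultdict(list)
    for s in sessions.values():
        if s["ip"] is not None:
            by_ip[s["ip"]].extend(s["attempts"])
    return dict(by_ip)


def flag_credential_spraying(by_ip, min_distinct=2):
    """Sources that tried at least `min_distinct` different passwords."""
    return sorted(ip for ip, attempts in by_ip.items()
                  if len({pw for _, pw in attempts}) >= min_distinct)


def source_in_networks(ip, cidrs):
    """Offline version of the whois step: is the address inside a known range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def report(auth_text=AUTH_LOG, honeypot_text=HONEYPOT_LOG):
    """One line per flagged source, one per user blocked by DenyUsers."""
    sessions = correlate(auth_text, honeypot_text)
    by_ip = attempts_by_source(sessions)
    lines = []
    for ip in flag_credential_spraying(by_ip):
        origin = "provider range" if source_in_networks(ip, PROVIDER_RANGES) else "unknown origin"
        users = sorted({u for u, _ in by_ip[ip]})
        lines.append(f"{ip} ({origin}): {len(by_ip[ip])} attempts, users={users}")
    for pid, s in sessions.items():
        for user in sorted(s["denied_users"]):
            lines.append(f"pid {pid}: '{user}' blocked by DenyUsers from {s['ip']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The join works because the honeypot writes its capture line under the same `sshd[pid]` prefix as the auth log, so no timestamp matching is needed; a honeypot that logs under its own program name would need the source port or timestamp as the join key instead.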

I was shocked! My first thought was that someone had stolen my GoDaddy password (that I use to login to their web page) and even my previous password! (I had changed my password a few weeks before that).

I quickly ran and started a panic-mode incident response, changed passwords and started to look at how I got hacked and what was going on, when I decided to look at the IP address that tried to access my box:

$ whois 64.202.160.65
[Querying whois.arin.net]
[whois.arin.net]

OrgName: GoDaddy.com, Inc.
OrgID: GODAD
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US

NetRange: 64.202.160.0 – 64.202.191.255
CIDR: 64.202.160.0/19
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-64-202-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
Comment:
RegDate: 2002-10-22
Updated: 2007-06-14

Hum.. It came from GoDaddy’s own network. I was about to send an email to abuse@godaddy.com, when I got this email:

It has come to our attention that the [your site name] may be infected by malware. We would like to investigate this matter further, however the login credentials we have on file for your server do not allow us access to the server. In order for us to proceed to investigate the possible infection, we require that you provide the proper login credentials to access your server with administrative rights within 48 hours or by January 10th @ 2 pm MST (GMT -0700) by using our “Password Sync” option, or your server will be suspended. To update the logon information, please follow these steps:

Log into your account.
Click on the ‘My Account’ link.
Click on the ‘Dedicated/Virtual Dedicated Servers’ link.
Select the server you need to update the log on information for.
Click on the ‘Open Manager’ link.
Click on the Support: Sync Passwords button.
Enter the current SSH and root information and save the information.

WTF!WTF!WTF! Yes, I cursed them for a while! Why?

  1. They tried to SSH to my “private” server without my authorization!
  2. They wanted my ROOT password and SSH access!
  3. They HAD MY MAIN GODADDY PASSWORD (AND PREVIOUS ONE) in CLEAR-TEXT!
  4. They almost gave me a heart attack

I don’t know if anyone else finds that horrifying, but I do! I would understand storing the initial password for the server in clear-text or something like that. But the main password from my GoDaddy account? Giving their admins access to them so they can SSH to my box? Keeping my old password in clear-text too? SSHing to my box without asking me first? Wow….
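What the paragraph above objects to is an account password, and its predecessor, kept in a form that anyone with database access (or an SSH client) can read back. The following is an added example, not code from GoDaddy or from the author, of the storage model that avoids this: only a salted PBKDF2-HMAC-SHA256 digest is kept for the current password, reuse of a recent password is refused by comparing against stored digests rather than by keeping the old clear-text, and `dump()` shows what an operator reading the database actually sees. The iteration count is an assumption to be tuned for the hardware it runs on.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; an assumption for this example, tune upward per deployment.
ITERATIONS = 210_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Account password storage that never holds a clear-text password, current or previous."""

    def __init__(self, history_depth: int = 3):
        self.history_depth = history_depth
        self._records = {}  # user -> {"current": record, "history": [older records]}

    def _record(self, user: str) -> dict:
        return self._records.setdefault(user, {"current": None, "history": []})

    def was_previously_used(self, user: str, password: str) -> bool:
        """True if the candidate matches the current or a recent digest."""
        rec = self._record(user)
        candidates = ([rec["current"]] if rec["current"] else []) + rec["history"]
        return any(verify_password(password, r) for r in candidates)

    def set_password(self, user: str, password: str) -> bool:
        """Rotate the password; refuse one that matches the current or a recent one."""
        if self.was_previously_used(user, password):
            return False
        rec = self._record(user)
        if rec["current"] is not None:
            rec["history"].append(rec["current"])
            rec["history"] = rec["history"][-self.history_depth:]
        rec["current"] = hash_password(password)
        return True

    def check_login(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        return (rec is not None and rec["current"] is not None
                and verify_password(password, rec["current"]))

    def dump(self, user: str) -> dict:
        """What someone reading the database sees: salts and digests only."""
        return dict(self._records.get(user, {}))


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("alice", "first-pass")
    store.set_password("alice", "second-pass")
    print(store.dump("alice"))          # digests only, no clear-text
    print(store.set_password("alice", "first-pass"))  # False: recent password refused
```

A provider that genuinely needs to log in to a customer's server with a password cannot use a one-way digest for that credential, which is why the comment below from The Planet describes reversible encryption with per-access logging; the point here is that the customer's own account password never needs to be reversible.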

The end of the story… After I calmed down, I contacted them, explained my web-based malware security research and told them that I would not give anyone SSH access. If they really required that, I would have switched providers. They did some investigation, apologized and let me stay… How nice they are…


62 Responses to GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission

  1. Anonymous says:

    Another anonymous poster here saying "get off your high horse". If you were in my data center and refused to facilitate access to the dedicated server you are leasing from us when something needs to be investigated, I'd shut your box down and reset the root password myself.

    Yes, you would be more than welcome to go find another provider.

    For colo, I wouldn't touch your server without consent but I would disconnect it from the network if I suspected compromise.

    Get over yourselves. Your hosting provider has a reputation to uphold, and as the owner of the address blocks that you operate from, they have a responsibility. It's the rest of their customers that will suffer if your compromised server is getting subnets put on block lists.

  2. trig- says:

    Anyone that has a hosted VPS running on the Virtuozzo infrastructure can have their VPS accessed without a password by the hosting team without permission..

    The hosting company would simply enter; vzctrl enter VE_ID

    This would give them full root access without bash history, you can do the same on OpenVZ.. Naturally they can also open /vz/root/VE_ID/root/_

    If you have Plesk, your password is stored in /etc/psa/.psa.shadow

  3. Anonymous says:

    Why anyone would use any service of GoDaddy baffles me. These people are hacks (not hackers), thieves and domain hijackers.

  4. scrottie says:

    I'm working for yet-another-Xen-instance-provider as a programmer. Like yours, they offer a "managed" service. I don't know anything about GoDaddy's product, but the guys I'm working for have clearly labeled "managed" and "unmanaged" ones. These guys were doing managed dedicated hosts before this. Most people do like this a lot — if something isn't how they want it, they call up and someone logs in and changes for them. They're exploring ways to keep passwords in sync. The (numerous, automated) administration options that don't require shutting the instance down (and directly mounting the filesystem) require ssh'ing in as root (also automated). Backups use your root password. If you colo and people have physical access, you're extending a measure of trust to the colo. But being on a VPS goes further. I'm not sure how I feel about all of that. I guess I still want my own hardware even though the VPS thing is great for a lot of people.

  5. Tomy Durden says:

    The Planet does store server passwords, but it's stored using a two-way encryption. I am not able to divulge the details on the encryption schemes or methods that we use.

    When a technician needs a password, they click a button which decrypts the password. It also logs the IP and credentials of the technician.

    The customer is given the option to keep the password updated or not. The SLA is affected to some degree if the password is not up to date.

    Keep in mind, with physical access, one doesn't need the password. One can simply boot into single user mode, or in the case of Windows, use BartPE to reset the password.

    Our technicians will only log into a server if it's explicitly requested either by ticket, escalation procedures, or at the proper and justified request from law enforcement.

  6. Lance says:

    Thanks for the heads up. Never thought much about godaddy before, but now you've pointed out a sure security flaw everyone should be aware of. And not just of godaddy, but any other hosting solutions that may not be responsible.

    Amazing they wanted access to your private network. I would be just as irate.

  7. Anonymous says:

    Someone got first but I'll say it again:

    linode.com

  8. Anonymous says:

    I have never had a problem with linode.com doing anything like this. I'm not sure if your VPS is considered managed or not, but if not, I would drop them like a hot potato.

    As it is Godaddy lost me as a customer several years ago due to their abusive customer service reps.

  9. Anonymous says:

    Switch to Linode :D .

  10. Anonymous says:

    Former GoDaddy Investigator here. Did you read your Terms of Service? GoDaddy reserves the right to access your dedicated hosting box at any time for any reason and yes they do encrypt customer passwords. What you experienced is not out of the norm. They've got thousands of dedicated hosts all crammed together on the same network and are charging you a fraction of what it would cost for you to have your own truly private box on your own truly private network. The reason they wanted to investigate your box is because strange or large amounts of traffic was detected to or from your box. Granted, it's legitimate… but they won't know that without investigating.

    There are a lot of bad people out there who use stolen credit card numbers to get dedicated hosting boxes and use them for malicious purposes. And not having any right to investigate would result in absolute chaos. Imagine if they didn't investigate anything. I can guarantee your box would be under a DoS attack from another dedicated host right now, or the network would be completely congested with port scans, or your box could be infected or compromised leading to other customers getting infected or compromised. It's for the greater good my friend. A word to the wise, be nice to them and explain what the traffic is… There are no-name hosting providers that don't give a ****. Those hosting providers typically can't brag about 99.9% uptime because so often they have botnets and infections running wild. Think on that a bit…

  11. paul says:

    I moved to Gandi since I discovered bad issues with GoDaddy reading one day on nmap.org; after this I think I was totally right migrating from them.

  12. Anonymous says:

    http://tools.softsutra.com/locip/index.php >> Get Ip Address & Location Of A Person….Best Tool I Found To Get Some One's Computer Information… X

