back to article Top server host OVH warns of 'multi-stage' hacking attack

French-based server host OVH has warned that its systems have been penetrated in a multi-stage attack that leaves US and European customers at risk. In an advisory on its forum board, the company warned that an attacker had gained control of a system administrator's account, and used that to gain access to a VPN account of one …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I've always seen OVH in my Fail2Ban reports more than any other non-Chinese owners of blocks of IPs. And they never reply to reports of abuse.

    So I guess this is about to get worse...

    1. Soruk

      This might explain why I've already firewalled off most of their address space for repeatedly prodding my VoIP server...

  2. Captain DaFt

    Rule #1

    "In short, we were not paranoid enough so now we're switching to a higher level of paranoia."

    It's not paranoia if it's proven that they *are* out to hack you, it's prudence, otherwise known as due diligence.

  3. Anonymous Coward
    Anonymous Coward

    From the article:

    "European customers' surname, first name, nic, address, city, country, telephone, fax, and encrypted password are all open to the attackers," and

    "customers of the firm's Canadian hosting company have be[e]n advised to change SSH keys"

    From the mail I received from the [non-Canadian branch of the] hosting company:

    "Even if your password encryption is very strong, we encourage you to change it [assuming they mean the password] as soon as possible."

    So different advice being given there. Hashed, salted password compromised definitely means you should change password (as my email said). But SSH keys(*)? That would imply that the attacker can log in to steal the private SSH key. Totally different kettle of fish. Bad reporting, or was the hack on Canadians worse than that for (at least this) non-Canadian customers?

    * the other possibility is that the attacker somehow managed to grab an admin's ssh login. My account was set up wtih one by default. If this is standard and the admin account's private key was snatched, then it definitely warrants advice to delete that from the authorized_keys file. Still, doesn't sound exactly like a cause to change one's own private SSH key, and deleting the admin login wasn't what I was advised to do.

    So what exactly is the extent of the breach and proper remedial action? Inquiring minds want to know!

    1. Pete Foster

      OVH install 'maintenance' ssh keys on their default builds.

      See here:

      So, your keys may not have been compromised, but the OVH ones have.

  4. Anonymous Coward
    Anonymous Coward


    I would like to know from where that hack originates.

    We have legally mandated requirements to lock our admin interfaces from only being accessible from inside the country. We've gone one further and locked it to the office IP range only, plus added cert based VPN tunnels, but that's because we rather over-engineer than have to say sorry afterwards (we ARE paranoid :) ).

    Or is this another case of "we have so many clients we can afford to lose some" negligence? Enquiring minds want to know.

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    not notified

    Had nothing from OVH re this, nor the last breach.

    Fortunately my personal details, nor any payment details are stored on my ovh account and the server we have with them does not run their build of linux (thus no ovh back door).


This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021