
GoDaddy Wants Your Root Password

Posted by samzenpus
from the seems-fair dept.
Johnny Fusion writes "The writer of the Sucuri Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials. There is an update where GoDaddy explains itself and says they will change policy."

  • by SpazmodeusG (1334705) on Wednesday February 24, 2010 @08:27PM (#31266956)
    You already trust them 100% if you let them have access to your box

    /That sounded wrong somehow
  • Feature, not a bug. (Score:5, Interesting)

    by LostCluster (625375) * on Wednesday February 24, 2010 @08:27PM (#31266960)

    When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.

    This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

    Nothing to see here... move along.

    • by Neil Blender (555885) <neilblender@gmail.com> on Wednesday February 24, 2010 @08:30PM (#31266988)

      Why not just create an alternate account with sudo for them? Why give them root?

    • by batrick (1274632) on Wednesday February 24, 2010 @08:51PM (#31267148)
      A VPS is rented space on hardware in the same way you rent an apartment. You don't own the hardware, but that doesn't mean the host can break into your box whenever he wants. Maybe the contract asserts they have that right (you would be an idiot to contract with them). Use Linode (arguably the best VPS provider in the industry): http://linode.com/ (I am not affiliated with Linode.)
    • by RoFLKOPTr (1294290) on Wednesday February 24, 2010 @09:29PM (#31267402)

      When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.

      This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

      Nothing to see here... move along.

      That would make sense if this was a dedicated server, but this is a VPS. With the two different VM systems I've administered VPSes with (OpenVZ and Xen), you're able to log into any virtual machine as root from the hardware node without a password, negating the need for any of the user's passwords. With OpenVZ it's just `vzctl enter [vpsid]`. There is no reason GoDaddy should be asking for passwords, let alone be automatically probing the VPSes to make sure the passwords on file are correct.

    • by Eil (82413) on Wednesday February 24, 2010 @10:11PM (#31267668) Homepage Journal

      I was just about to write the same thing. This was something that was already brought up weeks ago in an Ask Slashdot. People who don't have much exposure to the web hosting business (and that includes most Slashdotters) don't understand that web hosting falls into two major categories:

      1) Unmanaged

      2) Managed

      Unmanaged hosting means you have full control over all of the software on your machine. (And by "machine" I mean both a real machine and a VPS or cloud node.) Nobody touches your configuration in the slightest once control has been handed over to you. If something goes wrong, including hardware failure, it's the customer's responsibility to notice it and either fix it or get it fixed. Any technical support beyond typical datacenter stuff usually incurs an hourly fee. Unmanaged hosting is ideal for people who want to admin their setup 100% on their own.

      Managed hosting means the web hosting provider monitors the machine which can include external probes (checking for a response on various TCP ports) and internal metrics like system load and disk utilization. When a red flag pops up, a technician logs into the machine and tries to fix whatever is happening. You can call them up with all manner of ridiculous requests ("install WordPress for me and apply this theme") and they have to do it because, well, that's what the customers expect with a managed hosting account. Managed hosting is awesome for people who want a web server but don't have the expertise or will to actually configure and maintain it.

      What the submitter ran into is that he thought he had unmanaged hosting but actually has managed hosting. I don't completely blame him, because a lot of hosting providers don't explicitly state which style they provide. Sometimes it's even hard to tell after you've purchased the product. But it's something you have to figure out or else you're going to be deeply dissatisfied with the company's technical support, as the submitter was.

    • by OverlordQ (264228) on Wednesday February 24, 2010 @11:00PM (#31268010) Journal

      This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.

      Why would, nay, should they log in when there are no indications your box is infected? Asking them for help is a bit different than them arbitrarily accessing it whenever they feel like it, 'we have a process' or not. Most sane providers would send you something like "Hey, we think there's malware $foo coming from your box $bar because $baz, can you please look into it" rather than straight accessing your data.

  • No Surprises Here (Score:5, Interesting)

    by neoform (551705) <djneoform@gmail.com> on Wednesday February 24, 2010 @08:29PM (#31266968) Homepage

    Not surprising at all.

    I had a domain with Godaddy a few years ago when they breached ICANN's rules by threatening to confiscate my domain unless I paid them $200, because I had supposedly breached their TOS.

    GoDaddy is not to be trusted.

    • by LostCluster (625375) * on Wednesday February 24, 2010 @08:32PM (#31267002)

      I had supposedly breached their TOS.

      What was your alleged offense and how do we know you didn't do it?

  • by straponego (521991) on Wednesday February 24, 2010 @08:31PM (#31266994)
    Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.
  • by beakerMeep (716990) on Wednesday February 24, 2010 @08:31PM (#31267000)
    They only seem to market themselves by objectifying women and their services don't seem low priced or high quality. Frankly I think they are an embarrassment to the tech world.
  • I wonder... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Wednesday February 24, 2010 @08:38PM (#31267072) Journal
    My understanding is that "VPS" usually implies that you are living in a VM on somebody else's box.

    How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels (ssh, admin passwords, etc.). If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?

    Obviously, in theory, you can never win against somebody who controls the hardware (and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
    • by theJML (911853) on Wednesday February 24, 2010 @10:34PM (#31267822) Homepage

      You know, this is the first thing I thought of.

      The second thing is that they REALLY didn't even need to ask. Seriously, it's a VM, they can copy and crack the vm. They can restart it single user. They can mount the vm disk to another vm, change the password to what they want, and then put the disk back. They could make themselves a nice little backdoor of some sort. Etc...

      In fact, the more I think about it, the nicer it was that they just asked for it. Once you trust someone to hold your entire machine in virtual space, they really might as well just have the password.
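
A defender-side check for the authorized-keys tampering raised in this sub-thread, as an added example that is not part of any poster's comment: it fingerprints every active entry in an `authorized_keys` file and reports any key missing from an approved set. The sample keys, comments and the `unexpected_keys` helper name are constructed for illustration.

```python
import base64, binascii, hashlib, struct

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_key_line(line: str):
    """Return (fingerprint, comment) for one authorized_keys line, or None."""
    fields = line.split()
    for i in range(len(fields) - 1):
        ktype = fields[i].encode()
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # A real key blob starts with its own length-prefixed type name;
        # this skips option fields such as command="..." that precede the key.
        if blob.startswith(struct.pack(">I", len(ktype)) + ktype):
            return fingerprint(blob), " ".join(fields[i + 2:])
    return None

def unexpected_keys(authorized_keys_text: str, approved: set):
    """List (fingerprint, comment) for every active key not in the approved set."""
    found = []
    for line in authorized_keys_text.splitlines():
        # Commented-out entries are inactive and must not be counted.
        parsed = None if line.lstrip().startswith("#") else parse_key_line(line)
        if parsed and parsed[0] not in approved:
            found.append(parsed)
    return found

def _sample_key(ktype: str, seed: str) -> str:
    """Constructed, non-functional key blob for the demo (not a real key)."""
    body = hashlib.sha256(seed.encode()).digest()
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + struct.pack(">I", 32) + body
    return base64.b64encode(blob).decode()

# Constructed sample file: one approved key, one key nobody approved.
ADMIN = _sample_key("ssh-ed25519", "admin")
ROGUE = _sample_key("ssh-ed25519", "rogue")
SAMPLE = f"""# constructed authorized_keys
from="192.0.2.10",no-pty ssh-ed25519 {ADMIN} admin@laptop
ssh-ed25519 {ROGUE} support@provider.example
"""
APPROVED = {fingerprint(base64.b64decode(ADMIN))}

if __name__ == "__main__":
    for fp, comment in unexpected_keys(SAMPLE, APPROVED):
        print("UNAPPROVED KEY", fp, comment)
```

Because the check runs inside the guest, keep the approved set and the results somewhere the host does not control; a provider that can edit the disk image can edit the checker too.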

  • Double take (Score:5, Insightful)

    by syousef (465911) on Wednesday February 24, 2010 @08:39PM (#31267080) Journal

    We've got a security expert gets an email demanding his root password, and it's all good because they called and said sorry we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!

  • by nicolas.kassis (875270) on Wednesday February 24, 2010 @09:03PM (#31267236)
    They have physical access, which means they don't need the root password. The fact that they store the password just shows plain lack of skill or laziness to implement a better access method by their admins. Storing the passwords where they could potentially be accessed is the issue here. What happens if the database is hacked and the passwords stolen without their knowledge? Insider hacking is also a major issue. Having the root password could allow an attacker to log in and erase all traces easily. Of course it's doable with physical access too but in that case, it's a little more intrusive.
  • by DoofusOfDeath (636671) on Wednesday February 24, 2010 @09:20PM (#31267352)

    Heck, if their sysadmins are definitely like the chicks in the commercials, I'd definitely give them my "root".

  • by cenc (1310167) on Wednesday February 24, 2010 @09:20PM (#31267356) Homepage

    As someone that has been around the block with running a lot of web sites (well, a couple thousand at least) for say the last 10 years, I have learned the hard way to not put all your eggs in one basket. Registries come and go, even the big boys (at least service comes and goes, policies change), hosting providers can go bad for all kinds of reasons, and your DNS services are your keys to the castle in terms of just how much damage an outage can do to a business (backup DNS servers, people).

    • by socsoc (1116769) on Wednesday February 24, 2010 @11:05PM (#31268048)
      Not only should you have backups of DNS servers, you should have redundant ones from multiple providers. For example, slave ns1 at provider a, slave ns2 at provider b, master hidden somewhere else...
      • by cenc (1310167) on Thursday February 25, 2010 @12:07AM (#31268396) Homepage

        Totally agree. There are plenty of affordable backup dns services like dnsmadeeasy.com, that will give you global dns backup coverage for very little money and still allow you to maintain ns6.mydomain.com type servers.

        I don't think a lot of people with just a couple sites realize that if you can keep DNS up, even really cheap hosting going up and down will keep those outages from doing real damage such as with mail not arriving. Servers will keep trying normally for a long time as long as the DNS resolves. That is aside from being able to reach your host to be able to work on it in an emergency.

        A lot of cheap hosting packages provide dns servers in their reseller package, but not many people really appreciate what a bad idea it is to have your only dns server on the same machine.

  • by Hurricane78 (562437) <.gro.todhsals. .ta. .deteled.> on Wednesday February 24, 2010 @09:42PM (#31267484)

    Make a backup of your server, and then tell them that they won’t get it.

    If they switch off your server, sue them for extortion, trespassing (in case they entered the server) and damages. [Same rules as with a (business) apartment and a landlord.]

    But I personally already had hosters asking me for the root password. I refused. That was it. They did not do anything. (We still had a contract, after all.) Of course they told me that they wouldn’t give me support for the software. But I wouldn’t have wanted that anyway, since on the last managed server, they wrecked my database when one of their idiot admins did “fix” something.

    I don’t see the problem. Let them bitch. Tell them to fuck off or you’ll sue. Done.

  • by eagl (86459) on Wednesday February 24, 2010 @10:19PM (#31267712) Journal

    all they need to do is send Danica over to ask for it.
