GoDaddy Wants Your Root Password
Johnny Fusion writes "The writer of the Securi Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials.
There is an update where GoDaddy explains itself and says they will change policy."
Apparently submitter didn't RTFA.
Fail.
You already trust them 100% if you let them have access to your box
/That sounded wrong somehow
When my trivia game was hosted at EV1Servers (now part of The Planet company) I kept my root password on file with them at all times, and quite a few times support logged in and helped me with a problem, like telling me the reason my webserver went down was that the Warnings file in Apache had hit the Linux system limit.
This isn't GoDaddy the domain registrar looking for your passwords, this is GoDaddy the hosting provider wanting to log in to a customer's VPS that's running on their hardware, and most likely is calming down a paranoid admin if he's yelling at Slashdot about a "security breach" when support wanted to log in.
Nothing to see here... move along.
Not surprising at all.
I had a domain with Godaddy a few years ago when they breached ICANN's rules by threatening to confiscate my domain unless I paid them $200, because I had supposedly breached their TOS.
GoDaddy is not to be trusted.
MABASPLOOM!
Pro tip: never trust your domain or your business to a company who got its name from a Thrill Kill Kult song and advertises its services with soft-core porn.
They only seem to market themselves by objectifying women and their services don't seem low priced or high quality. Frankly I think they are an embarrassment to the tech world.
meep
Back up your data and move to a new host...don't forget to change the passwords though!
You cannot warp because you are warp scrambled.
My understanding is that "VPS" usually implies that you are living in a VM on somebody else's box.
How robust are the various common server operating systems against an attacker breaching the system by either reading or manipulating the VM's state? When your "hard drive" is just a file on somebody else's system, and your RAM is just a block of memory reserved for you by whatever virtualization mechanism is being employed, either could conceivably be read or written without any access to your system through the usual channels (ssh, admin passwords, etc.). If, say, you are using public key authentication, to avoid password attacks entirely, what would stop the VM host from just scribbling their own public key onto the list of approved public keys stored on your filesystem? Or doing something subtler, like scanning your block of RAM to find your SSH daemon, and flipping a few bits to make it interpret your login attempt as valid rather than failed?
Obviously, in theory, you can never win against somebody who controls the hardware (and, with VMs, they don't even need EE skills and an expensive oscilloscope to poke at the hardware, since the "hardware" is actually software). However, theoretical viability and practical doability can be very different animals. In this case, they tried a clumsy password guess, followed by a demand, obviously not uber-hacker material. Has there been any work done, though, on the strengths, weaknesses, and limits of what a VM that doesn't trust its host can do?
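The "scribble a key into authorized_keys" case from the post above, seen from the detection side: a small tripwire that fingerprints every key in an authorized_keys file and reports any that is not on an allowlist. This is an added example, not code from any post in this thread; it assumes OpenSSH's authorized_keys layout and its SHA256 fingerprint convention (base64 of SHA-256 over the decoded key blob, padding stripped), and every key in it is constructed rather than real. As the post itself says, a host that can rewrite guest memory can also defeat an in-guest check, so this only catches the clumsy version of the attack.

```python
"""Tripwire for unexpected keys in an OpenSSH authorized_keys file.

Added example, not code from any post in this thread. Assumptions: the file
follows OpenSSH's authorized_keys layout ([options] keytype base64-blob
[comment]) and fingerprints use OpenSSH's SHA256 form (base64 of SHA-256 over
the decoded blob, '=' padding stripped). All keys below are constructed.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    """Key type embedded as the first wire string of a public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", "replace")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """One record per key line: fingerprint, declared type, comment, options, problem.

    Option fields containing quoted spaces are not handled; a single-token
    option list such as no-pty,from="10.0.0.0/8" is fine.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        record = {"line": lineno, "fingerprint": None, "type": None,
                  "comment": "", "options": "", "problem": ""}
        if idx is None or idx + 1 >= len(fields):
            record["problem"] = "unparseable"
            records.append(record)
            continue
        record["type"] = fields[idx]
        record["options"] = " ".join(fields[:idx])
        record["comment"] = " ".join(fields[idx + 2:])
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            record["problem"] = "bad base64"
            records.append(record)
            continue
        if len(blob) < 4:
            record["problem"] = "bad blob"
        elif blob_key_type(blob) != fields[idx]:
            # the declared type and the type inside the blob disagree
            record["problem"] = "type mismatch"
        record["fingerprint"] = fingerprint(blob)
        records.append(record)
    return records


def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Records that failed to parse or whose fingerprint is not on the allowlist."""
    return [r for r in parse_authorized_keys(text)
            if r["problem"] or r["fingerprint"] not in allowed_fingerprints]


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed key material (ed25519 blob = wire string "ssh-ed25519" + 32-byte key).
ADMIN_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
INJECTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\xaa" * 32)

# Constructed authorized_keys: the second key is one the admin never installed.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys the admin installed",
    f"ssh-ed25519 {b64(ADMIN_BLOB)} admin@laptop",
    "# a line the admin never wrote",
    f'no-pty,from="10.0.0.0/8" ssh-ed25519 {b64(INJECTED_BLOB)} support@host-injected',
])
ALLOWED_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for r in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {r['line']}: unexpected key {r['fingerprint']} ({r['comment']}) {r['problem']}")
```

Run it periodically from cron against each account's authorized_keys (and the sshd `AuthorizedKeysFile` locations) with the allowlist kept somewhere the VPS cannot write to, such as your own workstation; a mismatch between the declared key type and the type inside the blob is reported too, since that is what a hand-edited or corrupted line tends to look like.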
We've got a security expert who gets an email demanding his root password, and it's all good because they called and said sorry we'll change our policy? HUH? No wonder people are commenting that he's been paid off!!!
These posts express my own personal views, not those of my employer
This isn't surprising coming from a company founded on Christian* values.
*The distorted Protestant American version of the faith.
I am becoming gerund, destroyer of verbs.
With a title this inflammatory I could have sworn I was about to read a kdawson piece.
That's funny... your post history shows otherwise. If you don't want to have such awful karma, stop posting stupid shit all the time... Like the post you just made.
I much prefer the moniker "NoDaddy"
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
That's not the question. The question is if GoDaddy is trustworthy.
Judge for yourself. Here are some stories about GoDaddy on Slashdot, in order by date:
Go Daddy Usurps Network Solutions (2005-05-04)
GoDaddy Serves Blank Pages to Safari & Opera (2005-12-08)
GoDaddy.com Dumps Linux for Microsoft (2006-03-23)
GoDaddy Holds Domains Hostage (2006-06-17)
GoDaddy Caves To Irish Legal Threat (2006-09-16)
MySpace and GoDaddy Shut Down Security Site (2007-01-26) That incident prompted this web site:
Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names.
Alternative Registrars to GoDaddy? (2007-02-03)
GoDaddy Bobbles DST Changeover? (2007-03-11)
850K RegisterFly Domains Moved To GoDaddy (2007-05-29)
According to this March 11, 2008 story in Wired, GoDaddy shut down an entire web site of 250,000 pages because of one archived mailing list comment: GoDaddy Silences Police-Watchdog Site RateMyCop.com. See below for Slashdot's story about RateMyCop.com.
GoDaddy Silences RateMyCop.com (2008-03-12)
ICANN Moves Against GoDaddy Domain Lockdowns (2008-04-08)
GoDaddy VP Caught Bidding Against Customers (2008-06-29)
Those are just the stories until July of 2008.
GoDaddy's reputation is not just one of extremely negative stories. In my opinion, GoDaddy tries to confuse non-technical people by offering services they don't need and presenting them as valuable.
Here are some of the opinions of Bob Parsons, the owner of GoDaddy. He is pro-violence: Close Gitmo? No way!!
He uses women's bodies to advertise: Bob Parson's Video Blog.
They have physical access which means they don't need the root password. The fact that they store the password just shows plain lack of skill or laziness to implement a better access method by their admins. Storing the password where it could potentially be accessed is the issue here. What happens if the database is hacked and the passwords stolen without their knowledge? Insider hacking is also a major issue. Having the root password could allow an attacker to log in and erase all traces easily. Of course it's doable with physical access too but in that case, it's a little more intrusive.
Care to include some proof to backup your claim?
Exactly.
And IF a company tries that BS, start making a LOT of noise and shame the SOBs or at the very least warn the rest of us so we can put a kibosh on any business.
Wow, that is the cleverest, most original post I have ever seen on Slashdot. I mean whoa - a negative Microsoft post. Who would have ever thought of it? Hats off to you sir!
Quote from the story, Registrars Still Ignoring ICANN Rules: "Over a year ago ICANN moved to clean up misbehaving registrars like GoDaddy..." (2009-07-22)
Another quote from that Slashdot story: "GoDaddy (and their reseller arm, Wild West Domains) have a different problem: They still block transfers for 60 days after a registrant's contact update, even after the ICANN update specifically prohibited doing so."
Heck, if their sysadmins are definitely like the chicks in the commercials, I'd definitely give them my "root".
As someone who has been around the block with running a lot of web sites (well, a couple thousand at least) for say the last 10 years, I have learned the hard way to not put all your eggs in one basket. Registries come and go, even the big boys (at least service comes and goes, policies change), hosting providers can go bad for all kinds of reasons, and your DNS services are your keys to the castle in terms of just how much damage an outage can do to a business (backup DNS servers, people).
Living in Chile
Quote from the Slashdot story, KnujOn Updates Top 10 Spam-Friendly Registrars List: "Network Solutions and GoDaddy sister company Wild West domains - have popped up on the [spammer-friendly] list." (2009-02-06)
Say what you will about Godaddy, but they put out quality commercials.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Make a backup of your server, and then tell them that they won’t get it.
If they switch off your server, sue them for extortion, trespassing (in case they entered the server) and damages. [Same rules as with a (business) apartment and a landlord.]
But I personally already had hosters asking me for the root password. I refused. That was it. They did not do anything. (We still had a contract, after all.) Of course they told me that they wouldn’t give me support for the software. But I wouldn’t have wanted that anyway, since on the last managed server, they wrecked my database when one of their idiot admins did “fix” something.
I don’t see the problem. Let them bitch. Tell them to fuck off or you’ll sue. Done.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Don't they use Imperva for security? I guess it's a testament to how Imperva is a bad choice.
Has anyone else noticed that the Securi blog sets off a malware alarm when attempting to access the main site?!?! I'm currently using Avast!
all they need to do is send Danica over to ask for it.
GoDaddy: We spend all our money on shitty Superbowl commercials, and our customers get screwed.
GoDaddy is a joke. Why they still have any customers is beyond me.
I don't know if this proves anything, but I just went to GoDaddy and searched for the domain "godaddysucksdonkeycock.com" and was told to "please select a different domain name to search on". What does that mean, exactly?
GoDaddy can have my root password when they pry it out of my warm, fapping hand!!
Ewww. I think I just grossed myself out.
He was actually saying something good about Microsoft, and that they are worth every $1 to their name for assuring that your computer will always be safe from password loss.
The FUD is strong in you, JetAye.
This is quite an understatement. I do occasional web development on the side, and I recently had my first client in a while. I told her to go ahead and sign up for the domain with GoDaddy, but she said she couldn't figure out what to do. So I helped her out in person and I couldn't *believe* the amount of crap they try to push on you. Pages full of options and "upgrades" and packages on every step ... even after you finish your purchase! It's a tremendously confusing experience for someone who doesn't know how to filter out the signal from the noise.
That's why I use ChangeIP.com for domain registrations.
You pick the name, give them a credit card, press the button and get on with your life. They won't hijack it, hold it hostage, try to sell you anything (except DDNS if you want it). You pay, they register. As it should be.
I now have three (count'em 3) clients that have lost their domains to GoDaddy. However, for only $400 or so, GoDaddy will sell you back your own domain.
I wouldn't use GoDaddy if my ass was on fire and they had free water.
Whatever they don't like, they overcompete against it.
The same moral values they disapprove of, they are the sole monopolists in that practice.
They cause disputes to hurt themselves, to justify sweeping policy changes that were never involved in the first place.
By far, they must be the greatest religion the world has ever known.
Godaddy already had the root password, presumably from when you set the VPS up.
- We have no way of knowing that they store these in cleartext that I can see, unless I missed something.
The abnormal (not wrong, just not what most people do) setup with the honeypot allowed their security scanner to think it had logged into your box successfully using a brute-force method.
They then found they could not *actively* log in with the password on file, because they were hitting a honeypot, not the real SSH port.
They followed up with an email to what they thought was an infected box.
So - glad they are changing policy - but even more glad they are at least pro-active about it. For every security-conscious admin such as indicated here, there are tons and tons of VPSes out there without even minimal security practices.
Basically, it looks like a process mismatch between the expectations of godaddy and the guy managing the server..... nothing that you can't work out, and you get what you pay for.
I am glad I don't have any services with godaddy, I don't want any of my passwords stored in an easily retrievable manner, much less at a company as easy to social-engineer as godaddy.
GoDaddy called me on my cell to sell me some unnecessary bullshit, as is their business model. Well it was a woman who called me. So after I refused their bullshit offering she asked if I had any more questions.
"Yeah, how do you feel about working for someone that objectifies women in their advertising?"
Silence, then pissiness ensued. Whatever, She knows I am right.
Don't call my cell and pitch me shit that's a waste of my time.
"Another dumb freetard."
Another comment from someone who didn't bother to read the article or understand the issue.
Here's a quote from the Microsoft press release: "Upon completion of the migration, Go Daddy® will have moved all its parked domains from Linux to the Windows platform."
A "parked domain" is one with no real content, but just one small static web page that says something like "coming soon". The implication is that Microsoft Windows servers are fully capable of serving parked domains.
At the time, March 21, 2006, the story was that the Microsoft marketing department got GoDaddy to make the change by offering a lucrative deal. Why would Microsoft do that? This April 7, 2006 story explains: Microsoft Server gains 4.7% market share of hosted domains.
A parked domain, even though it is never visited except by accident, is a "hosted domain". Now it was possible for Microsoft sales people to talk about how Microsoft Windows server software was rapidly gaining market share. That would be entirely misleading, however.
Note that the press release misspelled GoDaddy as "Go Daddy", even though it was spelled correctly a few words earlier. That gives a picture of the level of competence involved at Microsoft's P.R. agency, Waggener Edstrom.
You may find it interesting that Pam Edstrom's daughter Jennifer and a former Microsoft manager wrote the book, Barbarians Led by Bill Gates. (August 15, 1998, eight years earlier) The Amazon.com review says the book "... presents a harsher and messier history, sharply questioning Microsoft's ethics and corporate wisdom..." The book seems authoritative; the authors certainly had inside access to the facts. It's certainly unusual that the daughter of one of the heads of Microsoft's P.R. agency would write a book discussing Microsoft's abusiveness in detail.
Or will Daddy have to spank you?
GoDaddy is absolutely the worst Internet company I have ever dealt with. Before I was through with them they "fined" me $199 for alleged spamming (posting some links in a chat room of all things), they threatened to hold all of my domains hostage until I paid. I highly recommend anyone with GoDaddy leave now, before the same happens to you.
http://nodaddy.com/
That talk rubbish in an anonymous cowardly fashion so that you never get modded down, you know, I'd rather freely express my opinions and be modded down than behave like a coward like you do.
Just in case it was you (Oh! Surprise) that modded me down this time with OFFTOPIC, just to let you know, dear coward, that I just made a joke about GoDaddy so, it might be funny, it might not, but funny or not is not OFFTOPIC.
Just in case you don't know, there is no mod down for "I disagree" or "I don't like you" and NO, OFFTOPIC is not a substitute.
And about the censorship and post history, obviously you didn't look at it. After I made this post:
http://slashdot.org/comments.pl?sid=1522590&cid=30888708
my next post got modded UP 1 point and, all of a sudden, my Karma went from positive to BAD for NO reason.
So keep doing your ANONYMOUS COWARD things, you will never EVER get modded down.
Dear
Clearly GoDaddy is not a company anyone should need to deal with. I currently have several domains hosted there and wish to move them (including a paid-for email service for one of them).
What other domain registrars would be recommended? I am after one who I will be able to trust, and I'm willing to pay a bit more for this.
to confuse non-technical people by offering services they don't need and presenting them as valuable.
Congratulations, you just described Marketing's purpose in life...
That's why if you are serious about your data you should run your own server on your own rack at your own hosting company connected with your own pipes; use your own DNS servers, your own CA and of course your own TLD.
Enough said...
I have had my share of BS from godaddy, and that is why I stopped referring my web dev clients to them. I now send all my clients to siteground. They absolutely rock. Their tech support people are highly competent, quick, and polite . . . they are actual geeks, not fucktard sales dept rejects that have been put through some bs support course for mental defectives, like gocrappy.
I can't say enough good things about them, sorry if this sounds like an ad, but, they truly rock.
MOE
SARAVA!
A GoDaddy Virtual Dedicated Server is *not* the property of the party who purchases the service, it is the property of GoDaddy. Read the product literature and the service agreement, and you will find that at no point are you granted the right to take sole control of the root account. This would be like insisting on changing the lock on an apartment so that only you have access to it. The strongest promise they make is that you will have administrative access so that you can install whatever you want.
GoDaddy did nothing wrong, but it's good that they put the best possible face on it.
Parsons Technology, the company that peddled income tax and DIY wills a few years ago?
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
We have been collecting some of the tools/scripts used on web attacks for our research.
You publicly stated you had malware. That either got misinterpreted along the line as being infected by or hosting malware (thus the threat of disconnection), or someone inside GoDaddy was using it as an excuse to get a copy of your collection of malware, maybe to protect themselves from it or learn to develop more under cover of being proactive on security matters.
Feigned stupidity can be a cover for actual malice.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
"... radical feminist rant."
There is a lot more to the stories of the head of GoDaddy supporting violence and being involved with models. I just didn't have the time to add to what I already wrote.
For example: GoDaddy Super Bowl Ad Pulled After One Run. Quote: "The decision was prompted by NFL officials complaining to Fox..."
The image of the NFL being radical feminist makes me laugh.
See this story: Why I Don't Owe GoDaddy $6,579.51 (or $969).
On a VPS, it really doesn't matter if the hosting company has your root password or not - they can directly access the filesystem to view or modify any files any time they want.
For some virtualization types (like Xen and KVM) it is more convenient for the host to know the root password so they can log in to manage the VPS. Without it, filesystem access requires that the VPS be shut down, which is worse for everyone.
For other types like OpenVZ, the host can log in as root any time they want, without even knowing the password.
In the case of GoDaddy, they would probably be better off setting up VPSs they sell with an additional root-equivalent account or using SSH keys - that way the customer can keep their root password secret.
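The sshd_config side of that last suggestion (root reachable by key only, passwords off, the provider's support account carrying its own key) is easy to get wrong in one specific way: sshd takes the first value it sees for a keyword, so a hardening line appended at the bottom of a config that already says `PermitRootLogin yes` changes nothing. The audit below checks for exactly that. It is an added example, not code from any post in this thread and not GoDaddy's provisioning; it assumes OpenSSH's first-match rule, the OpenSSH 7.0+ default of `prohibit-password` when `PermitRootLogin` is absent, and the default of `yes` for `PasswordAuthentication`. `Match` blocks are out of scope (parsing stops at the first one), and all three configs are constructed.

```python
"""Audit an sshd_config for the root-access policy a VPS should ship with.

Added example, not code from any post in this thread and not GoDaddy's
provisioning. Assumed OpenSSH semantics: keywords are case-insensitive,
'#' starts a comment, 'Keyword value' and 'Keyword=value' are both accepted,
and for each keyword the FIRST value in the file wins. Assumed defaults when a
keyword is absent: PermitRootLogin prohibit-password (OpenSSH 7.0+),
PasswordAuthentication yes. Match blocks are not modelled: parsing stops at
the first 'Match' line. All configs below are constructed.
"""
import re

DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text: str) -> dict:
    """Effective top-level settings, honouring sshd's first-match rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword without a value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional section, not modelled here
        settings.setdefault(key, value)  # first occurrence wins; later ones are ignored
    return settings


def audit_root_access(text: str) -> list:
    """Findings for a config that lets root, or anyone, in by password alone."""
    effective = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if effective["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins; "
                        "use prohibit-password or no")
    if effective["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is on: a stored or guessed "
                        "password is enough to log in")
    return findings


# Constructed: root logs in with the password the provider keeps on file.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: root by key only; a support account would get its own key and sudo.
HARDENED_CONFIG = """
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

# Constructed: the common mistake, hardening lines appended below the originals.
APPENDED_FIX_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
# added later, and silently ignored because the keywords already appeared above:
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("appended fix", APPENDED_FIX_CONFIG)]:
        print(name, "->", audit_root_access(cfg) or ["ok"])
```

`sshd -T` prints the effective configuration and is the authoritative check on a real box, including `Match` blocks; the point of the small parser is to show why the appended-fix file still fails, which a diff of the file alone will not reveal.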
That was *HOT*!!!
Great. This from the guy who just spent several million dollars buying Cher's house in Hawaii. The guy has a private jet. How the hell does a web hosting company pull that off?