GoGrid-hosted server hacked between provisioning and first login (plus.google.com)
55 points by jjwiseman on July 14, 2011 | 22 comments



Below is the post I left on the thread in the link. This exact situation happened to me too. Root cause was the person who installed my OS set the root password to "g0grid". Bulletproof.

----------------------

This exact same thing happened to me! I have a crappy little single box with them and I have been reasonably happy with their service (I was originally with servepath before they got bought by GoGrid). I requested a 64-bit upgrade, which they did promptly. I was contacted by customer service to tell me the upgrade was complete and to tell me how to log in, but I had already gone to bed. The customer service rep left a VM message saying "check your customer portal account for instructions on how to log in." The next morning before I leave for work, I'm just about to log in to my fresh box when I get a call from GoGrid saying my server has been compromised, offering to let me pay for a fresh install, or I can lock it down myself immediately. I'm no security expert, but I damn well wasn't going to pay for a reinstall on a box I never logged in to. I finally managed to get them to do the reinstall for free because they had to admit the password that the customer service rep had picked after the reinstall wasn't so hot: "g0grid". Nice job, guys.


I hope they don't provision their servers with the same default root password; it would be trivial to compromise.


Back in April GoGrid had their entire customer database - including credit cards - hacked (http://blog.liox.eu/2011/04/20/security-breach-at-gogrid/). It was a pretty serious breach.

I'm not sure if this person's hack is related (e.g. an attacker has his portal password/API key/etc.) or if it is indicative of vulnerabilities in GoGrid's system.


From Lore Sjöberg:

My former server host, GoGrid, tells me (via my business partner) that it's my fault my server was hacked fifteen hours after they installed it, because I didn't log into it before it was hacked.

To paraphrase freely, GoGrid is admitting that their security is so shitty that I should have known not to trust them to install a safe server. I should have been so suspicious of their policies and practices that I should have rushed to log into the server to lock it down as soon as they made it live, knowing that their default setup is such a screen door that hacking within a matter of hours was inevitable.

And, because of this, GoGrid is not refunding a cent of my year of pre-paid money.


With a little effort they could use ssh keys instead of passwords...

They should ask users to provide their ssh public keys, and use them to give access to a newly provisioned server, locking down password-based ssh logins. That's how other players (like AWS) do it.

This is basic basic basic security stuff.


For a start they could just use a proper random root password, instead of a default one, and maybe only allow ssh access from the same netblock the install was ordered from.

However, one thing I don't get: why is it that people don't log in immediately after it is ready? On Linode it only takes a few minutes to (re)install a VM, but GoGrid might be slower of course.


I have used GoGrid for a while. And though originally very critical of them (check my blog), I haven't had too many problems lately. For both dedicated servers and cloud servers I've always had a random root password generated. Not sure how this person ended up with one that was g0gr1d.

As for your question, by the sounds of it he ordered a dedicated server, not a cloud one. Those usually take them the better part of a day to set up.


That wouldn't help if the backend controlling requisitions is what's compromised (as other comments possibly point to), but you're right, it doesn't sound like these guys have any clue about security at all.


If you know the IP range assigned to a host it would be easy to write a script that listened for new IPs coming up and to perform a dictionary attack on those IPs. Security around provisioning new servers is often ugly, with plain text passwords sent in the clear and iptables disabled. Shared keys and disabling plain text passwords in OpenSSH is an obvious solution, but for non-technical customers this can be a huge support overhead. Does anyone solve this pattern elegantly?

I do see some responsibility on a customer securing a box as soon as it is provisioned though, unless it is a managed service.
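One way a provider could do what the ssh-key, random-password and netblock suggestions above ask for, as an added example (not GoGrid's or anyone's actual provisioning code; the ROOT prefix argument, the drop-in file path and the function names are assumptions): generate a random root password for the portal, install the customer-supplied public key, and turn off password logins before the box goes live.

```shell
#!/bin/sh
# Added example, not GoGrid's tooling: a provisioning step that installs the
# customer's SSH key, disables password logins and, optionally, limits root
# logins to the netblock the order came from. ROOT is a prefix so the function
# can be dry-run on a scratch directory; on the live image it would be "/".
# Assumes OpenSSH 8.2+ (sshd_config includes /etc/ssh/sshd_config.d/*.conf).

# Random 24-character root password for the portal, instead of a fixed default.
gen_root_password() {
    head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-24
}

# harden_ssh_tree ROOT PUBKEY_FILE [ORDER_CIDR]
harden_ssh_tree() {
    root=$1; pubkey=$2; cidr=${3:-}
    [ -s "$pubkey" ] || { echo "no public key supplied" >&2; return 1; }
    # Refuse anything that is not an OpenSSH public key line: installing junk
    # here would lock the customer out once password auth is off.
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' "$pubkey" \
        || { echo "unrecognised public key format" >&2; return 1; }
    umask 077   # new files 0600, directories 0700
    mkdir -p "$root/root/.ssh" "$root/etc/ssh/sshd_config.d"
    cat "$pubkey" > "$root/root/.ssh/authorized_keys"
    {
        echo "PasswordAuthentication no"
        echo "KbdInteractiveAuthentication no"
        echo "PermitRootLogin prohibit-password"
        # AllowUsers USER@CIDR limits where root may connect from.
        if [ -n "$cidr" ]; then echo "AllowUsers root@$cidr"; fi
    } > "$root/etc/ssh/sshd_config.d/10-provision.conf"
}

# check_ssh_tree ROOT: succeed only if the hardened settings are in place.
check_ssh_tree() {
    conf=$1/etc/ssh/sshd_config.d/10-provision.conf
    keys=$1/root/.ssh/authorized_keys
    grep -qx 'PasswordAuthentication no' "$conf" || return 1
    grep -qx 'PermitRootLogin prohibit-password' "$conf" || return 1
    [ -s "$keys" ] && [ "$(ls -ld "$keys" | cut -c1-10)" = "-rw-------" ]
}
```

Run `harden_ssh_tree / /path/to/customer.pub 203.0.113.0/24` during image build, hand `gen_root_password` output to the portal only, and have the provisioning pipeline refuse to mark the server live unless `check_ssh_tree /` passes.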


I'm guessing that GoGrid provisioned the server, then sent him an email with his password. After first login, he would have been prompted to change his password, but somebody got to his email before he logged in...


They respond: "Passwords are never emailed. They are available via the portal if needed." - https://twitter.com/#!/GoGrid/status/91345641728512000


Maybe they weren't sending truly random one-time-use passwords.


Just wondering, can't you just format the server again? Or doesn't GoGrid provide that option at all? Since it's a brand new server, I guess there's no problem in formatting and installing it again.


That's what I was thinking. When you rent a server you're renting hardware and a connection. If you screw up the software side (like getting hacked) you can always wipe the drive and reinstall. Why would you want to cancel a year long contract because you're set back an hour to reimage?


Because the company may have demonstrated both a carelessness about security and poor customer service on day 1?


Pure speculation because I cannot make any sense of GoGrid's offering, but if they offer what's usually called a "managed server", it means that you do not have the right to reimage the server yourself; you must submit a ticket and the hosting company is supposed to perform the reimaging.


Frankly, I don't buy this at all. It is very difficult in 2011 to provision a server that is really vulnerable by default.

I suspect that the person who posted this was in some other way compromised, and is blaming it on GoGrid.


I don't know what happened in this case, but it doesn't seem very difficult:

1. Configure server to use password authentication and allow logins from anywhere.

2. Send password to user via unencrypted email.

There's a reason that people are uncomfortable receiving passwords via email.


1. Is true of GoGrid. 2. They don't; you get the initial passwords from their admin panel.


This is exactly the kind of misinformation campaign that the real hacker would be waging! Blame the victim! I suspect it was ianhawes doing the hacking.


Yup, the fact that he didn't share anything about how the server was hacked is a bit suspicious.


Considering similar reports, maybe their default templates are already cracked with injected code.

So every time they create a new container, it's got a backdoor.

