On the morning of January 30, 2026, I was surprised to find that one of my CloudCone servers in Los Angeles, USA could no longer be logged into. I was completely baffled at the time, so I hurried to CloudCone's status page to find out the cause.
It turned out to be a ransomware attack by hackers!
Incident details
They exploited a vulnerability in the Virtualizor control panel to take control of the host machines directly and caused irreversible damage to the files on the servers: they encrypted the files, moved laterally to other servers over the local network, and then began demanding ransom. Besides CloudCone, many other hosting providers were attacked and compromised by them as well.
After four days of emergency repairs, CloudCone is back to normal, but the data on the disks has been permanently lost!
CloudCone has now promised, in today's email, that it will stop using the Virtualizor control panel and will launch a brand-new, internally developed management panel by the end of March.
Below is the email CloudCone sent me today.
Hello mike,
We’re reaching out with an important update regarding a recent incident that affected your VPS (Virtual Private Server) in LA, USA.
What We First Observed
Our team was initially alerted when our monitoring systems detected that several virtual machines had lost network connectivity.
We confirmed that multiple host nodes were compromised and that the disks of the affected VMs had been corrupted. Our engineering teams immediately isolated the impacted servers and began a detailed analysis.
We attempted data recovery through multiple methods, including examining raw block devices, reconstructing partition tables, and searching for intact filesystems; however, these recovery attempts were unsuccessful.
Scope of Impact
- Only VPS nodes in LA, USA were affected.
- Affected VPS data is in an irrecoverable state.
- LA VPSs will remain offline until they are re-installed.
Incident Analysis
- We identified that a third-party platform, which acts as the VPS deployment gateway, was compromised due to a vulnerability and was used to gain access to host nodes connected to it. As a result, disks of the affected VMs were corrupted and are in an irrecoverable state.
- We also discovered that this was not an isolated incident, as it affected several other hosting providers utilizing the same third-party platform.
- Your personal information in the CloudCone Client Area is safe. We do not store personal information, billing data, or payment details within this third-party platform.
Actions Taken
To secure our infrastructure and prevent a recurrence, we have taken the following actions:
- Performed clean re-installations of the VPS deployment gateway and affected host nodes.
- Rotated all API keys and credentials.
- Further hardened IP-level access controls and firewalls on the VPS deployment gateway to prevent this vulnerability from being exploited again.
Additionally, as part of our long-term improvement strategy, we are moving away from the third-party platform. All VPS services will be transitioned to our new in-house platform, which is currently in the final stages of testing and will be launched by the end of March.
Next Steps for Our Clients
90% of the affected nodes are now ready for VPS re-installation. When you visit your VPS management page, you will see a banner similar to the one below:
Once this banner appears on your VPS management page, it is safe to proceed with re-installation and restore any backups you have available.
Note: VPS re-installation may take 3–6 hours due to the current re-install queue.
We truly understand the frustration and challenges this incident may have caused, and we sincerely apologize for the disruption. While this situation was outside of our control, please know that we are taking this matter very seriously and are fully committed to improving our systems and processes to prevent similar incidents in the future.
If you have any immediate concerns or need assistance, our support team is here to help.
A detailed incident report will be available upon request once the incident is fully resolved.
Thank you for your patience and continued trust in CloudCone.
Sincerely,
The CloudCone Team
CloudCone's incident timeline
January 30, 2026 · 08:48 AM
Issue
We have identified an outage on our services. At this stage, some services should be facing network timeouts. Our network engineers and sysadmins are investigating the issue at the moment.
January 30, 2026 · 05:49 PM
Investigating
What We First Observed
We were initially alerted to the incident when our monitoring systems detected that several virtual machines experienced network connectivity issues. Upon investigation, we observed abnormal system behavior during the boot process on a subset of affected VMs.
Our engineering teams immediately isolated the impacted servers and began a detailed technical investigation. During this process, we identified signs of unauthorized system-level modification on affected virtual machines, and recovery efforts were initiated.
We are actively exploring all viable recovery options, including low-level disk analysis and filesystem validation, while preparing contingency plans to ensure services can be restored as quickly as possible.
How the Incident Occurred
As part of the investigation, our team identified that an unauthorized script had been executed on the affected nodes. Evidence suggests that this activity originated through management-layer access rather than direct SSH connectivity, which explains the absence of anomalous SSH login records.
During our review, we also identified irregularities in logs associated with a single VPS management instance responsible for coordinating the affected nodes. Based on the available evidence, we believe this management layer was used to execute commands across connected systems.
Our investigation remains ongoing, and additional safeguards have been implemented while analysis continues.
Scope of Impact
We utilize multiple independent platforms to operate our VPS services. At this time, we have confirmed that the incident was limited to nodes associated with a single management instance. Other infrastructure, platforms, and service regions were not impacted.
We do not store customer personal data or billing information within VPS management platforms. Our investigation has found no evidence that customer databases, billing systems, or other internal services were accessed or compromised.
We are currently finalizing recovery steps and next actions. All affected customers will be contacted directly via email with further information, and we sincerely apologize for the inconvenience this incident has caused.
January 31, 2026 · 07:11 PM
We are continuing recovery efforts following a security incident that impacted a limited portion of our Los Angeles VPS infrastructure.
The affected systems were promptly isolated, and our engineering teams are rebuilding impacted nodes from a clean state. Platform-level security reviews and additional safeguards are being applied as part of this process.
At this time:
- The incident has been contained
- Only a subset of VPS infrastructure was affected
- Core systems, billing platforms, and customer databases remain unaffected
Once rebuilding and validation are complete, affected customers will be able to reinstall their VPS and restore services. Detailed guidance and timelines will be communicated directly to impacted users via email.
We appreciate your patience while we complete the recovery and strengthen our platform. Further updates will be posted here as progress continues.
February 1, 2026 · 02:25 AM
Recovery of affected Los Angeles VPS nodes is in progress; customers will be able to reinstall and restore services once rebuilds are complete.
February 3, 2026 · 06:33 PM
Re-installation of services is made available for the clients. The re-install tasks could take 3-6 hours to complete as the system works on a queue.
Impact on me
On that server I had a website, openlist, and a Fanqie (番茄) API server that I was calling from the 阅读 reader app.
This outage also affected me to some extent, including the loss of some data.
A wake-up call for me
Fortunately, none of these relied on a large database, so there was no serious data loss.
Luckily, too, my site is a static website with all of its files kept locally, so all it took to recover was re-uploading the site pages.
So, if you run a site on something like WordPress, Typecho or Halo, make sure you back it up!
Use management scripts, openlist's WebDAV and similar tools to make regular backups to cloud storage, or create server snapshots often in your provider's management panel.
Guard strictly against the data loss that can happen when something like this occurs again!
end