Attacker leaves “SECURITY TIPS” after invading anti-DDoS firm Staminus

Staminus, a California-based internet hosting provider that specializes in helping sites stay online when distributed denial of service (DDoS) attackers try to elbow them off, was itself the target of a cyber broadside last week.

At any rate, it started last week, with reports of the company’s site being down as of Thursday. But as of Monday, it was again, or maybe still, sucking wind.

Staminus on Friday put out a statement confirming that its network security had been popped and invaded, systems had been “temporarily” taken offline, and customer data had been published online.

The company posted a series of updates on Twitter and Facebook while its website was down, explaining that this was a “rare event.”

But even while Staminus techs were scrambling to drag the company’s site back online, whoever mugged it was dumping its private data online in what security journalist Brian Krebs called a “classic ‘hacker e-zine’ format” called “F**k ’em all.”

Krebs reports that the page included links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks.

The huge data dump included customer names and email addresses, database table structures, routing tables, support tickets, credit card numbers (according to Krebs, at any rate; Ars Technica’s Sean Gallagher didn’t see any when he viewed the dump), and other sensitive data.

A Staminus customer who requested anonymity confirmed to Ars that his data was part of the dump.

Those behind the dump claimed to have gained control of Staminus’s routers and to have reset them to factory settings.

The hacker “e-zine” that contained all the sensitive data began with a note from the attacker titled “TIPS WHEN RUNNING A SECURITY COMPANY.”

Then, it went on to list tips for what were supposedly the security holes found during the breach:

  • Use one root password for all the boxes
  • Expose PDU’s [power distribution units in server racks] to WAN with telnet auth
  • Never patch, upgrade or audit the stack
  • Disregard PDO [PHP Data Objects] as inconvenient
  • Hedge entire business on security theatre
  • Store full credit card info in plaintext
  • Write all code with wreckless [sic] abandon
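The "Disregard PDO" line refers to PHP Data Objects, whose prepared statements are the standard defence against SQL injection in PHP. The following is an added example, not code from the article or from Staminus, contrasting the unsafe string-concatenation pattern with a PDO prepared statement. It assumes a hypothetical `customers` table with `id`, `name` and `email` columns; the DSN and credentials are placeholders.

```php
<?php
// Added example (not code from the article or from Staminus): the difference
// between a concatenated query and a PDO prepared statement.
// Assumptions: a hypothetical `customers` table with id, name and email
// columns, and a working PDO connection in $pdo (DSN and credentials below
// are placeholders).

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'REPLACE_ME');
// Surface driver errors as exceptions instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer real server-side prepared statements over client-side emulation
// where the driver supports them.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Unsafe pattern: caller-controlled input is spliced into the SQL text, so a
// stray quote in the value becomes part of the query's grammar.
function findCustomerUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, name, email FROM customers WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: the SQL text is fixed and compiled first; the value is bound
// afterwards as data and cannot alter the statement's structure.
function findCustomerSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM customers WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input: a plain address and one containing an apostrophe.
// findCustomerUnsafe() would build malformed SQL from the second value and
// throw a syntax error; findCustomerSafe() simply looks it up as a literal.
$inputs = ["alice@example.com", "o'brien@example.com"];
foreach ($inputs as $email) {
    $rows = findCustomerSafe($pdo, $email);
    printf("%-25s -> %d row(s)\n", $email, count($rows));
}
```

Disabling `PDO::ATTR_EMULATE_PREPARES` matters because with emulation enabled the PHP driver quotes values client-side and sends a single string; with it disabled, the statement and its parameters travel to the server separately, which is the property that makes prepared statements injection-resistant.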

On Thursday, Staminus reported that some services were back online or in the process of being brought back and that “We expect full service restoration soon.”

Then, another message posted on Friday pointed to the statement from the company’s CEO.

That was the last message. What followed was radio silence, unbroken as of Monday evening.

Krebs pointed out that the attack isn’t surprising: anti-DDoS providers are a common target for attackers.
