FirstHeberg, a disturbing experiment

This is a cross post with

We wanted to try firstheberg VPS to run some Tor-nodes. This was a bad idea, for multiples reasons.

We bought on of the cheapest one, to play around, try the bandwith, check the CPU behavior, …

Default setup

The default system is akward, with some gtk2-related files (libgtk2 is installed) in /etc, emacs, Muttrc, tex-mf, … 30 binaries are setuid, more than my desktop. Awesomeness is awesome. The setup pulls some files from this host.It adds a backdoor^monitoring access. We installed tor, set a firewall up, and the relay started smoothly (with reasonable bandwidth limits).

And then it went down.

Welcome to hell

We didn’t hear anyhing from the support, nor got an email, or saw a notice on the website. Doesn’t seems nice. We rebooted it. Aproximatively three hours later, it went down again.

Time to email the support. Maybe they detected the fact that we ran a Tor node and weren’t happy with this ?

This is the answer we got:

The copy is over, I just rebooted your server

What the fuck are you talking about?! What copy? What were you doing to our VPS?

And it went down. Again. This was becoming ridiculous.

Once again, we emailed the support.

This one is on the login screen on the VNC console, could you give us the root password or log into it in order to let us verify its configuration without rebooting it?

This is insane. Maybe the support didn’t get the “V” in VPS? Did they lost the password of the hypervisor?

At this point, we abandoned the idea of using firstheberg for anything, and added it to our blacklist. We grabed some popcorn, sat up a poor-man’s keylogger, changed then gave the root password.

The holy-shit-batman-mayhem

The support installed tcpdump.

I don’t even know what to say. I mean, we are inside an hypervisor: they can monitor our traffic. Why the hell do they need to check from inside our VM?

Then, they took a look if the ssh backdoor^wmonitoring key was still there, some bogus network commands, and then, the epic fail happened /etc/init.d/networking restart, and then a shitload of ^c and ^d. The network is gone. The shell is gone. The VNC is gone. Aren’t you supposed to help instead of locking us out of our machine?

I was bitching about this on twitter, and surprise, I got an email notifying that : (@FirstHebergcom) a ajouté un de vos Tweets à ses favoris !

I rebooted the VPS, and it went online. Or was it ? The super-siny-web2.0 half-working (I’m dead serious: The web interface is a piece of crap, and half of the links are not even working) interface doesn’t even provides this indication: I don’t care about your monitoring nor your about shiny graphes: Just tell me if the machine if off or on!

This is completely wtf.

Everything is normal

Since it seems that the main way to get support is Twitter (Emails are so 1990), we asked on it for a refund (And were to told to fuck off).

We were told that the downtime was due to a scheduled maintainance, and that the support was informed.

Despite the fact that it’s clearly written in the article 4.3 that they must inform the client of any deliberate downtime, we didn’t get any email, nor did the support told us anything related.

The VPS is now online since 2 days, but for how long?


Don’t go for firstheberg for anything serious. In fact, don’t choose them for anything at all.


  • They are running old and vulnerable versions of mediawiki, SMF, …
  • People behind firstheberg has a nice website
  • You can scares your friends with their we-are-always-in-maintainance webpage.
  • Feel free to port-scan your server’s gateway, and be amazed.
  • Their internal network is looking like a vulnerable pentesting lab.