• Announcements

    • MannDude

      Current state of vpsBoard   02/04/2017

      Dear vpsBoard members and guests:

      Over the last year or two vpsBoard activity and traffic has dwindled. I have had a change of career and interests, and as such am no longer an active member of the web hosting industry.

      Due to time constraints and new interests I no longer wish to continue to maintain vpsBoard. The web site will remain only as an archive to preserve and showcase some of the great material, guides, and industry news that has been generated by members, some of whom I remain in contact with to this very day and now regard as personal friends.

      I want to thank all of our members who helped make vpsBoard the fastest growing industry forum. In its prime it was an active and ripe source of activity, news, guides and just general off-topic banter and fun.

      I wish all members and guests the very best, whether it be with your business or your personal projects.

      -MannDude
Magiobiwan

ChicagoVPS / CVPS Hacked. New SolusVM exploit? [PT 2/2]

210 posts in this topic

NOTICE

 

EDIT: Original thread content here: http://vpsboard.com/topic/984-chicagovps-cvps-hacked-new-solusvm-exploit-pt-1

 

The thread had to be split into two after some errors. All original posts have been restored in that thread. Further discussion can be had within this thread.

 

-MannDude

 

(Sorry Magiobiwan, could not remove your post as it's the first one so I had to edit it to display this message)

Edited by MannDude
Trying to fix stuff.


Chris has been very vague in his response to me personally today.

[attached screenshot: 17316044_screenshot.png]

I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.


Ran a bunch of lookups for folks here to see if their details were in the dump.

 

I can confirm if you cancelled your services after the last hack in November - February, your details probably aren't in there.

 

Anyone else want info looked up, PM me.  

 

Will be back in a bit.


Just thought to drop by and mention that I just got the email with the report (that update which was posted several hours ago).


Chris has been very vague in his response to me personally today.

[attached screenshot: 17316044_screenshot.png]

I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.

If your site and email are the same as your username here, then you are in it :(


Chris has been very vague in his response to me personally today.

[attached screenshot: 17316044_screenshot.png]

I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.

yes, your e-mail address would not be hard to guess based on your username, Marc ;) 


They are indeed working on it! Last time I checked Pingdom, 3 out of the 4 servers in Atlanta were offline! Now just 1 is left.

Same for Buffalo! 4 servers were down .. now just 2 ... and I happen to be on the one that is down (facepalm)


They are indeed working on it! Last time I checked Pingdom, 3 out of the 4 servers in Atlanta were offline! Now just 1 is left.

Same for Buffalo! 4 servers were down .. now just 2 ... and I happen to be on the one that is down (facepalm)

We are probably in the same server.  How do you know what server you are on?


We are probably in the same server.  How do you know what server you are on?

 

I am on the 192.227.129.xxx subnet ... that's BUF19 (through the CP back in its working days).

Anything in Buffalo other than that will be on BUF17.


I think this thread should just be closed.  If there is any more real news about this, I think we can open a new thread, or even better, post it in the cest pit.  There are enough CVPS PR threads open here already.

 

Cheers!


This is just ridiculous.  Closed.  


Thanks mod for cleaning this mess up.

 

You know, cVPS, an update, no matter how small it is, would really be helpful, even if it is small.


Jfreak, we are still working to get the remaining nodes online.


How much warning do you need as a software provider about your code being poorly written? And why do you write code like this? Sorry, but I can't fault any provider that was hit by this attack, and all I can say is that I am sorry that some of you guys had to suffer because of this:

```php
<?php
if ($_POST['delete']) {
    // $_POST['deleteid'] is concatenated straight into the SQL string: SQL injection.
    $xc = $db->query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
    #[...]   ($vdata is populated in the elided code)
    if ($xc['status'] == 'failed') {
        // Row values (originally user-supplied) are concatenated into a shell command
        // with no escaping: command injection through exec().
        exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
        #[...]
    }
}
?>
```

Hasn't anyone decrypted the source? Couldn't they then run a search for dumb execs?

 

@D. Strout There's been a decoded version floating around the web for a while now, I guess that's how the vulnerability was found and exploited in the first place. Pretty lame, but it is what it is.

 

Guys, here is something simple that you should do immediately: restrict access to the admin path. Restrict it by IP, with a password, or ideally both. @Kujoe had some good advice as well on how to secure SolusVM.

 

Kind regards,

Marc

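For contrast with the snippet quoted above, here is a hardened version of the same handler. This is an added example for this thread, not SolusVM's code; it assumes $db is a PDO connection (so a prepared statement is available), that $vdata carries the node and vserver ids exactly as in the quoted snippet, and keeps the bus.php command line as quoted.

```php
<?php
// Hardened rewrite of the quoted backup-deletion handler (added example, not
// SolusVM code). Assumes: $db is a PDO connection, $vdata holds 'nodeid' and
// 'vserverid' as in the original, bus.php command line unchanged.

function deleteFailedBackup(PDO $db, array $vdata, array $post): bool
{
    if (empty($post['delete']) || !isset($post['deleteid'])) {
        return false;
    }

    // 1. Validate the untrusted id before it touches anything. A backup id is a
    //    positive integer; refusing anything else removes the SQL injection sink
    //    that the string-concatenated query in the original opened.
    $id = filter_var($post['deleteid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // 2. Parameterised query: the id is bound as data, never spliced into SQL text.
    $stmt = $db->prepare('SELECT * FROM centralbackup WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $xc = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($xc === false || ($xc['status'] ?? '') !== 'failed') {
        return false;
    }

    // 3. Every value handed to the shell goes through escapeshellarg(), so a
    //    filename or server id containing ; | $( ) or backticks is passed as one
    //    literal argument instead of being interpreted by /bin/sh. These values
    //    come from the database, but they were user input when they were stored,
    //    so they are treated as untrusted here too. basename() additionally stops
    //    a stored "../" from pointing outside the backup directory.
    $cmd = implode(' ', [
        'php', '/usr/local/solusvm/system/bus.php', '--',
        '--comm=deletebackup',
        '--serverid=' . escapeshellarg((string) $xc['bserver']),
        '--nodeid=' . escapeshellarg((string) $vdata['nodeid']),
        '--vserverid=' . escapeshellarg((string) $vdata['vserverid']),
        '--filename=' . escapeshellarg(basename((string) $xc['filename'])),
    ]);
    exec($cmd, $output, $exitCode);
    return $exitCode === 0;
}
```

Two design notes: the integer check happens before the query so that a non-numeric id never reaches the database at all, and on PHP 7.4 or later the exec() call can be replaced with proc_open() given an array of arguments, which bypasses /bin/sh entirely and makes the escaping step unnecessary rather than merely correct.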
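The post above recommends restricting the admin path by IP, by password, or ideally both. As an added example (not SolusVM code and not @Kujoe's advice), this is a small PHP guard that does both at the top of an admin entry script: an IPv4 allowlist checked against REMOTE_ADDR, followed by HTTP Basic authentication verified against a bcrypt hash. The allowlisted networks are RFC 5737 documentation ranges and the hash-file path /etc/admin-gate/admin.hash is a hypothetical location chosen to sit outside the web root; both are placeholders to replace.

```php
<?php
// Admin-path guard (added example, not SolusVM code). Networks and hash file
// path are constructed placeholders. Create the hash file once with:
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT);' > /etc/admin-gate/admin.hash

const ADMIN_ALLOWED_NETWORKS = ['203.0.113.0/24', '198.51.100.7/32']; // RFC 5737 documentation ranges
const ADMIN_USER = 'admin';
const ADMIN_HASH_FILE = '/etc/admin-gate/admin.hash'; // hypothetical path, outside the web root

// True when $ip (IPv4 dotted quad) lies inside $cidr ("a.b.c.d/n" or a bare address).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // IPv6 or malformed input: fail closed
    }
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// The client address is taken from the TCP connection (REMOTE_ADDR), never from
// X-Forwarded-For or similar headers, which any client can set unless a trusted
// reverse proxy in front of this host overwrites them.
function clientIp(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function ipAllowed(string $ip, array $networks): bool
{
    foreach ($networks as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

function requireAdminAccess(array $networks, string $user, string $hashFile): void
{
    if (!ipAllowed(clientIp(), $networks)) {
        http_response_code(403);
        exit('Forbidden');
    }
    $hash = is_readable($hashFile) ? trim((string) file_get_contents($hashFile)) : '';
    $givenUser = $_SERVER['PHP_AUTH_USER'] ?? '';
    $givenPass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // hash_equals() and password_verify() run in constant time, so a wrong
    // username and a wrong password cost the same and leak nothing via timing.
    // An empty or unreadable hash file fails closed rather than open.
    if ($hash === '' || !hash_equals($user, $givenUser) || !password_verify($givenPass, $hash)) {
        header('WWW-Authenticate: Basic realm="Admin"');
        http_response_code(401);
        exit('Authentication required');
    }
}

requireAdminAccess(ADMIN_ALLOWED_NETWORKS, ADMIN_USER, ADMIN_HASH_FILE);
```

Two caveats when deploying something like this: under CGI/FastCGI the Authorization header is not always passed through to PHP_AUTH_USER and PHP_AUTH_PW, so check the web server configuration before relying on it, and Basic auth only protects the credentials if the admin path is served over HTTPS. Doing the same IP and password restriction in the web server itself (before PHP runs) is the stronger option where it is available, because a bug in the application cannot then bypass it.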