# SolusVM Vulnerability



## George_Fusioned (Jun 16, 2013)

http://localhost.re/p/solusvm-11303-vulnerabilities

Quick fix: remove/chmod 000 centralbackup.php from your master's /usr/local/solusvm/www/ folder.

(Thanks Patrick)


----------



## George_Fusioned (Jun 16, 2013)

Maybe we should use the exploit to chmod 000 /usr/local/solusvm/www/centralbackup.php for any fellow US VPS providers who are currently probably sleeping - before anything worse happens?


----------



## MartinD (Jun 16, 2013)

Sticky ground that..don't think I'd advocate that!


----------



## George_Fusioned (Jun 16, 2013)

Indeed - I was aware my suggestion would raise reactions. On the other hand would you prefer waking up with your nodes wiped?

PS: Could this be the exploit used to wipe those nodes from ChicagoVPS?


----------



## SeriesN (Jun 16, 2013)

My night shift tech removed it before I could even test this. Besides the password, is there anything else it would show?


----------



## Francisco (Jun 16, 2013)

SeriesN said:


> My night shift tech removed it before I could even test this. Besides the password, is there anything else it would show?


It gives full root to the solus master.

You can then dump the database or do whatever you really want.

Francisco


----------



## George_Fusioned (Jun 16, 2013)

SeriesN said:


> My night shift tech removed it before I could even test this. Besides the password, is there anything else it would show?


Also check if /usr/local/solusvm/www/rofl.php exists and if yes, delete it. Somebody could have already used the exploit before you removed centralbackup.php.


----------



## SeriesN (Jun 16, 2013)

Francisco said:


> It gives full root to the solus master.
> 
> 
> You can then dump the database or do whatever you really want.
> ...


Mother FLOWER! What happens when your admin panel is locked to VPN/selected IPs? Will the user still be able to use that info? A lot of big providers might have been snapped if this is possible.


----------



## SeriesN (Jun 16, 2013)

George_Fusioned said:


> Also check if /usr/local/solusvm/www/rofl.php exists and if yes, delete it. Somebody could have already used the exploit before you removed centralbackup.php.


PHEW! It is not there.


----------



## Francisco (Jun 16, 2013)

SeriesN said:


> Mother FLOWER! What happens when your admin panel is locked to VPN/selected IPs? Will the user still be able to use that info? A lot of big providers might have been snapped if this is possible.


It doesn't matter. It drops the exploit on the node itself and the user can go to town. Being in /www means that any user can view it.

Francisco


----------



## MartinD (Jun 16, 2013)

It's worthwhile checking for any files created/modified recently.

Edit. Try this:



```
# Lists every regular file under the SolusVM tree with its modification time
# (the -printf format was missing from the original post and is supplied here),
# newest first, so a dropped file stands out at the top.
$ find /usr/local/solusvm -type f -printf '%T+ %p\n' | sort -r | head -n 30
```


----------



## SeriesN (Jun 16, 2013)

Francisco said:


> It doesn't matter. It drops the exploit on the node itself and the user can go to town. Being in /www means that any user can view it.
> 
> 
> Francisco


Gotcha!


----------



## Zach (Jun 16, 2013)

Don't just check /usr/local/solusvm/, you should probably check everywhere for this file or like @MartinD said, any recently created files.


----------



## mitgib (Jun 16, 2013)

Opened a ticket at Solusvm.com and then within 5 minutes received



> Soluslabs Ltd
> 
> Sunday, June 16, 2013
> 12:47:18 PM GMT 0
> ...


----------



## Reece-DM (Jun 16, 2013)

Nice to see somewhat of a quick response from Solus; let's hope there's a proper patch soon enough.


----------



## Ivan (Jun 16, 2013)

Can't connect to my VPS with them. Their whole site, and SolusVM = gone.


----------



## Reece-DM (Jun 16, 2013)

SeriesN said:


> My night shift tech removed it before I could even test this. Besides the password, is there anything else it would show?


It is also providing somewhat of a shell which provides further access rather than just SQL injection.


----------



## concerto49 (Jun 16, 2013)

http://paste.ee/p/jtSva


----------



## shovenose (Jun 16, 2013)

He could have been framed. As much as I hate Robert Clarke I'm not sure he did that.


----------



## DamienSB (Jun 16, 2013)

It seems there is an update in SolusVM's admincp already. Has anyone used it yet?


----------



## texteditor (Jun 16, 2013)

shovenose said:


> He could have been framed. As much as I hate Robert Clarke I'm not sure he did that.


Nick said he admitted it


----------



## SkylarM (Jun 16, 2013)

Email update from Solus:



> *PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.*
> 
> A security update has now been released for the Stable and Beta versions of SolusVM. We advise you to make this update as soon as possible.
> 
> ...


----------



## darknessends (Jun 16, 2013)

Soluslabs Ltd
Sunday, June 16, 2013
06:31:41 PM GMT 0

*PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.*

A security update has now been released for the Stable and Beta versions of SolusVM. We advise you to make this update as soon as possible.

To run the update you can either do it from within the SolusVM admin area or from CLI on the master server. To perform the update from CLI the commands differ depending on the version of SolusVM you are running.

*==================*

*Stable version: *

/scripts/upcp

*Beta version:*

/scripts/upcp-beta

*==================*

Once the update is complete you will have the patched system.

We have included the original instructions in this email that were given when the exploit was announced and before we released the patched updates. If you feel the need to remove the originally exploited file after the update you can do the following:

*==================*


----------



## ShardHost (Jun 16, 2013)

DamienSB said:


> It seems there is an update in SolusVM's admincp already. Has anyone used it yet?


Tested both the beta and the stable and this appears to be now fixed, although can't say there aren't further exploits.


----------



## Supicioso (Jun 16, 2013)

So glad I decided against solusvm. That's the biggest security hole I've seen in a while. I'm more surprised it took so long for someone to find, seeing how it's in every single version of it.


----------



## Reece-DM (Jun 16, 2013)

Anybody else reckon this could be what's screwed a few providers over the years? There's been a "0day" floating about for a while affecting people.


----------



## MartinD (Jun 16, 2013)

I'm pretty sure if that was the case many more providers would have been compromised.


----------



## ShardHost (Jun 16, 2013)

It's a pretty major flaw in the code.  It may have been exploited before.  I hope SolusVM do a full code review following this incident.  I know they were moving things to PDO starting with 1.14, maybe that now needs to be their priority in addition to an external audit.


----------



## SkylarM (Jun 16, 2013)

ShardHost said:


> It's a pretty major flaw in the code.  It may have been exploited before.  I hope SolusVM do a full code review following this incident.  I know they were moving things to PDO starting with 1.14, maybe that now needs to be their priority in addition to an external audit.


Maybe it will speed up the release of 1.14


----------



## ShardHost (Jun 16, 2013)

SkylarM said:


> Maybe it will speed up the release of 1.14


The 1.14 beta suffered from the flaw.  They need to move everything to PDO and not just gradually with each release. I think SolusVM has been getting a lot better as of late; however security must be their priority.


----------



## SkylarM (Jun 16, 2013)

ShardHost said:


> The 1.14 beta suffered from the flaw.  They need to move everything to PDO and not just gradually with each release. I think SolusVM has been getting a lot better as of late; however security must be their priority.


Oh for sure. I'm just glad they acknowledged the issue and provided a resolution as quickly as they did. Some other panels would likely have pretended nothing was wrong.


----------



## ShardHost (Jun 16, 2013)

SkylarM said:


> Oh for sure. I'm just glad they acknowledged the issue and provided a resolution as quickly as they did. Some other panels would likely have pretended nothing was wrong.


Agreed.  Just a shame some good guys had to suffer as a result of this.


----------



## Patrick (Jun 16, 2013)

ShardHost said:


> It's a pretty major flaw in the code.  It may have been exploited before.  I hope SolusVM do a full code review following this incident.  I know they were moving things to PDO starting with 1.14, maybe that now needs to be their priority in addition to an external audit.


From the email:



> A full explanation of this exploit will be released in due course. We will also be reviewing the release status of version 1.14 due to the advanced security features it already contains.


Maybe they will speed up 1.14


----------



## Francisco (Jun 16, 2013)

Remember when I said Solus' code was a mess?

That exploit file is mostly rehashes of their own code just merged into a single page.

Francisco


----------



## George_Fusioned (Jun 16, 2013)

The only occurrence on our master was a user that attempted to access /rofl.php and it looks like he used Raymi's Control Panel URL list as a source to find our SolusVM URL. He was probably checking all providers one-by-one.

Too bad he was behind a VPN (AnchorFree)...


----------



## MartinD (Jun 16, 2013)

Let's not post up any info that could potentially cause further issues down the line folks


----------



## DamienSB (Jun 16, 2013)

Just leaving this here..

```
cat /var/log/lighttpd/access.log | grep centralbackup.php
```

Derp.

```
# cat /var/log/lighttpd/access.log | grep centralbackup.php
91.42.26.6 solus.supremebytes.com - [16/Jun/2013:18:44:13 +0200] "GET /centralbackup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
```

And then we have...

```
cat /var/log/lighttpd/access.log | grep rofl.php
```

Derp.

```
# cat /var/log/lighttpd/access.log | grep rofl.php
204.14.79.50 solus.supremebytes.com - [16/Jun/2013:14:22:20 +0200] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
```

I did however notice that 204.14.79.50 points to my home city: Columbus, Ohio. Seems a little strange because I am out of state at the moment and the service provider listed in the IP WHOIS has an invalid website address listed.

All the seen requests appear to have popped up after we deleted the files this morning.
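The grep above answers "did anyone ask for the file"; the script below is an added example (not from this thread or from SolusVM) that does the same over a whole lighttpd access log and also separates harmless probes (404, file already removed) from requests that matter (a POST that reached centralbackup.php, or rofl.php answering 200). It assumes lighttpd's default log format with the vhost field and uses constructed sample lines with documentation-range IPs.

```python
"""Scan access-log lines for requests to centralbackup.php (the vulnerable
file) and rofl.php (the shell the exploit drops), and rank each source IP by
the worst thing its requests imply."""
import re
import sys
from collections import defaultdict

WATCH_PATHS = ("/centralbackup.php", "/rofl.php")

# lighttpd default format: IP vhost user [date] "REQ" status bytes "ref" "ua".
# The vhost field is optional, so plain Apache-combined lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?:(?P<vhost>\S+)\s+)?-\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)'
)

SEVERITY = {"probe": 0, "high": 1, "critical": 2}


def parse_line(line):
    """Return a dict of request fields, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def classify(rec):
    """404 means the file was already gone (a probe). A non-404 POST reached a
    still-present centralbackup.php; a 200 from rofl.php means a dropped shell
    existed on the master and answered."""
    if rec["path"] == "/rofl.php" and rec["status"] == 200:
        return "critical"
    if (rec["path"] == "/centralbackup.php" and rec["method"] == "POST"
            and rec["status"] != 404):
        return "high"
    return "probe"


def find_probes(lines):
    """All parsed requests whose path is one of the watched files."""
    return [rec for rec in map(parse_line, lines)
            if rec and rec["path"] in WATCH_PATHS]


def summarise(hits):
    """Per source IP: request count, paths touched, worst severity seen."""
    per_ip = defaultdict(lambda: {"count": 0, "paths": set(), "worst": "probe"})
    for rec in hits:
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["paths"].add(rec["path"])
        sev = classify(rec)
        if SEVERITY[sev] > SEVERITY[entry["worst"]]:
            entry["worst"] = sev
    return {ip: {**e, "paths": sorted(e["paths"])} for ip, e in per_ip.items()}


# Constructed sample lines (documentation-range IPs, not from any real log).
SAMPLE_LOG = """\
192.0.2.10 solus.example.net - [16/Jun/2013:18:44:13 +0200] "GET /centralbackup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"
192.0.2.10 solus.example.net - [16/Jun/2013:18:44:15 +0200] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"
198.51.100.7 - [16/Jun/2013:10:58:06 -0500] "POST /centralbackup.php?_v=EXAMPLE HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - [16/Jun/2013:10:58:09 -0500] "GET /rofl.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.5 solus.example.net - [16/Jun/2013:12:00:00 +0200] "GET /admincp/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Pass a real access log path as the first argument; otherwise the sample runs.
    lines = (open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1
             else SAMPLE_LOG.splitlines())
    ranked = sorted(summarise(find_probes(lines)).items(),
                    key=lambda kv: -SEVERITY[kv[1]["worst"]])
    for ip, entry in ranked:
        print(f"{entry['worst']:8} {ip:16} {entry['count']:3} {' '.join(entry['paths'])}")
```

Anything ranked "high" or "critical" is a reason to treat the master as compromised and check the node keys and database, not just delete the file.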


----------



## qps (Jun 16, 2013)

People are definitely trying the exploit...




> 66.172.11.4 - [16/Jun/2013:20:16:52 -0400] "GET /centralbackup.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"


----------



## XFS_Duke (Jun 17, 2013)

> # cat /var/log/lighttpd/access.log | grep centralbackup.php
> 
> 
> 84.222.100.135 == - [16/Jun/2013:10:58:06 -0500] "POST /centralbackup.php?_v=s2w2x2o29474z203y2 HTTP/1.1" 302 0 "http://veritron.gnet.eu/exp.php" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130515 Firefox/17.0 Iceweasel/17.0.6"


lol



> # cat /var/log/lighttpd/access.log | grep rofl.php
> 
> 
> 173.254.216.66 == - [16/Jun/2013:08:12:50 -0500] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
> ...


At least they tried... Most of these are Tor exit nodes...


----------



## vanarp (Jun 17, 2013)

Do we know who all hosts are exploited so far? I only see Ramnode's name everywhere.


----------



## XFS_Duke (Jun 17, 2013)

Not confirmed, but it seems as though something is going on with BudgetVM/Enzu, Inc... Can't confirm because their phone is down as well as their ticket system...


----------



## Magiobiwan (Jun 17, 2013)

Well, found someone who tried to exploit BlueVM's SolusVM. THIS is why we use HyperVM, not SolusVM, for our OpenVZ!


----------



## drmike (Jun 17, 2013)

+1 for BlueVM. Another day and something positive out of BuyVM. Keep it up!

I am sure providers will find all sorts of interesting log entries if they look.


----------



## drmike (Jun 17, 2013)

Do a custom rewrite for the pages people are poking at to hack.  Maybe a double barrel shotgun aimed at them with something funny.

Waiting to see who else gets smashed by the gaping security hole. Folks round here are fairly diligent; many providers elsewhere are not.


----------



## Magiobiwan (Jun 17, 2013)

Just in case you providers using SolusVM didn't know, you can find the IPs clients logged in with under the Client Log page in SolusVM.


----------



## Jack (Jun 17, 2013)

Magiobiwan said:


> Just in case you providers using SolusVM didn't know, you can find the IPs clients logged in with under the Client Log page in SolusVM.


Couldn't find that, but after looking I found another provider that attempted it on me. Nice.


----------



## maounique (Jun 17, 2013)

Jack said:


> Couldn't find that, but after looking I found another provider that attempted it on me. Nice.


How do you know? Could have been a VPN/proxy from their IP space. Unless they were logged in, of course.


----------



## Jack (Jun 17, 2013)

Mao said:


> How do you know? Could have been a VPN/proxy from their IP space. Unless they were logged in, of course.


The IP matches logins of them doing actions to the VM; it wasn't the IP space of a server, it's a home connection.


----------



## MartinD (Jun 17, 2013)

Perhaps a collation of addresses who have tried this would be good.


----------



## mikho (Jun 17, 2013)

Magiobiwan said:


> Well, found someone who tried to exploit BlueVM's SolusVM. THIS is why we use HyperVM, not SolusVM, for our OpenVZ!


Well, by the looks of it the vuln could be used on KVM nodes as well. Or am I wrong?


----------



## MartinD (Jun 17, 2013)

The vuln itself is only for the SolusVM master however gaining access to that gives you access to all the other nodes.


----------



## Magiobiwan (Jun 17, 2013)

It's a vulnerability in SolusVM's Control Panel, so anyone using SolusVM for anything (be it OVZ, KVM, Xen-PV, or Xen-HVM) is vulnerable unless they patch.


----------



## peterw (Jun 17, 2013)

Looking at this picture:



Even remote commands were possible.

What a mess.


----------



## Magiobiwan (Jun 17, 2013)

@Jack it's this page:


----------



## MartinD (Jun 17, 2013)

peterw said:


> Even remote commands were possible.


That's just a php shell script, uploaded after gaining access via the vuln, not the vuln itself.


----------



## MartinD (Jun 17, 2013)

netnub - your previous post with code was removed for the same reason this one has been.

If you have information relating to security issues with SolusVM then I would suggest you contact them so a fix can be issued instead of posting snippets of code on here. All you're doing is opening other hosts to possible issues.

Just for the record, you are far from perfect yourself. I'm pretty sure some of your attempts at producing code were FAR worse than this and when the countless mistakes and glaringly obvious security issues were pointed out you brushed them away as though you didn't care or that you 'meant' to do it because it wasn't in production.

We won't let sensitive code be posted in here for the sake of other hosts and their clients. Use your brain.


----------



## D. Strout (Jun 18, 2013)

XFS_Duke said:


> Not confirmed, but it seems as though something is going on with BudgetVM/Enzu, Inc... Can't confirm because their phone is down as well as their ticket system...


Looks fine to me, fortunately.


----------



## Cameron (Jun 18, 2013)

Just taken a look at our Lighttpd access logs, seems 4 people have tried to access our central backup (multiple times, I may add...) file but have failed!

I have also heard from a few others that there may be more exploits available? As a precaution I've decided to take down my entire SolusVM web server, better to be safe than sorry!


----------



## turfhosting (Jun 18, 2013)

ChicagoVPS was attacked last night as well, I believe. If it was the same exploit and they didn't patch it I would be very angry if I was a customer of theirs. That's just laziness and stupidity.


----------



## drmike (Jun 18, 2013)

What's the current situation from SolusVM?

Realize one compromise that slapped at least a half dozen providers and probably caused backdooring of countless others.

Has anyone confirmed the CurtisG and others about exploits?

Has Solus sent anything further to providers?  Obviously, it is a high value target and skids are creative.  I rule nothing out and am about to go cancelling some accounts I have just because of the situation.


----------



## Francisco (Jun 18, 2013)

buffalooed said:


> What's the current situation from SolusVM?
> 
> Realize one compromise that slapped at least a half dozen providers and probably caused backdooring of countless others.
> 
> ...


If someone has the snippet somewhere I can look it over really quick?

It's possible that whatever it is is just 'handled poorly', but if it's all internal, already-valid data it wouldn't cause issues.

Francisco


----------



## anyNode (Jun 19, 2013)

This is why it is good for hosts to use their own panels, the more variety the better, and leaving one panel in power of 90% of hosts is a bad idea.


----------



## MartinD (Jun 19, 2013)

Like....cPanel?


----------



## ShardHost (Jun 19, 2013)

anyNode said:


> This is why it is good for hosts to use their own panels, the more variety the better, and leaving one panel in power of 90% of hosts is a bad idea.


Different doesn't mean secure.


----------



## anyNode (Jun 19, 2013)

ShardHost said:


> Different doesn't mean secure.


I know, but there is always a vulnerability, whether you use a large panel used by millions or a small panel used by 10 people. However, when there are more panels it's a lot more difficult for people to target a specific one. Think of it like Windows viruses vs Linux viruses vs Mac viruses. Macs can get viruses but they aren't as big of a target as Windows.


----------



## SeriesN (Jun 19, 2013)

Linode got hacked, DO got "hacked", Hetzner did. These are just a few to name. No code is perfect because humans are not perfect. If you are online, you can get hacked/attacked any time. It is not how secure you are, it is how well you handle the situation. This is what will set you apart, and Solus is doing that pretty well with fast patches and updates.


----------



## concerto49 (Jun 19, 2013)

SeriesN said:


> Linode got hacked, DO got "hacked", Hetzner did. These are just a few to name. No code is perfect because humans are not perfect. If you are online, you can get hacked/attacked any time. It is not how secure you are, it is how well you handle the situation. This is what will set you apart, and Solus is doing that pretty well with fast patches and updates.


Hearing from those that have seen the SolusVM decoded source code - it's pretty ugly and full of exploits everywhere. They haven't patched it for years it seems. It's just no one's decided to hack it. We'll be continuing to use Solus for a while and I wish they rehaul the whole thing.


----------



## Shados (Jun 20, 2013)

The benefit an industry gets from using a variety of systems is not that any given system might be more secure, but rather that a flaw or weakness in any of the systems only affects a small subset of the industry at any given point in time, rather than all of them at once. Diversification is a fundamental survival tactic, as evolution has shown - there are very, very few surviving species that reproduce via mitosis rather than sexual reproduction.


----------



## XFS_Duke (Jun 20, 2013)

concerto49 said:


> Hearing from those that have seen the SolusVM decoded source code - it's pretty ugly and full of exploits everywhere. They haven't patched it for years it seems. It's just no one's decided to hack it. We'll be continuing to use Solus for a while and I wish they rehaul the whole thing.


I saw it... I have it... It's bad actually... Need the new source code to see if they patched everything... Hostbill, all I can say is I wonder if we try and send them the exploit if they're gonna charge us $75 to submit the ticket? lol (if that was out of line, I apologize)


----------



## concerto49 (Jun 20, 2013)

XFS_Duke said:


> I saw it... I have it... It's bad actually... Need the new source code to see if they patched everything... Hostbill, all I can say is I wonder if we try and send them the exploit if they're gonna charge us $75 to submit the ticket? lol (if that was out of line, I apologize)


That's the problem. Functionality is all well and good, but hopefully there is a robust system behind the scenes.

You should charge Hostbill for doing their security audit, not the other way around


----------



## XFS_Duke (Jun 20, 2013)

concerto49 said:


> That's the problem. Functionality is all well and good, but hopefully there is a robust system behind the scenes.
> 
> You should charge Hostbill for doing their security audit, not the other way around


Yea, but the problem is that if it doesn't get fixed, the people that use it might get screwed up pretty bad...


----------



## MartinD (Jun 20, 2013)

Yet again, people are making claims about it being really bad and that there are countless vulnerabilities. The same people are oh-so vocal about how shit the whole situation is, however none of you are bothering to tell Solus (or WHMCS, or Hostbill, or whoever) about these so-called problems you're aware of. You then get up in arms and go on a witch hunt. If you know something, TELL SOMEONE WHO CAN SORT IT. Yes, it is Solus's product. Yes, it's their shitty coding; however, if you know something and don't tell them and then get fucked over by some kid with a hardon, then it's YOUR FAULT that it happened. You are to blame for anyone else getting screwed over too because YOU had the chance to get the problem rectified BEFORE the kidiots started messing around.

GROW A BRAIN!!!


----------



## concerto49 (Jun 20, 2013)

MartinD said:


> Yet again, people are making claims about it being really bad and that there are countless vulnerabilities. The same people are oh-so vocal about how shit the whole situation is, however none of you are bothering to tell Solus (or WHMCS, or Hostbill, or whoever) about these so-called problems you're aware of. You then get up in arms and go on a witch hunt. If you know something, TELL SOMEONE WHO CAN SORT IT. Yes, it is Solus's product. Yes, it's their shitty coding; however, if you know something and don't tell them and then get fucked over by some kid with a hardon, then it's YOUR FAULT that it happened. You are to blame for anyone else getting screwed over too because YOU had the chance to get the problem rectified BEFORE the kidiots started messing around.
> 
> GROW A BRAIN!!!


I have to pay them and teach them how to do their job? It's the basics as pointed out here. As part of their pay, they should be doing the security audits and code reviews etc.

And FYI, we tried telling them, e.g. Infinity for sure has and others too.

I like them and will continue to use them, but things like breaking fqdn after an update is frankly silly. Where's the code review? Where's the testing? They released another update to patch it, but it just looks bad.


----------



## MartinD (Jun 20, 2013)

Have you bothered asking them? What good does bitching on here do?

No-one's telling you to pay them or tell them how to do their job but if you're aware of an issue it's your duty to inform them of it - not just for yourself but everyone else that uses the software.


----------

