amuck-landowner

SolusVM Vulnerability

George_Fusioned

Active Member
Verified Provider
Maybe we should use the exploit to chmod 000 /usr/local/solusvm/www/centralbackup.php for any fellow US VPS providers who are currently probably sleeping - before anything worse happens?
 
Last edited by a moderator:

George_Fusioned

Active Member
Verified Provider
Indeed - I was aware my suggestion would raise reactions. On the other hand would you prefer waking up with your nodes wiped?

PS: Could this be the exploit used to wipe those nodes from ChicagoVPS?
 
Last edited by a moderator:

SeriesN

Active Member
Verified Provider
My night shift tech removed it before I could even test this :(. Besides the password, is there anything else it would show?
 
Last edited by a moderator:

Francisco

Company Lube
Verified Provider
My night shift tech removed it before I could even test this :(. Besides the password, is there anything else it would show?
It gives full root to the solus master.

You can then dump the database or do whatever you really want.

Francisco
 

George_Fusioned

Active Member
Verified Provider
My night shift tech removed it before I could even test this :(. Besides the password, is there anything else it would show?
Also check if /usr/local/solusvm/www/rofl.php exists and if yes, delete it. Somebody could have already used the exploit before you removed centralbackup.php
 

SeriesN

Active Member
Verified Provider
It gives full root to the solus master.


You can then dump the database or do whatever you really want.


Francisco
Mother FLOWER! What happens when your admin panel is locked to vpn/selected IP's? Will the user still be able to use those info? A lot of big provider might have been snapped if this is possible.
 

Francisco

Company Lube
Verified Provider
Mother FLOWER! What happens when your admin panel is locked to vpn/selected IP's? Will the user still be able to use those info? A lot of big provider might have been snapped if this is possible.
It doesn't matter. It drops the exploit on the node itself and the user can go to town. being in /www means that any user can view it.

Francisco
 

MartinD

Retired Staff
Verified Provider
Retired Staff
It's worthwhile checking for any files created/modified recently.

Edit. Try this:


Code:
$ find /usr/local/solusvm -type f -printf
 
Last edited by a moderator:

Zach

New Member
Verified Provider
Don't just check /usr/local/solusvm/, you should probably check everywhere for this file or like @MartinD said, any recently created files.
 

mitgib

New Member
Verified Provider
Opened a ticket at Solusvm.com and then within 5 minutes recieved

Soluslabs Ltd

Sunday, June 16, 2013
12:47:18 PM GMT 0
Dear Tim Flavin (Hostigation),

PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSION OF SOLUSVM, INCLUDING BETA VERSIONS.

In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.

Instructions:

You will need root SSH access to your master server.  You are then required to delete the following file:

/usr/local/solusvm/www/centralbackup.php

Example:

rm
 

Reece-DM

New Member
Verified Provider
Nice to see somewhat of a quick response from solus let's hope there's a proper patch soon enough..
 

Ivan

Active Member
Verified Provider
Can't connect to my VPS with them. Their whole site, and SolusVM = gone.
 
Last edited by a moderator:

Reece-DM

New Member
Verified Provider
My night shift tech removed it before I could even test this :(. Besides the password, is there anything else it would show?
It is also providing somewhat of a shell which provides further access rather than just SQL injection.
 

shovenose

New Member
Verified Provider
He could have been framed. As much as I hate Robert Clarke I'm not sure he did that.
 
Last edited by a moderator:
Top
amuck-landowner