amuck-landowner

ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]


mystic

New Member
Looks like a lot of you got lucky. Mine's been down all day, completely out of commission. This is directly impacting my business with clients...
 

jfreak53

New Member
Does anyone have access to the list still?? I need to check for a couple usernames on there, don't really want to change passwords if I don't have to on about 10 of them :(
 

crspyjohn

New Member
CVPS did send out an email... Some people didn't get it... Not sure why... but there was an email sent
 I'm assuming they're going to notify a small portion of their customer base about the hack. When customers complain they never received an email about the hack, one of those customers would likely speak up and say they did receive the email. They'll chalk it up as the email ending up in the spam box or being denied by your mailing provider, makes it look like they did their due diligence.
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
Does anyone have access to the list still?? I need to check for a couple usernames on there, don't really want to change passwords if I don't have to on about 10 of them :(
Just change your passwords... No need to get the list... Nor is there any real reason to ask for it... Just change your passwords to be safe... Just because it may or may not be in the DB dump doesn't mean that they don't have it themselves... Cover your ass and change your passwords... Make it easy on yourself...
 

jacobsta811

New Member
I've got 4 nodes on ChicagoVPS, all down, one each in Atlanta, Los Angeles, Chicago, and Buffalo. The Buffalo node sent me some emails from a cron job before it went down saying that the Drupal directory was gone, so I assume at least the Buffalo server was attempted to be deleted. I hope they *don't* put my nodes back up without changing the root password first. Given the speed of port scans, it seems likely that hackers could get to some of my boxes before I can change the password. I am also curious whether the "central backup" backups created from within SolusVM can be restored - you only get one slot per server, but I just did that a few days ago and would lose basically zero data or setup time if those can be restored.

I disagree that there's no reason to see the list. If my server root password is in plain text, it means I have to back up data, reinstall and start fresh to be sure I am not compromised. If it isn't, or isn't right, I can probably just check the server carefully after changing the password. I always did my VPS by reinstalling and then changing my root password from the one sent initially in SolusVM rather than over SSH, so I expect my passwords are probably in plain text, but I'd still like to know for sure.
 

upsetcvps

New Member
Just change your passwords... No need to get the list... Nor is there any real reason to ask for it... Just change your passwords to be safe... Just because it may or may not be in the DB dump doesn't mean that they don't have it themselves... Cover your ass and change your passwords... Make it easy on yourself...
There is a good reason to ask for it.  Namely, to know what information exactly was compromised.
 

netsat

New Member
I am not sure who netstat is but signed his post /johnny which I figured since Eric is here JohnnyDbag can't be far behind.

notFound, not sure; haven't read a lot of your posts, so I can't tell who you are based on this thread.
I don't know who JohnnyDbag is.

I am from Denmark - manndude can verify my ip.

I just use my real name - not an alias like many others here.

/Johnny Andersen
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
 I'm assuming they're going to notify a small portion of their customer base about the hack. When customers complain they never received an email about the hack, one of those customers would likely speak up and say they did receive the email. They'll chalk it up as the email ending up in the spam box or being denied by your mailing provider, makes it look like they did their due diligence.
True, but a few people said they got the email already and, if I'm not mistaken, they posted an announcement... Haven't checked their announcement yet though...
 

jfreak53

New Member
I've got 4 nodes on ChicagoVPS, all down, one each in Atlanta, Los Angeles, Chicago, and Buffalo. Buffalo node sent me some emails from a cron job before it went down saying that the drupal directory was gone, so I assume at least the buffalo server was attempted to be deleted. I hope they *don't* put my nodes back up without changing the root password first. Given the speed of port scans, it seems likely that hackers could get to some of my boxes before I can change the password. I am also curious whether the "central backup" backups created from within SolusVM can be restored - you only get one slot per server but I just did that a few days ago and would lose basically zero data or setup time if those can be restored.

I disagree no reason to see the list. If my server root password is in plain text, it means I have to backup data, reinstall and start fresh to be sure I am not compromised. If it isn't or isn't right, I can probably just check the server carefully after changing the password. I always did my VPS by reinstalling and then changing my root password from the one sent initially in SolusVM rather than over SSH, so I expect my passwords are probably in plain text, but I'd still like to know for sure.

There is a good reason to ask for it.  Namely, to know what information exactly was compromised.
AGREED! That was my reasoning: 4 of the ten servers are not just web pages but very sensitive data. If they were compromised then I have a LOT of work to do, whereas if they are not on the list then there is no point in working that much, just changing passwords.
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
There is a good reason to ask for it.  Namely, to know what information exactly was compromised.
Wow, if you've been reading, you know that their entire SolusVM database was dumped to the public. Meaning... If you had a VPS with them, your information is compromised... If someone with the data wants to PM you that they have it and give you the info that they have on YOU then that's cool, but there's no reason to have the entire database dump... Especially if you have been reading the forums and reading about what has happened...
 

drmike

100% Tier-1 Gogent
Around 3am Eastern Standard Time (EST) today, there was a security breach, due to a vulnerability in SolusVM that allowed a command line to be run to dump the ChicagoVPS SolusVM client database and attempt to delete all data from our nodes. Our staff is working tirelessly to get everything back online, along with working with SolusVM to address the root issue, and no further impact is expected.
 

3AM Eastern? Wrong.

The hack was like 24 hours prior - when the entire SolusVM customer database was taken.

The physical servers failing and being deleted, 3AM? It was earlier than that.
 

jfreak53

New Member
Wow, if you've been reading, you know that their entire solusvm database was dumped to the public. Meaning... If you had a VPS with them, your information is compromised... If someone with the data wants to pm you that they have it and give you the info that they have on YOU then thats cool, but theres no reason to have the entire database dump... Especially if you have been reading the forums and reading about what has happened...
At no point did I ever "ASK" for the entire dump; I asked if someone had it. In that case, if they do, I can PM them the users and ask them nicely if they can grep the file to see if my 10 users are there. Simple.

Again, this is NOT about changing passwords; I already did that. It is about the data within the system. Out of the 10, 5 are back online, meaning if they were not brought back from a backup by cVPS the data contained could be compromised (messed with!!), meaning I have more work to do than just changing a password.

This is the reason I am curious, not changing passwords.
 

chronos511

New Member
This is an example of the info that was leaked in the db:

cvps_???? (assigned by CVPS) (hash of password)=(some have this, some don't. Original password used to sign up) [email protected] first lastname

cvps_???? (same as above) (IP of server) (name of server) (hypervisor) (OS and version) (RAM) (OG password as above)
 
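The two record layouts chronos511 describes, together with jacobsta811's rule of thumb (plaintext root password in the dump: rebuild the box; hash only: rotate and audit), can be turned into a small self-check over your own usernames. This is an added example, not code from the thread or from SolusVM; the tab separation, column names and all sample values are assumptions and constructed placeholders.

```python
import csv
import io

# Field order follows the post's description of the two leaked tables;
# tab separation and the column names are assumptions for this example.
USER_FIELDS = ["username", "password_hash", "plaintext", "email", "first", "last"]
SERVER_FIELDS = ["username", "ip", "hostname", "hypervisor", "os", "ram", "root_password"]

# Constructed sample rows with fake placeholder values (not real dump data).
USERS_TSV = (
    "cvps_1001\t5f4dcc3b5aa765d61d8327deb882cf99\tWelcome123\talice@example.net\tAlice\tExample\n"
    "cvps_1002\t6cb75f652a9b52798eb6cf2201057c73\t\tbob@example.org\tBob\tExample\n"
)
SERVERS_TSV = (
    "cvps_1001\t203.0.113.10\tweb1\tOpenVZ\tCentOS 6\t1024\tr00tpass\n"
    "cvps_1002\t203.0.113.11\tdb1\tKVM\tDebian 6\t2048\t\n"
    "cvps_1002\t203.0.113.12\tdb2\tOpenVZ\tDebian 6\t512\tS3cretRoot\n"
)


def parse_tsv(text, fields):
    """Parse tab-separated rows into dicts; short rows are padded with ''."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter="\t"):
        if not rec:
            continue
        rec = rec + [""] * (len(fields) - len(rec))
        rows.append(dict(zip(fields, rec)))
    return rows


def triage(users_tsv, servers_tsv, my_usernames):
    """Return a per-account exposure report for the usernames you own."""
    users = {u["username"]: u for u in parse_tsv(users_tsv, USER_FIELDS)}
    servers = parse_tsv(servers_tsv, SERVER_FIELDS)
    report = {}
    for name in my_usernames:
        # Absence from the dump is not proof of safety: rotate regardless.
        entry = {"listed": name in users, "account": "rotate", "servers": {}}
        if name in users and users[name]["plaintext"]:
            entry["account"] = "rotate everywhere this password was reused"
        for srv in (s for s in servers if s["username"] == name):
            # A plaintext root password means the box may already have been
            # logged into, so its contents are untrusted and it gets rebuilt.
            action = "reinstall" if srv["root_password"] else "rotate root and audit"
            entry["servers"][srv["ip"]] = action
        report[name] = entry
    return report
```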

Mun

Never Forget
At no point did I ever "ASK" for the entire dump, I asked if someone had it. In that case if they do I can PM them the users and ask them nicely if they can grep the file to see if my 10 users are there. Simple.

Again, this is NOT about changing passwords, I already did that. It is about the data within the system. Out of the 10, 5 are back online, meaning if they were not brought back from a backup from cVPS the data contained could be compromised (messed with!!), meaning I have more work to do than just changing a password.

This is the reason I am curious, not changing passwords.

This has happened before with CVPS, so simply put, your old passwords are now floating around the internet on 50 mirrors with IP addresses to try your password on.

Mun
 

jacobsta811

New Member
The server that started emailing me, presumably in mid deletion, happened at 3:25AM EDT. DB could have been hacked well before that though, and possibly some targeted attacks performed before the dump ever got posted.
 

upsetcvps

New Member
The server that started emailing me, presumably in mid deletion, happened at 3:25AM EDT. DB could have been hacked well before that though, and possibly some targeted attacks performed before the dump ever got posted.
3:15AM EDT for me, I lost connection
 