amuck-landowner

ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]

Status
Not open for further replies.

upsetcvps

New Member
Chris has been very vague in his response to me personally today.  



I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.
Yes, your e-mail address would not be hard to guess based on your username, Marc ;)
 
Last edited by a moderator:

mnsalem

New Member
They are indeed working on it! Last time I checked Pingdom, 3 out of the 4 servers in Atlanta were offline! Now just 1 is left.

Same for Buffalo! 4 servers were down... now just 2... and I happen to be on the one that is down (facepalm)
 

upsetcvps

New Member
They are indeed working on it! Last time I checked Pingdom, 3 out of the 4 servers in Atlanta were offline! Now just 1 is left.

Same for Buffalo! 4 servers were down... now just 2... and I happen to be on the one that is down (facepalm)
We are probably in the same server.  How do you know what server you are on?
 

TheLinuxBug

New Member
I think this thread should just be closed. If there is any more real news about this, I think we can open a new thread, or even better, post it in the cesspit. There are enough CVPS PR threads open here already.

Cheers!
 

jfreak53

New Member
Thanks mod for cleaning this mess up.

You know, cVPS, an update, no matter how small it is, would really be helpful, even if it is small.
 
Last edited by a moderator:

Marc M.

Phoenix VPS
Verified Provider
How much warning do you need as a software provider about your code being poorly written? And why do you write code like this? Sorry, but I can't fault any provider that was hit by this attack, and all I can say is that I am sorry that some of you guys had to suffer because of this:


<?php
if ($_POST['delete']) {
    # $_POST['deleteid'] is concatenated straight into the SQL string: SQL injection.
    $xc = $db -> query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
    #[...]
    if ($xc[status] == 'failed') {
        # Values read back from the database are concatenated, unescaped, into a shell command: command injection.
        exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
        #[...]
    }
}
?>
Hasn't anyone decrypted the source? Couldn't they then run a search for dumb execs?
@D. Strout There's been a decoded version floating around the web for a while now, I guess that's how the vulnerability was found and exploited in the first place. Pretty lame, but it is what it is.

Guys, here is something simple that you should do immediately: restrict access to the admin path. Restrict it by IP, with a password, or ideally both. @Kujoe had some good advice as well on how to secure SolusVM.

Kind regards,

Marc
 
Last edited by a moderator:
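A hardened form of the handler Marc quoted, added here as an illustration and not SolusVM's own code: the id is validated and bound through a prepared statement instead of being concatenated into the query, and every value that reaches the shell goes through escapeshellarg(). The `$pdo` connection, the `$vdata` array and the `delete_backup_cmd()` helper name are assumptions.

```php
<?php
// Hardened rewrite of the quoted deletebackup handler (illustration only,
// not SolusVM's code). Assumes a PDO connection in $pdo and a $vdata array
// with 'nodeid' and 'vserverid', as in the snippet on the page.

// Build the bus.php command line with every argument shell-escaped.
function delete_backup_cmd(array $xc, array $vdata): string
{
    $args = [
        '--comm=deletebackup',
        '--serverid=' . $xc['bserver'],
        '--nodeid=' . $vdata['nodeid'],
        '--vserverid=' . $vdata['vserverid'],
        '--filename=' . $xc['filename'],
    ];
    // escapeshellarg() single-quotes each value and neutralises embedded
    // quotes, so metacharacters in a DB row are passed literally, not parsed.
    return 'php /usr/local/solusvm/system/bus.php -- '
        . implode(' ', array_map('escapeshellarg', $args));
}

if (!empty($_POST['delete'])) {
    // Accept only a plain integer id before the database is touched.
    $id = filter_input(INPUT_POST, 'deleteid', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('invalid backup id');
    }

    // Parameterised query: the id is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT * FROM centralbackup WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $xc = $stmt->fetch(PDO::FETCH_ASSOC);

    // Quoted 'status' index: the original's bare $xc[status] is a PHP notice.
    if ($xc !== false && $xc['status'] === 'failed') {
        exec(delete_backup_cmd($xc, $vdata), $output, $rc);
    }
}
```

Escaping the shell arguments is the minimum; restricting `filename` to a known pattern before it is stored is the stronger control, and neither replaces the admin-path restriction recommended above.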

upsetcvps

New Member
How much warning do you need as a software provider about your code being poorly written? And why do you write code like this? Sorry, but I can't fault any provider that was hit by this attack, and all I can say is that I am sorry that some of you guys had to suffer because of this:


<?php
if ($_POST['delete']) {
    # $_POST['deleteid'] is concatenated straight into the SQL string: SQL injection.
    $xc = $db -> query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
    #[...]
    if ($xc[status] == 'failed') {
        # Values read back from the database are concatenated, unescaped, into a shell command: command injection.
        exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
        #[...]
    }
}
?>
@D. Strout There's been a decoded version floating around the web for a while now, I guess that's how the vulnerability was found and exploited in the first place. Pretty lame, but it is what it is.

Guys, here is something simple that you should do immediately: restrict access to the admin path. Restrict it by IP, with a password, or ideally both. @Kujoe had some good advice as well on how to secure SolusVM.

Kind regards,

Marc
what. the. fuck.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
MannDude, I know you don't work there, but Urpad got hit too?
Yeah, don't work there anymore.

I messaged Jason earlier this morning and told him what was going on and it may be best to shut the Solus master off for a while.

Doesn't matter, Adam Ng ("Kevin Hillstrand") has had the URPad WHMCS and SolusVM DB (both dated) for a while and has always threatened to post it anytime we made him mad. I'd change your passwords anyways since I could never get the old owner to force password resets on everyone, nor have the new owners yet. Both parties have indeed been informed that this kid has dated DBs and has threatened, multiple times, to post them if we don't back off on things that upset him. (Like poking the Adam/Kevin thing, etc)
 
Last edited by a moderator:

Amitz

New Member
That's somehow unrelated, but is this 'Adam Ng' in any way related to Adam, the former owner of VPSLatch? I still have a bone to pick with that a**hole...
 