ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]

[drmike]

Lots of folks are getting segmentation faults.

Usually when you see those, the OS has been destroyed.   I suspect nodes are getting wiped.

 

[D. Strout]

To reiterate, someone has posted that they have at least 3 hacks for SolusVM that are unknown and have given a 12 hour timeline for providers to lock things down.

Their rationale is that they reported the vulnerabilities to Solus and Solus hasn't done squat.

Is there any evidence backing up their claim? I mean aside from the ChicagoVPS hack?

 

[drmike]

Is there any evidence backing up their claim? I mean aside from the ChicagoVPS hack?

 

Ahh, nope.  But real providers would be mighty foolish not to take strong precautionary actions to prevent being a victim.

If the exploits carry the impact the other known one does, it is a full system compromise.

 

[peppr]

I have one in their LA node which is still online, however quite slow. SSH is responding though. 

 

[MannDude]

Edited the title to be more relevant. This may be a new exploit from what I've been reading and from that LET thread.

Scary stuff.

I'd be turning off my SolusVM master if I were a provider to be safe. If clients complain, just tell them why it's down.

If SolusVM was truly warned about a new exploit, and did not act on it, then shame on them. 

 

[D. Strout]

Ahh, nope.  But real providers would be mighty foolish not to take strong precautionary actions to prevent being a victim.

Definitely agree, but I'm just trying to figure out how much chance that this is just some guy making idle threats.

 

[trewq]

If SolusVM was truly warned about a new exploit, and did not act on it, then shame on them. 

If this is the case I will not be using SolusVM any longer.

 

[D. Strout]

If this is the case I will not be using SolusVM any longer.

...If only it were that easy. There is no really good, no-compromise alternative. SolusVM comes with its own compromises, but generally it works. And people are familiar with it. It won't be easy for any provider to just wave bye-bye to something so well-established.

 

[drmike]

There is no really good, no-compromise alternative. SolusVM comes with its own compromises, but generally it works.

 

As usual, I am not a provider.  I fail to see how complicated a panel could be.   Minimal, finite number of things it needs to do.

Certainly are alternatives and certainly should be renewed interest in extending APIs to create your own panel like Backupsy has on top of Proxmox.

Too many complacent folks doing the same as the other providers.  When something breaks, it is mass failure across many businesses.

I miss the days when people built their own solutions for most things.

 

[Magiobiwan]

I suspect that following this series of incidents, there's going to be a large increase in home-grown panel solutions. 

 

[peterw]

This is insane:

@BradND said: Pulled our solus, seriously suggest everyone else does also

@Patrik: Done the same.

@Magiobiwan: I just pulled BlueVM's SolusVM down as well.

@Maounique: Yes, did too, shut down the machine just to make sure this is not a backdoor left by someone using the old exploit, checked before but you can never be sure, if the 3 new exploits are jokes, we will just reinstall, but so far looks grim.

@john: We've also taken our SolusVM offline now. Better safe than sorry.

@trewq: Versatile IT's SolusVM is now shutdown.

@AnthonySmith: Shut the solusvm masters down completely to avoid being hit, this is just messed up.

 

[Magiobiwan]

Again, better safe than compromised, with your DB dumped and made public and your nodes rm -rf --no-preserve-root /'ed. 

 

[john]

What @Magiobiwan said. Let's hope any potential exploits can be confirmed soon as real or not so we can restore SolusVM access.

 

[MartinD]

Someone who has access or knowledge of these so-called vulns needs to let SolusVM know so they can be investigated.

 

[MartinD]

Someone who has access or knowledge of these so-called vulns needs to let SolusVM know so they can be investigated.

 

[drmike]

Liam over at LET has read the Kevin = Adam info and he....


 

Liam Administrator


8:58AM





In light of all the evidence given to us, we have gone ahead and changed Adam's username.

About damn time.  Permabanning  the account would be the right thing to do.

 

[MannDude]

Liam over at LET has read the Kevin = Adam info and he....


 




About damn time.  Permabanning  the account would be the right thing to do.

That's hilarious. I've been saying it all along.

 

[peterw]

@CVPS_Adam

We had patched the centralbackup.php almost immediately on Sunday morning, and per a post on LEB ( http://www.lowendbox.com/blog/solusvm-vulnerability/#comment-121070 ) - there may be more problems with SolusVM. We've been told that other code besides the originally exploited centralbackup.php also utilizes the PHP exec function, and I personally do not believe it is safe as of right now for any provider to have their SolusVM install on right now until we have a better understanding of things. SolusVM's management staff are engaged and working closely with us.

Further updates will be posted shortly as we work through this ordeal.

 

[drmike]

 

BradND Member


9:21AM





@CVPS_Adam I'm not sure anyone cares about you being hacked, why did you lie about being kevin?


Bradley, NodeDeploy

 

[D. Strout]

Hasn't anyone decrypted the source? Couldn't they then run a search for dumb execs?