ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]

Status
Not open for further replies.

drmike

100% Tier-1 Gogent
Lots of folks are getting segmentation faults.

Usually when you see those, the OS has been destroyed. I suspect nodes are getting wiped.
 

D. Strout

Resident IPv6 Proponent
To reiterate, someone has posted that they have at least 3 hacks for SolusVM that are unknown and have given a 12 hour timeline for providers to lock things down.

Their rationale is that they reported the vulnerabilities to Solus and Solus hasn't done squat.
Is there any evidence backing up their claim? I mean aside from the ChicagoVPS hack?
 

drmike

100% Tier-1 Gogent
Is there any evidence backing up their claim? I mean aside from the ChicagoVPS hack?
 

Ahh, nope.  But real providers would be mighty foolish not to take strong precautionary actions to prevent being a victim.

If the exploits carry the impact the other known one does, it is a full system compromise.
 

peppr

New Member
I have one in their LA node which is still online, however quite slow. SSH is responding though. 
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Edited the title to be more relevant. This may be a new exploit from what I've been reading and from that LET thread.

Scary stuff.

I'd be turning off my SolusVM master if I were a provider to be safe. If clients complain, just tell them why it's down.

If SolusVM was truly warned about a new exploit, and did not act on it, then shame on them. 
 

D. Strout

Resident IPv6 Proponent
Ahh, nope.  But real providers would be mighty foolish not to take strong precautionary actions to prevent being a victim.
Definitely agree, but I'm just trying to figure out how much chance that this is just some guy making idle threats.
 

D. Strout

Resident IPv6 Proponent
If this is the case I will not be using SolusVM any longer.
...If only it were that easy. There is no really good, no-compromise alternative. SolusVM comes with its own compromises, but generally it works. And people are familiar with it. It won't be easy for any provider to just wave bye-bye to something so well-established.
 

drmike

100% Tier-1 Gogent
There is no really good, no-compromise alternative. SolusVM comes with its own compromises, but generally it works.
 

As usual, I am not a provider. I fail to see how complicated a panel could be. Minimal, finite number of things it needs to do.

Certainly are alternatives and certainly should be renewed interest in extending APIs to create your own panel like Backupsy has on top of Proxmox.

Too many complacent folks doing the same as the other providers.  When something breaks, it is mass failure across many businesses.

I miss the days when people built their own solutions for most things.
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
I suspect that following this series of incidents, there's going to be a large increase in home-grown panel solutions. 
 

peterw

New Member
This is insane:

@BradND said: Pulled our solus, seriously suggest everyone else does also
@Patrik: Done the same.
@Magiobiwan: I just pulled BlueVM's SolusVM down as well.
@Maounique: Yes, did too, shut down the machine just to make sure this is not a backdoor left by someone using the old exploit, checked before but you can never be sure, if the 3 new exploits are jokes, we will just reinstall, but so far looks grim.
@john: We've also taken our SolusVM offline now. Better safe than sorry.
@trewq: Versatile IT's SolusVM is now shutdown.
@AnthonySmith: Shut the solusvm masters down completely to avoid being hit, this is just messed up.
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
Again, better safe than compromised, with your DB dumped and made public and your nodes rm -rf --no-preserve-root /'ed. 
 

john

New Member
Verified Provider
What @Magiobiwan said. Let's hope any potential exploits can be confirmed soon as real or not so we can restore SolusVM access.
 

MartinD

Retired Staff
Verified Provider
Retired Staff
Someone who has access or knowledge of these so-called vulns needs to let SolusVM know so they can be investigated.
 

drmike

100% Tier-1 Gogent
Liam over at LET has read the Kevin = Adam info and he....

Liam (Administrator), 8:58AM:
In light of all the evidence given to us, we have gone ahead and changed Adam's username.

About damn time. Permabanning the account would be the right thing to do.
 

peterw

New Member
@CVPS_Adam

We had patched the centralbackup.php almost immediately on Sunday morning, and per a post on LEB ( http://www.lowendbox.com/blog/solusvm-vulnerability/#comment-121070 ) - there may be more problems with SolusVM. We've been told that other code besides the originally exploited centralbackup.php also utilizes the PHP exec function, and I personally do not believe it is safe as of right now for any provider to have their SolusVM install on right now until we have a better understanding of things. SolusVM's management staff are engaged and working closely with us.

Further updates will be posted shortly as we work through this ordeal.
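As an added illustration (not SolusVM's code and not part of CVPS_Adam's post), the following PHP shows the class of problem the quoted warning describes: an exec() call that splices request data straight into a shell command line, next to a hardened version, plus a small audit helper a provider could run over a panel's source tree to list every shell-spawning call that needs review. The function names, the $target parameter, the paths and the numeric-id rule are assumptions made for this example only.

```php
<?php
// Added example, not SolusVM or ChicagoVPS code. Everything below
// (function names, paths, the numeric-id rule) is assumed for illustration.

// UNSAFE pattern: request data is concatenated into the command string.
// Whatever shell syntax arrives in $target is interpreted by /bin/sh,
// which is how an exec() sink turns into remote command execution.
function unsafe_backup(string $target): string
{
    return (string) exec("tar -czf /backups/$target.tar.gz /vz/private/$target");
}

// HARDENED pattern: validate against a strict allowlist first, then escape
// every argument individually and check the exit status.
function safe_backup(string $target): string
{
    // Assumption for this example: a container identifier is purely numeric.
    if (!preg_match('/^[0-9]{1,10}$/', $target)) {
        throw new InvalidArgumentException('invalid container id');
    }
    $archive = escapeshellarg("/backups/$target.tar.gz");
    $source  = escapeshellarg("/vz/private/$target");
    $output  = [];
    $rc      = 0;
    exec("tar -czf $archive $source 2>&1", $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('tar failed: ' . implode("\n", $output));
    }
    return $archive;
}

// Audit helper: list every PHP file under $root that calls a function which
// spawns a shell, so an operator can review each sink by hand. The backtick
// operator (`cmd`) is also a sink but is not matched by this simple pattern.
function find_shell_sinks(string $root): array
{
    $sinks   = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];
    $pattern = '/\b(' . implode('|', $sinks) . ')\s*\(/';
    $hits    = [];
    $iter    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (preg_match($pattern, $line)) {
                $hits[] = sprintf('%s:%d: %s', $file->getPathname(), $n + 1, trim($line));
            }
        }
    }
    return $hits;
}

// Usage (assumed path): print each sink found under the panel's web root.
foreach (find_shell_sinks('/usr/local/solusvm/www') as $hit) {
    echo $hit, PHP_EOL;
}
```

The audit helper only tells you where the sinks are; each hit still has to be read to decide whether every argument reaching it is validated and escaped the way safe_backup() does. A sink that takes no external input at all is not a problem, and one that takes input from an authenticated but untrusted client is exactly the case the quoted post is worried about.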
 