ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]
- Thread starter Magiobiwan
- Start date
-
- Tags
- chicagovps cvps exploit solusvm
- Status
I'm assuming they're going to notify a small portion of their customer base about the hack. When customers complain they never received an email about the hack, one of those customers would likely speak up and say they did receive the email. They'll chalk it up as the email ending up in the spam box or being denied by your mailing provider, makes it look like they did their due diligence.
Just change your passwords... No need to get the list... Nor is there any real reason to ask for it... Just change your passwords to be safe... Just because it may or may not be in the DB dump doesn't mean that they don't have it themselves... Cover your ass and change your passwords... Make it easy on yourself...Does anyone have access to the list still?? I need to check for a couple usernames on there, don't really want to change passwords if I don't have to on about 10 of them
jacobsta811
New Member
I've got 4 nodes on ChicagoVPS, all down, one each in Atlanta, Los Angeles, Chicago, and Buffalo. Buffalo node sent me some emails from a cron job before it went down saying that the drupal directory was gone, so I assume at least the buffalo server was attempted to be deleted. I hope they *don't* put my nodes back up without changing the root password first. Given the speed of port scans, it seems likely that hackers could get to some of my boxes before I can change the password. I am also curious whether the "central backup" backups created from within SolusVM can be restored - you only get one slot per server but I just did that a few days ago and would lose basically zero data or setup time if those can be restored.
I disagree no reason to see the list. If my server root password is in plain text, it means I have to backup data, reinstall and start fresh to be sure I am not compromised. If it isn't or isn't right, I can probably just check the server carefully after changing the password. I always did my VPS by reinstalling and then changing my root password from the one sent initially in SolusVM rather than over SSH, so I expect my passwords are probably in plain text, but I'd still like to know for sure.
I disagree no reason to see the list. If my server root password is in plain text, it means I have to backup data, reinstall and start fresh to be sure I am not compromised. If it isn't or isn't right, I can probably just check the server carefully after changing the password. I always did my VPS by reinstalling and then changing my root password from the one sent initially in SolusVM rather than over SSH, so I expect my passwords are probably in plain text, but I'd still like to know for sure.
upsetcvps
New Member
There is a good reason to ask for it. Namely, to know what information exactly was compromised.
I don't know who JohnnyDbag is.
I am from Denmark - manndude can verify my ip.
I just use my real name - not an alias like many others her.
/Johnny Andersen
True, but a few people said they got the email already and if i'm not mistaken they posted an announcement... Haven't checked their announcement yet though...
AGREED! That was my reasoning, 4 of the ten servers are not just web pages but very sensitive data. If they were compromised then I have a LOT of work todo while as if they are not on the list then there is no point in working that much, just changing passwords.
Wow, if you've been reading, you know that their entire solusvm database was dumped to the public. Meaning... If you had a VPS with them, your information is compromised... If someone with the data wants to pm you that they have it and give you the info that they have on YOU then thats cool, but theres no reason to have the entire database dump... Especially if you have been reading the forums and reading about what has happened...
drmike
100% Tier-1 Gogent
3AM eastern? Wrong.
The hack was like 24 hours prior - when the entire SolusVM customer database was taken.
The physical servers failing and being deleted, 3AM? It was earlier than that.
At no point did I ever "ASK" for the entire dump, I asked if someone had it. In that case if they do I can PM them the users and ask them nicely if they can grep the file to see if my 10 users are there. Simple.
Again, this is NOT about changing passwords, I already did that. It is about the data within the system. Out of the 10, 5 are back online, meaning if they were not brought back from a backup from cVPS the data contained could be compromised (messed with!!), meaning I have more work to do than just changing a password.
This is the reason I am curious, not changing passwords.
chronos511
New Member
This is an example of the info that was leaked in the db:
cvps_???? (assigned by CVPS) (hash of password)=(some have this, some don't. Original password used to sign up) your@email.com first lastname
cvps_???? (same as above) (IP of server) (name of server) (hypervisor) (OS and version) (RAM) (OG password as above)
cvps_???? (assigned by CVPS) (hash of password)=(some have this, some don't. Original password used to sign up) your@email.com first lastname
cvps_???? (same as above) (IP of server) (name of server) (hypervisor) (OS and version) (RAM) (OG password as above)
This has happened before with CVPS, so simply put, your old passwords are now floating around the internet on 50 mirrors with IP addresses to try your password on.
Mun
jacobsta811
New Member
The server that started emailing me, presumably in mid deletion, happened at 3:25AM EDT. DB could have been hacked well before that though, and possibly some targeted attacks performed before the dump ever got posted.
upsetcvps
New Member
3:15AM EDT for me I lost connection
- Status