ChicagoVPS / CVPS Hacked. New SolusVM exploit? (Content Restored) [PT. 1/2]

[drmike]

If anyone still wants to know if their email appears in the dump, PM me and I'll run a search for you.

The dump doesn't include all accounts/some prior customer accounts.

 

[MartinD]

Interesting how it doesn't exist then, eh?

Still waiting..... you're lurking but posting nada.

 

[Lanarchy]

My NY node is responding to ping, but inaccessible. The count so far

1 fully functional

2 responding to ping but inaccessible

2 fully down

 

[insaneguy]

One of my VPS's is still down the other went down for a while and came back luckily that is the one with my most important customers data.

 

[Lanarchy]

My node that just came up has a new kernel.

Linux 2.6.32-042stab078.22

And another says

Linux 2.6.32-042stab076.8

Could have been my doing and it just rebooted for me to see it. But that's different from what I remember.

On both, yum says up to date.

 

[nunim]

Which SolusVM file was exploited this time? 

 

[MartinD]

None - it's nonsense.

 

[jfreak53]

None - it's nonsense.

Really, what your theory? ha ha

 

[nunim]

None - it's nonsense.

Well, ChicagoVPS could just be incompetent and been rooted from the centralbackup exploit, but netn00b posted some "code"  that he claimed was responsible, was looking for what file that was from.

Isn't CurtisG (netnub) the guy who was selling "dedicated servers" that were just shell accounts? 

 

[jfreak53]

Considering cVPS is not the only one effected and Solus has launched their own post on the subject on their site, I'd fair to say it's the exploit

 

[MartinD]

Yes, that's the same person.

...how much weight do you want to put on what he says? Also, the code he showed wasn't a vulnerability either. He's obviously decided any instance of 'exec' in any kind of php code is a vulnerability.

 

[MartinD]

Considering cVPS is not the only one effected and Solus has launched their own post on the subject on their site, I'd fair to say it's the exploit

That was a different exploit that was patched. Solus held up their hands to that, too.

 

[nunim]

Yes, that's the same person.

...how much weight do you want to put on what he says? Also, the code he showed wasn't a vulnerability either. He's obviously decided any instance of 'exec' in any kind of php code is a vulnerability.

Which is why I'm trying to figure out what he claims the exploit to be so I can looksie,  it's fairly trivial to decode ioncube, not that I would do such a thing...

I would also take whatever CVPS Chris says with a grain of salt, as he couldn't explain their last hack that had their db released...  Good thing they have backups this time, except in Atlanta it seems?

 

[chronos511]

Anyone else suddenly unable to get LET to load?

 

[mmance]

Chris has been very vague in his response to me personally today.  

I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.

 

[drmike]

Ran a bunch of lookups for folks here to see if their details were in the dump.

I can confirm if you cancelled your services after the last hack in November - February, your details probably aren't in there.

Anyone else want info looked up, PM me.  

Will be back in a bit.

 

[mnsalem]

Just thought to drop by and mention that i just got the email with the report (that update which was posted several hours ago).

 

[DaringHost]

Anyone else suddenly unable to get LET to load?

See: http://vpsboard.com/topic/770-lowendtalkcom-down/

 

[mmance]

Chris has been very vague in his response to me personally today.  

I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.

 

[saliq]

Chris has been very vague in his response to me personally today.  

I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.

If your site and email is same as the username here then you are in it