ChicagoVPS / CVPS Hacked. New SolusVM exploit? [PT 2/2]

Discussion in 'Industry News' started by Magiobiwan, Jun 18, 2013.

  1. Magiobiwan

    Magiobiwan Insert Witty Statement Here Verified Provider

    374
    112
    May 15, 2013
    NOTICE

    EDIT: Original thread content here: http://vpsboard.com/topic/984-chicagovps-cvps-hacked-new-solusvm-exploit-pt-1

    The thread had to be split into two after some errors. All original posts have been restored in that thread. Further discussion can be had within this thread.

    -MannDude

    (Sorry Magiobiwan, could not remove your post as it's the first one so I had to edit it to display this message)
     
    Last edited by a moderator: Jul 1, 2013
  2. mmance

    mmance New Member

    4
    0
    Jun 18, 2013
    Chris has been very vague in his response to me personally today.  

    I also had someone grep my username for the Client Area in the stolen data.  It came back 0 results.
     
    Last edited by a moderator: Apr 30, 2017
  3. drmike

    drmike 100% Tier-1 Gogent

    8,573
    2,709
    May 13, 2013
    Ran a bunch of lookups for folks here to see if their details were in the dump.

    I can confirm if you cancelled your services after the last hack in November - February, your details probably aren't in there.

    Anyone else want info looked up, PM me.  

    Will be back in a bit.
     
  4. mnsalem

    mnsalem New Member

    38
    0
    Jun 18, 2013
    Just thought to drop by and mention that I just got the email with the report (that update which was posted several hours ago).
     
  5. DaringHost

    DaringHost New Member

    59
    8
    May 22, 2013
  7. saliq

    saliq New Member

    5
    0
    Jun 18, 2013
    If your site and email are the same as your username here, then you are in it :(
     
    Last edited by a moderator: Apr 30, 2017
  8. upsetcvps

    upsetcvps New Member

    54
    1
    Jun 18, 2013
    yes, your e-mail address would not be hard to guess based on your username, Marc ;) 
     
    Last edited by a moderator: Apr 30, 2017
  9. jfreak53

    jfreak53 New Member

    27
    0
    Jun 18, 2013
  10. drmike

    drmike 100% Tier-1 Gogent

    8,573
    2,709
    May 13, 2013
  11. mnsalem

    mnsalem New Member

    38
    0
    Jun 18, 2013
    They are indeed working on it! Last time I checked Pingdom, 3 out of the 4 servers in Atlanta were offline! Now just 1 is left.

    Same for Buffalo! 4 servers were down .. now just 2 ... and I happen to be on the one that is down (facepalm)
     
  12. upsetcvps

    upsetcvps New Member

    54
    1
    Jun 18, 2013
    We are probably on the same server.  How do you know what server you are on?
     
  13. mnsalem

    mnsalem New Member

    38
    0
    Jun 18, 2013
    I am on the 192.227.129.xxx subnet ... that's BUF19, through the CP back in its working days.

    Anything in Buffalo other than that will be on BUF17
     
  14. TheLinuxBug

    TheLinuxBug New Member

    402
    356
    May 15, 2013
    I think this thread should just be closed.  If there is any more real news about this, I think we can open a new thread, or even better, post it in the cesspit.  There are enough CVPS PR threads open here already.

    Cheers!
     
  15. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

    2,890
    1,385
    Mar 25, 2013
    This is just ridiculous.  Closed.  
     
  16. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

    2,890
    1,385
    Mar 25, 2013
  17. jfreak53

    jfreak53 New Member

    27
    0
    Jun 18, 2013
    Thanks mod for cleaning this mess up.

    You know, cVPS, an update, no matter how small it is, would really be helpful, even if it is small.
     
    Last edited by a moderator: Jun 18, 2013
  18. CVPS_Chris

    CVPS_Chris New Member Verified Provider

    155
    51
    May 17, 2013
    Jfreak, we are still working to get the remaining nodes online.
     
  19. Marc M.

    Marc M. Phoenix VPS Verified Provider

    380
    64
    Apr 12, 2013
    How much warning do you need as a software provider about your code being poorly written? And why do you write code like this? Sorry, but I can't fault any provider that was hit by this attack, and all I can say is that I am sorry that some of you guys had to suffer because of this:


    <?php
    if ($_POST['delete']) {
        # $_POST['deleteid'] is concatenated straight into the SQL string,
        # with no escaping and no parameter binding.
        $xc = $db -> query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
        #[...]
        if ($xc[status] == 'failed') {
            # Values read back from that row are then concatenated into a
            # shell command line without escapeshellarg().
            exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
            #[...]
        }
    }
    ?>
    @D. Strout There's been a decoded version floating around the web for a while now, I guess that's how the vulnerability was found and exploited in the first place. Pretty lame, but it is what it is.

    Guys, here is something simple that you should do immediately: restrict access to the admin path. Restrict it by IP, with a password, or ideally both. @Kujoe had some good advice as well on how to secure SolusVM.

    Kind regards,

    Marc
     
    Last edited by a moderator: Jun 18, 2013
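    For comparison, here is a hardened rewrite of the delete-backup handler Marc quoted above. This is an added example, not SolusVM's own code or fix; it assumes a PDO connection in $pdo, the same centralbackup table, and that $vdata['nodeid'] / $vdata['vserverid'] come from the authenticated session rather than from the request.

```php
<?php
// Hardened rewrite of the quoted delete-backup handler (hypothetical example,
// not SolusVM's code). Assumes a PDO handle in $pdo and the same centralbackup
// table; $vdata is assumed to come from the authenticated session, not $_POST.

declare(strict_types=1);

function deleteFailedBackup(PDO $pdo, array $vdata, array $post): bool
{
    if (empty($post['delete'])) {
        return false;
    }

    // 1. Validate the id as a positive integer instead of pasting the raw
    //    POST value into the query text.
    $id = filter_var(
        $post['deleteid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return false;
    }

    // 2. Parameterised query: the id travels as a bound value, never as SQL.
    $stmt = $pdo->prepare(
        'SELECT bserver, filename, status FROM centralbackup WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    $xc = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($xc === false || $xc['status'] !== 'failed') {
        return false;
    }

    // 3. Every value that reaches the shell is wrapped in escapeshellarg(), so
    //    shell metacharacters in a stored filename become one literal argument;
    //    basename() additionally strips any directory component.
    $cmd = sprintf(
        'php /usr/local/solusvm/system/bus.php -- --comm=deletebackup'
        . ' --serverid=%s --nodeid=%s --vserverid=%s --filename=%s',
        escapeshellarg((string) $xc['bserver']),
        escapeshellarg((string) $vdata['nodeid']),
        escapeshellarg((string) $vdata['vserverid']),
        escapeshellarg(basename((string) $xc['filename']))
    );
    exec($cmd, $output, $rc);
    return $rc === 0;
}
```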
  20. concerto49

    concerto49 New Member Verified Provider

    960
    200
    May 5, 2013
    Has anyone heard back from Solus yet?