SolusVM Vulnerability

[George_Fusioned]

http://localhost.re/p/solusvm-11303-vulnerabilities

Quick fix: remove/chmod 000 centralbackup.php from your master's /usr/local/solusvm/www/ folder.

(Thanks Patrick)

 

[George_Fusioned]

Maybe we should use the exploit to chmod 000 /usr/local/solusvm/www/centralbackup.php for any fellow US VPS providers who are currently probably sleeping - before anything worse happens?

 

[MartinD]

Sticky ground that..don't think I'd advocate that!

 

[George_Fusioned]

Indeed - I was aware my suggestion would raise reactions. On the other hand would you prefer waking up with your nodes wiped?

PS: Could this be the exploit used to wipe those nodes from ChicagoVPS?

 

[SeriesN]

My night shift tech removed it before I could even test this . Besides the password, is there anything else it would show?

 

[Francisco]

My night shift tech removed it before I could even test this . Besides the password, is there anything else it would show?

It gives full root to the solus master.

You can then dump the database or do whatever you really want.

Francisco

 

[George_Fusioned]

My night shift tech removed it before I could even test this . Besides the password, is there anything else it would show?

Also check if /usr/local/solusvm/www/rofl.php exists and if yes, delete it. Somebody could have already used the exploit before you removed centralbackup.php

 

[SeriesN]

It gives full root to the solus master.


You can then dump the database or do whatever you really want.


Francisco

Mother FLOWER! What happens when your admin panel is locked to vpn/selected IP's? Will the user still be able to use those info? A lot of big provider might have been snapped if this is possible.

 

[SeriesN]

Also check if /usr/local/solusvm/www/rofl.php exists and if yes, delete it. Somebody could have already used the exploit before you removed centralbackup.php

PHEW! It is not there. 

 

[Francisco]

Mother FLOWER! What happens when your admin panel is locked to vpn/selected IP's? Will the user still be able to use those info? A lot of big provider might have been snapped if this is possible.

It doesn't matter. It drops the exploit on the node itself and the user can go to town. being in /www means that any user can view it.

Francisco

 

[MartinD]

It's worthwhile checking for any files created/modified recently.

Edit. Try this:

$ find /usr/local/solusvm -type f -printf

 

[SeriesN]

It doesn't matter. It drops the exploit on the node itself and the user can go to town. being in /www means that any user can view it.


Francisco

Gotcha!

 

[Zach]

Don't just check /usr/local/solusvm/, you should probably check everywhere for this file or like @MartinD said, any recently created files.

 

[mitgib]

Opened a ticket at Solusvm.com and then within 5 minutes recieved

Soluslabs Ltd

Sunday, June 16, 2013
12:47:18 PM GMT 0
Dear Tim Flavin (Hostigation),

PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSION OF SOLUSVM, INCLUDING BETA VERSIONS.

In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.

Instructions:

You will need root SSH access to your master server.  You are then required to delete the following file:

/usr/local/solusvm/www/centralbackup.php

Example:

rm

 

[Reece-DM]

Nice to see somewhat of a quick response from solus let's hope there's a proper patch soon enough..

 

[Ivan]

Can't connect to my VPS with them. Their whole site, and SolusVM = gone.

 

[Reece-DM]

My night shift tech removed it before I could even test this . Besides the password, is there anything else it would show?

It is also providing somewhat of a shell which provides further access rather than just SQL injection.

 

[concerto49]

http://paste.ee/p/jtSva

 

[shovenose]

He could have been framed. As much as I hate Robert Clarke I'm not sure he did that.

 

[DamienSB]

It seems there is an update in solusvm' admincp already. Has anyone used it yet?