SolusVM Vulnerability

Discussion in 'Hosting Talk & Reviews' started by George_Fusioned, Jun 16, 2013.

  1. George_Fusioned

    George_Fusioned Active Member Verified Provider

    111
    37
    May 16, 2013
    Last edited by a moderator: Jun 16, 2013
  2. George_Fusioned

    George_Fusioned Active Member Verified Provider

    111
    37
    May 16, 2013
    Maybe we should use the exploit to chmod 000 /usr/local/solusvm/www/centralbackup.php for any fellow US VPS providers who are currently probably sleeping - before anything worse happens?
     
    Last edited by a moderator: Jun 16, 2013
  3. MartinD

    MartinD Retired Staff Retired Staff Verified Provider

    1,410
    1,278
    May 15, 2013
    Sticky ground that... don't think I'd advocate that!
     
  4. George_Fusioned

    George_Fusioned Active Member Verified Provider

    111
    37
    May 16, 2013
    Indeed - I was aware my suggestion would raise reactions. On the other hand would you prefer waking up with your nodes wiped?

    PS: Could this be the exploit used to wipe those nodes from ChicagoVPS?
     
    Last edited by a moderator: Jun 16, 2013
  5. SeriesN

    SeriesN New Member Verified Provider

    753
    152
    Mar 29, 2013
    My night shift tech removed it before I could even test this :(. Besides the password, is there anything else it would show?
     
    Last edited by a moderator: Jun 16, 2013
  6. Francisco

    Francisco Company Lube Verified Provider

    2,476
    1,770
    May 15, 2013
    It gives full root to the solus master.

    You can then dump the database or do whatever you really want.

    Francisco
     
  7. George_Fusioned

    George_Fusioned Active Member Verified Provider

    111
    37
    May 16, 2013
    Also check if /usr/local/solusvm/www/rofl.php exists and if yes, delete it. Somebody could have already used the exploit before you removed centralbackup.php.
     
  8. SeriesN

    SeriesN New Member Verified Provider

    753
    152
    Mar 29, 2013
    Mother FLOWER! What happens when your admin panel is locked to VPN/selected IPs? Will the user still be able to use that info? A lot of big providers might have been snapped if this is possible.
     
  9. SeriesN

    SeriesN New Member Verified Provider

    753
    152
    Mar 29, 2013
    PHEW! It is not there. 
     
  10. Francisco

    Francisco Company Lube Verified Provider

    2,476
    1,770
    May 15, 2013
    It doesn't matter. It drops the exploit on the node itself and the user can go to town. Being in /www means that any user can view it.

    Francisco
     
    SeriesN likes this.
  11. MartinD

    MartinD Retired Staff Retired Staff Verified Provider

    1,410
    1,278
    May 15, 2013
    It's worthwhile checking for any files created/modified recently.

    Edit. Try this:


    Code:
    $ find /usr/local/solusvm -type f -printf 
     
    Last edited by a moderator: Jun 16, 2013
    Zach likes this.
  12. SeriesN

    SeriesN New Member Verified Provider

    753
    152
    Mar 29, 2013
    Gotcha!
     
  13. Zach

    Zach New Member Verified Provider

    180
    28
    May 15, 2013
    Don't just check /usr/local/solusvm/, you should probably check everywhere for this file or like @MartinD said, any recently created files.
     
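    Pulling together MartinD's recent-files check with the rofl.php and centralbackup.php names mentioned earlier in the thread, here is an added example script (mine, not SolusVM's and not posted by anyone in the thread) that inventories recently modified files under the install and exits non-zero if either file name is present anywhere below it. The default root path and the 24-hour window are assumptions; GNU find is required for -printf.

```shell
#!/bin/sh
# Added example, not SolusVM's own code. Assumes GNU find (for -printf)
# and a default install root of /usr/local/solusvm as named in the thread.

# List regular files under $1 modified within the last $2 minutes
# (default 1440 = 24 h), newest first, as "<epoch-seconds> <path>" lines.
recent_files() {
    dir=$1; mins=${2:-1440}
    find "$dir" -type f -mmin "-$mins" -printf '%T@ %p\n' 2>/dev/null | sort -rn
}

# Print every file under $1 whose name matches one discussed in the thread,
# wherever it sits in the tree (Zach's point: don't only look in www/).
flag_known_names() {
    dir=$1
    find "$dir" -type f \( -name rofl.php -o -name centralbackup.php \) 2>/dev/null
}

# Report recent changes and return 1 if a known file name is present, else 0.
check_install() {
    dir=${1:-/usr/local/solusvm}; mins=${2:-1440}
    printf 'files modified in the last %s minutes under %s:\n' "$mins" "$dir"
    recent_files "$dir" "$mins"
    hits=$(flag_known_names "$dir")
    if [ -n "$hits" ]; then
        printf 'flagged file names present:\n%s\n' "$hits"
        return 1
    fi
    printf 'no flagged file names found\n'
    return 0
}
```

Run it as `sh check.sh` after pasting `check_install "$@"` at the bottom; a non-zero exit means one of the flagged names exists and the listed recent files deserve a closer look.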
  14. mitgib

    mitgib New Member Verified Provider

    284
    219
    May 15, 2013
    Opened a ticket at Solusvm.com and then within 5 minutes received

     
  15. Reece-DM

    Reece-DM New Member Verified Provider

    400
    58
    May 16, 2013
    Nice to see somewhat of a quick response from solus let's hope there's a proper patch soon enough..
     
  16. Ivan

    Ivan New Member Verified Provider

    252
    35
    May 16, 2013
    Can't connect to my VPS with them. Their whole site, and SolusVM = gone.
     
    Last edited by a moderator: Jun 16, 2013
  17. Reece-DM

    Reece-DM New Member Verified Provider

    400
    58
    May 16, 2013
    It is also providing somewhat of a shell which provides further access rather than just SQL injection.
     
  18. concerto49

    concerto49 New Member Verified Provider

    960
    200
    May 5, 2013
  19. shovenose

    shovenose New Member Verified Provider

    819
    101
    May 13, 2013
    He could have been framed. As much as I hate Robert Clarke I'm not sure he did that.
     
    Last edited by a moderator: Jun 16, 2013
  20. DamienSB

    DamienSB Active Member Verified Provider

    123
    26
    Mar 24, 2013
    It seems there is an update in solusvm's admincp already. Has anyone used it yet?