SolusVM Vulnerability

[texteditor]

He could have been framed. As much as I hate Robert Clarke I'm not sure he did that.

Nick said he admitted it

 

[SkylarM]

Email update from Solus:

PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.

A security update has now been released for the Stable and Beta versions of SolusVM. We advise you to make this update as soon as possible.

To run the update you can either do it from within the SolusVM admin area or from CLI on the master server. To preform the update from CLI the commands differ depending on the version of SolusVM you are running.

==================

Stable version:

/scripts/upcp

Beta version:

/scripts/upcp-beta

==================

Once the update is complete you will have the patched system.

We have included the original instructions in this email that were given when the exploit was announced and before we released the patched updates. If you feel the need to remove the originally exploited file after the update you can do the following:

==================

Instructions:

You will need root SSH access to your master server.  You are then required to delete the following file:

/usr/local/solusvm/www/centralbackup.php

Example:

rm

 

[darknessends]

Soluslabs Ltd Sunday, June 16, 2013
06:31:41 PM GMT 0

PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.

A security update has now been released for the Stable and Beta versions of SolusVM. We advise you to make this update as soon as possible.

To run the update you can either do it from within the SolusVM admin area or from CLI on the master server. To preform the update from CLI the commands differ depending on the version of SolusVM you are running.

==================

Stable version: 

/scripts/upcp

Beta version:

/scripts/upcp-beta

==================

Once the update is complete you will have the patched system.

We have included the original instructions in this email that were given when the exploit was announced and before we released the patched updates. If you feel the need to remove the originally exploited file after the update you can do the following:

==================

 

[ShardHost]

It seems there is an update in solusvm' admincp already. Has anyone used it yet?

Tested both the beta and the stable and this appears to be now fixed, although can't say there aren't further exploits.

 

[Supicioso]

So glad I decided against solusvm. That's the biggest security hole I've seen in a while. I'm more surprised it took so long for someone to find, seeing how it's in every single version of it.

 

[Reece-DM]

Anybody else reckon this could be what's screwed a few providers over the years there's been a "0day" floating about for awhile affecting people.

 

[MartinD]

I'm pretty sure if that was the case many more providers would have been compromised.

 

[ShardHost]

It's a pretty major flaw in the code.  It may have been exploited before.  I hope SolusVM do a full code review following this incident.  I know they were moving things to PDO starting with 1.14, maybe that now needs to be their priority in addition to an external audit.

 

[SkylarM]

It's a pretty major flaw in the code.  It may have been exploited before.  I hope SolusVM do a full code review following this incident.  I know they were moving things to PDO starting with 1.14, maybe that now needs to be their priority in addition to an external audit.

Maybe it will speed up the release of 1.14

 

[ShardHost]

Maybe it will speed up the release of 1.14

The 1.14 beta suffered from the flaw.  They need to move everything to PDO and not just gradually with each release. I think SolusVM has been getting a lot better as of late; however security must be their priority. 

 

[SkylarM]

The 1.14 beta suffered from the flaw.  They need to move everything to PDO and not just gradually with each release. I think SolusVM has been getting a lot better as of late; however security must be their priority. 

Oh for sure. I'm just glad they acknowledged the issue and provided a resolution as quickly as they did. Some other panels would likely have pretended nothing was wrong.

 

[ShardHost]

Oh for sure. I'm just glad they acknowledged the issue and provided a resolution as quickly as they did. Some other panels would likely have pretended nothing was wrong.

Agreed.  Just a shame some good guys had to suffer as a result of this. 

 

[Patrick]

It's a pretty major flaw in the code.  It may have been exploited before.  I hope SolusVM do a full code review following this incident.  I know they were moving things to PDO starting with 1.14, maybe that now needs to be their priority in addition to an external audit.

From the email:

A full explanation of this exploit will be released in due course. We will also be reviewing the release status of version 1.14 due to the advanced security features it already contains.

Maybe they will speed up 1.14

 

[Francisco]

Remember when I said Solus' code was a mess?

That exploit file is mostly rehashes of their own code just merged into a single page.

Francisco

 

[George_Fusioned]

The only occurrence on our master was a user that attempted to access /rofl.php and it looks like he used Raymi's Control Panel URL list as a source to find our SolusVM URL. He was probably checking all providers one-by-one.

Too bad he was behind a VPN (AnchorFree)...

 

[MartinD]

Let's not post up any info that could potentially cause further issues down the line folks

 

[DamienSB]

Just leaving this here..


cat /var/log/lighttpd/access.log | grep centralbackup.php
Derp.


[root@solus ~]# cat /var/log/lighttpd/access.log | grep centralbackup.php
91.42.26.6 solus.supremebytes.com - [16/Jun/2013:18:44:13 +0200] "GET /centralbackup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"

And then we have...


cat /var/log/lighttpd/access.log | grep rofl.php
Derp.


[root@solus ~]# cat /var/log/lighttpd/access.log | grep rofl.php
204.14.79.50 solus.supremebytes.com - [16/Jun/2013:14:22:20 +0200] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

I did however notice that 204.14.79.50 points to my home city: Columbus, Ohio. Seems a little strange because I am out of state at the moment and the service provider listed in the ip WHOIS has an invalid website address listed.

All the seen requests appear to have popped up after we deleted the files this morning.

 

[qps]

People are definitely trying the exploit...

66.172.11.4 - [16/Jun/2013:20:16:52 -0400] "GET /centralbackup.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"

 

[XFS_Duke]

# cat /var/log/lighttpd/access.log | grep centralbackup.php


84.222.100.135 == - [16/Jun/2013:10:58:06 -0500] "POST /centralbackup.php?_v=s2w2x2o29474z203y2 HTTP/1.1" 302 0 "http://veritron.gnet.eu/exp.php" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130515 Firefox/17.0 Iceweasel/17.0.6"

lol

# cat /var/log/lighttpd/access.log | grep rofl.php


173.254.216.66 == - [16/Jun/2013:08:12:50 -0500] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"


142.4.210.12 == - [16/Jun/2013:08:16:08 -0500] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"


142.4.210.12 == - [16/Jun/2013:08:18:16 -0500] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"


77.247.181.164 == - [16/Jun/2013:08:31:30 -0500] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"


109.163.233.194 == - [16/Jun/2013:09:00:46 -0500] "GET /rofl.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"

Atleast they tried... Most of these are Tor exit nodes...

 

[vanarp]

Do we know who all hosts are exploited so far? I only see Ramnode's name everywhere.