
SolusVM Vulnerability

XFS_Duke

XFuse Solutions, LLC
Verified Provider
Not confirmed, but it seems as though something is going on with BudgetVM/Enzu, Inc... Can't confirm because their phone is down as well as their ticket system...
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
Well, found someone who tried to exploit BlueVM's SolusVM. THIS is why we use HyperVM, not SolusVM, for our OpenVZ!
 

drmike

100% Tier-1 Gogent
+1 for BlueVM :) Another day and something positive out of BuyVM.  Keep it up!

I am sure providers will find all sorts of interesting log entries if they look.
 

drmike

100% Tier-1 Gogent
Do a custom rewrite for the pages people are poking at to hack.  Maybe a double barrel shotgun aimed at them with something funny.

Waiting to see who else gets smashed by the gaping security hole.   Folks round here are fairly diligent, many providers elsewhere are not.
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
Just in case you providers using SolusVM didn't know, you can find the IPs clients logged in with under the Client Log page in SolusVM. 
 

Jack

Active Member
Just in case you providers using SolusVM didn't know, you can find the IPs clients logged in with under the Client Log page in SolusVM. 
Couldn't find that, but after looking found another provider that attempted it on me. Nice.
 

maounique

Active Member
Couldn't find that but after looking found another provider that attempted it on me. nice.
How do you know? Could have been a VPN/proxy from their IP space. Unless they were logged in, of course.
 

Jack

Active Member
How do you know ? Could have been a VPN/proxy from their IP space. Unless they were logged in, of course.
IP matches logins of them doing actions to the VM; it wasn't IP space of a server, it's a home connection.
 

MartinD

Retired Staff
Verified Provider
Perhaps a collation of addresses who have tried this would be good.
 

MartinD

Retired Staff
Verified Provider
The vuln itself is only for the SolusVM master; however, gaining access to that gives you access to all the other nodes.
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
It's a vulnerability in SolusVM's Control Panel, so anyone using SolusVM for anything (be it OVZ, KVM, Xen-PV, or Xen-HVM) is vulnerable unless they patch. 
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
@Jack it's this page: 

[screenshot of the SolusVM Client Log page]
 

MartinD

Retired Staff
Verified Provider
netnub - your previous post with code was removed for the same reason this one has been.

If you have information relating to security issues with SolusVM then I would suggest you contact them so a fix can be issued instead of posting snippets of code on here. All you're doing is opening other hosts to possible issues.

Just for the record, you are far from perfect yourself. I'm pretty sure some of your attempts at producing code were FAR worse than this and when the countless mistakes and glaringly obvious security issues were pointed out you brushed them away as though you didn't care or that you 'meant' to do it because it wasn't in production.

We won't let sensitive code be posted in here for the sake of other hosts and their clients. Use your brain.
 

Cameron

New Member
Just taken a look at our Lighttpd access logs, seems 4 people have tried to access our central backup (multiple times, I may add...) file but have failed!

I have also heard from a few others that there may be more exploits available? As a precaution I've decided to take down my entire SolusVM web server, better to be safe than sorry!
 
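The kind of log check Cameron describes, as an added example that is not from this thread or from SolusVM: a small Python script that parses Lighttpd access-log lines (Lighttpd's default format is the Apache combined format), groups requests for one path by client IP, and flags any IP whose request actually succeeded. The log lines are constructed and the backup file path is a placeholder, not SolusVM's real file name.

```python
import re
from collections import defaultdict

# Lighttpd's default accesslog.format is the Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; the path is a placeholder, not SolusVM's real backup file name.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2013:03:12:01 +0000] "GET /PLACEHOLDER_backup_path HTTP/1.1" 404 345 "-" "curl/7.22.0"
203.0.113.5 - - [17/Jun/2013:03:12:02 +0000] "GET /PLACEHOLDER_backup_path HTTP/1.1" 404 345 "-" "curl/7.22.0"
198.51.100.7 - - [17/Jun/2013:03:15:40 +0000] "GET /PLACEHOLDER_backup_path HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Jun/2013:03:20:11 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2013:03:21:09 +0000] "POST /PLACEHOLDER_backup_path HTTP/1.1" 404 345 "-" "curl/7.22.0"
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probes_for_path(log_text, target_path):
    """Group requests for target_path by client IP.

    Returns {ip: {"count": n, "statuses": [...]}} so an operator can see who
    poked at the file and whether any request actually succeeded (2xx)."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == target_path:
            hits[rec["ip"]]["count"] += 1
            hits[rec["ip"]]["statuses"].add(int(rec["status"]))
    return {ip: {"count": h["count"], "statuses": sorted(h["statuses"])}
            for ip, h in hits.items()}

def successful_probes(report):
    """IPs with at least one 2xx on the file: investigate the host, don't just block."""
    return sorted(ip for ip, h in report.items()
                  if any(200 <= s < 300 for s in h["statuses"]))

if __name__ == "__main__":
    report = probes_for_path(SAMPLE_LOG, "/PLACEHOLDER_backup_path")
    for ip, h in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} {h['count']:3} request(s), statuses={h['statuses']}")
    print("succeeded:", successful_probes(report) or "none")
```

Point it at the real access log and the real path on your own master; a non-empty "succeeded" list means the file was served, and that host should be treated as compromised until the backup contents are reviewed.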

turfhosting

New Member
ChicagoVPS was attacked last night as well, I believe. If it was the same exploit and they didn't patch it, I would be very angry if I was a customer of theirs. That's just laziness and stupidity.
 

drmike

100% Tier-1 Gogent
What's the current situation from SolusVM?

Realize one compromise that slapped at least a half dozen providers and probably caused backdooring of countless others.

Has anyone confirmed the CurtisG and others about exploits?

Has Solus sent anything further to providers?  Obviously, it is a high value target and skids are creative.  I rule nothing out and am about to go cancelling some accounts I have just because of the situation.
 