
SolusVM Vulnerability

Francisco

Company Lube
Verified Provider
What's the current situation from SolusVM?

Realize one compromise that slapped at least a half dozen providers and probably caused backdooring of countless others.

Has anyone confirmed the CurtisG and others about exploits?

Has Solus sent anything further to providers?  Obviously, it is a high value target and skids are creative.  I rule nothing out and am about to go cancelling some accounts I have just because of the situation.
If someone has the snippet somewhere, I can look it over really quickly.

It's possible whatever it is, is just 'handled poorly' but if it's all internal already valid data it wouldn't cause issues.

Francisco
 

anyNode

New Member
Verified Provider
This is why it is good for hosts to use their own panels, the more variety the better, and leaving one panel in power of 90% of hosts is a bad idea. 
 

anyNode

New Member
Verified Provider
Different doesn't mean secure.
I know, but there is always a vulnerability, whether you use a large panel used by millions or a small panel used by 10 people. However, when there are more panels it's a lot more difficult for people to target a specific one. Think of it like Windows viruses vs Linux viruses vs Mac viruses. Macs can get viruses, but they aren't as big of a target as Windows.
 

SeriesN

Active Member
Verified Provider
Linode got hacked, DO got "hacked", Hetzner did. These are just a few to name. No code is perfect because humans are not perfect. If you are online, you can get hacked/attacked any time. It is not how secure you are, it is how well you handle the situation. This is what will set you apart, and Solus is doing that pretty well with fast patches and updates.
 

concerto49

New Member
Verified Provider
Linode got hacked, DO got "hacked", Hetzner did. These are just a few to name. No code is perfect because humans are not perfect. If you are online, you can get hacked/attacked any time. It is not how secure you are, it is how well you handle the situation. This is what will set you apart, and Solus is doing that pretty well with fast patches and updates.
Hearing from those that have seen the SolusVM decoded source code - it's pretty ugly and full of exploits everywhere. They haven't patched it for years it seems. It's just no one's decided to hack it. We'll be continuing to use Solus for a while and I wish they rehaul the whole thing.
 

Shados

Professional Snake Miner
The benefit an industry gets from using a variety of systems is not that any given system might be more secure, but rather that a flaw or weakness in any of the systems only affects a small subset of the industry at any given point in time, rather than all of them at once. Diversification is a fundamental survival tactic, as evolution has shown - there are very, very few surviving species that reproduce via mitosis rather than sexual reproduction. 
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
Hearing from those that have seen the SolusVM decoded source code - it's pretty ugly and full of exploits everywhere. They haven't patched it for years it seems. It's just no one's decided to hack it. We'll be continuing to use Solus for a while and I wish they rehaul the whole thing.
I saw it... I have it... It's bad actually... Need the new source code to see if they patched everything... Hostbill, all I can say is I wonder if we try and send them the exploit if they're gonna charge us $75 to submit the ticket? lol (if that was out of line, I apologize)
 

concerto49

New Member
Verified Provider
I saw it... I have it... It's bad actually... Need the new source code to see if they patched everything... Hostbill, all I can say is I wonder if we try and send them the exploit if they're gonna charge us $75 to submit the ticket? lol (if that was out of line, I apologize)
That's the problem. Functionality is all well and good, but hope there is a robust system behind the scenes.

You should charge Hostbill for doing their security audit, not the other way around :(
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
That's the problem. Functionality is all well and good, but hope there is a robust system behind the scenes.

You should charge Hostbill for doing their security audit, not the other way around :(
Yea, but the problem is that if it doesn't get fixed, the people that use it might get screwed up pretty bad...
 

MartinD

Retired Staff
Verified Provider
Retired Staff
Yet again, people are making claims about it being really bad and that there are countless vulnerabilities. Also the same people being oh-so vocal about how shit the whole situation is, however none of you are bothering to tell Solus (or WHMCS, or Hostbill, or whoever) about these so-called problems you're aware of. You then get up in arms and go on a witch hunt. If you know something, TELL SOMEONE WHO CAN SORT IT. Yes, it is Solus's product. Yes, it's their shitty coding; however, if you know something and don't tell them and then get fucked over by some kid with a hardon, then it's YOUR FAULT that it happened. You are to blame for anyone else getting screwed over too because YOU had the chance to get the problem rectified BEFORE the kidiots started messing around.

GROW A BRAIN!!!
 

concerto49

New Member
Verified Provider
Yet again, people are making claims about it being really bad and that there are countless vulnerabilities. Also the same people being oh-so vocal about how shit the whole situation is, however none of you are bothering to tell Solus (or WHMCS, or Hostbill, or whoever) about these so-called problems you're aware of. You then get up in arms and go on a witch hunt. If you know something, TELL SOMEONE WHO CAN SORT IT. Yes, it is Solus's product. Yes, it's their shitty coding; however, if you know something and don't tell them and then get fucked over by some kid with a hardon, then it's YOUR FAULT that it happened. You are to blame for anyone else getting screwed over too because YOU had the chance to get the problem rectified BEFORE the kidiots started messing around.

GROW A BRAIN!!!
I have to pay them and teach them how to do their job? It's the basics as pointed out here. As part of their pay, they should be doing the security audits and code reviews etc.

And FYI, we tried telling them, e.g. Infinity for sure has and others too.

I like them and will continue to use them, but things like breaking fqdn after an update is frankly silly. Where's the code review? Where's the testing? They released another update to patch it, but it just looks bad.
 

MartinD

Retired Staff
Verified Provider
Retired Staff
Have you bothered asking them? What good does bitching on here do?

No-one's telling you to pay them or tell them how to do their job but if you're aware of an issue it's your duty to inform them of it - not just for yourself but everyone else that uses the software.
 