ChicagoVPS hacked, bunch of VPS customers offline
Comments
[removed due to fear of thunder striking me]
Might I suggest locking down your API directory in /etc/lighttpd/lighttpd.conf:
$HTTP["remoteip"] !~ "1.1.1.1|2.2.2.2" {
    $HTTP["url"] =~ "^/api/admin/" {
        url.access-deny = ( "" )
    }
}
If there is an exploit in SolusVM, Lighttpd won't let them access it.
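An added illustration of how the nested lighttpd conditions above behave, written for this thread and not taken from lighttpd, SolusVM or any poster; it assumes lighttpd evaluates `=~` / `!~` as unanchored regex searches, and the addresses 1.1.1.1 / 2.2.2.2 and the request list are the snippet's placeholders and constructed samples. It evaluates the rule as posted next to an anchored, dot-escaped variant of the same allowlist, so you can see which source addresses each version denies on `/api/admin/`:

```python
import re

# Allowlist pattern exactly as written in the snippet (unanchored, dots unescaped)
LOOSE_ALLOW_RE = r"1.1.1.1|2.2.2.2"
# Same allowlist, anchored to the whole address with literal dots
STRICT_ALLOW_RE = r"^(1\.1\.1\.1|2\.2\.2\.2)$"
# The URL condition from the snippet
PROTECTED_URL_RE = r"^/api/admin/"


def is_denied(remote_ip, url, allow_re):
    """Emulate:  $HTTP["remoteip"] !~ allow_re { $HTTP["url"] =~ PROTECTED { deny } }

    Assumption: lighttpd's regex conditions are substring searches (PCRE), so
    re.search is used here rather than re.fullmatch.
    """
    ip_not_allowed = re.search(allow_re, remote_ip) is None
    url_protected = re.search(PROTECTED_URL_RE, url) is not None
    return ip_not_allowed and url_protected


# Constructed requests: the allowed admin host, an unrelated outsider, two
# lookalike addresses that contain "1.1.1.1" as a substring, and a client URL.
SAMPLE_REQUESTS = [
    ("1.1.1.1", "/api/admin/command.php"),
    ("203.0.113.9", "/api/admin/command.php"),
    ("21.1.1.1", "/api/admin/command.php"),
    ("1.1.1.10", "/api/admin/command.php"),
    ("203.0.113.9", "/api/client/command.php"),
]


def evaluate(allow_re):
    """Map each sample request to True (denied) or False (allowed)."""
    return {(ip, url): is_denied(ip, url, allow_re) for ip, url in SAMPLE_REQUESTS}


def leaked_by_loose_rule():
    """Source addresses the strict allowlist denies on /api/admin/ but the
    pattern as posted lets through."""
    loose = evaluate(LOOSE_ALLOW_RE)
    strict = evaluate(STRICT_ALLOW_RE)
    return sorted(ip for (ip, url), denied in strict.items()
                  if denied and not loose[(ip, url)])


if __name__ == "__main__":
    for label, pattern in (("loose ", LOOSE_ALLOW_RE), ("strict", STRICT_ALLOW_RE)):
        for (ip, url), denied in evaluate(pattern).items():
            print(f"{label}: {ip:12} {url:24} -> {'DENY' if denied else 'allow'}")
    print("let through by the pattern as posted:", leaked_by_loose_rule())
```

The check worth taking away: an unanchored `1.1.1.1` also matches `21.1.1.1` and `1.1.1.10`, and because the outer condition is a negated match, those addresses are not denied. Anchoring the pattern and escaping the dots restores the intended allowlist.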
@Jack Your comment is epic, but I don't know what you're talking about since I haven't mentioned them in any of my comments :P
It had to do with Lighttpd
Thanks, I was given additional information via PM so I updated the code.
According to a lot of the comments on Twitter this seemed to have happened ~7 or more hours ago.
https://twitter.com/search/realtime?q=chicagovps&src=typd
Anyone think it's related to the other antics that have been happening here over the last few days? Seems coincidental?
@serverbear what other antics? what have I missed?
http://www.lowendtalk.com/discussion/5631/and-this-is-fair
Ok so if you use my code above, the only way to access the API is with the IP you specify and only with the API username and password. I did a quick check and both our API username and password are completely random and over 100 bits, to put that into perspective...
So not only do they have to guess both the username and password, they have to guess them at the exact same time. OUCH!
Now if there is an exploit to bypass the IP restrictions and the username/password... then I would say "Bye Bye" to SolusVM in the future.
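An added example, written for this thread rather than taken from SolusVM or any poster, that puts numbers on the "over 100 bits" claim above and on the point that a random username and password must be guessed together. It assumes the credentials are uniformly random over the 62-character alphanumeric alphabet; `generate_credential` is a hypothetical helper using Python's `secrets` module, not SolusVM's generator:

```python
import math
import secrets
import string

# 62 symbols: upper- and lowercase letters plus digits, as described in the thread
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size=len(ALPHANUMERIC)):
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits, alphabet_size=len(ALPHANUMERIC)):
    """Smallest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def combined_guess_bits(user_len, pass_len):
    """Both values must be right in the same request, so their entropies add."""
    return entropy_bits(user_len) + entropy_bits(pass_len)


def generate_credential(length):
    """Hypothetical helper: CSPRNG-backed alphanumeric credential."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def meets_threshold(credential, target_bits):
    """True if the credential is alphanumeric-only and long enough for target_bits.

    Length is a proxy for entropy only when the value was generated uniformly at
    random; a memorable word of the same length does not get the same credit.
    """
    return (set(credential) <= set(ALPHANUMERIC)
            and entropy_bits(len(credential)) >= target_bits)


if __name__ == "__main__":
    n = min_length_for_bits(100)
    print(f"alphanumeric length needed for 100 bits: {n} ({entropy_bits(n):.1f} bits)")
    print(f"username + password of {n} chars each: {combined_guess_bits(n, n):.1f} bits")
    print("sample credential:", generate_credential(n))
```

With 62 symbols each character contributes about 5.95 bits, so 17 characters are needed to pass 100 bits and a 16-character value falls just short; a random username of the same length doubles the work, since the pair has to be right in one request.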
Regardless, this whole situation feels like the HyperVM situation all over again so I don't know what to expect as I wait in limbo.
About ~300 comments on there. Still, you think someone had a bone to pick with @CVPS_Chris and decided to take it to this level of "childish"?
Thank you @KuJoe.. This was the kind of answer I was asking for earlier.
@CNJeremy No problem, I try to help out where I can. With all of the negativity in this thread I figured I'd post something positive and beneficial.
@KuJoe Of course, in that line of thinking, if SolusVM had an 'exploit' it wouldn't require any brute-forcing to get in, but if brute force was used, then the password was probably simple as hell (alphanumeric or simply alpha), and used a common username (admin, etc). Which begs the question... which was it? A brute-force attack (guessing every conceivable combination), or an exploit?
SolusVM API username and passwords are randomly generated alphanumeric (uppercase and lowercase).
Symbols are not used because certain symbols can easily break the API.
Maybe I don't get how SolusVM works on a provider level, but I haven't heard anybody say iptables yet. I'd never trust some software's IP whitelisting or blacklisting, I'd go for the solution built for doing just that: a firewall.
So, if iptables would have been used (given that it's possible to do so with SolusVM and that they were not), could that have prevented this? (@CVPS_Chris)
@KuJoe Thank you for the lighttpd information.
As far as the issue at hand I don't believe that @CVPS_Chris has to provide any kind of public explanation as this is an internal security issue that concerns ChicagoVPS. Their only duty is towards their customers. Further speculation doesn't really help anyone, so I for one will be waiting on the next update from Solus Labs.
The problem is that the API uses the webserver ports, so if you use iptables to set up whitelists for the ports, no clients could manage their VPS.
@marcm No problem. I'm not sure if the rest of your post was directed towards me but I didn't mean to imply anything about ChicagoVPS. If it was interpreted that way I apologize.
The rest of the comment wasn't directed at you at all. It was just a general statement meant to prevent more speculation because it doesn't really help anyone. I was always of the opinion that small providers should help each other because there is certainly enough business to go around for everyone.
I just received this email:
Edit: mangled @jshinkle's email address, the last thing he needs right now is spam...
That may be true, but it's common courtesy.
Phew! None of my servers are on those nodes.
Lucky, only one of mine was affected and it happened to be the one where I just started a new project from scratch yesterday and I don't have any backups or copies of it. Thought I would be safe for one day...
2 out of 3 VPSs I own are affected. Just hoping I don't have to rebuild those VPSs...
Karma is a bitch.
@GetKVM_Ash Life has a balancing effect.
Disturbs me though that there may be a significant security issue in commonly used software. Lots of other folks could be equally impacted.
My VPS with ChicagoVPS is still offline
Definitely and it was good of you to inform us all. Now we just need to wait for confirmation from SolusVM.
I kind of doubt this was a SolusVM issue. Most probably they just left their nodes' sshds accessible to the world and had the root password bruteforced or something.
If it was SolusVM issue - all VMs on all nodes could have been terminated pretty quickly. But let's wait and see.
I was thinking the same. If this was SolusVM, there would be a ton more and the timing of this is a bit of a coincidence.
I wouldn't be surprised if their root password was "winning" either ;-)
LMFAO