SolusVM vulnerability
Via http://www.webhostingtalk.com/showthread.php?t=1276286
Looks like it's a serious one.
Comments
Shit software
I manually moved the mentioned php file outside of the web root directory. At the very least I would suggest everyone do that until an update comes through.
I just saw the link, says "SolusVM 1.13.03 Vulnerabilities"
So, v1.14 is safe ?
Just tested this out offline, all versions including beta are affected.
Confirmed very serious and VERY active.
Never fear... Detective Robertclarke is on the case.
As in, I was able to obtain complete database dump and admin login of my own SolusVM installation within seconds, this is pretty bad.
Try
chmod 000 /usr/local/solusvm/www/centralbackup.php
This seems bad.
@RobertClarke secure my gawd darn data rawr
That's bad... I hope for a fast bugfix. Has anyone reported it to SolusVM? In 1.14 it comes with PDO, so that should help against these vulnerabilities.
Removing the file should fix it; centralbackup isn't used anymore.
Basically, if you can reach centralbackup.php (or rofl.php, if someone already caught it) on a provider's Solus installation, the provider is pretty much compromised.
This is considered a zero day issue for providers using SolusVM.
As @BradND said it's a simple fix by renaming, deleting, or changing the permissions on the centralbackup file.
Rookie mistake, really. Wonder how many hosts will be affected.
Reminds me a bit of the CheapVPS/Rus Foster fiasco, although I can't remember the details of it.
http://www.webhostingtalk.com/showpost.php?p=6227712&postcount=7
Just patched this by removing the centralbackup.php file.
SolusVM left this in for the NSA.
Joking aside, I would say most major hosts have been compromised already, most likely unknowingly.
Deleted file on our install.
Ramnode just got hit... they replaced the solus index.php with http://cdn-static.com/i/AiBpjTIC.png
Sad.
Nick is already on it I think. Index has been removed.
You can check if you are infected by running
grep -i -r -n 'list($db_name, $db_user' *
in /usr/local/solusvm/www/
Just shot off a mail to my VPS providers. For some odd reason my password on WillHosting does not work any longer. Wondering if this means they got hit.
I have his number, I'll add him to the rotation, thanks for reminding me. Currently just calling up as many providers as I can
RamNode's site has gone: http://cl.ly/image/3h0M0l3p1r3u
I analyzed the Ramnode database a bit, and, well, just draw your own conclusions: http://paste.ee/p/jtSva
PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.
In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.
Instructions:
You will need root SSH access to your master server. You are then required to delete the following file:
/usr/local/solusvm/www/centralbackup.php
Example:
rm -f /usr/local/solusvm/www/centralbackup.php
Once the file is deleted the exploit can no longer be used. This file only exists on the master server and the slaves will not be affected.
You will receive a follow-up email once the patch versions are available.
Regards,
Soluslabs Security Team
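An added example, not code from the thread, from SolusVM or from Soluslabs, that ties together the grep check posted earlier and the advisory's file removal: it reports whether centralbackup.php is still present under the master's webroot and lists any files carrying the indicator string. The script name check_solus.sh is assumed; the path and the indicator string are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, SolusVM or Soluslabs): scan a SolusVM
# master webroot for the centralbackup.php file the advisory says to delete
# and for PHP files containing the indicator string the thread greps for.

INDICATOR='list($db_name, $db_user'   # single-quoted so the shell leaves $db_name alone

# Print the files under directory $1 that contain the indicator (fixed-string,
# case-insensitive match). Always exits 0 so callers can use it under set -e.
find_indicator_files() {
    grep -r -l -i -F -- "$INDICATOR" "$1" 2>/dev/null || true
}

# Report on webroot $1. Exit status: 0 clean, 1 something found, 2 bad path.
scan_solus_webroot() {
    dir="$1"
    status=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    if [ -f "$dir/centralbackup.php" ]; then
        echo "EXPOSED: $dir/centralbackup.php is still present (delete it or chmod 000 it)"
        status=1
    fi
    hits=$(find_indicator_files "$dir")
    if [ -n "$hits" ]; then
        echo "INDICATOR: '$INDICATOR' found in:"
        printf '%s\n' "$hits"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "CLEAN: no centralbackup.php and no indicator under $dir"
    fi
    return "$status"
}

# Usage: sh check_solus.sh /usr/local/solusvm/www   (run on the master node)
if [ $# -gt 0 ]; then
    scan_solus_webroot "$1"
fi
```

A non-zero exit status means the file is still reachable or an indicator hit was found, so the script can be run from cron on the master and alert on failure.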
Applied the patch once I saw this. Hope RamNode is ok.
Ouch, this is a big one, how that code could get through any kind of review is amazing.
Conclusion I'd be drawing is that it went from a game to a legal matter that will severely damage his future.
Yikes, so @RobertClarke is behind this? Never expected this from him...
Best of luck @Nick_A and RamNode team.
I applied the fix a couple of hours ago. I really do hope RamNode recovers from this. It's a shame people would be so low as to attack someone's livelihood.
Well this really sucks. Well hopefully RamNode will be able to recover.
Well, this is horse balls. Hope they didn't lose data, as I have quite a few sites running on their Seattle nodes.