Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


SolusVM vulnerability
New on LowEndTalk? Please Register and read our Community Rules.

SolusVM vulnerability

vldvld Member

Via http://www.webhostingtalk.com/showthread.php?t=1276286
Looks like it's a serious one.

«13456

Comments

  • krokro Member

    Shit software :(

  • I manually moved the mentioned php file outside of the web root directory. At the very least I would suggest everyone do that until an update comes through.

  • SpeedBusSpeedBus Member, Host Rep

    I just saw the link, says "SolusVM 1.13.03 Vulnerabilities"

    So, v1.14 is safe ?

  • RobertClarkeRobertClarke Member, Host Rep
    edited June 2013

    Just tested this out offline, all versions including beta are affected.

    Confirmed very serious and VERY active.

  • BradNDBradND Member

    Never fear... Detective Robertclarke is on the case.

    Thanked by 1GM2015
  • RobertClarkeRobertClarke Member, Host Rep

    @BradND said:
    Never fear... Detective Robertclarke is on the case.

    As in, I was able to obtain complete database dump and admin login of my own SolusVM installation within seconds, this is pretty bad.

  • BradNDBradND Member

    Try

    Chmod 000 /usr/local/solusvm/www/centralbackup.php

  • this seem bad

    @RobertClarke secure my gawd darn data rawr

  • That´s bad..i hope for a fast bugfix. Anyone reported it to solusvm? In 1.14 it comes PDO so that should help against this vulnerabilities.

    Remove the file should fix it, centralbackup isn´t used anymore.

  • RobertClarkeRobertClarke Member, Host Rep

    Basically if you can reach centralbackup.php (or rofl.php if someone already caught it), on a provider's Solus installation, the provider is pretty much compromised :/

    This is considered a zero day issue for providers using SolusVM.

    As @BradND said it's a simple fix by renaming, deleting, or changing the permissions on the centralbackup file.

  • Rookie mistake, really. Wonder how many hosts will be affected.

    Reminds me a bit of the CheapVPS/Rus Foster fiasco, although I can't remember the details of it.

  • @mpkossen said:
    Rookie mistake, really. Wonder how many hosts will be affected.

    Reminds me a bit of the CheapVPS/Rus Foster fiasco, although I can't remember the details of it.

    http://www.webhostingtalk.com/showpost.php?p=6227712&postcount=7

  • Just patched this by removing the centralbackup.php file.

  • DerekDerek Member

    SolusVM left this in for the NSA.

    Joking aside, I would say most major hosts have been compromised already, most likely unknowningly.

  • Deleted file on our install.

  • vldvld Member

    Ramnode just got hit... they replaced the solus index.php with http://cdn-static.com/i/AiBpjTIC.png

    Sad.

  • seriesnseriesn Member, Host Rep

    Nick is already on it I think. Index has been removed.

  • BradNDBradND Member

    You can check if you are infected by running

    grep -i -r -n "list($db_name, $db_user" *

    in /usr/local/solusvm/www/

  • Just shot off a mail to my VPS providers. For some odd reason my password on WillHosting does not work any longer. Wondering if this means they got hit.

  • RobertClarkeRobertClarke Member, Host Rep

    @joelgm said:
    Just shot off a mail to my VPS providers. For some odd reason my password on WillHosting does not work any longer. Wondering if this means they got hit.

    I have his number, I'll add him to the rotation, thanks for reminding me. Currently just calling up as many providers as I can :/

  • Ram Nodes site has gone: http://cl.ly/image/3h0M0l3p1r3u

  • vldvld Member
    edited June 2013

    I analyzed the Ramnode database a bit, and, well, just draw your own conclusions: http://paste.ee/p/jtSva

  • PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSION OF SOLUSVM, INCLUDING BETA VERSIONS.
    In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.
    Instructions:
    You will need root SSH access to your master server. You are then required to delete the following file:
    /usr/local/solusvm/www/centralbackup.php
    Example:
    rm –f /usr/local/solusvm/www/centralbackup.php
    Once the file is deleted the exploit can no longer be used. This file only exists on the master server and the slaves will not be affected.
    You will receive a follow-up email once the patch versions are available.
    Regards,
    Soluslabs Security Team

  • Applied the patch once I saw this. Hope RamNode is ok.

  • Ouch, this is a big one, how that code could get through any kind of review is amazing.

  • jarjar Patron Provider

    @vld said:
    I analyzed the Ramnode database a bit, and, well, just draw your own conclusions: http://paste.ee/p/jtSva

    Conclusion I'd be drawing is that it went from a game to a legal matter that will severely damage his future.

  • laaevlaaev Member

    @vld said:
    I analyzed the Ramnode database a bit, and, well, just draw your own conclusions: http://paste.ee/p/jtSva

    Yikes, so @RobertClarke is behind this? Never expected this from him...

    Best of luck @Nick_A and RamNode team.

  • trewqtrewq Administrator, Patron Provider
    edited June 2013

    I applied the fix a couple of hours ago. I really do hope ramnode recover from this. It's a shame people would be so low as to attack someone's livelihood.

  • IvanIvan Member
    edited June 2013

    Well this really sucks. Well hopefully RamNode will be able to recover.

  • SPSP Member

    Well, this is horse balls. Hope they didn't lose data, as I have quite a few sites running on their Seattle nodes.

Sign In or Register to comment.