Comments
@AnthonySmith Yeah I noticed one of the people I gave a beta account to tried it on my panel.
That happens anytime an exploit is published for any popular script. Attackers use Google to find sites running the script and then attempt to compromise the sites. About the only way to prevent these attack attempts would be to block all search engines from indexing your site, which isn't really an option.
Some might have just checked if the host had taken care of it already. I know I did. Also opened a ticket to make sure. Please don't terminate my account.
Yep, no worries, I am doing a bit further validation than just the IP being in that log
Some people probably couldn't not try, I guess... Hope you catch them all :-)
I think with the curiosity of people, it is inevitable. I really do not mind someone trying it on mine if it's like one hit in the log, but multiple hits from one IP would definitely be something worth looking into.
I admit, I checked if the file existed for I would have taken actions for my personal data if so.
Any idea what is going to happen to Robert Clarke? What about his host, http://servercrate.com? Should we notify people that the owner of ServerCrate ran exploits on other hosts?
http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/
Since Robert seems to be done now, we'll need a new Robert. Any nominations?
Shouldn't really need to have everyone's Solus installations indexed in search engines.
Congrats LEB, RamNode and Robert for making it into an article at Heise, one of Germany's biggest tech news websites (and print magazines)
You can't be sure if these were not legitimate users - centralbackup.php is accessible for the users to create central backups - it's one of the features of SolusVM.
Or maybe they were "just checking to see if you're affected"...
@AnthonySmith Any POST requests?
Go get 'em, Tiger! I just hope that one day ICO won't get you. It would be a real shame to lose such a good host!
I had one customer (who also posts here) send a GET request for the affected file and a few other IPs also try and check if it was there (all after I removed it).
I also had a few customers file tickets/email me about the issue (also after I removed it). I appreciate the heads up from concerned customers but think it's best if people just notify their providers and not go probing around themselves.
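The log triage several posters describe (a single hit versus repeated hits from one IP, GET versus POST), as an added example that is not part of the thread or any poster's code. It assumes combined-format web server access logs; the log lines, IPs, dates and request path are constructed.

```python
import re
from collections import defaultdict

TARGET = "centralbackup.php"  # file named in the thread

# Assumed Apache/nginx "combined" log format; the thread shows no log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample data: documentation-range IPs, placeholder path and dates.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] "GET /centralbackup.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:03:40 +0000] "POST /centralbackup.php HTTP/1.1" 200 512 "-" "curl/7.30"
203.0.113.5 - - [01/Jan/2024:10:04:00 +0000] "GET /centralbackup.php?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:04:09 +0000] "GET /CentralBackup.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not a log line
"""

def triage(log_text):
    """Return {ip: summary} for requests that touched TARGET."""
    per_ip = defaultdict(lambda: {"hits": 0, "methods": set(), "served": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name.lower() != TARGET:
            continue
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["methods"].add(m["method"])
        # 2xx: the file still existed and answered (assumption: removal yields 404)
        rec["served"] = rec["served"] or m["status"].startswith("2")
    for rec in per_ip.values():
        # Thread's rule of thumb: one GET is curiosity; POSTs or repeats deserve a look.
        noisy = rec["hits"] > 1 or "POST" in rec["methods"]
        rec["verdict"] = "look into" if noisy else "single hit"
    return dict(per_ip)

if __name__ == "__main__":
    for ip, rec in sorted(triage(SAMPLE_LOG).items()):
        print(ip, rec["hits"], sorted(rec["methods"]), rec["served"], rec["verdict"])
```

A flagged IP is only a starting point: as noted in the thread, the file is also a legitimate feature, so matches need to be checked against known customer activity.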
Oh fun.
Looks like CVPS has fallen victim as well.
@Magiobiwan at least the 4shared team removed it already
Indeed. I'd have censored that, but didn't think of it at the time. It'll probably be back up sooner or later.
Have shut down Solus also in light of things for now.
http://soluslabs.com is now redirecting to http://forum.soluslabs.com/
@Evo that has always been the case no?
@eLohkCalb,
You are right.
@Evo yeah isn't the site http://www.solusvm.com/ ?
Yes, my mistake @concerto49
Host1Free finally got around to releasing an announcement:
more: http://www.host1free.com/forum/8-news-announcements/16902-update-regarding-attack-host1free-com.html
How nice.
Here we go again.....
So far 3 known cases, and all of them are known just because the abusers let us know about them (they leaked DB, erased data...). I am wondering how many hosts are really compromised without knowing it.
Host1Free was the largest with 17000+ accounts wiped and no backups. I'd be willing to bet that a large number of SolusVM users still haven't applied the patch or removed centralbackup.php