SolusVM vulnerability - Page 5
Comments

  • Holoshed Member
    edited June 2013

    @AnthonySmith Yeah I noticed one of the people I gave a beta account to tried it on my panel.

  • Just a quick FYI, when looking through 'cat /var/log/lighttpd/access.log | grep centralbackup.php' I found around 40 - 50 attempts to get to centralbackup.php within 3 hours of the exploit being released

  • That happens anytime an exploit is published for any popular script. Attackers use google to find sites running the script and then attempt to compromise the sites. About the only way to prevent these attack attempts would be to block all search engines from indexing your site which isn't really an option.

  • FrejMo Member

    @AnthonySmith said:
    Just a quick FYI, when looking through 'cat /var/log/lighttpd/access.log | grep centralbackup.php' I found around 40 - 50 attempts to get to centralbackup.php within 3 hours of the exploit being released, luckily none before I had taken the appropriate action.

    I am going through the IPs now to see if they match up to users, any that do will be terminated and get a FraudRecord record created for Criminal Intent.

    Some might have just checked if the host had taken care of it already. I know I did. Also opened a ticket to make sure. Please don't terminate my account :(.

  • AnthonySmith Member, Patron Provider

    Yep, no worries, I am doing a bit further validation than just the IP being in that log :)

  • @AnthonySmith said:
    Just a quick FYI, when looking through 'cat /var/log/lighttpd/access.log | grep centralbackup.php' I found around 40 - 50 attempts to get to centralbackup.php within 3 hours of the exploit being released, luckily none before I had taken the appropriate action.

    I am going through the IPs now to see if they match up to users, any that do will be terminated and get a FraudRecord record created for Criminal Intent.

    Some people probably couldn't not try, I guess... Hope you catch them all :-)

  • I think with the curiosity of people, it is inevitable. I really do not mind someone trying it on mine if it's like one hit in the log, but multiple hits from one IP would definitely be something worth looking into.

  • I admit, I checked if the file existed, for I would have taken action for my personal data if so.

  • Any idea what is going to happen to Robert Clarke? What about his host, http://servercrate.com? Should we notify people that the owner of ServerCrate ran exploits on other hosts?

  • @Jeffrey said:
    Any idea what is going to happen to Robert Clarke? What about his host, http://servercrate.com? Should we notify people that the owner of ServerCrate ran exploits on other hosts?

    http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/

  • Since Robert seems to be done now, we'll need a new Robert. Any nominations?

  • Damian Member

    @DomainBop said:
    That happens anytime an exploit is published for any popular script. Attackers use google to find sites running the script and then attempt to compromise the sites. About the only way to prevent these attack attempts would be to block all search engines from indexing your site which isn't really an option.

    Shouldn't really need to have everyone's Solus installations indexed in search engines.

  • Congrats LEB, RamNode and Robert for making it into an article at Heise, one of Germany's biggest tech news websites (and print magazines)

  • Evo Member

    @AnthonySmith said:
    Just a quick FYI, when looking through 'cat /var/log/lighttpd/access.log | grep centralbackup.php' I found around 40 - 50 attempts to get to centralbackup.php within 3 hours of the exploit being released, luckily none before I had taken the appropriate action.

    I am going through the IPs now to see if they match up to users, any that do will be terminated and get a FraudRecord record created for Criminal Intent.

    You can't be sure if these were not legitimate users - centralbackup.php is accessible to users to create central backups - it's one of the features of SolusVM.

    Or maybe they were "just checking to see if you're affected"...

  • bdtech Member

    @AnthonySmith Any POST requests?

  • Spirit Member
    edited June 2013

    @AnthonySmith said:
    I am going through the IPs now to see if they match up to users, any that do will be terminated and get a FraudRecord record created for Criminal Intent.

    Go get 'em, Tiger! I just hope that one day ICO won't get you. It would be a real shame to lose such a good host! :)

  • Oliver Member, Host Rep

    I had one customer (who also posts here) send a GET request for the affected file and a few other IPs also try and check if it was there (all after I removed it).

    I also had a few customers file tickets/email me about the issue (also after I removed it). I appreciate the heads up from concerned customers but think it's best if people just notify their providers and not go probing around themselves.
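    Several posts above turn on the same question: AnthonySmith grepped the lighttpd access log for centralbackup.php, bdtech asked whether any of those hits were POSTs rather than GETs, and Oliver distinguished a single GET (someone checking whether the file is still there) from repeated probing. The script below is an added example, not code from the thread or from SolusVM: it parses access-log lines in lighttpd's default layout (client, vhost, user, [time], "request", status, bytes, referer, user-agent), groups requests for centralbackup.php by client IP, counts GET and POST separately, and records the status codes seen, since a 404 shows the file was already removed when the request arrived. The log lines and IP addresses are constructed for the demonstration, and the review labels are hints for the triage Evo warns about (legitimate users also use centralbackup.php), not proof of intent.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any real panel) in lighttpd's default
# access-log layout: client, vhost, user, [time], "request", status, bytes,
# "referer", "user-agent".
SAMPLE_LOG = """\
203.0.113.10 panel.example.net - [18/Jun/2013:10:01:12 +0000] "GET /centralbackup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"
203.0.113.10 panel.example.net - [18/Jun/2013:10:01:15 +0000] "GET /centralbackup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"
198.51.100.7 panel.example.net - [18/Jun/2013:10:03:40 +0000] "POST /centralbackup.php HTTP/1.1" 200 512 "-" "python-requests/1.2"
198.51.100.7 panel.example.net - [18/Jun/2013:10:03:41 +0000] "POST /centralbackup.php HTTP/1.1" 200 512 "-" "python-requests/1.2"
192.0.2.55 panel.example.net - [18/Jun/2013:10:05:02 +0000] "GET /centralbackup.php HTTP/1.1" 404 345 "-" "curl/7.29"
192.0.2.55 panel.example.net - [18/Jun/2013:10:05:30 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "curl/7.29"
"""

# Everything between the client IP and the bracketed timestamp is skipped,
# so plain Common Log Format lines (no vhost field) match as well.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, time, method, path and status, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text, target="centralbackup.php"):
    """Group requests whose path contains `target` by client IP.

    GET and POST are counted separately (the distinction bdtech asked about) and
    every status code is recorded: a 404 means the file was already gone when the
    request arrived, a 200 means it was actually served.
    """
    summary = defaultdict(lambda: {"GET": 0, "POST": 0, "other": 0,
                                   "statuses": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or target not in rec["path"]:
            continue
        entry = summary[rec["ip"]]
        key = rec["method"] if rec["method"] in ("GET", "POST") else "other"
        entry[key] += 1
        entry["statuses"].add(rec["status"])
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
    return dict(summary)


def classify(summary, repeat_threshold=2):
    """Rank IPs for manual review. Labels are triage hints, not proof of intent.

    post_seen      - at least one POST to the file; correlate with the panel's own
                     logs and the status codes before drawing any conclusion
    repeated_probe - only GETs, but at or above repeat_threshold of them
    single_probe   - one GET, consistent with someone checking whether the file exists
    """
    verdicts = []
    for ip, e in sorted(summary.items()):
        if e["POST"] > 0:
            verdict = "post_seen"
        elif e["GET"] + e["other"] >= repeat_threshold:
            verdict = "repeated_probe"
        else:
            verdict = "single_probe"
        verdicts.append((ip, verdict))
    return verdicts


if __name__ == "__main__":
    # On a real host: summarize(open("/var/log/lighttpd/access.log").read())
    s = summarize(SAMPLE_LOG)
    for ip, verdict in classify(s):
        e = s[ip]
        print(f"{ip:15} {verdict:15} GET={e['GET']} POST={e['POST']} "
              f"statuses={sorted(e['statuses'])} first={e['first']} last={e['last']}")
```

    The `statuses` set is the part worth reading before acting on a match: an IP whose only hits returned 404 after the file was removed tells you nothing beyond the fact that it looked, while a 200 on a POST before removal is the case to cross-check against the panel's own records and your customer list, which is the "further validation than just the IP being in that log" AnthonySmith describes.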

  • Oh fun.

    [image]

    Looks like CVPS has fallen victim as well.

  • @Magiobiwan at least the 4shared team removed it already

  • Indeed. I'd have censored that, but didn't think of it at the time. It'll probably be back up sooner or later.

  • Have shut down Solus also in light of things for now.

  • @Evo that has always been the case no?

  • Evo Member

    @eLohkCalb,

    You are right.

  • @Evo yeah isn't the site http://www.solusvm.com/ ?

  • Evo Member

    Yes, my mistake @concerto49

  • DomainBop Member
    edited June 2013

    Host1Free finally got around to releasing an announcement:

    As you may have noticed, Host1Free has been the target of a very serious attack. All user data has been wiped and is irrecoverable - as per our terms of service, we are not obligated to keep copies or backup copies in case these sorts of things happen. Luckily we have a SolusVM backup from all the users only a couple of days ago, we will do our best to restore this backup and allow all users to continue using their services. But all client data has been lost. Please do not make threads in regards to this as we are aware and there is nothing we can do. ...

    more: http://www.host1free.com/forum/8-news-announcements/16902-update-regarding-attack-host1free-com.html

  • How nice.

  • epaslv Member

    Here we go again.....

  • Spirit Member

    So far 3 known cases, and all of them known just because the abusers let us know about it (they leaked the DB, erased data...). I am wondering how many hosts are really compromised without knowing it.

  • @Spirit said:
    So far 3 known cases, and all of them known just because the abusers let us know about it (they leaked the DB, erased data...). I am wondering how many hosts are really compromised without knowing it.

    Host1Free was the largest with 17000+ accounts wiped and no backups. I'd be willing to bet that a large number of SolusVM users still haven't applied the patch or removed centralbackup.php
