SolusVM vulnerability - Page 6

Comments

  • DamianDamian Member

    I would recommend not hosting with them then, if they haven't... we had several people tell us of the exploit throughout the day, even after we had patched it. It would be completely impossible to ignore the situation, really.

  • nikcubnikcub Member

    There is a reason why there have been more exploits recently, ioncube stuff is being decoded and code audited. Hostbill and now Soluz, they will be targeted thoroughly. You can bet that centralbackup.php is not the only exploit in Soluz - really crappy code like that is an indicator that the rest of the product is full of holes.

    These companies have been hiding their terrible code behind 'encrypted' ioncube and now the curtain is being pulled back.

    There will be a lot more of this, and more worrying for everybody here is that the guys doing the research aren't the people publishing the exploits and deleting servers - those are the kids. The professionals sell their exploits to teams who will steal and sell your data.

    I probed a very popular software application used in this space around 4 weeks ago (I work in penetration testing + security). Within 30 minutes I found two holes and that the main database class does not properly escape user input, so every single sql query can be manipulated. Emailed them, no response. Meh.

    I am completely unsurprised at what has happened today. I lowered the TTLs on two ChicagoVPS servers that I have (used as backups for myself and clients) and copied all the data off a week ago in prep for a move (I hadn't gotten around to actually switching, which was easy enough to do as soon as my hosts went down).

    Were I a VPS provider, I would be very, very vigilant with my web logs. Install an IDS and other tools like mod_security, check your POST and GET params for exec calls, UNION queries, etc.
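    The log review nikcub recommends, as an added example that is not from the post or from SolusVM: a Python scanner over constructed Apache combined-format lines that URL-decodes each request target (twice, to catch double encoding) and flags SQL-injection and command-injection indicators. One caveat a practitioner wants: the access log carries only the request line, so POST bodies, which is where most panel forms send their parameters, are invisible here; for those you need mod_security's audit log or equivalent. The log lines, paths and rule names below are assumptions for illustration.

```python
"""Scan Apache/nginx combined-format access logs for SQL- and command-injection
indicators in the request target. Added illustration: the log lines, paths and
rule set below are constructed, not taken from any real incident."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each rule is (name, pattern); patterns run against the decoded path+query.
RULES = [
    ("sqli_union",     re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli_comment",   re.compile(r"(?:--|#|/\*)\s*$|'\s*--", re.I)),
    ("php_exec",       re.compile(r"\b(?:exec|system|passthru|shell_exec|popen)\s*\(", re.I)),
    ("shell_chain",    re.compile(r"[;|`]\s*(?:cat|wget|curl|nc|bash|sh)\b", re.I)),
    ("path_traversal", re.compile(r"(?:\.\./){2,}|/etc/passwd", re.I)),
]


def decode_target(target):
    """URL-decode the request target twice so %2527-style double encoding is caught too."""
    return unquote_plus(unquote_plus(target))


def scan_line(line):
    """Return (ip, path, [rule names]) when a request matches any rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None          # not a combined-format line; skip rather than guess
    decoded = decode_target(m.group("target"))
    path = decoded.split("?", 1)[0]
    # Inspect path and query together: traversal lives in the path, injection in the query.
    hits = [name for name, pat in RULES if pat.search(decoded)]
    return (m.group("ip"), path, hits) if hits else None


def scan_log(lines):
    """Return every suspicious request from an iterable of log lines."""
    return [hit for hit in (scan_line(l) for l in lines) if hit]


# Constructed sample log. The final line is a POST: its body is not in the access
# log, so nothing here can flag it; that is the gap mod_security audit logging fills.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2013:10:01:02 +0000] "GET /admin/index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jun/2013:10:01:09 +0000] "GET /admin/client.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20admins-- HTTP/1.1" 200 2231 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jun/2013:10:02:11 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 302 0 "-" "curl/7.29"',
    '198.51.100.7 - - [17/Jun/2013:10:02:30 +0000] "GET /tools.php?cmd=%3Bcat%20/etc/passwd HTTP/1.1" 500 0 "-" "curl/7.29"',
    '192.0.2.44 - - [17/Jun/2013:10:03:00 +0000] "POST /centralbackup.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(rules)}")
```

    Pipe a real log through `scan_log(open("/var/log/apache2/access.log"))` from cron; treat the rule names as triage hints, not verdicts, since legitimate URLs can contain "select" or "--" and the real signal is a source IP that trips several rules in a short window.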

  • erhwegesrgsrerhwegesrgsr Member
    edited June 2013

    @nikcub said:
    There is a reason why there have been more exploits recently, ioncube stuff is being decoded and code audited. Hostbill and now Soluz Solulz, they will be targeted thoroughly. You can bet that centralbackup.php is not the only exploit in Soluz Solulz - really crappy code like that is an indicator that the rest of the product is full of holes.

    These companies have been hiding their terrible code behind 'encrypted' ioncube and now the curtain is being pulled back.

    There will be a lot more of this, and more worrying for everybody here is that the guys doing the research aren't the people publishing the exploits and deleting servers - those are the kids. The professionals sell their exploits to teams who will steal and sell your data and to kids in need of more allowance or just for some lulz.

    I probed a very popular software application used in this space around 4 weeks ago (I work in penetration testing + security). Within 30 minutes I found two holes and that the main database class does not properly escape user input, so every single sql query can be manipulated. Emailed them, no response. Meh.

    I am completely unsurprised at what has happened today. I lowered the TTLs on two ChicagoVPS servers that I have (used as backups for myself and clients) and copied all the data off a week ago in prep for a move (I hadn't gotten around to actually switching, which was easy enough to do as soon as my hosts went down).

    Were I a VPS provider, I would be very, very vigilant with my web logs. Install an IDS and other tools like mod_security, check your POST and GET params for exec calls, UNION queries, etc.

    Completely agree; I made the part that I was always drilling so hard on bold. The code is completely horrible...

    Not escaping right is like MySQL 101, @soluslabs, are you like 12 or is this an escalated school assignment?

    I have seen HF kiddies do PHP better than these lousy wankers
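    The escaping point nikcub and erhwegesrgsr are making, as an added example that is not SolusVM's code (sqlite3 stands in for MySQL here): the same lookup written three ways, with string interpolation, with quote-escaping only, and with bound parameters. The second form shows why "escaping right" is not enough on its own: escaping quotes does nothing for a value dropped into an unquoted numeric position. The table, rows and attacker inputs are constructed.

```python
"""Three versions of one panel-style lookup: interpolated, escaped-only, and
parameterised. Added illustration; the schema and rows are constructed and
sqlite3 is used in place of MySQL so it runs anywhere."""
import sqlite3


def make_db():
    """Constructed table of VMs keyed by owner, standing in for a panel's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vms (id INTEGER, owner TEXT, hostname TEXT)")
    conn.executemany("INSERT INTO vms VALUES (?, ?, ?)", [
        (1, "alice", "vps1.example"),
        (2, "bob", "vps2.example"),
        (3, "carol", "vps3.example"),
    ])
    return conn


def vms_by_owner_vulnerable(conn, owner):
    """User input pasted straight into the query: owner = "' OR '1'='1" returns every row."""
    sql = "SELECT hostname FROM vms WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def quote_escape(value):
    """Minimal MySQL-style quote escaping (backslash and single quote doubled)."""
    return value.replace("\\", "\\\\").replace("'", "''")


def vm_by_id_escaped_only(conn, vm_id):
    """Escaping quotes protects a quoted string literal, but id is unquoted here, so
    vm_id = "1 OR 1=1" contains no quote to escape and still rewrites the WHERE clause."""
    sql = "SELECT hostname FROM vms WHERE id = %s" % quote_escape(vm_id)
    return [row[0] for row in conn.execute(sql)]


def vms_by_owner_safe(conn, owner):
    """Bound parameter: the driver sends the value separately, so it can never become SQL."""
    return [row[0] for row in conn.execute(
        "SELECT hostname FROM vms WHERE owner = ?", (owner,))]


def vm_by_id_safe(conn, vm_id):
    """Bound parameter plus type enforcement: non-numeric input raises ValueError
    instead of reaching the database at all."""
    return [row[0] for row in conn.execute(
        "SELECT hostname FROM vms WHERE id = ?", (int(vm_id),))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vms_by_owner_vulnerable(db, "' OR '1'='1"))   # all three hosts
    print("escaped-only:", vm_by_id_escaped_only(db, "1 OR 1=1"))      # all three hosts
    print("safe:", vms_by_owner_safe(db, "' OR '1'='1"))               # []
    print("safe:", vm_by_id_safe(db, "2"))                             # ['vps2.example']
```

    The design point: a database class that exposes only the parameterised forms makes "forgot to escape" impossible at the call site, whereas a class that offers an escape helper leaves every caller one missed call away from the interpolated version.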

  • AnthonySmithAnthonySmith Member, Patron Provider

    I have heard views like this come and go, but no one has done a better job as yet; if they could have, they would have. If, as you say, HF kids do PHP better, they could be raking in $xxx,xxx per year with little to no effort.

    There really is no need to be so aggressive and personally insulting. 99% of the hosts here use SolusVM, so by association this is just pointless and insulting and in no way of any use to anyone.

  • Boy, am I really glad that my backup server on Backupsy doesn't use SolusVM! No uncertainty about whether they've been compromised or not!

  • @AnthonySmith said:
    I have heard views like this come and go, but no one has done a better job as yet; if they could have, they would have. If, as you say, HF kids do PHP better, they could be raking in $xxx,xxx per year with little to no effort.

    There really is no need to be so aggressive and personally insulting. 99% of the hosts here use SolusVM, so by association this is just pointless and insulting and in no way of any use to anyone.

    Being able to write proper PHP doesn't grant you the skills to write a panel...

  • I guess the only way to be sure to minimize exploits is to have a fully open source panel. The more peer reviewed the code, the lesser the chance for such blatantly silly code to remain.

  • @joelgm said:
    I guess the only way to be sure to minimize exploits is to have a fully open source panel. The more peer reviewed the code, the lesser the chance for such blatantly silly code to remain.

    Following some proper guidelines should suffice...

  • MaouniqueMaounique Host Rep, Veteran

    People that try to obfuscate code know full well it will be seen sooner or later, so this can't even be called security through obfuscation, so to speak...

    If they are spending money on encryption schemes instead of making a good product, then that is a failed model and they will fail: encryption is broken, code exposed, security flaws exposed, and still they are unable to stop the people that decrypt it and null it.

    Sad reality call.

  • If it isn't obfuscated, the vulnerability has more chance of discovery by a user or peer developer rather than a hacker.

  • 99% of the hosts here use SolusVM so by association this is just pointless and insulting and in no means of any use to anyone.

    What percentage of that 99% bother to do regular vulnerability testing (or use a service like Trustwave or Sitelock, etc to do vulnerability scans) of the 3rd party scripts they use before deploying them in a production environment? If someone blindly puts code on their site without doing any vulnerability testing of that code then they also share some of the blame.

  • dnwkdnwk Member

    @AnthonySmith said:
    I have heard views like this come and go but no one has done a better job as yet, if they could have they would have if as you say HF kids do PHP better they could be raking in $xxx,xxx per year with little to no effort.

    There really is no need to be so aggressive and personally insulting. 99% of the hosts here use SolusVM, so by association this is just pointless and insulting and in no way of any use to anyone.

    99% of hosts use SolusVM; that's why it became a valuable target.

  • @joelgm said:
    I guess the only way to be sure to minimize exploits is to have a fully open source panel. The more peer reviewed the code, the lesser the chance for such blatantly silly code to remain.

    You would think that right? But then you have Vanilla Forums as a great example of why that isn't always the case.

  • dnwkdnwk Member

    Are there new exploits in SolusVM? Already, two providers send me emails saying that there are exploits beside the "centralbackup" one.

  • dnwkdnwk Member

    @SysAdmin said:
    You would think that right? But then you have Vanilla Forums as a great example of why that isn't always the case.

    When it is easier for people to locate the problem, it is also easier for a hit man to find the exploits.

  • natestammnatestamm Member
    edited June 2013

    @AnthonySmith so a legit user navigating to centralbackup.php who is your customer, you are going to terminate?

    I think you need to consider what you just said. Yes, I know what you meant..

    @Evo said:
    ..You can't be sure if these were not legitimate users - centralbackup.php is accessible for the users to create central backups - it's one of the features of SolusVM...

    Thank you.

  • Why don't you just run find . -mtime -7 -fprintf search.log "%f\n"

    I am sure you can even write a cron job to email you every day if any new files have been changed, that way you would know if there is anybody waiting to root your box!
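    A stronger version of the find-based check in the post above, as an added example that is not from the post: hash every file under the web root once, keep that baseline off the box, and on each cron run report what was added, removed or modified. A plain `-mtime` sweep misses an attacker who preserves timestamps (`touch -r` on the dropped file), which a content hash does not; and a baseline stored on the same host is only as trustworthy as the host, so copy it elsewhere. The web root layout and file contents are constructed.

```python
"""File-integrity baseline for a web root: snapshot sha256 of every regular file,
persist it as JSON, and diff a fresh snapshot against it. Added illustration;
the directory layout in demo() is constructed."""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path):
    """sha256 of a file, read in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root.
    Symlinks are skipped: following them lets an attacker point the scan elsewhere."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            out[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return out


def diff_snapshots(old, new):
    """Added/removed/modified paths between two snapshots; all empty means clean."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(root, baseline_path):
    """Cron entry point: compare root against the stored baseline and return the diff."""
    return diff_snapshots(load_baseline(baseline_path), snapshot(root))


def demo():
    """Constructed scenario: baseline a fake web root, then plant a file in uploads/,
    edit a config, and delete a file. Returns the diff the cron job would mail out."""
    root = tempfile.mkdtemp(prefix="webroot-")
    fd, baseline = tempfile.mkstemp(suffix=".json")   # kept outside root on purpose
    os.close(fd)
    try:
        os.makedirs(os.path.join(root, "admin"))
        os.makedirs(os.path.join(root, "uploads"))
        for rel, body in {"index.php": "<?php echo 'hi';",
                          "admin/config.php": "<?php $db = 'x';",
                          "README": "panel"}.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        save_baseline(snapshot(root), baseline)

        with open(os.path.join(root, "uploads", "shell.php"), "w") as f:
            f.write("<?php /* planted */")
        with open(os.path.join(root, "admin", "config.php"), "a") as f:
            f.write("\n// tampered")
        os.remove(os.path.join(root, "README"))
        return check(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        os.remove(baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    Regenerate the baseline only after a deliberate upgrade, and mail any non-empty diff; a modified `config.php` or a new `.php` under an upload directory is exactly the signal the post is asking for, and it survives timestamp games that defeat `find -mtime`.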

  • epaslvepaslv Member

    While there are many providers trying to deal with this SolusVM incident, its interesting to note how varied the approach is in notifying and updating their customers.

    It is the belief of many (that follow ITIL) that notifying and updating your customers is of more importance than dealing with the technical problem itself.

  • nikcubnikcub Member

    a fully open source panel.

    This is a good idea. I've already seen a couple of comments saying that these incidents and more that are likely to come will drive the larger hosts to create their own panels in-house. This is a bad idea and will only prevent one exploit being used multiple times but it won't prevent exploits - there is little chance that these providers will be able to each create a panel that could withstand modern pen testing.

    These hosts should instead get together and invest in an open source panel - finding some good developers to kick the project off. Stick with PHP but use a proper framework like Symfony2.

    I'd actually be interested in such a project, I just don't know this space well enough to go out and do it on my own (I do know how to break the panels, though :)). If someone wants to give us a rundown on what basic features you would need for a first version i'd be happy to spec it up and find some developers to work on it.

  • MaouniqueMaounique Host Rep, Veteran

    I've already seen a couple of comments saying that these incidents and more that are likely to come will drive the larger hosts to create their own panels in-house. This is a bad idea

    @nikcub well said! Now a few believe they can code best and nobody will break their panel; however, I seriously doubt that.
    It may be, but the chances are slim.
    I am waiting to see a panel of experts from here pick up a project, and I am sure many hosts will part with some bucks to pay a developer to write secure code and make a functional panel.
    Even better, make it so you pay for the feature: you ask for x feature, you pay y money. And everyone will benefit.

  • nikcubnikcub Member

    @Maounique

    I am sure many hosts will part with some bucks to pay a developer to write secure code

    I'd invest in it myself if I got a commitment from a handful of hosts to use it and possibly purchase support. Completely open source with no encoding, a liberal license (BSD - so you can integrate commercial modules) etc. but the initial investment as a commitment to purchase a year of support. Could work.

  • redreamredream Member
    edited June 2013

    @nikcub Seriously awesome idea. I would be in for this for dev/design. Open source = faster development, better quality and more secure code.

    Let me know if you get anything together. Add me on skype (alexanderm781) if you want to talk.

  • nikcubnikcub Member

    @redream

    Will definitely look into this further; I'm contemplating building a quick application-level firewall for Solus and WHMCS so that hosts can rest easy for a little while. An interim measure.

  • I was looking into getting SolusVM into our platform, but it looks like we will be taking an alternative route: VMware, although it's very pricey...
