New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
This was posted on VPSBoard, from a ticket
Any idea on what data these backups contain and when they were taken? Do they have all the data of the VPS on them or only configuration?
Just trying to figure out what I need to prepare for restoring.
Cloudmin is really undervalued.
That's how serious he is about his project.
That is an understatement of the week!
If i remember right from the last hack in November you had to restore form the backup made from the solusvm panel backup option. But you only had backups if you manually clicked the create backup button. I don;t know if they had any scheduled vps backups. Based off the pingdom reports it looks like their backup servers didn't go offline.
Since the hack we implemented offsite backups of the entire VPS. IF there is data loss we can restore it to the latest backup.
Can you give us an idea of when the most recent backup was? Thankfully I didn't have anything mission critical on the VPS yet but I imagine there are others who are in a serious panic.
@chronos511 Their offsite backups are made every Thursday.
edit: I should say that when I requested a restore a month ago from offsite backup it was from the previous Thurs. I don't know if they stagger them for different nodes or what.
update #2 just emailed:
My VPS in chicago is still down, I'll wait another 24 hours before I bug them with a ticket.
One of my servers is still down and looks to be lost. Ironically it is the node that I had moved after my outage incident a few weeks ago:
http://www.lowendtalk.com/discussion/10760/chicagovps-outage#latest
The server that I kept on the node stayed up. There was one database that I wasn't backing up since I renamed it - urgh.
I spent the last 10 days preparing to switch all reliance completely off CVPS but even with all that preparation I still lost some data.
@CVPS_Chris
sounds like a good time to signup for an email provider like Mailchimp or Amazon SES
@mpkossen
mysqli_real_escape_string on its own is also not enough to stop exploits. there are plenty of ways and places you can inject SQL or XSS that don't rely on an apostrophe, quote mark, carriage return, null character or a backslash (mysql syntax is very flexible).
the most common culprit is uncase integer field, for eg.
$sql = "select username, password from users where id = " . mysql_real_escape_string($_GET['id']);
Old school injections won't work, but something like:
1 and 1=0 union select null,password,null from users limit 1,1-- -
will. you really need to cast and in string filter out anything that isn't A-Za-z0-9 with regular expressions or the filter_var functions. developers almost always slip up, especially with more complex fields such as emails (nobody gets validating emails correct). unicode opens up an entire pandoras box. you need to bind parameters (all the db libraries support it).
it is a real mistake to create a function like safe_var() that just escapes ' " etc. not all variables are the same and you can't have one filter function that fits all. there is a very popular commercial software application used by VPS companies that makes this mistake.
oh no.., now ChicagoVPS..
@nikcub is it blind sql injection ?
@dgprasetya
yep, in most cases you blind, double blind, timing or error-based to extrapolate the schema and then exploit by inserting a user record or updating an existing. for eg. you can usually update permission levels and tokens on an existing user using blind queries.
it is more complicated, but there are tools like sqlmap that automate it. you'd be surprised at what type of data you can get even without there being an error page or any data output.
@Nick_A,
Unfortunately sales are with higher priority than security.
It's good to see that they started a "full audit" of the code ... ...after a few years of negligence, so:
"Thank you for your patience and continued support."
My Customers threat with lawsuit. ChicagoVPS cant answer the tickets.
When system up and running ?
I need net time for system up and running!
I can't work out if I am on LA18. The details panel in the control panel simply says 'unavailable. anybody have a clue how I can find out which node a server is on?
@dnwk
If somebody wants to send me the source, i'd be happy to build something like this. either as a separate server or a new front controller that parses all input through sane rules.
how i can find im which node ?
@nikcub: indeed, mysqli_real_escape_string on its own is not enough. However, SolusVM does escape passwords to some extent, by using single quotes around the variable. If you combine this with mysqli_real_escape_string, you prevent breaking out of it, AFAIK.
How solus does it:
What I would recommend if PDO is no option:
Anyway, I shudder from both the above. I'm all for PDO.
@BlackKnight said: My Customers threat with lawsuit.
Call their bluff. They'll never file lawsuit.
I'm still down lol, in LA, node 18, who's up?
(skype, One hour ahead of UK)
Maybe he did get everyone else up?
what is chris skype address ?
As of now, it looks like we have 10 nodes back online and 10 left to go.
Any updates from those who have been restored as to what date the backup restored was?
So this statement and the email sent this morning contradict each other. My VPS is in Atlanta - can you restore from the latest backup I made or did I lose data?
Just saw this notice posted on chicagovps's website - I guess this means my data from the offsite central backup is still there, I just have to open a ticket and wait for it to be restored? If so - this is good news, I don't mind waiting - I just want to know my data is still there.
with light of all the recent lies and lack of communication from cvps, i think its time customers begin to demand refunds.. but I doubt this process will go smoothly..
Still wondering what the holdup is, the 10 servers that were down earlier are still down even though they aren't restoring from backups?