New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
I have no skin in the game, but I wonder how you can so confidently state that. Have you seen the complete results of their investigation into the breach? Have you had access to their systems / logs to know for sure that your product wasn't involved in the breach? Or do you just believe that it's impossible for your product to have any vulnerabilities? Because almost every company believes that until they're wrong.
I just want to share a few of my things. I have recently seen some weird login attempts from our old account’s (failed login attempts) that we have only once shared with Virtualizor when we were configuring it a few years ago (back when it was only a dev infrastructure). It seems like some insider is on their support system. Same IP also tried using „virtualizorsupport” account that never existed in the first place, that’s why we think they are the source of the attack.
Hello,
Yes, we can comment without any problem.
Our internal teams have successfully reproduced the attack by executing a payload via their WHMCS add-on in communication with their API. Virtualizor denies this attack vector and has asked us to deny it as well to avoid "damaging" their brand image. The result is that the attacker did indeed go through Virtualizor via the WHMCS add-on.
Best regards
And who is the provider of the virtualizor-whmcs-addon? Is that Virtualizor itself or a third party?
Can you share the email / communication?
Also curious.
This is a very serious . To be clear, does this mean there's an unpatched security risk affecting other providers who are completely unaware of the threat?
comments @virtualizor ?
We will communicate exactly how to exploit the vulnerability to Virtualizor in a video so that they can 'try' to patch this type of attack.
@virtualizor any comment?
I'd assume they are using the stock Virtualizor addon, present on their site (which seems to be down as of now).
https://web.archive.org/web/20251002195438/https://www.virtualizor.com/docs/billing/whmcs-module/
virtualizor / softaculous page is down now
Virtualizor getting hacked I can understand SSO is risky done wrong but would not worry about softaculous
It’s been down for at least two hours now.
Just leaking this info is enough for everyone to replicate it, sorry to say it. They put code into an AI agent and ask it to find the problem. Would recommend all hosting providers to disable it for now.
It's also best to keep quiet about the issue to avoid spread of the trouble.
Maybe the problem was using an AI agent to code this addon in the first place.
Virtualizor was crap even before the breach
And it's even worse now given their reaction in this thread.
You've got to admit that for a small team at @ouiheberg, they reacted fairly well to the breach and shut down their infrastructure immediately upon detecting the intrusion. If anyone remembers how poorly the ColoCrossing breach this year was handled, where the hacker was allowed to wreak havoc on the VMs and hold users' data to ransom over the course of a few days.
Isn't it best not to keep quiet at this point and to raise awareness so that others who have anything to do with virtualizor can take the precautions right away? What makes you think the same attacker that targeted @ouiheberg won't go on to take down other hosts?
Kudos to @ouiheberg for thorough investigation, handled like pros.
Thank you for your feedback. Our teams are trying to reproduce the attack, but we are having difficulty contacting Virtualizor, so we are waiting before we can show them the flaw on video so that they can try to patch it to prevent other hosts from being attacked by this vulnerability.
There's some truth to this, but as with most things it's not that simple. Also:
Welp.
You can PM us. Or email us at [email protected] / [email protected]
Also you just seem to have mentioned that you are trying to reproduce the matter.
As mentioned in our PM exchange with you, we have been waiting for a POC for the same.
We await details from you. Please PM us or email us.
When we first posted that the attack was not carried out via Virtualizor, we had already been in communication with @ouiheberg. We were unable to reproduce the claimed attack scenario. We requested further data, but received no reply from @ouiheberg for two days, even after a follow-up. Consequently, we posted that the claim of the attack being conducted via Virtualizor could not be substantiated at that time.
Following our post, we are still awaiting the attack video that @ouiheberg is expected to share. If a genuine Proof-of-Concept (POC) existed, we would have issued a patch by now.
I guess Ouiheberg was busy with the results of the attack and this is why they did not respond, if this was the case. It is going in a very interesting direction, waiting for more details.
@virtualizor said:
So you're simultaneously waiting for a PoC of the exploit, whilst also claiming that this hack has nothing to do with your product? Seems legit... 🙄
Yes, our top priority is to repair our entire infrastructure so that our customers can use the service they pay for. Last night, our teams tried to reproduce the attack, but we had to stop because we were unable to deploy VMs as Virtualizor was no longer online (you'll have to explain to me how that's possible).
We had verified what was given and could not reproduce it as it was not a full POC or substantive proof. And after passage of time and no response we had to make the post stating this fact that for the current details provided by the OuiHeberg team, this was not a Virtualizor exploit.
We still await further details from the OuiHeberg team.
Lots of facts getting thrown around up in here.
Any additional updates?