
Comments
Whoops, got it. I had a brain fart and read root on the guests when you said root on the nodes.
Me too!
Situation is curious. A lot of folks are using virtualizor and almost everyone is using WHMCS if that combination is what creates the attack vector. But not everyone is getting pwnd. Mostly the really low end providers of low end talk.
Hasn't the issue of browsers being able to non-interactively check ports on localhost been closed for months now?
I encountered the same problem. Since I had a backup of the data, I immediately reinstalled the system, but the server will have to remain idle until the vulnerability is fixed.
A lot of providers are getting hacked but very few of them are admitting it in public. Strangely it's only the ones using Virtualizor though, but I'm sure that's just a coincidence 🙃
Interesting. My hostslick box seems to have disappeared entirely just before midnight last night (about an hour before your post). I don't seem to have any encryption message, it seems like the machine is entirely powered down (nmap shows every port is filtered) and the client panel doesn't show any information about it / times out if you try to do any action on it.
Also interesting is that the CPU spiked to 25-30% for just over 5 minutes before it went offline, and 15-20% CPU steal during the same period. Disk average waiting time started spiking about 15 minutes before it went offline, approaching 8000ms around the time my CPU spiked. Disk utilisation and queue was also 20-40% for these 15 minutes too.
So, all of that does point to very sudden IO across all the VMs on that node, which would be consistent with encrypting data on every VM simultaneously.
@HostSlick if it helps in data forensics, my node was completely idle apart from monitoring. There was a spike in network traffic at 10PM GMT (about 2 hours before it went offline), so I guess that was the start of their attack.
Actually, just to add some more info. There was also some unusual traffic at 6AM GMT 29/1, and there was someone logged into my machine from 6AM to 1PM following that.
From ~10PM GMT 30/1 the average disk waiting time was pretty constant at just over 500ms up to the point my machine disappeared and there was a shorter spike around 8PM GMT 25/1, so maybe they were experimenting with the process on a few VMs then.
We are investigating. Some VPS are affected, and also some they tried but failed and went offline.
We isolated affected nodes and will follow up with customers shortly.
It seems indeed there is something like a 0-day for the terminal function within Virtualizor admin. (No, the WHMCS plugin is not involved.)
No backdoor, no rootkit, the attacker just got on the node console and ran this:
https://ikvm.oldenvale.ru/roc.sh
What it does, it seems, is zero the boot header, just making the disk image unable to boot while the data is intact. I tried to make a script to extract data out of the image and send it elsewhere to back up, but it also zeros some part with the partition information.
Name      Type        VFS      Label  MBR  Size          Parent  UUID
/dev/sda  filesystem  unknown  -      -    224744308736  -       -
/dev/sda  device      -        -      -    224744308736  -       -
Example VPS.
Virtualizor staff are behaving very strangely, like they know what's going on and don't want to admit it, but they are useless.
Right now I am checking how fast I can migrate to VirtFusion today and fix it all over.
We need to wipe this software ASAP from the remaining VPS nodes we have, as we don't serve much VPS business anymore and have specialized more in other products like dedicated servers.
For now I can say, from what I have seen, it's possible it can hit any host that is using Virtualizor today or in the following days.
What monitoring package are you using? Netdata? Prometheus?
@virtualizor anything to say?
This was obvious from when @virtualizor jumped on LET to immediately deny they were possibly responsible for the OuiHeberg hack, before that was a credible response.
Kudos to @HostSlick for migrating away from that trash panel, and even more so for encouraging other providers to do the same because this is just going to keep happening!
Looking at that script, there are some interesting choices...
Firstly, it runs on the hypervisor directly and operates on each VM, so they shouldn't need to log into each VM at all.
Quite a lot of data might well be recoverable as the contents of the disk between the first and the last 512MB is left untouched.
Every disk on each VM has its first 512MB encrypted, and the encrypted version is written to the last 512MB of the disk. If you had anything there, it'll be gone for good. Then that first 512MB is zeroed out and a boot sector with the message is put at the beginning.
If you stick a new boot sector with plausible GPT on the disk and put an ext3 header at the start of the root partition, it's likely that e2fsck will manage to recover a lot of stuff using the backup bitmaps later in the partition.
Obviously the first and last 512MB will be destroyed, but for most people there's a good chance that will be the OS files and unused space, so maybe all their useful data is still recoverable.
Zabbix.
Ironically, that VM had been completely idle for the previous 2 years (because I forgot I had it!) and I'd only installed Zabbix on it when I decided to monitor all my idlers after this BF when one of my new ones went down after only a couple of days.
Assuming that's the real script they used (it seems to be written by AI anyway), it really was ransomware.
This encrypts the first 512MB of the disk with a randomly generated key and sends the data to the attacker's server.
If one used separate boot partition that's larger than 512MB (for luks or something), their data should be entirely unaffected.
Sadly, I don't think that's default for Virtualizor templates.
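The two posts above describe the damage pattern (head of each disk encrypted, the ciphertext written over the tail, then the head zeroed and a message boot sector written) and two consequences of it: e2fsck can be pointed at the backup superblocks that survive between the two windows, and a partition that lies entirely between them is untouched. The script below is an added example written for this thread, not the attacker's script and not Virtualizor or e2fsprogs code. It scans a raw image for surviving ext2/3/4 backup superblocks, uses each copy's own s_block_group_nr, s_blocks_per_group and block size to work out where the partition started and how large the filesystem was, checks whether the primary superblock is now zeroed, and reports how many bytes of the partition fell inside the zeroed head and the overwritten tail. The image it runs on is constructed and scaled down (2 MiB windows instead of 512 MB, 1 KiB blocks, 8192 blocks per group, a made-up volume name and "DISK LOCKED" marker) so it runs offline; the superblock field offsets are the real on-disk ext layout.

```python
"""Find surviving ext backup superblocks in a disk image whose head was zeroed and
whose tail was overwritten, and derive what e2fsck -b / losetup -o need.
Added example for this thread; the image below is constructed, not a real victim disk."""
import random
import struct

MiB = 1 << 20
EXT_MAGIC = 0xEF53
SB_SIZE = 1024          # an ext superblock is always 1024 bytes


def make_superblock(blocks_count, block_size, blocks_per_group, group_nr, volume_name):
    """Minimal ext superblock carrying only the fields the scanner relies on."""
    sb = bytearray(SB_SIZE)
    log_block_size = (block_size >> 10).bit_length() - 1     # 1024 -> 0, 4096 -> 2
    struct.pack_into("<I", sb, 0x04, blocks_count)            # s_blocks_count_lo
    struct.pack_into("<I", sb, 0x14, 1 if block_size == 1024 else 0)  # s_first_data_block
    struct.pack_into("<I", sb, 0x18, log_block_size)          # s_log_block_size
    struct.pack_into("<I", sb, 0x20, blocks_per_group)        # s_blocks_per_group
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)               # s_magic
    struct.pack_into("<H", sb, 0x5A, group_nr)                # s_block_group_nr: which copy this is
    sb[0x78:0x88] = volume_name.encode().ljust(16, b"\0")[:16]  # s_volume_name
    return bytes(sb)


def parse_superblock(buf):
    """Return the fields we need, or None if buf is not a plausible ext superblock."""
    if len(buf) < SB_SIZE or struct.unpack_from("<H", buf, 0x38)[0] != EXT_MAGIC:
        return None
    blocks_count, = struct.unpack_from("<I", buf, 0x04)
    first_data_block, = struct.unpack_from("<I", buf, 0x14)
    log_block_size, = struct.unpack_from("<I", buf, 0x18)
    blocks_per_group, = struct.unpack_from("<I", buf, 0x20)
    group_nr, = struct.unpack_from("<H", buf, 0x5A)
    if log_block_size > 6 or blocks_per_group == 0:           # 64 KiB is ext4's largest block
        return None
    block_size = 1024 << log_block_size
    if blocks_per_group > 8 * block_size:                     # one block bitmap can't track more
        return None
    if first_data_block != (1 if block_size == 1024 else 0):  # 1 only for 1 KiB blocks
        return None
    return {"blocks_count": blocks_count, "block_size": block_size,
            "blocks_per_group": blocks_per_group, "first_data_block": first_data_block,
            "group_nr": group_nr,
            "volume_name": buf[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")}


def find_backup_superblocks(img, step=512):
    """Scan sector-aligned offsets for superblock copies and infer each one's partition start.
    The copy in group g lives in block (g * blocks_per_group + first_data_block) of its
    filesystem; the primary copy (group 0) sits 1024 bytes into the partition."""
    hits = []
    for off in range(0, len(img) - SB_SIZE + 1, step):
        if img[off + 0x38] != 0x53 or img[off + 0x39] != 0xEF:    # little-endian 0xEF53
            continue
        sb = parse_superblock(img[off:off + SB_SIZE])
        if sb is None:
            continue
        if sb["group_nr"] == 0:
            copy_offset = SB_SIZE
        else:
            copy_offset = (sb["group_nr"] * sb["blocks_per_group"] + sb["first_data_block"]) * sb["block_size"]
        start = off - copy_offset
        if start < 0 or start % 512:            # partitions begin on a sector boundary
            continue
        hits.append({"offset": off, "partition_start": start,
                     "fs_bytes": sb["blocks_count"] * sb["block_size"], **sb})
    return hits


def destroyed_overlap(part_start, part_len, disk_len, head_len, tail_len):
    """Bytes of a partition inside the zeroed head and inside the overwritten tail."""
    head = min(part_start + part_len, head_len) - part_start
    tail = part_start + part_len - max(part_start, disk_len - tail_len)
    return max(head, 0), max(tail, 0)


def analyse(img, head_len, tail_len):
    """Group superblock copies by the partition start they agree on and assess the damage."""
    parts = {}
    for h in find_backup_superblocks(img):
        p = parts.setdefault(h["partition_start"], {
            "partition_start": h["partition_start"], "fs_bytes": h["fs_bytes"],
            "block_size": h["block_size"], "volume_name": h["volume_name"],
            "groups": [], "backup_blocks": []})
        p["groups"].append(h["group_nr"])
        # filesystem-relative block number, which is what e2fsck -b expects
        p["backup_blocks"].append((h["offset"] - h["partition_start"]) // h["block_size"])
    for p in parts.values():
        s = p["partition_start"]
        p["primary_zeroed"] = not any(img[s + SB_SIZE:s + 2 * SB_SIZE])
        p["lost_head"], p["lost_tail"] = destroyed_overlap(s, p["fs_bytes"], len(img), head_len, tail_len)
    return sorted(parts.values(), key=lambda p: p["partition_start"])


def build_demo_image(disk_len=32 * MiB, part_start=1 * MiB, head_len=2 * MiB, tail_len=2 * MiB):
    """Constructed victim image: one ext filesystem (1 KiB blocks, 8192 blocks per group) with
    sparse_super copies in groups 0, 1 and 3, then the damage pattern applied on top."""
    bs, bpg = 1024, 8192
    blocks = (disk_len - part_start) // bs
    img = bytearray(disk_len)
    for g in (0, 1, 3):
        copy_offset = SB_SIZE if g == 0 else (g * bpg + 1) * bs
        img[part_start + copy_offset:part_start + copy_offset + SB_SIZE] = make_superblock(blocks, bs, bpg, g, "rootfs")
    img[:head_len] = bytes(head_len)                   # head wiped, ransom note as boot sector
    img[:11] = b"DISK LOCKED"
    img[disk_len - tail_len:] = random.Random(1).randbytes(tail_len)  # stand-in for the ciphertext
    return bytes(img), {"head_len": head_len, "tail_len": tail_len}


if __name__ == "__main__":
    image, geom = build_demo_image()
    for p in analyse(image, **geom):
        print(f"{p['volume_name']}: starts at byte {p['partition_start']}, {p['fs_bytes'] // MiB} MiB, "
              f"primary superblock zeroed={p['primary_zeroed']}, copies in groups {p['groups']}")
        print(f"  lost: {p['lost_head'] // MiB} MiB at the head, {p['lost_tail'] // MiB} MiB at the tail")
        print(f"  try: losetup -o {p['partition_start']} /dev/loop0 image && "
              f"e2fsck -b {p['backup_blocks'][0]} -B {p['block_size']} /dev/loop0")
```

On a real image you would read the file instead of building one, pass the actual window lengths the script used (the 512MB figures above, in bytes), and then attach the partition with losetup -o at the inferred start before running e2fsck -b with the first surviving backup block and -B with the block size; both of those flags exist in e2fsprogs. The scan reads the whole image into memory for simplicity; a chunked reader is the obvious change for a multi-hundred-gigabyte disk. destroyed_overlap is also the check behind the separate-boot-partition remark: a partition that begins after the head window and ends before the tail window reports (0, 0) lost bytes.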
I went from 2 VMs before black friday to like 13 or 14 now. I need to do something, and it seems like it could help in circumstances like this one. I'll check out Zabbix. Thanks!
At this point, I'm actually really happy with how ZAP Hosting (where I have all my VPS these days) have their very own panel (from what I can tell). Having used Solus and Virtualizor in the past, I've always liked Virtualizor more as an end-user, but I never really liked either. There was another panel that was more expensive for hosts (forgot the name? Maybe Clouvider used them?), but in the end I preferred the providers with their own panel. Vultr had a cool one (don't know their backend though).
This thread should be made an announcement. We need to inform our providers.
It's not; they require removing the boot partition for some reason.
ZAP seems to be completely custom on top of Proxmox, yeah.
VirtFusion is the word you're looking for
Virtualizor's UI can look good to the end user, but once you get to manage more than a single VM, it becomes the most utterly garbage panel I've ever used.
Barely faced any issues with VirtFusion at all. But could also be that the providers that use Virtualizor are more incompetent and care way less about their platform, which wouldn't surprise me, since Virtualizor is cheaper than VirtFusion.
The UI is one of the worst I have ever used, and it makes me skeptical of their claims regarding its security.
When I started, VirtFusion didn't exist; now I'm stuck with Virtualizor and there is no easy way to realistically migrate the VMs between the two.
Also, scale is too small to just let servers expire; I cannot afford that in every region.
What information is stored in this module? Can hackers gain complete access to it?
pic via: https://www.nodeseek.com/post-602642-1
I personally still use and love a few providers who still use Virtualizor but not because they want to but because you're basically stuck like you said, and I totally get it.
A good option, albeit a bit more expensive, would be to have both platforms and let customers migrate themselves, offering the true benefits of VirtFusion to them.
I believe some providers actually managed to migrate VM disks from Virtualizor to VirtFusion though, by creating a blank VM and then importing the disk manually or something like that.
I could be wrong but I don't think it stores any important information.
https://www.virtualizor.com/docs/admin/kyc/
I am always extraordinarily suspicious of Virtualizor. Even just navigating through the software screams that it's made by people who don't know what they are doing; why anybody is trusting a large portion of their business to software like that is a mystery to me.
I don't know the specifics on this, but my bias would make me think that this is absolutely an issue on the Virtualizor side. Is this going to be enough to finally get people to ditch that piece of crap?
TBH I never understand why hosts spend so much money on these panels rather than rolling their own. Maybe I'm not a typical customer, but I almost never use any of these control panels, and I really don't care what the provider uses as long as I can SSH into the VPS.
The only features I think are actually useful are: stop, start, reboot, mount ISO, reinstall, VNC, maybe change root password and maybe bandwidth stats. Am I missing something?
That now explains how they bypassed my 2FA. So it’s a terminal 0-day 🤯.
Virtualizor VNC is enabled by default (with barely any provider giving you the option to disable it yourself) with very easy, max 6-digit passwords.
What could go wrong? It seems very secure to the @virtualizor guys!