Welcome all LEBers! Today has been an unfortunate day for many hosts and a shocking eye-opener for anyone using SolusVM to offer VPSs to the public. Earlier today the website localhost.re reported a SolusVM exploit that affects every SolusVM version: the now defunct/unused file centralbackup.php contained multiple blunders, including SQL injection, direct exec()ution of arbitrary commands, and access to the SolusVM server-side binary, which can itself execute any command. This came as a surprise to hosts, to say the least, and one of the first to be targeted appears to have been RamNode.
Very shortly after the original post went up on localhost.re, one of our long-term members @vld broke the news on LowEndTalk, which is where many LE* members first heard of the exploit. Many hosts were quick to patch it, and SolusVM, not long after being contacted, sent out an announcement by email giving hosts clear instructions on how to do so. Unfortunately one very reputable host was caught out: barely hours after the post on LowEndTalk their SolusVM index page had been replaced with an image offering anyone a download of the database and access to the admin panel. (http://cdn-static.com/i/AiBpjTIC.png)
RamNode were quick to respond, removing the vulnerable file and blocking access to anything else that might be exposed; they are now busy dealing with this nightmare and getting clients back online as fast as possible. We must commend Nick for his perseverance in dealing with such an issue swiftly and calmly.
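For hosts who have just pulled the file, the two questions that follow are whether it is really gone and who requested it before it was removed. The script below is an added example written for this post; it is not code from the original article, from SolusVM or from RamNode. It assumes the SolusVM web root lives at /usr/local/solusvm/www (override with SOLUSVM_WWW) and that the web server writes an Apache combined-format access log; the log it scans here is a constructed sample with RFC 5737 documentation addresses, not real RamNode data.

```shell
#!/bin/sh
# Added example, not code from the original post, SolusVM or RamNode.
# Two checks a host would want after the centralbackup.php disclosure:
#   1. is the file actually gone from the SolusVM web root?
#   2. which client IPs requested it, according to the access log?
# The web-root path and the log format (Apache combined) are assumptions.

SOLUSVM_WWW="${SOLUSVM_WWW:-/usr/local/solusvm/www}"   # assumed install path

# Exit status 0 when centralbackup.php is absent from the given directory,
# 1 when it is still there (i.e. the host is still exposed).
centralbackup_absent() {
    [ ! -e "$1/centralbackup.php" ]
}

# Number of access-log lines that reference centralbackup.php (any method,
# any query string). Always prints a number; grep's non-zero exit status on
# "no matches" is ignored because no matches is the answer we hope for.
centralbackup_hits() {
    grep -c -i 'centralbackup\.php' "$1" || true
}

# Client IPs that requested centralbackup.php, most frequent first, printed
# as "<count> <ip>" lines. Field 1 of a combined-format log is the client IP.
centralbackup_sources() {
    grep -i 'centralbackup\.php' "$1" \
      | awk '{c[$1]++} END {for (ip in c) print c[ip], ip}' \
      | sort -rn
}

# Constructed sample log (RFC 5737 addresses, not real RamNode data) so the
# example runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [17/Jun/2013:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2013:03:15:44 +0000] "POST /centralbackup.php HTTP/1.1" 200 812 "-" "curl/7.29"
198.51.100.7 - - [17/Jun/2013:03:15:52 +0000] "POST /centralbackup.php HTTP/1.1" 200 96 "-" "curl/7.29"
203.0.113.9 - - [17/Jun/2013:03:20:10 +0000] "GET /admincp/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jun/2013:03:21:03 +0000] "GET /centralbackup.php?x=1 HTTP/1.1" 200 512 "-" "python-requests/1.2"
EOF
}

# Stand-alone demonstration against the sample log.
sample_log="$(mktemp)"
write_sample_log "$sample_log"
echo "hits on centralbackup.php: $(centralbackup_hits "$sample_log")"
echo "requesting IPs (count ip):"
centralbackup_sources "$sample_log"
rm -f "$sample_log"

if centralbackup_absent "$SOLUSVM_WWW"; then
    echo "$SOLUSVM_WWW/centralbackup.php is not present"
else
    echo "WARNING: $SOLUSVM_WWW/centralbackup.php still exists; remove it"
fi
```

On a real box, point centralbackup_hits and centralbackup_sources at the actual access log (for example /var/log/httpd/access_log or the Lighttpd log that SolusVM's bundled web server writes, depending on the install) and treat any hit at all as a sign that the panel's database credentials and admin sessions should be assumed compromised, since the file allowed command execution and SQL injection without authentication.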
An announcement from RamNode was soon released, confirming that Robert was behind the initial breach at RamNode via the exploit. “As you are all aware, this has been a nightmare for [us]. Robert ran the SolusVM exploit on our control panel early this morning. Someone, him or else, then logged into several nodes and wiped the data.”
Members of LowEndTalk posted findings that correlate with the above statement that Robert was behind the attack. The evidence included matching IPs and even confirmation that the IP belonged to Robert’s home network (via the welcome page of an HP media server, which clearly stated “Robert’s Pictures” under the hostname ‘clarkeone.homeserver.com’). That is not especially good news given Robert’s previously dubious history and not-so-great reputation in the industry. While Robert has admitted to the initial “testing” of the exploit, he still protests his innocence and vehemently denies doing any of the damage.
Whatever the case, we wish every host the best of luck in dealing with the aftermath of this shocking exploit, and commend RamNode for their quick response & level headed handling of the situation.
Thanks to @Zen for writing up the majority of this.