
ChicagoVPS hacked, bunch of VPS customers offline - Page 3

Comments

  • marcm Member
    edited November 2012

    [removed due to fear of thunder striking me]

  • KuJoe Member, Host Rep
    edited November 2012

    Might I suggest locking down your API directory in /etc/lighttpd/lighttpd.conf:

    $HTTP["remoteip"] !~ "1.1.1.1|2.2.2.2" { $HTTP["url"] =~ "^/api/admin/" { url.access-deny = ( "" ) } }

    If there is an exploit in SolusVM, Lighttpd won't let them access it.
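    As an added illustration (my own code, not KuJoe's and not anything SolusVM or ChicagoVPS ship): a small Python model of the rule above, run over constructed requests, comparing the IP allow-list written as an unanchored regular expression (the form the post uses) against an anchored one and against plain address comparison. It assumes the placeholder addresses 1.1.1.1 and 2.2.2.2 from the post, a `/api/admin/` path, and that lighttpd's `=~` / `!~` operators are regular-expression searches that may match anywhere in the remote-IP string with `.` matching any character; under that semantics a pattern without anchors or escaped dots also admits addresses that merely contain an allowed one.

```python
import ipaddress
import re

# The two placeholder addresses used in the post above (constructed, not real
# management hosts).
ALLOWED_IPS = ["1.1.1.1", "2.2.2.2"]

# Pattern in the form the post uses: unanchored, dots unescaped. In a regex "."
# matches any character and the match may start at any offset of the string.
LOOSE_PATTERN = r"1.1.1.1|2.2.2.2"

# Same allow-list anchored to the whole string with literal dots, so only the
# exact addresses match.
STRICT_PATTERN = r"^(1\.1\.1\.1|2\.2\.2\.2)$"

ADMIN_PATH = re.compile(r"^/api/admin/")


def regex_rule_decision(remote_ip, url, ip_pattern):
    """Evaluate a request the way the posted lighttpd rule is structured:
    a URL under /api/admin/ is denied unless the remote IP matches ip_pattern.
    re.search mirrors an unanchored regular-expression match."""
    if ADMIN_PATH.search(url) and re.search(ip_pattern, remote_ip) is None:
        return "deny"
    return "allow"


def cidr_rule_decision(remote_ip, url, allowed_networks):
    """Same policy expressed as address/CIDR membership instead of a regex, i.e.
    an exact comparison of the remote address against a list of hosts or ranges."""
    addr = ipaddress.ip_address(remote_ip)
    permitted = any(addr in ipaddress.ip_network(net, strict=False)
                    for net in allowed_networks)
    if ADMIN_PATH.search(url) and not permitted:
        return "deny"
    return "allow"


# Constructed sample requests (remote IP, URL); none of these come from the thread.
SAMPLE_REQUESTS = [
    ("1.1.1.1", "/api/admin/command.php"),       # intended management host
    ("2.2.2.2", "/api/admin/command.php"),       # intended management host
    ("1.1.1.10", "/api/admin/command.php"),      # contains "1.1.1.1" as a prefix
    ("21.1.1.1", "/api/admin/command.php"),      # contains "1.1.1.1" as a suffix
    ("10.20.30.40", "/api/admin/command.php"),   # unrelated address
    ("10.20.30.40", "/api/client/command.php"),  # client API, not covered by the rule
]


def audit(rule_argument, decide):
    """Return {(ip, url): decision} for every sample request under one rule."""
    return {(ip, url): decide(ip, url, rule_argument) for ip, url in SAMPLE_REQUESTS}


def admin_addresses_let_through(results):
    """Sorted list of remote IPs that reached /api/admin/ in an audit result."""
    return sorted(ip for (ip, url), decision in results.items()
                  if ADMIN_PATH.search(url) and decision == "allow")


if __name__ == "__main__":
    for name, argument, decide in [("loose regex", LOOSE_PATTERN, regex_rule_decision),
                                   ("strict regex", STRICT_PATTERN, regex_rule_decision),
                                   ("address compare", ALLOWED_IPS, cidr_rule_decision)]:
        reached = admin_addresses_let_through(audit(argument, decide))
        print(f"{name}: admin API reachable from {reached}")
```

    The loose pattern lets 1.1.1.10 and 21.1.1.1 through as well as the two intended hosts; the anchored pattern and the address comparison admit only 1.1.1.1 and 2.2.2.2. When adapting the one-liner above, writing the allow-list as `"^(1\.1\.1\.1|2\.2\.2\.2)$"` (or comparing the address with `==` / `!=` instead of a regex) keeps the rule as narrow as the author intended; the access-deny itself still only protects the admin API path, so the client-facing `/api/client/` requests are unaffected either way.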

  • @Jack Your comment is epic, but I don't know what you're talking about since I haven't mentioned them in any of my comments :P

  • CVPS_Chris Member, Patron Provider

    @KuJoe said: If there is an exploit in SolusVM, Lighttpd won't let them access it.

    It had to do with Lighttpd

  • KuJoe Member, Host Rep

    @CVPS_Chris said: It had to do with Lighttpd

    Thanks, I was given additional information via PM so I updated the code. :)

  • According to a lot of the comments on Twitter this seemed to have happened ~7 or more hours ago.

    https://twitter.com/search/realtime?q=chicagovps&src=typd

    Anyone think it's related to the other antics that have been happening here over the last few days? Seems coincidental?

  • @serverbear what other antics? what have I missed?

  • KuJoe Member, Host Rep

    Ok so if you use my code above, the only way to access the API is with the IP you specify and only with the API username and password. I did a quick check and both our API username and password are completely random and over 100 bits, to put that into perspective...

    As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years.

    So not only do they have to guess both the username and password, they have to guess them at the exact same time. OUCH!

    Now if there is an exploit to bypass the IP restrictions and the username/password... then I would say "Bye Bye" to SolusVM in the future.

    Regardless, this whole situation feels like the HyperVM situation all over again so I don't know what to expect as I wait in limbo. :(

  • About ~300 comments on there. Still, you think someone had a bone to pick with @CVPS_Chris and decided to take it to this level of "childish"?

  • CNJeremy Member
    edited November 2012

    Thank you @KuJoe.. This was the kind of answer I was asking for earlier.

  • KuJoe Member, Host Rep

    @CNJeremy No problem, I try to help out where I can. With all of the negativity in this thread I figured I'd post something positive and beneficial. :)

  • @KuJoe Of course, in that line of thinking, if SolusVM had an 'exploit' it wouldn't require any brute-forcing to get in, but if brute-force was used, then the password was probably simple as hell (alphanumeric or simply alpha), and used a common username (admin, etc). Which begs the question... which was it? A brute-force attack (guessing every conceivable combination), or an exploit?

  • KuJoe Member, Host Rep
    edited November 2012

    @kbeezie said: Which begs the question... which was it?

    SolusVM API usernames and passwords are randomly generated alphanumeric (uppercase and lowercase).

    Symbols are not used because certain symbols can easily break the API.

  • Maybe I don't get how SolusVM works on a provider level, but I haven't heard anybody say iptables yet. I'd never trust some software's IP whitelisting or blacklisting, I'd go for the solution built for doing just that: a firewall.

    So, if iptables would have been used (given that it's possible to do so with SolusVM and that they were not), could that have prevented this? (@CVPS_Chris)

  • @KuJoe Thank you for the lighttpd information.

    As far as the issue at hand I don't believe that @CVPS_Chris has to provide any kind of public explanation as this is an internal security issue that concerns ChicagoVPS. Their only duty is towards their customers. Further speculation doesn't really help anyone, so I for one will be waiting on the next update from Solus Labs.

  • KuJoe Member, Host Rep
    edited November 2012

    @mpkossen said: So, if iptables would have been used (given that it's possible to do so with SolusVM and that they were not), could that have prevented this?

    The problem is that the API uses the webserver ports, so if you use iptables to set up whitelists for the ports, no clients could manage their VPS.

    @marcm No problem. I'm not sure if the rest of your post was directed towards me but I didn't mean to imply anything about ChicagoVPS. If it was interpreted that way I apologize.

  • @KuJoe said: @marcm No problem. I'm not sure if the rest of your post was directed towards me but I didn't mean to imply anything about ChicagoVPS. If it was interpreted that way I apologize.

    The rest of the comment wasn't directed at you at all. It was just a general statement meant to prevent more speculation because it doesn't really help anyone. I was always of the opinion that small providers should help each other because there is certainly enough business to go around for everyone :)

  • lbft Member
    edited November 2012

    I just received this email:

    [Status Update]
    re: Chicago VPS11, Chicago VPS12, Chicago VPS14, Chicago VPS16, Chicago VPS17, Chicago VPS20, Chicago VPS21, Chicago VPS26, Chicago VPS28, Chicago VPS29, Chicago VPS30, Chicago VPS31, Chicago VPS32
    ChicagoVPS support staff are working on reinstalling all VM's back to a default state with the desired base OS. Recovery of the individual VPS files will continue once all VM's have been resumed.
    Chicago VPS11, Chicago VPS12, Chicago VPS14, and nearly all of Chicago VPS16 should be back operational at this time.
    If you have any questions in the meantime, feel free to directly email me at jshinkle-at-chicagovps.net
    Jeremiah L. Shinkle
    Chief Networking Officer
    ChicagoVPS

    Edit: mangled @jshinkle's email address, the last thing he needs right now is spam...

  • @Dionysus said: I'm certain that a simple Google search would bring up his e-mail @lbft...

    That may be true, but it's common courtesy.

  • netomx Moderator, Veteran

    Phew! None of my servers are on those nodes :)

  • @netomx said: Phew! None of my servers are on those nodes :)

    Lucky, only one of mine was affected and it happened to be the one where I just started a new project from scratch yesterday and I don't have any backups or copies of it. Thought I would be safe for one day...

  • 2 out of 3 VPSs I own are affected. Just hoping I don't have to rebuild those VPSs...

  • Ash_Hawkridge Member
    edited November 2012

    Karma is a bitch.

  • @GetKVM_Ash :) Life has a balancing effect.

    Disturbs me though that there may be a significant security issue in commonly used software. Lots of other folks could be equally impacted.

    My VPS with ChicagoVPS is still offline :(

  • @pubcrawler said: Disturbs me though that there may be a significant security issue in commonly used software. Lots of other folks could be equally impacted.

    Definitely and it was good of you to inform us all. Now we just need to wait for confirmation from SolusVM.

  • I kind of doubt this was a SolusVM issue. Most probably they just left their nodes' sshds accessible to the world and had the root password bruteforced or something.
    If it was a SolusVM issue, all VMs on all nodes could have been terminated pretty quickly. But let's wait and see.

  • @rds100 said: I kind of doubt this was a SolusVM issue. Most probably they just left their nodes' sshds accessible to the world and had the root password bruteforced or something.

    If it was a SolusVM issue, all VMs on all nodes could have been terminated pretty quickly. But let's wait and see.

    I was thinking the same. If this was SolusVM, there would be a ton more and the timing of this is a bit of a coincidence.

  • rds100 Member
    edited November 2012

    I wouldn't be surprised if their root password was "winning" either ;-)

  • @rds100 said: I wouldn't be surprised if their root password was "winning" either ;-)

    LMFAO

This discussion has been closed.