ChicagoVPS hacked, bunch of VPS customers offline
@soluslabs I haven't done a solusvm master installation in a very long time, but IIRC the API user/key is automatically generated and looks random. What random generator function is used for this? How is the random generator seeded at that point?
@rds100 We use our own function for that. It's based around the installs unique key.
Thanks. Sounds reasonable.
And how is the install's unique key generated, what random function is used there and how is it seeded?
Jack seems to be on the money there.. I bet that could be pain in the butt to restore..
@apollo15 I can't really answer that question. I can think of many things it could be but that's just speculation and we don't want to start anymore rumours!
So.... @soluslabs is saying there's nothing to worry about as of yet; CVPS won't reveal details... Publicity Stunt clearly! I bet one Chris just laid on his desk and button smashed until he found the sequence for rm -r /;)
ChicagoVPS is definitely hiding something. First post it was brute-force, then something to do with Lighttpd, nothing reported to Soluslabs and so on. If there was an exploit much bigger players would be affected, not just Chris.
What do you mean Chris is the big player.
He's confirming it had something to do with Lighttpd here right? Or am I reading this wrong?
@apollo15
Kujoe said, if it has something to do with API access, block it using lighty config so none but whitelisted IPs can access it while we try to figure out what's going wrong. Maybe it's Chris's e-pen that got fat instead of long?
Awww
Ouch, hit me where it hurts
You need to regulate your trolling
Trolls know not of regulation. On a serious note, point taken.
Giving them the benefit of the doubt on this until we know more. I think we'd all like that courtesy extended to us in the same situation. I'm sure there's good reason they haven't sat down to write an article yet.
But the question remains, who is that "other" provider?
Well, I guess we will all know once Chris or Jeremiah wake up. Let's give them a deserved rest now.
Is Chris dead? Cause he can sleep then.
LMFAO You would have earned a lot of thanks from me today, but unfortunately there's an exploit in that module as well!
And that is why you do not rely on webserver configuration and add a simple check in your software itself.
End Of Reality, I'd assume.
Wait - does this mean you are not using PDO? If you were using PDO, SQL injection would not even be a possibility, so there would be no reason to pre-fetch all API users. Not to mention that it's very bad practice to move database operations (selecting rows) to your application code.
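The point made above, that with parameterised queries SQL injection is not a possibility and the database rather than application code should select the matching row, shown as an added example that is not part of this thread or of SolusVM's code. It uses Python's sqlite3 module as a stand-in for PHP's PDO, the table layout and API keys are constructed for the demonstration, and the probe string is the textbook tautology used to show why concatenation fails.

```python
import sqlite3

# Constructed sample table: two API users with made-up keys (not real data).
SAMPLE_USERS = [
    (1, "billing", "k-1111"),
    (2, "monitoring", "k-2222"),
]


def make_db():
    """Build an in-memory database holding the constructed API user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany("INSERT INTO api_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, supplied_key):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so whatever the caller sends is parsed as part of the statement."""
    sql = "SELECT name FROM api_users WHERE api_key = '%s'" % supplied_key
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, supplied_key):
    """Parameterised pattern (what PDO prepared statements do in PHP): the
    driver binds the value separately, so it is only ever compared as data
    and the database, not the application, does the row selection."""
    sql = "SELECT name FROM api_users WHERE api_key = ?"
    return sorted(row[0] for row in conn.execute(sql, (supplied_key,)))


def demo():
    """Run both lookups against a valid key and against the tautology probe."""
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "unsafe_valid": lookup_unsafe(conn, "k-1111"),
        "unsafe_probe": lookup_unsafe(conn, probe),   # returns every user
        "safe_valid": lookup_safe(conn, "k-1111"),
        "safe_probe": lookup_safe(conn, probe),       # matches nothing
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The unsafe variant turns the probe into `WHERE api_key = '' OR '1'='1'` and hands back every API user; the bound-parameter variant compares the same bytes literally and returns no rows, which is why pre-fetching all users into application code to "avoid" injection is the wrong fix.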
This is bad. Very very bad. You should not be rolling your own security unless you are an experienced cryptographer that has had his implementations peer-reviewed. Especially deriving it from some other bit of data is a big no-no - it only weakens your security.
:blah:
/me pings @soluslabs about the above post
@joepie91 Sounds like you need to update your resume and give them a ring
A paid, proprietary and closed-source, ioncube-encoded panel with seemingly horrible code practices is the last thing I would want to work on.
EDIT: With probably a non-competition clause thrown in for good measure.
Just a quick reminder on SolusVM's recent security history:
http://safeornot.net/advisories/solusvm-01
http://safeornot.net/advisories/solusvm-02
@joepie91 I did some research on their procedures for generating the random install keys and such - seems they are using perl for this, for example:
Perl internally seeds its rand() function via /dev/urandom; unfortunately it only reads 4 bytes of data from there, so it's a maximum of 32 bits of randomness. Still not too bad, at least they are not using time() for seeding, which would make it easily predictable.
It seems odd though that if this affected about 1000 VPSs there are not many "WTF, why is my VPS down" or "OMG, CVPS sucks" type threads or customers posting on those that have been created.
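To make the 32-bit seeding point concrete, here is an added example that is not part of this thread and does not reproduce SolusVM's or Perl's actual generator: Python's `random.Random` stands in for a PRNG seeded with a single 4-byte value, and the seed value itself is constructed. It shows that a key derived from such a generator is fully determined by the seed, so the number of distinct keys is capped by the seed width however long the key is, and contrasts that with taking key material directly from the OS CSPRNG via `secrets`.

```python
import random
import secrets


def key_from_seeded_prng(seed: int, nbytes: int = 16) -> str:
    """Model of a key derived from a PRNG seeded with a small value.
    Assumption: Python's Mersenne Twister stands in for Perl's rand();
    the generator differs, but the dependence on the seed is the same."""
    rng = random.Random(seed)          # deterministic once the seed is known
    return rng.randbytes(nbytes).hex()


def effective_keyspace_bits(entropy_bytes: int, key_bytes: int) -> int:
    """Upper bound on distinct keys: a generator cannot produce more outputs
    than it has seeds, so 4 seed bytes cap any derived key at 2**32 values,
    whatever its printed length."""
    return min(entropy_bytes * 8, key_bytes * 8)


def api_key_from_csprng(nbytes: int = 16) -> str:
    """Take the key material straight from the OS CSPRNG instead of
    stretching a small seed through a PRNG."""
    return secrets.token_hex(nbytes)


def demo():
    """Compare the seeded-PRNG derivation with direct CSPRNG output."""
    seed = 0x2A2A2A2A  # constructed value standing in for 4 bytes of /dev/urandom
    return {
        "same_seed_same_key": key_from_seeded_prng(seed) == key_from_seeded_prng(seed),
        "derived_key_hex_len": len(key_from_seeded_prng(seed)),
        "derived_keyspace_bits": effective_keyspace_bits(4, 16),
        "csprng_keyspace_bits": effective_keyspace_bits(16, 16),
        "csprng_keys_differ": api_key_from_csprng() != api_key_from_csprng(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The derived key prints as 32 hex characters (128 bits of apparent width) yet can take only 2**32 values, while `secrets.token_hex(16)` gives a genuine 128-bit keyspace; the fix is to draw the install and API keys from the CSPRNG directly rather than from anything a 32-bit seed can reach.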
I know not every customer will visit WHT or LET but I was expecting to see more upset folks about.
1000 VPS across 10 nodes. Big nodes?
Maybe because it is not 24 hours yet and a lot of folks are still either sleeping or busy with their job and do not have active monitoring....
Or because 99% of them are sitting idle.