  1. #1
    Join Date
    Jun 2005
    Location
    Lisbon - Portugal
    Posts
    168

    How to check if HyperVM is compromised

    I'm no expert on this, but I recently acquired a VPS, and only after activation did I see it was based on HyperVM.

    I don't know about (actually I didn't find anything on Google about) a fix to the recent hacks, so how can I check (versions, local machine tests, and so on) if the VPS may become compromised?


    Thank you,
    Rui
    Journalist of Tugaleaks, a Portuguese Wikileaks-inspired media organization.
    Geek with 15+ Years of VPS/Linux/cPanel experience.

    Twitter: @ruicruz

  2. #2
    Join Date
    Feb 2007
    Location
    Wadsworths, IL
    Posts
    231
    HyperVM is only a threat to you if the host you got it from becomes compromised. HyperVM is just a tool used once any hacker gets in. You have nothing to worry about right now. The thing you should be worried about is HyperVM going down.
    RomesBlog - Dividend Investing, Financial News, Personal Portfolio and More.
    X - Follow me on X.

  3. #3
    Join Date
    May 2009
    Location
    US
    Posts
    2,503
    Ask them for the HyperVM version, if it is 2.0.7992, it is safe from the vulnerabilities.

  4. #4
    Join Date
    May 2009
    Location
    Kansas City
    Posts
    62
    Even if HyperVM would go down, it will not bring down any VPS on that node. HyperVM is just a management interface. The VPS still run on OpenVZ or Xen.

  5. #5
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    As far as I know, it appears that it is safe, from what Ligesh told a staff member...

    http://forum.lxlabs.com/index.php?t=...960&#msg_67960

  6. #6
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    Quote Originally Posted by team-vps View Post
    Even if HyperVM would go down, it will not bring down any VPS on that node. HyperVM is just a management interface. The VPS still run on OpenVZ or Xen.
    Yes, it's just an interface that gives you the ability to do a lot of damage...

    1. Select all (Containers)
    2. Destroy

    You're done, and good luck trying to recover...

  7. #7
    Join Date
    May 2009
    Location
    Kansas City
    Posts
    62
    Quote Originally Posted by Matt - HostPenguin View Post
    Yes, it's just an interface that gives you the ability to do a lot of damage...

    1. Select all (Containers)
    2. Destroy

    You're done, and good luck trying to recover...
    And using that same rationale, what is the difference with any management interface then? cPanel, Plesk, Virtuozzo....

    They all allow you to do damage *if* the interface is compromised.

  8. #8
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    Quote Originally Posted by team-vps View Post
    And using that same rationale, what is the difference with any management interface then? cPanel, Plesk, Virtuozzo....

    They all allow you to do damage *if* the interface is compromised.
    As this topic is related to the current vulnerabilities of HyperVM, my response is 100% warranted. The difference with those other management panels is that they don't currently have any publicly announced vulnerabilities, and if there is one the developer can quickly fix it.

    So for you stating that HyperVM is just an interface, in a topic related to its vulnerabilities, and won't damage/stop a container: you would be incorrect in this situation. The GUI is a very powerful tool regardless of whether it has vulnerabilities or not.

  9. #9
    Join Date
    Feb 2007
    Location
    Wadsworths, IL
    Posts
    231
    It's up to the host to keep security tight... if the host becomes compromised, you're compromised... cPanel, Plesk, etc. rely on the host for security measures, as the software already is sound and pretty well protected.
    RomesBlog - Dividend Investing, Financial News, Personal Portfolio and More.
    X - Follow me on X.

  10. #10
    Join Date
    Oct 2005
    Location
    Six Degrees From You
    Posts
    1,079
    Quote Originally Posted by Matt - HostPenguin View Post
    As far as I know, it appears that it is safe, from what Ligesh told a staff member...

    http://forum.lxlabs.com/index.php?t=...960&#msg_67960
    This might be an odd question but how can Ligesh say that the current version is safe when he's been dead for the past week?

    Or did I dream that?

  11. #11
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    Quote Originally Posted by romes View Post
    It's up to the host to keep security tight... if the host becomes compromised, you're compromised... cPanel, Plesk, etc. rely on the host for security measures, as the software already is sound and pretty well protected.
    Yes, it's of course up to the host to take proper security steps to protect their assets. If they or someone notices a security issue in one of those panels, then they should of course contact the developer. The issue with HyperVM is that no one really knows if the current issues have really been fixed, and the only person who can work on the script does not even have full access to it...

    I would have to say, at the moment, to at least disable HyperVM for at least one month until the whole situation is more understandable. Security should be taken seriously and people need to be proactive!

  12. #12
    Join Date
    Feb 2007
    Location
    Wadsworths, IL
    Posts
    231
    Quote Originally Posted by Matt - HostPenguin View Post
    Yes, it's of course up to the host to take proper security steps to protect their assets. If they or someone notices a security issue in one of those panels, then they should of course contact the developer. The issue with HyperVM is that no one really knows if the current issues have really been fixed, and the only person who can work on the script does not even have full access to it...

    I would have to say, at the moment, to at least disable HyperVM for at least one month until the whole situation is more understandable. Security should be taken seriously and people need to be proactive!

    Well said.
    RomesBlog - Dividend Investing, Financial News, Personal Portfolio and More.
    X - Follow me on X.

  13. #13
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    Quote Originally Posted by DephNet[Paul] View Post
    This might be an odd question but how can Ligesh say that the current version is safe when he's been dead for the past week?

    Or did I dream that?
    I am not sure exactly, but what I'm guessing is that before he committed suicide he told the staff member that it was fixed. I also remember reading a message from either this staff member or another who stated "not to use either HyperVM or Kloxo as it was unsafe".

    So who knows really...

  14. #14
    Join Date
    Mar 2009
    Posts
    2,222
    Quote Originally Posted by HL-Adam View Post
    Ask them for the HyperVM version, if it is 2.0.7992, it is safe from the vulnerabilities.
    Well, according to this, 2.0.7992 is vulnerable.

    http://www.securityactive.co.uk/

    'A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.

    'Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers were able to gain root access to the company's system, Rus Foster, the company's director told The Register. He said the attackers were able to penetrate his servers by exploiting a critical vulnerability in HyperVM, a virtualization application made by a company called LXLabs.

    '"We were hit by a zero-day exploit" in version 2.0.7992 of the application, he said. "I've heard from other people they've been hit by the same thing." ...'

  15. #15
    Join Date
    Oct 2005
    Location
    Six Degrees From You
    Posts
    1,079
    Quote Originally Posted by tim2718281 View Post
    Well, according to this, 2.0.7992 is vulnerable.

    http://www.securityactive.co.uk/

    'A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.

    'Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers were able to gain root access to the company's system, Rus Foster, the company's director told The Register. He said the attackers were able to penetrate his servers by exploiting a critical vulnerability in HyperVM, a virtualization application made by a company called LXLabs.

    '"We were hit by a zero-day exploit" in version 2.0.7992 of the application, he said. "I've heard from other people they've been hit by the same thing." ...'
    No they were not, they were hit because of Rus' insecure set up.

    I mean, even a monkey knows not to keep direct root SSH access open, and to have a more secure password than "f0ster".

  16. #16
    Join Date
    May 2009
    Location
    US
    Posts
    2,503
    Quote Originally Posted by DephNet[Paul] View Post
    No they were not, they were hit because of Rus' insecure set up.

    I mean, even a monkey knows not to keep direct root SSH access open, and to have a more secure password than "f0ster".
    Correct, vaserv did not get hacked from the HyperVM, as 2.0.7992 is patched.

  17. #17
    Join Date
    Mar 2009
    Posts
    3,816
    Quote Originally Posted by HL-Adam View Post
    Correct, vaserv did not get hacked from the HyperVM, as 2.0.7992 is patched.
    You're going by the word of a random untrusted person who pasted a .txt with stuff available completely from public info.

  18. #18
    Join Date
    Mar 2009
    Posts
    2,222
    Quote Originally Posted by HL-Adam View Post
    Correct, vaserv did not get hacked from the HyperVM, as 2.0.7992 is patched.
    What makes you think that?

  19. #19
    Join Date
    Oct 2005
    Location
    Six Degrees From You
    Posts
    1,079
    Quote Originally Posted by quantumphysics View Post
    You're going by the word of a random untrusted person who pasted a .txt with stuff available completely from public info.
    I used to do some work for VAServ, and so I have a small insight into Rus' setup.

    Also, if there were more 0days in HyperVM, why have no other hosts been compromised?

  20. #20
    Join Date
    Feb 2007
    Location
    Wadsworths, IL
    Posts
    231
    vaserv was compromised due to their fault...HyperVM was not the reason of the failure. Blaming HyperVM is wrong, and the blame should be put on vaserv.
    RomesBlog - Dividend Investing, Financial News, Personal Portfolio and More.
    X - Follow me on X.

  21. #21
    Join Date
    Mar 2009
    Posts
    2,222
    Quote Originally Posted by romes View Post
    vaserv was compromised due to their fault...HyperVM was not the reason of the failure. Blaming HyperVM is wrong, and the blame should be put on vaserv.
    That's certainly what the hackers would like you to believe ("Trust us, keep using HyperVM, it's safe, it's a complete coincidence that providers were compromised shortly after all the security bugs in HyperVM were published.")

    But other providers have posted here that they have been compromised.

    Have you got a list from LxLabs saying which of the "Multiple security vulnerabilities" (their words) they fixed?

    Extracts from

    http://www.webhostingtalk.com/showthread.php?t=866960

    "Just got this email

    Quote:
    Dear Customers,

    Multiple security vulnerabilities were discovered in hyperVM and Lxadmin/Kloxo. It is recommended that you update your hyperVM/Kloxo systems to the latest version, as soon as possible.

    Details of the vulnerabilities will be posted in the coming days in our forum.

    On hyperVM or Kloxo master, Run:

    /script/upcp

    Lxlabs Support Team
    "

    ...

    " Spunkyasp
    WHT Addict

    Join Date: Sep 2008
    Location: New York City
    Posts: 143
    This happened to my system. 20 VPS' were deleted."

    ...

    " John-EarthVps
    Temporarily Suspended

    Join Date: May 2009
    Location: New Jersey
    Posts: 8
    server was compromised
    Today our VPS server was compromised due to the security vulnerabilities that were discovered in hyperVM and Lxadmin/Kloxo.

    The person who compromised our server was using a server from SoftLayer, and we contacted SoftLayer and gave them the logs, and they refuse to do anything about it. Here is the IP "208.43.228.75" that the person used to compromise the server."

    ...

    " TonyB
    Premium Member

    Join Date: Aug 2004
    Location: Canada
    Posts: 2,014
    Quote:
    Originally Posted by John-EarthVps View Post
    We did; they took care of it, their server was compromised also.

    Not exactly, none of our servers were compromised, but a specific VPS we host was.

    A specific customer was compromised who was running Kloxo. I don't know if it was this topic or not, but the actual malicious user did a rm -fr on the entire VPS, wiping it clean before we could even login to it."

    ...

    " Kody
    Premium Member

    Join Date: Aug 2007
    Location: Cincinnati, Ohio
    Posts: 625
    Thanks for that, let's hope the patch provided via LXLABS works this time.

    ~Kody"

    ...

    "
    May 10th:
    Posted by Viz0n
    Quote:
    Anyway, for those who do not know already, I've been hosting h4cky0u on a VPS as a temporary thing, and yesterday they got hacked in a very secure environment. I have narrowed the hack to an 0day in HyperVM.

    BASIC SETUP:
    - uploading disabled (PHP)
    - chroot environment (no access to system binaries, perl, etc.)
    - heck load of php functions disabled
    - no ftp, sendmail etc.; only had HTTPD running

    I found a shell chown'd as root:root which does not happen unless you upload via root or from a GUI/Panel like HyperVM. When I attempted to log into HyperVM, I noticed that the password was changed and noticed a lot of strange IPs had accessed the system.

    I've not had the chance to document this hack completely, but I am pretty damn sure that the hack did start from the HyperVM panel. "

    ...

    "
    Last edited by tim2718281; 06-14-2009 at 04:08 PM.

  22. #22
    Join Date
    May 2009
    Location
    US
    Posts
    2,503
    Quote Originally Posted by quantumphysics View Post
    You're going by the word of a random untrusted person who pasted a .txt with stuff available completely from public info.
    Quote Originally Posted by tim2718281 View Post
    What makes you think that?
    Nope, several people at WebHostingTalk tested the latest version, 2.0.7992, to see if the 24 exploits would work, and they have said that they do not work.

    Read this thread for more information on that: http://www.webhostingtalk.com/showth...67#post6231167

  23. #23
    Join Date
    Feb 2006
    Posts
    1,107
    Quote Originally Posted by HL-Adam View Post
    Nope, several people at WebHostingTalk tested the latest version, 2.0.7992, to see if the 24 exploits would work, and they have said that they do not work.

    Read this thread for more information on that: http://www.webhostingtalk.com/showth...67#post6231167
    And that means anything how?

    Do you honestly think that there were only 24? That there aren't 0days that haven't been released?

    With those kinds of simple things, no error checking, no anything checking, no sanitizing, you can expect to see a hell of a lot more.
    semi-retired

  24. #24
    Join Date
    Oct 2005
    Location
    Six Degrees From You
    Posts
    1,079
    Enough to delete all VPS's on over 200 separate servers pretty much instantly?

    Come on, if you think that the only reason VAServ was compromised was because of HyperVM then seriously you need to re-evaluate things.

    I am not saying that there are no exploits in HyperVM, I AM saying that there are other factors; the reuse of insecure passwords and direct root SSH access are two.
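    As an added example (not posted by anyone in this thread), here are two checks a VPS owner can run for the indicators discussed above: Viz0n's root-owned shell sitting in a docroot that only the web user should write to (post #21), and the direct root SSH access named in post #24. The docroot path, web user name and sshd_config location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: defender-side checks for the two
# indicators posters describe. Paths and user names here are assumptions.

# Print regular files under DIR that are NOT owned by EXPECTED_USER, sorted.
# In a locked-down site where only the web user writes, a root-owned file
# in the docroot is the anomaly worth investigating. EXPECTED_USER must exist.
unexpected_owner_files() {
    dir=$1
    expected=$2
    find "$dir" -type f ! -user "$expected" 2>/dev/null | sort
}

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd honours the first matching directive; lines starting with '#' are
# comments. Prints "unset" when no directive is present (sshd default applies).
# Simplification: Match blocks are not handled.
permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Demo on constructed input: a temporary docroot and a constructed sshd_config.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www"
    : > "$tmp/www/index.php"
    printf 'Port 22\nPermitRootLogin yes\n' > "$tmp/sshd_config"
    echo "files under $tmp/www not owned by $(id -un):"
    unexpected_owner_files "$tmp/www" "$(id -un)"   # prints nothing here
    echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
    rm -rf "$tmp"
}

demo
```

    On a real node, run the first check as `unexpected_owner_files /var/www www-data` (assumed paths) and the second against `/etc/ssh/sshd_config`.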

  25. #25
    Join Date
    Mar 2009
    Posts
    2,222
    Quote Originally Posted by DephNet[Paul] View Post
    I am not saying that there are no exploits in HyperVM ...
    But that's the question being asked: is it safe to use HyperVM?

    The answer seems to be "no":

    There is no clear statement from the vendor of what were the "multiple exposures" they admitted existed; nor is there a list of releases they made during a period of a couple of days, with info on what they think they fixed in each of those releases.

    So - maybe it's OK now, maybe it isn't; how can anyone be sure it's safe?
