Latest Hack of Serv-U - Any News from SW?

Latest Hack of Serv-U - Any News from SW on the versions, extent, patches, and possible threat evaluation/detection*

*How do we know if we've been hacked unless a hacker tells me?

Yes, today, in case anyone hasn't seen, an earlier-this-year version of Serv-U is reported hacked.

  • It looks like this relates to a hack of someone using the old 15.2.3 HF1, which was patched by Solarwinds a while back (HF2). I don't think it's a new vulnerability, but an article about an old one?

    Here is the excerpt from the previous hotfix for this..

    SolarWinds® Serv-U® HotFix 2

    This SolarWinds hot fix addresses the following functionality issue:
    * Unauthenticated Remote Code Execution in SSH protocol

  • calc2014, thanks for the re-post of the link originally provided; those details are understood

    the question is...

    *How do we know if we've been hacked unless a hacker tells me?

    In the article they didn't pay, which means there was an ask/notice from the hacker(s), so how would we know if we've been hacked ahead of time; and in the past this was directed to our AV vendor, but I'm not sure there shouldn't be some component w/in Serv-U to thwart intrusion.

    Expanding further, if a file arrives in a Serv-U folder, is there a way w/in Serv-U (by API or other) to document that the file arrived and that, when it leaves, it has not been altered?

  • Hi - that would be the same for any software that has had a zero-day vulnerability. If you contact Solarwinds support they will assist you with logs etc to assess this for you.

    Not limited to Serv-U, if you wanted to check any file is what you expected when downloading from the internet, you could do a hash check on the file before & after upload/download to ensure it is an exact match. An example of that in PowerShell can be found here, however it would not be a function of a SFTP Server to do this as you may want to also ensure it has not been changed in transit, like the days of standard unencrypted HTTP.
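As an added illustration of the "hash check before & after" approach from the reply above, and of the earlier question about documenting that a file arrived and left unaltered, here is a PowerShell example. It is not from the thread, not SolarWinds code, and not a Serv-U feature: it records a SHA-256 manifest for everything in a drop folder and later compares the folder against that manifest. The folder and manifest paths are assumptions; in practice the manifest should be written somewhere the transfer account cannot modify, otherwise whoever can alter the file can alter the record too.

```powershell
# Added example (not from the original thread or from SolarWinds). Paths are assumptions.
# Records a SHA-256 manifest of a drop folder on arrival and verifies it before release.

function New-ArrivalManifest {
    param(
        [Parameter(Mandatory)] [string] $Folder,        # assumed Serv-U drop/home folder
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV kept outside the drop folder
    )
    $root = (Resolve-Path -LiteralPath $Folder).Path
    # One record per file: relative path, size, SHA-256 and the UTC time it was recorded.
    $records = @(Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            RecordedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        }
    })
    $records | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    return $records
}

function Test-ArrivalManifest {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $Folder).Path
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $known    = @($expected.RelativePath)

    $results = @(
        # Every recorded file must still exist and still hash to the recorded value.
        foreach ($rec in $expected) {
            $full = Join-Path $root $rec.RelativePath
            if (-not (Test-Path -LiteralPath $full)) {
                [pscustomobject]@{ RelativePath = $rec.RelativePath; Status = 'MISSING' }
                continue
            }
            $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            [pscustomobject]@{
                RelativePath = $rec.RelativePath
                Status       = if ($actual -eq $rec.Sha256) { 'OK' } else { 'MODIFIED' }
            }
        }
        # Files present now but absent from the manifest appeared after the snapshot.
        Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            if ($known -notcontains $rel) {
                [pscustomobject]@{ RelativePath = $rel; Status = 'UNEXPECTED' }
            }
        }
    )
    return $results
}

# --- Demonstration on constructed sample data in a temporary folder ---
$demo     = Join-Path ([IO.Path]::GetTempPath()) ('servu-demo-' + [guid]::NewGuid())
$manifest = Join-Path ([IO.Path]::GetTempPath()) ('servu-demo-' + [guid]::NewGuid() + '.csv')
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'invoice.csv') -Value 'id,amount' 
Set-Content -LiteralPath (Join-Path $demo 'report.txt')  -Value 'quarterly report'

New-ArrivalManifest -Folder $demo -ManifestPath $manifest | Out-Null

# Simulate what a verification run should catch: one file changed, one new file dropped in.
Add-Content -LiteralPath (Join-Path $demo 'invoice.csv') -Value '42,9999'
Set-Content -LiteralPath (Join-Path $demo 'extra.bin') -Value 'not in manifest'

Test-ArrivalManifest -Folder $demo -ManifestPath $manifest | Format-Table -AutoSize
# Expected statuses: invoice.csv MODIFIED, report.txt OK, extra.bin UNEXPECTED

Remove-Item -LiteralPath $demo -Recurse -Force
Remove-Item -LiteralPath $manifest -Force
```

Run the manifest step from a scheduled task or the same hook that processes new uploads, and the test step just before a file is handed downstream; anything other than `OK` is worth an alert. This confirms integrity between two points you control, which is the limit the reply above points out: it says nothing about what happened in transit before the file reached the server.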