
Latest Hack of Serv-U - Any News from SW?

Latest Hack of Serv-U - Any News from SW on the versions, extent, patches, and possible threat evaluation/detection*

*How do we know if we've been hacked unless a hacker tells me?

Yes, today, in case anyone hasn't seen it: a version of Serv-U from earlier this year is reported hacked
https://www.theregister.com/2021/11/10/stor_a_file_ransomware_attack_solarwinds_serv_u/#:~:text=Stor%2Da%2DFile%2C%20a,that%20it%20refused%20to%20pay

  • It looks like this relates to a hack of someone using the old 15.2.3 HF1, which was patched by Solarwinds a while back (HF2). I don't think it's a new vulnerability, but an article about an old one?

    Here is the excerpt from the previous hotfix for this:

    =======================================
    SolarWinds® Serv-U® 15.2.3.742 HotFix 2
    =======================================

    This SolarWinds hot fix addresses the following functionality issue:
    * Unauthenticated Remote Code Execution in SSH protocol

  • calc2014, thanks for the re-post of the link originally provided; those details are understood

    the question is...

    *How do we know if we've been hacked unless a hacker tells me?

    In the article they didn't pay, which means there was an ask/notice from the hacker(s), so how would we know if we've been hacked ahead of time? In the past this was directed to our AV vendor, but I'm not sure there shouldn't be some component w/in Serv-U to thwart intrusion.

    Expanding further, if a file arrives in a Serv-U folder, is there a way w/in Serv-U (by api or other) to document that the file arrived and that, when it leaves, it has not been altered?

  • Hi - that would be the same for any software that has had a zero-day vulnerability. If you contact Solarwinds support they will assist you with logs etc to assess this for you.

    Not limited to Serv-U, if you wanted to check any file is what you expected when downloading from the internet, you could do a hash check on the file before & after upload/download to ensure it is an exact match. An example of that in PowerShell can be found here; however, it would not be a function of an SFTP server to do this, as you may want to also ensure it has not been changed in transit, like the days of standard unencrypted HTTP.
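The before/after hash check described above, applied to the earlier question about documenting that a file arrived in a Serv-U folder and left unaltered, as an added example (not Serv-U, SolarWinds or the poster's own code): one function records SHA-256 hashes of everything in a folder into a manifest, a second compares the folder against that manifest later. The folder and manifest paths are placeholders.

```powershell
# Added example, not part of Serv-U. Record a SHA-256 manifest for a folder when
# files arrive, then verify the folder against it before the files leave.
# Keep the manifest outside the folder Serv-U users can write to, otherwise
# whoever can alter the files can alter the manifest as well.

function New-FileManifest {
    param([Parameter(Mandatory)][string]$Folder,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $Folder).Path.TrimEnd('\')
    $entries = Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
            RecordedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    $entries | ConvertTo-Json -Depth 3 | Set-Content -Path $ManifestPath -Encoding UTF8
    return $entries
}

function Test-FileManifest {
    param([Parameter(Mandatory)][string]$Folder,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root     = (Resolve-Path $Folder).Path.TrimEnd('\')
    $recorded = @(Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json)
    $current  = @{}
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        $current[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($e in $recorded) {
        $state = if (-not $current.ContainsKey($e.RelativePath)) { 'Missing' }
                 elseif ($current[$e.RelativePath] -ne $e.Sha256) { 'Altered' }
                 else { 'Unchanged' }
        $results.Add([pscustomobject]@{ RelativePath = $e.RelativePath; State = $state })
    }
    # Files that appeared after the manifest was taken are worth a look too.
    $known = @($recorded | ForEach-Object { $_.RelativePath })
    foreach ($k in $current.Keys) {
        if ($k -notin $known) {
            $results.Add([pscustomobject]@{ RelativePath = $k; State = 'New' })
        }
    }
    return $results
}

# Usage with placeholder paths: record on arrival, verify before release.
# New-FileManifest  -Folder 'C:\ServU\Inbound' -ManifestPath 'C:\ServU-Audit\inbound.json'
# Test-FileManifest -Folder 'C:\ServU\Inbound' -ManifestPath 'C:\ServU-Audit\inbound.json' |
#     Where-Object State -ne 'Unchanged'
```

Anything reported as Altered, Missing or New between the two runs is the change you would otherwise only learn about from the attacker's note; the manifest itself is the record that the file arrived and when.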