Posted to users@cloudstack.apache.org by rv...@livelens.net.INVALID on 2020/11/22 08:35:12 UTC

Brute force SSH trojan

Hi Community!

Congratulations to the new committers.

One VM in a test environment was infected by a brute force SSH trojan. 

The OS is debian-9, the template from openvm.eu.

It had only SSH (22) and iperf (5001) services running and reachable from anywhere. 

I believe this article is related because of the tar file (dota3.tar.gz) that I found on the system:

https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/

I have a snapshot of the ROOT volume in case anybody is interested to review it.

I suspect they got in via SSH, but I wonder how, as only one KEY was set up (no password). I am trying to find out more information.

Has anybody experienced this?

Regards,
Rafael

Re: Brute force SSH trojan

Posted by Hean Seng <he...@gmail.com>.
Maybe do not just assume, you need to check on it.

On Mon, Nov 23, 2020 at 1:00 AM <rv...@privaz.io.invalid> wrote:

> Hi!
>
> I don't know. I have to look into it.
>
> I did setup my template to use SSH key, and disabled password (when
> importing the template in ACS). I assumed that password auth would be
> disabled and only available via that SSH key.
>
> I have to look into this and check if that is happening or not. I guess
> this should be either in cloud-init or in the template itself.
>
> I will look into it this week.
>
> Rafael
> On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> > Hi
> >
> > You did not change the password, and all using the default password ?
> >
> > On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> >
> > > Hi Community!
> > >
> > > Congratulations to the new committers.
> > >
> > > One VM in a test environment was infected by a brute force SSH trojan.
> > >
> > > The OS is debian-9 , the template from openvm.eu
> > >
> > > It had only SSH (22) and iperf (5001) services running and reachable
> from
> > > anywhere.
> > >
> > > I believe this article is related because of the tar file
> (dota3.tar.gz)
> > > that I found on the system:
> > >
> > >
> https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > I have a snapshot of the ROOT volume in case anybody is interested to
> > > review it.
> > >
> > > I suspect they got in via SSH, but I wonder how as only one KEY was
> setup
> > > (no password). I am trying to find out more information.
> > >
> > > Has anybody experienced this ?
> > >
> > > Regards,
> > > Rafael
> > >
> >
> >
> > --
> > Regards,
> > Hean Seng
> >



-- 
Regards,
Hean Seng

Re: Brute force SSH trojan

Posted by rv...@privaz.io.INVALID.
Hi!

I don't know. I have to look into it.

I did set up my template to use an SSH key, and disabled password (when importing the template in ACS). I assumed that password auth would be disabled and only available via that SSH key.

I have to look into this and check if that is happening or not. I guess this should be either in cloud-init or in the template itself.

I will look into it this week. 

Rafael
On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> Hi
> 
> You did not change the password, and all using the default password ?
> 
> On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> 
> > Hi Community!
> >
> > Congratulations to the new committers.
> >
> > One VM in a test environment was infected by a brute force SSH trojan.
> >
> > The OS is debian-9 , the template from openvm.eu
> >
> > It had only SSH (22) and iperf (5001) services running and reachable from
> > anywhere.
> >
> > I believe this article is related because of the tar file (dota3.tar.gz)
> > that I found on the system:
> >
> > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > I have a snapshot of the ROOT volume in case anybody is interested to
> > review it.
> >
> > I suspect they got in via SSH, but I wonder how as only one KEY was setup
> > (no password). I am trying to find out more information.
> >
> > Has anybody experienced this ?
> >
> > Regards,
> > Rafael
> >
> 
> 
> --
> Regards,
> Hean Seng
> 

Re: Brute force SSH trojan

Posted by rv...@privaz.io.INVALID.
Hi Ivan,

If there is a legitimate possibility for shipping templates with a password setup, then setting an SSH key as logon mechanism should imply that any existing password will be cleared.

Or perhaps if a template is ready to "accept" passwords from ACS then no password should be re-configured?



Rafael




On Mon, 2020-11-23 08:26 AM, Ivan Kudryavtsev <iv...@bw-sw.com> wrote:
> It must be configured upon the first boot, or as you have said,
> preconfigured. Our templates set password upon the first boot.
> 
> Mon, Nov 23, 2020, 14:20 <rv...@privaz.io.invalid>:
> 
> > Hi Ivan.
> >
> > I can imagine: If the template has the ability to re-set password, that
> > means, that there should not be any password pre-assigned, right?
> >
> > Which piece of code is responsible for password/key reset, is it
> > cloud-init? or is there any other involved part.
> >
> > I will try to workout a fix and report to the template owner.
> >
> > Regards,
> > Rafael
> >
> > On Mon, 2020-11-23 12:32 AM, Ivan Kudryavtsev <iv...@bw-sw.com> wrote:
> > > Hi. It looks like an improperly crafted template, not an ACS issue.
> > >
> > > Mon, Nov 23, 2020, 02:18 Rafael del Valle <rv...@livelens.net.invalid>:
> > >
> > > > Hi Hean,
> > > >
> > > > Mystery solved.
> > > >
> > > > The template comes with Password Enabled in SSH server. And debian user
> > > > has a default password: "password".
> > > >
> > > > Assigning the SSH key only added the key, without disabling any other
> > > > thing.
> > > >
> > > > Regards,
> > > > Rafael
> > > >
> > > >
> > > >
> > > >
> > > > On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> > > > > Hi
> > > > >
> > > > > You did not change the password, and all using the default password ?
> > > > >
> > > > > On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> > > > >
> > > > > > Hi Community!
> > > > > >
> > > > > > Congratulations to the new committers.
> > > > > >
> > > > > > One VM in a test environment was infected by a brute force SSH
> > trojan.
> > > > > >
> > > > > > The OS is debian-9 , the template from openvm.eu
> > > > > >
> > > > > > It had only SSH (22) and iperf (5001) services running and
> > reachable
> > > > from
> > > > > > anywhere.
> > > > > >
> > > > > > I believe this article is related because of the tar file
> > > > (dota3.tar.gz)
> > > > > > that I found on the system:
> > > > > >
> > > > > >
> > > >
> > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > > > > I have a snapshot of the ROOT volume in case anybody is interested
> > to
> > > > > > review it.
> > > > > >
> > > > > > I suspect they got in via SSH, but I wonder how as only one KEY was
> > > > setup
> > > > > > (no password). I am trying to find out more information.
> > > > > >
> > > > > > Has anybody experienced this ?
> > > > > >
> > > > > > Regards,
> > > > > > Rafael
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Hean Seng
> > > > >
> > >
> 

Re: Brute force SSH trojan

Posted by Ivan Kudryavtsev <iv...@bw-sw.com>.
It must be configured upon the first boot, or as you have said,
preconfigured. Our templates set password upon the first boot.

Mon, Nov 23, 2020, 14:20 <rv...@privaz.io.invalid>:

> Hi Ivan.
>
> I can imagine: If the template has the ability to re-set password, that
> means, that there should not be any password pre-assigned, right?
>
> Which piece of code is responsible for password/key reset, is it
> cloud-init? or is there any other involved part.
>
> I will try to workout a fix and report to the template owner.
>
> Regards,
> Rafael
>
> On Mon, 2020-11-23 12:32 AM, Ivan Kudryavtsev <iv...@bw-sw.com> wrote:
> > Hi. It looks like an improperly crafted template, not an ACS issue.
> >
> > Mon, Nov 23, 2020, 02:18 Rafael del Valle <rv...@livelens.net.invalid>:
> >
> > > Hi Hean,
> > >
> > > Mystery solved.
> > >
> > > The template comes with Password Enabled in SSH server. And debian user
> > > has a default password: "password".
> > >
> > > Assigning the SSH key only added the key, without disabling any other
> > > thing.
> > >
> > > Regards,
> > > Rafael
> > >
> > >
> > >
> > >
> > > On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> > > > Hi
> > > >
> > > > You did not change the password, and all using the default password ?
> > > >
> > > > On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> > > >
> > > > > Hi Community!
> > > > >
> > > > > Congratulations to the new committers.
> > > > >
> > > > > One VM in a test environment was infected by a brute force SSH
> trojan.
> > > > >
> > > > > The OS is debian-9 , the template from openvm.eu
> > > > >
> > > > > It had only SSH (22) and iperf (5001) services running and
> reachable
> > > from
> > > > > anywhere.
> > > > >
> > > > > I believe this article is related because of the tar file
> > > (dota3.tar.gz)
> > > > > that I found on the system:
> > > > >
> > > > >
> > >
> https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > > > I have a snapshot of the ROOT volume in case anybody is interested
> to
> > > > > review it.
> > > > >
> > > > > I suspect they got in via SSH, but I wonder how as only one KEY was
> > > setup
> > > > > (no password). I am trying to find out more information.
> > > > >
> > > > > Has anybody experienced this ?
> > > > >
> > > > > Regards,
> > > > > Rafael
> > > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > > Hean Seng
> > > >
> >

Re: Brute force SSH trojan

Posted by rv...@privaz.io.INVALID.
Hi Ivan.

I can imagine: If the template has the ability to re-set the password, that means that there should not be any password pre-assigned, right?

Which piece of code is responsible for password/key reset? Is it cloud-init, or is there any other part involved?

I will try to work out a fix and report to the template owner.

Regards,
Rafael

On Mon, 2020-11-23 12:32 AM, Ivan Kudryavtsev <iv...@bw-sw.com> wrote:
> Hi. It looks like an improperly crafted template, not an ACS issue.
> 
> Mon, Nov 23, 2020, 02:18 Rafael del Valle <rv...@livelens.net.invalid>:
> 
> > Hi Hean,
> >
> > Mystery solved.
> >
> > The template comes with Password Enabled in SSH server. And debian user
> > has a default password: "password".
> >
> > Assigning the SSH key only added the key, without disabling any other
> > thing.
> >
> > Regards,
> > Rafael
> >
> >
> >
> >
> > On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> > > Hi
> > >
> > > You did not change the password, and all using the default password ?
> > >
> > > On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> > >
> > > > Hi Community!
> > > >
> > > > Congratulations to the new committers.
> > > >
> > > > One VM in a test environment was infected by a brute force SSH trojan.
> > > >
> > > > The OS is debian-9 , the template from openvm.eu
> > > >
> > > > It had only SSH (22) and iperf (5001) services running and reachable
> > from
> > > > anywhere.
> > > >
> > > > I believe this article is related because of the tar file
> > (dota3.tar.gz)
> > > > that I found on the system:
> > > >
> > > >
> > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > > I have a snapshot of the ROOT volume in case anybody is interested to
> > > > review it.
> > > >
> > > > I suspect they got in via SSH, but I wonder how as only one KEY was
> > setup
> > > > (no password). I am trying to find out more information.
> > > >
> > > > Has anybody experienced this ?
> > > >
> > > > Regards,
> > > > Rafael
> > > >
> > >
> > >
> > > --
> > > Regards,
> > > Hean Seng
> > >
> 

Re: Brute force SSH trojan

Posted by Ivan Kudryavtsev <iv...@bw-sw.com>.
Hi. It looks like an improperly crafted template, not an ACS issue.

Mon, Nov 23, 2020, 02:18 Rafael del Valle <rv...@livelens.net.invalid>:

> Hi Hean,
>
> Mystery solved.
>
> The template comes with Password Enabled in SSH server. And debian user
> has a default password: "password".
>
> Assigning the SSH key only added the key, without disabling any other
> thing.
>
> Regards,
> Rafael
>
>
>
>
> On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> > Hi
> >
> > You did not change the password, and all using the default password ?
> >
> > On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> >
> > > Hi Community!
> > >
> > > Congratulations to the new committers.
> > >
> > > One VM in a test environment was infected by a brute force SSH trojan.
> > >
> > > The OS is debian-9 , the template from openvm.eu
> > >
> > > It had only SSH (22) and iperf (5001) services running and reachable
> from
> > > anywhere.
> > >
> > > I believe this article is related because of the tar file
> (dota3.tar.gz)
> > > that I found on the system:
> > >
> > >
> https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > I have a snapshot of the ROOT volume in case anybody is interested to
> > > review it.
> > >
> > > I suspect they got in via SSH, but I wonder how as only one KEY was
> setup
> > > (no password). I am trying to find out more information.
> > >
> > > Has anybody experienced this ?
> > >
> > > Regards,
> > > Rafael
> > >
> >
> >
> > --
> > Regards,
> > Hean Seng
> >

Re: Brute force SSH trojan

Posted by Rafael del Valle <rv...@livelens.net.INVALID>.
Hi Hean,

Mystery solved. 

The template comes with Password Enabled in the SSH server, and the debian user has a default password: "password".

Assigning the SSH key only added the key, without disabling anything else.

Regards,
Rafael




On Sun, 2020-11-22 03:38 PM, Hean Seng <he...@gmail.com> wrote:
> Hi
> 
> You did not change the password, and all using the default password ?
> 
> On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:
> 
> > Hi Community!
> >
> > Congratulations to the new committers.
> >
> > One VM in a test environment was infected by a brute force SSH trojan.
> >
> > The OS is debian-9 , the template from openvm.eu
> >
> > It had only SSH (22) and iperf (5001) services running and reachable from
> > anywhere.
> >
> > I believe this article is related because of the tar file (dota3.tar.gz)
> > that I found on the system:
> >
> > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > I have a snapshot of the ROOT volume in case anybody is interested to
> > review it.
> >
> > I suspect they got in via SSH, but I wonder how as only one KEY was setup
> > (no password). I am trying to find out more information.
> >
> > Has anybody experienced this ?
> >
> > Regards,
> > Rafael
> >
> 
> 
> --
> Regards,
> Hean Seng
> 
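An audit helper for the condition Rafael describes above, added here as an example and not part of the thread, of CloudStack, or of the openvm.eu template: it flags a template whose sshd still accepts passwords and whose "debian" account still carries a usable password, which is exactly what adding an SSH key leaves untouched. It assumes the `sshd -T` output and `/etc/shadow` contents are handed in as text (constructed samples below), so the same checks run against a mounted ROOT-volume snapshot.

```shell
#!/bin/sh
# Added audit helper (not from the thread): flags the two conditions that
# explained the compromise, sshd accepting passwords and the "debian" account
# carrying a usable password. Inputs are plain text, so the checks also work
# on files copied out of a mounted ROOT-volume snapshot.

# True (0) when the effective sshd config accepts passwords.
# $1: output of `sshd -T` (keywords are printed in lowercase).
sshd_accepts_passwords() {
    printf '%s\n' "$1" | grep -qE '^passwordauthentication[[:space:]]+yes$'
}

# True (0) when the account can log in with a password.
# $1: /etc/shadow contents, $2: account name.
user_has_password() {
    entry=$(printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print "found:" $2; exit }')
    case "$entry" in
        '')                    return 1 ;;  # account not present
        'found:!'*|'found:*'*) return 1 ;;  # locked ("!", "!$6$...") or no password ("*")
        *)                     return 0 ;;  # real hash, or empty field (no password asked)
    esac
}

# Runs both checks; returns 0 when the template is exposed like the one in the thread.
# $1: sshd -T output, $2: shadow contents, $3: account to inspect.
audit_template() {
    exposed=1
    if sshd_accepts_passwords "$1"; then
        echo "sshd: PasswordAuthentication yes (password logins accepted)"; exposed=0
    fi
    if user_has_password "$2" "$3"; then
        echo "account $3: usable password set (template default?)"; exposed=0
    fi
    return "$exposed"
}

# Constructed sample data mirroring the template described in the thread.
SAMPLE_SSHD_T='port 22
passwordauthentication yes
pubkeyauthentication yes'
SAMPLE_SHADOW='root:*:18500:0:99999:7:::
debian:$6$saltsalt$constructedhashvalue:18500:0:99999:7:::'
# The same template after `passwd -l debian` and a "PasswordAuthentication no" drop-in.
HARDENED_SSHD_T='port 22
passwordauthentication no
pubkeyauthentication yes'
HARDENED_SHADOW='root:*:18500:0:99999:7:::
debian:!$6$saltsalt$constructedhashvalue:18500:0:99999:7:::'
audit_template "$SAMPLE_SSHD_T" "$SAMPLE_SHADOW" debian   # reports both findings, exits 0
audit_template "$HARDENED_SSHD_T" "$HARDENED_SHADOW" debian || echo "hardened template: clean"
```

On a live Debian 9 guest the same checks read `sshd -T` and `/etc/shadow` directly; the hardened state is what the template should ship in when ACS is expected to inject only a key.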

Re: Brute force SSH trojan

Posted by Hean Seng <he...@gmail.com>.
Hi

You did not change the password, and all using the default password ?

On Sun, Nov 22, 2020 at 4:59 PM <rv...@livelens.net.invalid> wrote:

> Hi Community!
>
> Congratulations to the new committers.
>
> One VM in a test environment was infected by a brute force SSH trojan.
>
> The OS is debian-9 , the template from openvm.eu
>
> It had only SSH (22) and iperf (5001) services running and reachable from
> anywhere.
>
> I believe this article is related because of the tar file (dota3.tar.gz)
> that I found on the system:
>
> https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> I have a snapshot of the ROOT volume in case anybody is interested to
> review it.
>
> I suspect they got in via SSH, but I wonder how as only one KEY was setup
> (no password). I am trying to find out more information.
>
> Has anybody experienced this ?
>
> Regards,
> Rafael
>


-- 
Regards,
Hean Seng