Posted to users@cloudstack.apache.org by Antoine Boucher <an...@haltondc.com> on 2022/04/05 19:46:36 UTC

Unauthorized access to VR VM

Someone has externally gained access to one of our VR VMs and installed an application that tried to ssh to other IPs on the web.

The VR started to miss health checks about a day ago; looking at the VR's running processes we discovered that the process ksoftirqd was 95% busy. We killed the VR and discovered during our investigation from other systems that the VM was blasting the web trying to connect on port 22. Unfortunately, the VR has been deleted.

What could have happened? Any known security issues on the 4.16.1.0 VR template?

Regards,
Antoine

Re: Unauthorized access to VR VM

Posted by Rohit Yadav <ro...@shapeblue.com>.
Thanks for sharing and investigating, Antoine. As you've found, it was the guest VM and not the VR that got compromised. The VR can't be ssh'd into from the public network at all.

Regards.
________________________________
From: Antoine Boucher <an...@haltondc.com>
Sent: Wednesday, April 6, 2022 5:11:28 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: Re: Unauthorized access to VR VM

Thank you gents,

I just discovered that the customer was experimenting with the VR and left IP forwarding on port 22/22 to a VM created with the template with password=password!

Antoine Boucher
AntoineB@haltondc.com
[o] +1-226-505-9734
www.haltondc.com

“Data security made simple and affordable”

Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.

On Apr 5, 2022, at 18:33, ahmed jabbar <ah...@gmail.com> wrote:

Dear Antoine,
You can simply block inbound connections on your virtual router's public IPs
with any external firewall, and accept just outbound connections.
BR
Ahmed


On Tue, Apr 5, 2022 at 10:46 PM Antoine Boucher <an...@haltondc.com>
wrote:

> Someone has externally gained access to one of our VR VMs and installed an
> application that tried to ssh to other IPs on the web.
>
> The VR started to miss health checks about a day ago; looking at the VR's
> running processes we discovered that the process ksoftirqd was 95% busy. We
> killed the VR and discovered during our investigation from other systems
> that the VM was blasting the web trying to connect on port 22.
> Unfortunately, the VR has been deleted.
>
> What could have happened? Any known security issues on the 4.16.1.0 VR
> template?
>
> Regards,
> Antoine

Re: Unauthorized access to VR VM

Posted by Antoine Boucher <an...@haltondc.com>.
Thank you gents,

I just discovered that the customer was experimenting with the VR and left IP forwarding on port 22/22 to a VM created with the template with password=password!

Antoine Boucher
AntoineB@haltondc.com
[o] +1-226-505-9734
www.haltondc.com

“Data security made simple and affordable”


On Apr 5, 2022, at 18:33, ahmed jabbar <ah...@gmail.com> wrote:

Dear Antoine,
You can simply block inbound connections on your virtual router's public IPs
with any external firewall, and accept just outbound connections.
BR
Ahmed


On Tue, Apr 5, 2022 at 10:46 PM Antoine Boucher <an...@haltondc.com>
wrote:

> Someone has externally gained access to one of our VR VMs and installed an
> application that tried to ssh to other IPs on the web.
>
> The VR started to miss health checks about a day ago; looking at the VR's
> running processes we discovered that the process ksoftirqd was 95% busy. We
> killed the VR and discovered during our investigation from other systems
> that the VM was blasting the web trying to connect on port 22.
> Unfortunately, the VR has been deleted.
>
> What could have happened? Any known security issues on the 4.16.1.0 VR
> template?
>
> Regards,
> Antoine
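
The root cause Antoine found above (a port-forwarding rule exposing SSH on a VR public IP to a guest VM with a default password) is the kind of thing worth checking for across every network, not just after an incident. The following audit script is an added example, not code from this thread or from the CloudStack project. It parses the JSON shape of the CloudStack listPortForwardingRules API response as I know it (a listportforwardingrulesresponse envelope wrapping a portforwardingrule list with publicport, privateport, ipaddress, virtualmachinename and cidrlist fields); treat those field names as assumptions and verify them against your CloudStack version. The sample response embedded below is constructed, not captured from a real deployment.

```python
"""Audit CloudStack port-forwarding rules for publicly reachable SSH.

Added example, not code from the mailing-list thread or from the CloudStack
project. It parses the JSON shape of the CloudStack ``listPortForwardingRules``
API response as I know it (``listportforwardingrulesresponse`` wrapping a
``portforwardingrule`` list with ``publicport``, ``privateport``, ``ipaddress``,
``virtualmachinename``, ``cidrlist``); treat the field names as assumptions
and verify them against your CloudStack version. The sample response below is
constructed, not captured from a real deployment.
"""
import json
from dataclasses import dataclass

# Private-side ports whose exposure through a VR public IP deserves review.
# The private port is what actually matters: a 2222 -> 22 forward still
# exposes SSH to the internet.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

# Constructed sample in the assumed listPortForwardingRules response shape.
SAMPLE_RESPONSE = json.dumps({
    "listportforwardingrulesresponse": {
        "count": 3,
        "portforwardingrule": [
            {"id": "pf-1", "protocol": "tcp", "publicport": "22", "publicendport": "22",
             "privateport": "22", "privateendport": "22", "ipaddress": "203.0.113.10",
             "virtualmachinename": "customer-test-vm", "state": "Active", "cidrlist": ""},
            {"id": "pf-2", "protocol": "tcp", "publicport": "443", "publicendport": "443",
             "privateport": "443", "privateendport": "443", "ipaddress": "203.0.113.10",
             "virtualmachinename": "web-01", "state": "Active", "cidrlist": ""},
            {"id": "pf-3", "protocol": "tcp", "publicport": "2222", "publicendport": "2222",
             "privateport": "22", "privateendport": "22", "ipaddress": "203.0.113.11",
             "virtualmachinename": "bastion", "state": "Active",
             "cidrlist": "198.51.100.0/24"},
        ],
    }
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    public_ip: str
    public_port: int
    private_port: int
    vm: str
    service: str
    source_restricted: bool  # True when the rule carries a non-empty cidrlist


def parse_rules(payload: str) -> list[dict]:
    """Unwrap the API envelope and return the list of rule dicts."""
    body = json.loads(payload)
    return body.get("listportforwardingrulesresponse", {}).get("portforwardingrule", [])


def _port_range(rule: dict, start_key: str, end_key: str) -> range:
    """CloudStack reports ports as strings; the end port may be absent."""
    start = int(rule[start_key])
    end = int(rule.get(end_key) or start)
    return range(start, end + 1)


def audit_rules(rules: list[dict]) -> list[Finding]:
    """Flag active TCP forwards whose private port is a sensitive service."""
    findings: list[Finding] = []
    for rule in rules:
        if str(rule.get("state", "Active")).lower() != "active":
            continue
        if str(rule.get("protocol", "tcp")).lower() != "tcp":
            continue
        public = _port_range(rule, "publicport", "publicendport")
        private = _port_range(rule, "privateport", "privateendport")
        # Public and private ranges map onto each other position by position.
        for public_port, private_port in zip(public, private):
            service = SENSITIVE_PORTS.get(private_port)
            if service is None:
                continue
            findings.append(Finding(
                rule_id=str(rule.get("id", "?")),
                public_ip=str(rule.get("ipaddress", "?")),
                public_port=public_port,
                private_port=private_port,
                vm=str(rule.get("virtualmachinename", "?")),
                service=service,
                source_restricted=bool(str(rule.get("cidrlist", "")).strip()),
            ))
    return findings


def unrestricted(findings: list[Finding]) -> list[Finding]:
    """The subset reachable from any source address: the ones to fix first."""
    return [f for f in findings if not f.source_restricted]


if __name__ == "__main__":
    found = audit_rules(parse_rules(SAMPLE_RESPONSE))
    for f in found:
        scope = "restricted by cidrlist" if f.source_restricted else "OPEN TO ANY SOURCE"
        print(f"{f.rule_id}: {f.public_ip}:{f.public_port} -> {f.vm}:{f.private_port}"
              f" ({f.service}, {scope})")
```

On the constructed sample the script reports pf-1 (22 -> 22 to customer-test-vm, open to any source) and pf-3 (2222 -> 22 to bastion, restricted by cidrlist); pf-2 is plain HTTPS and is ignored. In practice you would feed it the JSON saved from a listPortForwardingRules call for each account or network, and treat every unrestricted SSH finding as a prompt to confirm the target VM is not still running template default credentials.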

Re: Unauthorized access to VR VM

Posted by ahmed jabbar <ah...@gmail.com>.
Dear Antoine,
You can simply block inbound connections on your virtual router's public IPs
with any external firewall, and accept just outbound connections.
BR
Ahmed


On Tue, Apr 5, 2022 at 10:46 PM Antoine Boucher <an...@haltondc.com>
wrote:

> Someone has externally gained access to one of our VR VMs and installed an
> application that tried to ssh to other IPs on the web.
>
> The VR started to miss health checks about a day ago; looking at the VR's
> running processes we discovered that the process ksoftirqd was 95% busy. We
> killed the VR and discovered during our investigation from other systems
> that the VM was blasting the web trying to connect on port 22.
> Unfortunately, the VR has been deleted.
>
> What could have happened? Any known security issues on the 4.16.1.0 VR
> template?
>
> Regards,
> Antoine

Re: Unauthorized access to VR VM

Posted by Ricardo Pertuz <ri...@kuasar.co>.
From what I know, the only services exposed by default on a VR's public interface are HAProxy and IKE, so maybe something there.

BR,

Ricardo
________________________________
From: Antoine Boucher <an...@haltondc.com>
Sent: Tuesday, April 5, 2022 2:46:36 PM
To: users <us...@cloudstack.apache.org>
Subject: Unauthorized access to VR VM

Someone has externally gained access to one of our VR VMs and installed an application that tried to ssh to other IPs on the web.

The VR started to miss health checks about a day ago; looking at the VR's running processes we discovered that the process ksoftirqd was 95% busy. We killed the VR and discovered during our investigation from other systems that the VM was blasting the web trying to connect on port 22. Unfortunately, the VR has been deleted.

What could have happened? Any known security issues on the 4.16.1.0 VR template?

Regards,
Antoine