Hi!
I don't know. I have to look into it.
I did set up my template to use an SSH key, and disabled password (when importing the template
in ACS). I assumed that password auth would be disabled and only available via that SSH key.
I have to look into this and check if that is happening or not. I guess this should be either
in cloud-init or in the template itself.
I will look into it this week.
Rafael
On Sun, 2020-11-22 03:38 PM, Hean Seng <heanseng@gmail.com> wrote:
> Hi
>
> You did not change the password, and all using the default password?
>
> On Sun, Nov 22, 2020 at 4:59 PM <rvalle@livelens.net.invalid>
> wrote:
>
> > Hi Community!
> >
> > Congratulations to the new committers.
> >
> > One VM in a test environment was infected by a brute force SSH trojan.
> >
> > The OS is debian-9, the template from openvm.eu
> >
> > It had only SSH (22) and iperf (5001) services running and reachable from
> > anywhere.
> >
> > I believe this article is related because of the tar file (dota3.tar.gz)
> > that I found on the system:
> >
> > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> >
> > I have a snapshot of the ROOT volume in case anybody is interested to
> > review it.
> >
> > I suspect they got in via SSH, but I wonder how as only one KEY was set up
> > (no password). I am trying to find out more information.
> >
> > Has anybody experienced this?
> >
> > Regards,
> > Rafael
> >
>
>
> --
> Regards,
> Hean Seng
>
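One way to answer the open question in this thread (is password authentication really off on the VM, whatever the template or cloud-init was supposed to do?) is to audit the effective sshd settings that `sshd -T` reports rather than trusting the config file. The script below is an added example, not part of the thread; the `sshd -T` sample it ships with is constructed.

```shell
#!/bin/sh
# Audit the *effective* OpenSSH server settings (output of `sshd -T`, run as root).
# audit_sshd reads that output on stdin, prints one line per finding, and
# returns 0 only when no password-based login path is enabled.
audit_sshd() {
  cfg=$(cat)
  rc=0
  # Every one of these must be "no"; sshd -T prints keys lowercased.
  # Older releases (e.g. Debian 9's OpenSSH 7.4) report challengeresponseauthentication,
  # newer ones kbdinteractiveauthentication, so an absent key is only a warning.
  for key in passwordauthentication challengeresponseauthentication \
             kbdinteractiveauthentication permitemptypasswords; do
    val=$(printf '%s\n' "$cfg" | awk -v k="$key" 'tolower($1)==k {print tolower($2); exit}')
    case "$val" in
      no) ;;
      "") echo "WARN $key not reported by this sshd" ;;
      *)  echo "FAIL $key=$val"; rc=1 ;;
    esac
  done
  # Root may log in with a key at most, never with a password.
  root=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}')
  case "$root" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL permitrootlogin=${root:-unset}"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample: what a template that silently kept password login would report.
SAMPLE_BAD='passwordauthentication yes
permitrootlogin yes
challengeresponseauthentication no
permitemptypasswords no'

# Constructed sample: a host where only key authentication remains.
SAMPLE_GOOD='passwordauthentication no
permitrootlogin prohibit-password
challengeresponseauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

# Stand-alone run: audit the live host with --live, otherwise the constructed sample.
if [ "${1:-}" = "--live" ]; then
  sshd -T | audit_sshd
else
  printf '%s\n' "$SAMPLE_BAD" | audit_sshd || echo "sample: password login would be accepted"
fi
```

If the live audit fails on a cloud-init built image, `ssh_pwauth: false` in the cloud-config is the setting that turns `PasswordAuthentication` off at first boot; re-run the audit after the change rather than assuming it applied.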