cloudstack-users mailing list archives

From rva...@privaz.io.INVALID
Subject Re: Brute force SSH trojan
Date Mon, 23 Nov 2020 07:42:58 GMT
Hi Ivan,

If there is a legitimate possibility for shipping templates with a password setup, then setting
an SSH key as logon mechanism should imply that any existing password will be cleared.

Or perhaps if a template is ready to "accept" passwords from ACS then no password should be
re-configured?



Rafael




On Mon, 2020-11-23 08:26 AM, Ivan Kudryavtsev <ivan@bw-sw.com> wrote:
> It must be configured upon the first boot, or as you have said,
> preconfigured. Our templates set password upon the first boot.
> 
> Mon, 23 Nov 2020, 14:20 <rvalle@privaz.io.invalid>:
> 
> > Hi Ivan.
> >
> > I can imagine: If the template has the ability to re-set password, that
> > means, that there should not be any password pre-assigned, right?
> >
> > Which piece of code is responsible for password/key reset, is it
> > cloud-init? or is there any other involved part.
> >
> > I will try to work out a fix and report to the template owner.
> >
> > Regards,
> > Rafael
> >
> > On Mon, 2020-11-23 12:32 AM, Ivan Kudryavtsev <ivan@bw-sw.com> wrote:
> > > Hi. It looks like an improperly crafted template, not an ACS issue.
> > >
> > > Mon, 23 Nov 2020, 02:18 Rafael del Valle <rvalle@livelens.net.invalid>:
> > >
> > > > Hi Hean,
> > > >
> > > > Mystery solved.
> > > >
> > > > The template comes with Password Enabled in SSH server. And debian user
> > > > has a default password: "password".
> > > >
> > > > Assigning the SSH key only added the key, without disabling any other
> > > > thing.
> > > >
> > > > Regards,
> > > > Rafael
> > > >
> > > >
> > > >
> > > >
> > > > On Sun, 2020-11-22 03:38 PM, Hean Seng <heanseng@gmail.com> wrote:
> > > > > Hi
> > > > >
> > > > > You did not change the password, and all using the default password?
> > > > >
> > > > > On Sun, Nov 22, 2020 at 4:59 PM <rvalle@livelens.net.invalid> wrote:
> > > > >
> > > > > > Hi Community!
> > > > > >
> > > > > > Congratulations to the new committers.
> > > > > >
> > > > > > One VM in a test environment was infected by a brute force SSH
> > > > > > trojan.
> > > > > >
> > > > > > The OS is debian-9, the template from openvm.eu
> > > > > >
> > > > > > It had only SSH (22) and iperf (5001) services running and
> > > > > > reachable from anywhere.
> > > > > >
> > > > > > I believe this article is related because of the tar file
> > > > > > (dota3.tar.gz) that I found on the system:
> > > > > >
> > > > > > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > > > >
> > > > > > I have a snapshot of the ROOT volume in case anybody is interested
> > > > > > in reviewing it.
> > > > > >
> > > > > > I suspect they got in via SSH, but I wonder how as only one KEY was
> > > > > > set up (no password). I am trying to find out more information.
> > > > > >
> > > > > > Has anybody experienced this ?
> > > > > >
> > > > > > Regards,
> > > > > > Rafael
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Hean Seng
> > > > >
> > >
> 
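As an added example (not code from the thread, the template, or ACS), the following POSIX shell script audits a template image for the weakness discussed above: a sshd_config with password logins effectively enabled and a user that still has a usable password, which an SSH key assignment alone does not remove. It also writes a hardened copy of the config. File paths are arguments so it can be run offline against copies from a snapshot; the sample config and shadow line are constructed.

```shell
#!/bin/sh
# Added example: audit a template's SSH settings for the "key added but
# password login still on" weakness, then produce a hardened sshd_config.
# On a live host the inputs would be /etc/ssh/sshd_config and /etc/shadow.

# Return 0 when password logins are effectively enabled in config file $1.
# OpenSSH uses the FIRST value it reads for a keyword and defaults to "yes"
# when the keyword is absent. Match blocks are not evaluated here.
password_auth_enabled() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "${val:-yes}" = "yes" ]
}

# Return 0 when a /etc/shadow line ($1) has a usable password hash, i.e. the
# account is neither locked ("!" or "*" prefix) nor has an empty field.
shadow_password_usable() {
    hash=$(printf '%s' "$1" | cut -d: -f2)
    case "$hash" in
        ""|"!"*|"*"*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Write a hardened copy of sshd_config $1 to $2. The disabling directives go
# first, so under first-value-wins they override whatever the template shipped.
# ChallengeResponseAuthentication is also off, since PAM can relay passwords
# through keyboard-interactive auth.
harden_sshd_config() {
    {
        printf 'PasswordAuthentication no\n'
        printf 'ChallengeResponseAuthentication no\n'
        printf 'PermitEmptyPasswords no\n'
        cat "$1"
    } > "$2"
}

# Constructed sample input mimicking the template described in the thread.
SAMPLE_CFG=$(mktemp)
printf '# template config\nPort 22\nPasswordAuthentication yes\n' > "$SAMPLE_CFG"
SAMPLE_SHADOW='debian:$6$salt$constructedhash:18500:0:99999:7:::'

password_auth_enabled "$SAMPLE_CFG" && echo "FINDING: password logins enabled"
shadow_password_usable "$SAMPLE_SHADOW" && echo "FINDING: debian has a usable password"
harden_sshd_config "$SAMPLE_CFG" "$SAMPLE_CFG.hardened"
password_auth_enabled "$SAMPLE_CFG.hardened" || echo "OK: hardened copy disables password logins"
rm -f "$SAMPLE_CFG" "$SAMPLE_CFG.hardened"
```

Locking the stale password itself (for example with `passwd -l` on the account) is a separate step the script deliberately does not perform on the host.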