cloudstack-users mailing list archives

From Hean Seng <heans...@gmail.com>
Subject Re: Brute force SSH trojan
Date Sun, 22 Nov 2020 18:44:38 GMT
Maybe do not just assume; you need to check on it.

On Mon, Nov 23, 2020 at 1:00 AM <rvalle@privaz.io.invalid> wrote:

> Hi!
>
> I don't know. I have to look into it.
>
> I did set up my template to use SSH key, and disabled password (when
> importing the template in ACS). I assumed that password auth would be
> disabled and only available via that SSH key.
>
> I have to look into this and check if that is happening or not. I guess
> this should be either in cloud-init or in the template itself.
>
> I will look into it this week.
>
> Rafael
> On Sun, 2020-11-22 03:38 PM, Hean Seng <heanseng@gmail.com> wrote:
> > Hi
> >
> > You did not change the password, and are all using the default password?
> >
> > On Sun, Nov 22, 2020 at 4:59 PM <rvalle@livelens.net.invalid> wrote:
> >
> > > Hi Community!
> > >
> > > Congratulations to the new committers.
> > >
> > > One VM in a test environment was infected by a brute force SSH trojan.
> > >
> > > The OS is debian-9, the template from openvm.eu
> > >
> > > It had only SSH (22) and iperf (5001) services running and reachable from
> > > anywhere.
> > >
> > > I believe this article is related because of the tar file (dota3.tar.gz)
> > > that I found on the system:
> > >
> > > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > >
> > > I have a snapshot of the ROOT volume in case anybody is interested to
> > > review it.
> > >
> > > I suspect they got in via SSH, but I wonder how as only one KEY was set up
> > > (no password). I am trying to find out more information.
> > >
> > > Has anybody experienced this?
> > >
> > > Regards,
> > > Rafael
> > >
> >
> >
> > --
> > Regards,
> > Hean Seng
> >



-- 
Regards,
Hean Seng
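
Added example, not part of the thread or of any CloudStack code: one way to check, rather than assume, whether an sshd_config (for instance one read from a mounted ROOT volume snapshot) still accepts passwords. It assumes upstream OpenSSH defaults and ignores Include directives; the function names and the sample configuration are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults, used when a keyword never appears (assumption).
DEFAULTS = {"passwordauthentication": "yes", "usepam": "no",
            "challengeresponseauthentication": "yes"}

# Constructed sample, not the configuration of the template in the thread.
SAMPLE = """\
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global settings, Match-block overrides) for DEFAULTS keys."""
    effective, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings set nothing
        # Keyword and argument are separated by whitespace or one '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = value  # applies until the next Match line or end of file
        elif key in DEFAULTS and match is None:
            effective.setdefault(key, value.lower())  # first value wins
        elif key in DEFAULTS:
            overrides.append((match, key, value.lower()))
    return {**DEFAULTS, **effective}, overrides

def password_login_findings(text):
    """List the ways this configuration still accepts a password."""
    eff, overrides = parse_sshd_config(text)
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes globally")
    if eff["challengeresponseauthentication"] == "yes" and eff["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM can ask for a password")
    findings += [f"Match {m} sets PasswordAuthentication yes" for m, k, v
                 in overrides if k == "passwordauthentication" and v == "yes"]
    return findings

if __name__ == "__main__":
    print("\n".join(password_login_findings(SAMPLE)) or "no password path found")
```

On a running host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for images and snapshots where sshd cannot be run.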
