From: rvalle@privaz.io
To: users@cloudstack.apache.org
Date: Mon, 23 Nov 2020 07:42:58 +0000
Subject: Re: Brute force SSH trojan
Message-ID: <1606117378760971159@privaz.io>
References: <1606034112531722905@livelens.net> <1606065216460637366@livelens.net> <1606116020746676296@privaz.io>
List: users@cloudstack.apache.org (Apache CloudStack users list)

Hi Ivan,

If there is a legitimate possibility for shipping templates with a password setup, then setting an SSH key as logon mechanism should imply that any existing password will be cleared.

Or perhaps if a template is ready to "accept" passwords from ACS then no password should be re-configured?

Rafael

On Mon, 2020-11-23 08:26 AM, Ivan Kudryavtsev wrote:
> It must be configured upon the first boot, or as you have said,
> preconfigured. Our templates set password upon the first boot.
>
> On Mon, 23 Nov 2020 at 14:20, Rafael wrote:
>
> > Hi Ivan.
> >
> > I can imagine: If the template has the ability to re-set password, that
> > means, that there should not be any password pre-assigned, right?
> >
> > Which piece of code is responsible for password/key reset, is it
> > cloud-init? or is there any other involved part.
> >
> > I will try to work out a fix and report to the template owner.
> >
> > Regards,
> > Rafael
> >
> > On Mon, 2020-11-23 12:32 AM, Ivan Kudryavtsev wrote:
> > > Hi. It looks like an improperly crafted template, not an ACS issue.
> > >
> > > On Mon, 23 Nov 2020 at 02:18, Rafael del Valle wrote:
> > >
> > > > Hi Hean,
> > > >
> > > > Mystery solved.
> > > >
> > > > The template comes with Password Enabled in SSH server. And debian user
> > > > has a default password: "password".
> > > >
> > > > Assigning the SSH key only added the key, without disabling any other
> > > > thing.
> > > >
> > > > Regards,
> > > > Rafael
> > > >
> > > > On Sun, 2020-11-22 03:38 PM, Hean Seng <heanseng@gmail.com> wrote:
> > > > > Hi
> > > > >
> > > > > You did not change the password, and all using the default password ?
> > > > >
> > > > > On Sun, Nov 22, 2020 at 4:59 PM, Rafael wrote:
> > > > >
> > > > > > Hi Community!
> > > > > >
> > > > > > Congratulations to the new committers.
> > > > > >
> > > > > > One VM in a test environment was infected by a brute force SSH trojan.
> > > > > >
> > > > > > The OS is debian-9 , the template from openvm.eu
> > > > > >
> > > > > > It had only SSH (22) and iperf (5001) services running and reachable
> > > > > > from anywhere.
> > > > > >
> > > > > > I believe this article is related because of the tar file
> > > > > > (dota3.tar.gz) that I found on the system:
> > > > > >
> > > > > > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > > > > >
> > > > > > I have a snapshot of the ROOT volume in case anybody is interested
> > > > > > to review it.
> > > > > >
> > > > > > I suspect they got in via SSH, but I wonder how as only one KEY was
> > > > > > set up (no password). I am trying to find out more information.
> > > > > >
> > > > > > Has anybody experienced this ?
> > > > > >
> > > > > > Regards,
> > > > > > Rafael
> > > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Hean Seng
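The failure mode Rafael found is two independent conditions that both have to hold for a brute-force login to work: sshd still accepts passwords (on Debian the directive is commented out, so the compiled-in default of yes applies), and a stock account still carries a usable password hash. Injecting an SSH key through CloudStack touches neither. The script below is an added example written for this page, not code from the thread, from CloudStack or from the openvm.eu template: it audits both conditions and then applies the fix a template owner would apply before publishing. The sshd_config and shadow contents are constructed samples (the hash string is a placeholder, not a real hash) so it runs offline; the account name "debian" is taken from the thread.

```shell
#!/bin/sh
# Added example: audit a Debian template for (1) sshd accepting passwords and
# (2) a stock account with a live password, then show the remediation. Works
# on constructed copies of sshd_config and /etc/shadow so it runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the template as shipped: the directive is commented
# out, so sshd's built-in default (yes) is in force.
cat > "$WORK/sshd_config" <<'EOF'
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

# Constructed shadow file; the debian hash is a placeholder, not a real hash.
cat > "$WORK/shadow" <<'EOF'
root:*:18500:0:99999:7:::
debian:$6$constructedsalt$constructedhashnotreal:18500:0:99999:7:::
nobody:*:18500:0:99999:7:::
EOF

# Effective global PasswordAuthentication: sshd honours the first occurrence
# of a directive, and the default when it is absent is yes. Match blocks are
# not evaluated here; on a real host confirm with `sshd -T`. Prints yes or no.
effective_password_auth() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Accounts whose shadow entry holds a usable hash: field 2 is non-empty and
# not locked with a leading ! (passwd -l, usermod -L) or * (never set).
accounts_with_live_password() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Returns 0 when no password login path exists; prints what it found.
audit() {
    cfg=$1; shadow=$2; rc=0
    if [ "$(effective_password_auth "$cfg")" != no ]; then
        echo "FAIL: sshd accepts passwords (PasswordAuthentication is not no)"
        rc=1
    fi
    live=$(accounts_with_live_password "$shadow")
    if [ -n "$live" ]; then
        echo "FAIL: accounts with a usable password: $(echo "$live" | tr '\n' ' ')"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no password login path"
    fi
    return "$rc"
}

# On the real image the template owner would run:
#   sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
#   passwd -l debian
# The same two changes are applied here to the sample copies.
harden() {
    cfg=$1; shadow=$2; user=$3
    { printf 'PasswordAuthentication no\n'
      grep -v -i -E '^[[:space:]]*#?PasswordAuthentication' "$cfg" || true; } > "$cfg.new"
    mv "$cfg.new" "$cfg"
    # lock the account the way passwd -l does: prefix the hash with !
    awk -F: -v u="$user" 'BEGIN { OFS = ":" }
        $1 == u && $2 !~ /^!/ { $2 = "!" $2 } { print }' "$shadow" > "$shadow.new"
    mv "$shadow.new" "$shadow"
}

echo "== template as shipped =="
audit "$WORK/sshd_config" "$WORK/shadow" || true
harden "$WORK/sshd_config" "$WORK/shadow" debian
echo "== after hardening =="
audit "$WORK/sshd_config" "$WORK/shadow"
```

To check a real template instead of the samples, call `audit /etc/ssh/sshd_config /etc/shadow` as root; `sshd -T | grep -i passwordauthentication` gives the effective value including any Match blocks the function above does not parse. For templates that rely on cloud-init, the declarative equivalent of the two fixes is `ssh_pwauth: false` at the top level of the user-data and `lock_passwd: true` on the user entry, which is what keeps a key-only template key-only after CloudStack injects the key.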