From: Hean Seng
Date: Mon, 23 Nov 2020 02:44:38 +0800
Subject: Re: Brute force SSH trojan
To: users@cloudstack.apache.org, Rafael del Valle

Maybe do not just assume, you need to check on it.

On Mon, Nov 23, 2020 at 1:00 AM wrote:
> Hi!
>
> I don't know. I have to look into it.
>
> I did set up my template to use an SSH key, and disabled password (when
> importing the template in ACS). I assumed that password auth would be
> disabled and only available via that SSH key.
>
> I have to look into this and check if that is happening or not. I guess
> this should be either in cloud-init or in the template itself.
>
> I will look into it this week.
>
> Rafael
>
> On Sun, 2020-11-22 03:38 PM, Hean Seng wrote:
> > Hi
> >
> > You did not change the password, and all using the default password?
> >
> > On Sun, Nov 22, 2020 at 4:59 PM wrote:
> >
> > > Hi Community!
> > >
> > > Congratulations to the new committers.
> > >
> > > One VM in a test environment was infected by a brute force SSH trojan.
> > >
> > > The OS is debian-9, the template from openvm.eu
> > >
> > > It had only SSH (22) and iperf (5001) services running and reachable
> > > from anywhere.
> > >
> > > I believe this article is related because of the tar file (dota3.tar.gz)
> > > that I found on the system:
> > >
> > > https://ethicaldebuggers.com/outlaw-botnet-affects-more-than-20000-linux-servers/
> > >
> > > I have a snapshot of the ROOT volume in case anybody is interested to
> > > review it.
> > >
> > > I suspect they got in via SSH, but I wonder how as only one KEY was
> > > set up (no password). I am trying to find out more information.
> > >
> > > Has anybody experienced this?
> > >
> > > Regards,
> > > Rafael
> >
> > --
> > Regards,
> > Hean Seng

--
Regards,
Hean Seng
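Hean Seng's point above, that a key-only setup should be verified rather than assumed, as an added example that is not part of the thread: a small Python checker that reads an sshd_config (for instance from the template image or from a mounted copy of the ROOT snapshot Rafael mentions), resolves the values sshd would actually use, and reports anything that would still let a password log in. It encodes two things sshd does that commonly defeat "I appended PasswordAuthentication no to the file": the first value of a keyword wins, later duplicates are ignored, and any line after a Match directive belongs to that Match block rather than to the global section. The sample configs, the DEFAULTS table and all function names are constructed for this example, not taken from the thread, CloudStack or the template.

```python
"""Resolve the effective password-auth posture of an sshd_config text.

sshd keeps the FIRST value it sees for each keyword and ignores later
duplicates, and every line after a "Match" line belongs to that Match
block. A provisioning step that appends "PasswordAuthentication no" to
the end of the file can therefore change nothing. This checker applies
those rules and lists what would still allow a password login.
"""
import re

# Constructed sample: a Debian-style sshd_config where a provisioning step
# appended "PasswordAuthentication no" at the end of the file.
SAMPLE_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
# Appended later by a provisioning step; sshd ignores it because the
# global keyword was already set AND the line sits inside the Match block.
PasswordAuthentication no
"""

# Constructed sample of the posture Rafael intended: keys only.
HARDENED_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
UsePAM yes
"""

# Built-in OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}

# Older OpenSSH spells the keyboard-interactive switch differently; both
# names control the same setting, so normalise to one key.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks, includes).

    global_settings: keyword -> first value seen (sshd first-match rule).
    match_blocks:    list of (criteria, {keyword: first value}) per Match.
    includes:        paths named by Include directives (not read here).
    """
    global_settings, match_blocks, includes = {}, [], []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or a single '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        if key == "include":
            includes.append(value)
            continue
        target = global_settings if current is None else current
        target.setdefault(key, value.lower())  # first occurrence wins
    return global_settings, match_blocks, includes


def effective_settings(global_settings):
    """Resolve each audited keyword: explicit first value, else the default."""
    return {k: global_settings.get(k, d) for k, d in DEFAULTS.items()}


def audit(text):
    """Return findings that mean a password could still log in; [] if key-only."""
    global_settings, match_blocks, includes = parse_sshd_config(text)
    eff = effective_settings(global_settings)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append(f"global PasswordAuthentication is effectively "
                        f"'{eff['passwordauthentication']}'")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive (PAM password prompt) is still enabled")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes lets root log in with a password")
    if eff["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes")
    if eff["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication no: keys cannot be the only method")
    for criteria, settings in match_blocks:
        for key in ("passwordauthentication", "kbdinteractiveauthentication"):
            if settings.get(key) == "yes":
                findings.append(f"Match {criteria} re-enables {key}")
        if settings.get("permitrootlogin") == "yes":
            findings.append(f"Match {criteria} allows root password login")
    for path in includes:
        findings.append(f"Include {path} was not read; keywords it sets take "
                        f"effect at that position in the file")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no password-login findings']}")
```

On a running host, `sshd -T` prints the same resolved values and is the authoritative check; the parser is for looking at a template or a mounted snapshot offline. If the template boots with cloud-init, its `ssh_pwauth` setting rewrites PasswordAuthentication at first boot, so the rendered file on the instance is what to check, not only the file shipped in the template.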