A fresh OS installed by the seller and got accessed by someone else. Could anyone explain this?

Basically, I keep getting this problem with WeLoveServers. (Although I had a problem claiming a refund from PayPal, I don't want to believe this is revenge from the seller. I don't want to mix the two together.)

  1. I have 2 VPSs with them. I asked for a VPS transfer from LA to Dallas.

    10/28/2013 21:07 Customer Support

    860765 - node transfer request

  2. After a few hours of transfer, my VPS was suspended due to what they called a "DDOS attack", when there was nothing on that VPS, since my website database got corrupted and I installed the OS. I don't know what happened. I thought maybe it was, as they said, compromised. (I have 20+ VPSs, though it has never happened.)

This is a notification that your service has now been suspended. The details of this suspension are below:
Suspension Reason: Sending outbound DoS attack (Please contact us for unsuspension)
2 Nov (3 days ago)

The VPS was suspended for sending an outbound DDoS attack. If you did not do this, then your VPS may have been compromised, and if we have your permission to reinstall your VPS and change your root password we can go ahead and proceed with unsuspension.

  3. They installed a fresh OS on my VPS and unsuspended the VPS.

    I have re-installed your VPS now.

  4. Since they reinstalled the OS and unsuspended the VPS, I haven't logged into either the VPS shell (I still don't know the new password) or SolusVM (no login email shows anybody else did).

VPS 192.3.172.173 has been suspended for sending outbound DDoS again, over 700Mbps. Please explain what this process is?
913537 root 20 0 421m 1000 436 S 98.8 0.0 11:00.14 /root/b26
01:56 (10 hours ago)

I have unsuspended the VPS.
Here are the last logs:
```
root@WLS-CAT:/# last
reboot system boot 2.6.32-042stab07 Tue Nov 5 03:12 - 03:12 (00:00)
nan pts/0 222.43.201.93 Mon Nov 4 18:39 - 18:40 (00:00)
root pts/0 222.43.200.55 Sun Nov 3 14:46 - 14:47 (00:00)
reboot system boot 2.6.32-042stab07 Sun Nov 3 07:46 - 03:12 (1+19:26)
wtmp begins Sun Nov 3 07:46:12 2013
root@WLS-CAT:/#
```

Can anyone explain how this could happen? A fresh system installed by them kept performing DDoS attacks. Even now, I haven't logged into SolusVM. No SolusVM login records indicate the panel was logged into after their installation.

Although they unsuspended the VPS again after they pasted the shell login log, I'm not gonna use it. If you were me, would you use the VPS or put something important on it when you would never know if your VPS was going to "perform a DoS attack" again, while the seller just pasted you a login log without explaining what went wrong?

Thanks


Comments

  • How about turning off the VPS for several hours, and let's wait and see. If you are still receiving an alert, then the problem is not from you.

    Thanked by 1kyaky
  • @ErawanArifNugroho said:
    How about turning off the VPS for several hours, and let's wait and see. If you are still receiving an alert, then the problem is not from you.

    I don't want to log into the shell (I don't know the password anyway) or SolusVM. If I do that, they will probably say "oh, there is a login record from you." At the moment there is no login record at all in the SolusVM panel after they reinstalled the OS.

    This is ridiculous. A freshly reinstalled VPS with nothing on it got accessed by someone else.

  • Log in to SolusVM and shut the VPS down. I assume they will also have a log of the startups and shutdowns too. Take a screenshot too.

    And you are logging in now after the DoS has already been initiated. Keep a screenshot of the time you logged in and tell them you have done that to shut it down.

    Thanked by 1kyaky
  • That's weird then. :|

    One reason that might happen is that your host has an abusive user who is attacking you. Or someone stole your SolusVM details while they were being sent from your host to your email. Or your host just wants to blame you.

    Thanked by 1kyaky
  • kyaky Member
    edited November 2013

    @techkken said:
    Log in to SolusVM and shut the VPS down. I assume they will also have a log of the startups and shutdowns too. Take a screenshot too.

    And you are logging in now after the DoS has already been initiated. Keep a screenshot of the time you logged in and tell them you have done that to shut it down.

    They don't seem to be doing anything. They just pasted the shell login log and unsuspended the vps then told me "you are good to go."

    I'm not going anywhere before they tell me what's going on.

    WLS: Can I reinstall your VPS?
    I: Yes
    WLS: "you are good to go"
    I: [I don't even touch that]
    WLS: "you are attacking, ban!"
    I: ftw? I'm not even using the VPS you provided.

    WLS: Can I reinstall your VPS?
    I: Yes
    WLS: "you are good to go"
    I: [I don't even touch that]
    WLS: "you are attacking, ban!"
    I: ftw? I'm not even using the VPS you provided.

    WLS: Can I reinstall your VPS?
    I: Yes
    WLS: "you are good to go"
    I: [I don't even touch that]
    WLS: "you are attacking, ban!"
    I: ftw? I'm not even using the VPS you provided.

    WLS: Can I reinstall your VPS?
    I: Yes
    WLS: "you are good to go"
    I: [I don't even touch that]
    WLS: "you are attacking, ban!"
    I: ftw? I'm not even using the VPS you provided.

    What is this loop about? It really pisses me off.

    Can't they just look into all the logs in depth? Or has it happened to many users, not just me, so they are already used to it?

  • Your base template install probably hasn't had security updates applied. Of course it's going to be compromised without you having logged in. Rebuild and leave it off or at least go in and apt-get update; apt-get upgrade. (or yum)

    Thanked by 1kyaky
  • kyaky Member
    edited November 2013

    Got a reply from their staff:

    We are an unmanaged VPS provider, it is your responsibility to secure your server and make sure that your root passwords are secure.

    Thanks,

    Christopher Boswell
    WeLoveServers.net - Vice President
    [email protected]

    What can I say now.....

    XXX || Client
    After your technician reinstalled the VPS, the root password must be reset. He didn't tell me what the new root password was, and SolusVM has no login record after the day he reinstalled the VPS. This means no one would be able to know the new root pass.

  • jarjar Patron Provider, Top Host, Veteran

    Maybe secure your vps. It's yours. That you don't use it is no excuse. You're leaving it online and probably leaving it open in some way. It is your responsibility to secure the vps, their responsibility to secure the node.

    Thanked by 1kyaky
  • @tchen said:
    Your base template install probably hasn't had security updates applied. Of course it's going to be compromised without you having logged in. Rebuild and leave it off or at least go in and apt-get update; apt-get upgrade. (or yum)

    Should they just simply blame this attack on me without investigating on their side?

  • @jarland said:
    Maybe secure your vps. It's yours. That you don't use it is no excuse. You're leaving it online and probably leaving it open in some way. It is your responsibility to secure the vps, their responsibility to secure the node.

    I have more than 20 VPSs from different providers. Most of the ones I don't use are just left there unmanaged. None of them has a template security issue. None of them got compromised like this one. Are you saying that of course it should have a security issue even when there is nothing on the VPS?

  • TheLinuxBug Member
    edited November 2013

    OK, some important things which you have not provided:

    A. What distribution did you choose?

    There are some older versions of Debian 6 which are installed with a vulnerable sshd (if they haven't updated their template) which will allow an attacker to compromise the server. ALWAYS run apt-get update, apt-get upgrade when you login to a new Debian server.

    B. Have you secured your install after it is first setup?

    Some vendors will have users that are created in their templates with default passwords for setup of certain services. Often they may not tell you the users' passwords or even explain that they have been added in the template, and I have seen in the past someone bruteforce and/or guess these default passwords and gain access to the server. One such user is the www-data user set up by default in some distributions. Make sure you check for these users in your /etc/passwd and either change their shell to /bin/nologin or change the password to something you know is secure.

    C. Have you installed DenyHosts, CSF or another firewall product to protect against bruteforce attacks?

    Set up DenyHosts, CSF or another firewall product to make sure that no one is simply bruteforcing your root user or any user password and gaining access. As stated before, a lot of templates have default users and passwords; not securing your server against brute force attacks is a bad standard to allow.

    D. Are you new to working with Linux? Are you aware of the steps needed to secure your server?

    If you are not familiar with Linux or how to secure it and are not able to find and follow howtos to do it yourself, please consider hiring someone (maybe your provider?) to assist you with hardening and securing your server to prevent these things from happening.

    While I find it sad your provider has not worked with you on these things to start instead of just suspending you, these things are still your responsibility as a system administrator. As I said above, if you are not sure what you are doing ask for help or hire someone to help and teach you the basics.

    Edit: You may find this link helpful for setting up DenyHosts if you are inexperienced.

    I hope you find this information helpful.

    Cheers!

  • I think they should at least monitor whether the DDOS traffic was indeed outbound from their node and is genuine. DDOS traffic could easily be masked/spoofed to show you are the source when in fact it isn't.

    This happened to one of my empty VPSs once (with DenyHosts installed, yum update and upgrade, SSH port changed, strong password combination, etc.); it was still suspended for sending outbound DDOS traffic. They got the report not from their own outbound monitoring, but because the target host complained to them, so only then did they take action. To me, they should really investigate in depth first before they take any action.

    Thanked by 2kyaky dnwk
  • Oxide Member
    edited November 2013

    Greetings,

    The customer's VPS was found sending outbound DDoS in excess of 700Mbps, two times now. We unsuspended his VPS every time, offering him the chance to rectify the issue, but it happened again for the second time this morning.

    @kyaky it sounds like you have an insecure root password. I would recommend making sure that your SolusVM account and server root password are secure. Remember, this is an outbound DDoS attack, and not inbound, meaning someone is gaining access to your VPS and sending DDoS attacks FROM your VPS. As said in the ticket reply from me that you posted in your original post, it looks like IP addresses 222.43.200.55 and 222.43.201.93 were the only ones accessing your server since it was reinstalled.

    Chris

    Thanked by 2marrco kyaky
  • jarjar Patron Provider, Top Host, Veteran
    edited November 2013

    @kyaky said:
    Should they just simply blame this attack on me without investigating on their side?

    It doesn't matter if you initiated it or you were compromised. Either way it comes from you. If you aren't securing the vps, you are responsible for allowing it to happen. I cannot know if that is what is happening, but it's a reasonable assumption since you don't use it.

    @kyaky said:
    I have more than 20 VPSs from different providers. Most of the ones I don't use are just left there unmanaged. None of them has a template security issue. None of them got compromised like this one. Are you saying that of course it should have a security issue even when there is nothing on the VPS?

    What can I say, some subnets get scanned and brute forced more than others. That's just how it goes. Your provider can only do so much to prevent it while providing you with the freedom of a root environment. For all I know your root password is on the top 10 most guessed. Just secure it and then let it sit, or shut it down. Don't judge the provider on this unless you figure out what is happening.

    Thanked by 2marrco kyaky
  • @TheLinuxBug said:
    OK, some important things which you have not provided:

    A. What distribution did you choose?

    There are some older versions of Debian 6 which are installed with a vulnerable sshd (if they haven't updated their template) which will allow an attacker to compromise the server. ALWAYS run apt-get update, apt-get upgrade when you login to a new Debian server.

    B. Have you secured your install after it is first setup?

    Some vendors will have users that are created in their templates with default passwords for setup of certain services. Often they may not tell you the users' passwords or even explain that they have been added in the template, and I have seen in the past someone bruteforce and/or guess these default passwords and gain access to the server. One such user is the www-data user set up by default in some distributions. Make sure you check for these users in your /etc/passwd and either change their shell to /bin/nologin or change the password to something you know is secure.

    C. Have you installed DenyHosts, CSF or another firewall product to protect against bruteforce attacks?

    Set up DenyHosts, CSF or another firewall product to make sure that no one is simply bruteforcing your root user or any user password and gaining access. As stated before, a lot of templates have default users and passwords; not securing your server against brute force attacks is a bad standard to allow.

    D. Are you new to working with Linux? Are you aware of the steps needed to secure your server?

    If you are not familiar with Linux or how to secure it and are not able to find and follow howtos to do it yourself, please consider hiring someone (maybe your provider?) to assist you with hardening and securing your server to prevent these things from happening.

    While I find it sad your provider has not worked with you on these things to start instead of just suspending you, these things are still your responsibility as a system administrator. As I said above, if you are not sure what you are doing ask for help or hire someone to help and teach you the basics.

    I hope you find this information helpful.

    Cheers!

    This vps was freshly reinstalled by their technician, after that, I haven't logged into either solusvm or shell. After 1 day they reinstalled the OS, they told me the VPS was attacking. I asked them to check login log, or any log that shows what's going on.

    All they pasted me is:

    root@WLS-CAT:/# last
    reboot system boot 2.6.32-042stab07 Tue Nov 5 03:12 - 03:12 (00:00)
    nan pts/0 222.43.201.93 Mon Nov 4 18:39 - 18:40 (00:00)
    root pts/0 222.43.200.55 Sun Nov 3 14:46 - 14:47 (00:00)
    reboot system boot 2.6.32-042stab07 Sun Nov 3 07:46 - 03:12 (1+19:26)

    wtmp begins Sun Nov 3 07:46:12 2013
    root@WLS-CAT:/#

    This is the IP from China according to bgp.he.net

    At least you could dig more, like access.log or something else.

    Then I got this reply from their staff

    We are an unmanaged VPS provider, it is your responsibility to secure your server and make sure that your root passwords are secure.

    What?

  • @kyaky said:

    After your technician reinstalled the VPS, the root password must be reset. He didn't tell me what the new root password was, and SolusVM has no login record after the day he reinstalled the VPS. This means no one would be able to know the new root pass.

    Please keep in mind that SolusVM stores your latest root password that you set from the SolusVM VPS control panel interface or the root password that you signed up with (if you did not change the root pass from the interface), so when you reinstall the VPS, the root password is automatically set to the same password... note that it is not stored in SolusVM however if you manually change your root pass in SSH.

    Thanked by 1kyaky
  • kyaky said: Should they just simply blame this attack on me without investigating on their side?

    To be blunt, it seems like you're woefully negligent with the VPS:

    1. You have a password reset field in SolusVM you can use to change the password to anything you want. Preferably not 's3cret'.

    2. Turn it off or patch the distro.

    Unless you're from either 222.43.201.93 or 222.43.200.55, a Chinese botnet has already commandeered your VPS. That's the investigation they've done, in addition to pointing out the script/exec that's been used. The hackers have probably been probing the root account password for the last 7 days, which is ample time if you're using something easy/short.

    Thanked by 2marrco kyaky
  • @Oxide said:
    Please keep in mind that SolusVM stores your latest root password that you set from the SolusVM VPS control panel interface or the root password that you signed up with (if you did not change the root pass from the interface), so when you reinstall the VPS, the root password is automatically set to the same password... note that it is not stored in SolusVM however if you manually change your root pass in SSH.

    Yes Chris. If the password doesn't get reset, it should still have my old 10-digit complex password. This is just weird. I hope you don't mind that I posted a thread on LEB, because I just don't know what to do next. Just trying to get some advice and help from people here.

  • Oxide Member
    edited November 2013

    @al3xt said:
    i think they should atleast monitor if the DDOS traffic was indeed the outbound from their node and its genuine. DDOS traffic could easily be masked / spoofed as to show you are the source but infact it isn't.

    Happened to one of my empty VPS once (with denyhosts installed, yum update and upgrade, ssh port changed, strong passwd combination and etc), was still suspended for sending outbound DDOS traffic. They got the report not due to their own outbound monitoring, but the target host complained to them so they only take action. To me, they should really investigate first in depth before they take any action.

    Absolutely. We have verified that the outbound DDoS was a process running on his VPS which was sending DDoS in excess of 700Mbps.

    913537 root 20 0 421m 1000 436 S 98.8 0.0 11:00.14 /root/b26

    Traffic usage on the network interface for the server reduced from 700Mbps UP to below 30Mbps UP after suspending his VPS.

    Thanked by 2marrco kyaky
  • jarjar Patron Provider, Top Host, Veteran
    edited November 2013

    Sure it's not bouncing off an open resolver? Meh nvm you've got a process. Sounds like an insecure template or password. Nothing an update or reset can't fix.

    Thanked by 1kyaky
  • @jarland said:
    Meh nvm you've got a process.

    Heh, was just about to mention that too.

    Thanked by 1kyaky
  • kyaky Member
    edited November 2013

    @jarland said:
    Sure it's not bouncing off an open resolver? Meh nvm you've got a process. Sounds like an insecure template or password. Nothing an update or reset can't fix.

    I pasted this result at the beginning of this thread already. This is what they found out.

  • @kyaky

    As you spent no time really answering my questions or considering what I told you, I am guessing you have little to no experience with managing a Linux server, and I highly suggest you find a managed VPS provider and go with them so they can assist you with setting up and securing your server correctly. I am not sure if WeLoveServers offers managed support at all, but if they do and they haven't offered this to you yet, shame on them.

    It doesn't matter how your server becomes compromised. As an unmanaged server, it is your responsibility to manage and secure the server and ensure that it does not become compromised or used for attacking other servers.

    Cheers!

    Thanked by 2marrco kyaky
  • kyaky Member
    edited November 2013

    @TheLinuxBug said:
    kyaky

    As you spent no time really answering my questions or considering what I told you, I am guessing you have little to no experience with managing a Linux server, and I highly suggest you find a managed VPS provider and go with them so they can assist you with setting up and securing your server correctly. I am not sure if WeLoveServers offers managed support at all, but if they do and they haven't offered this to you yet, shame on them.

    It doesn't matter how your server becomes compromised. As an unmanaged server, it is your responsibility to manage and secure the server and ensure that it does not become compromised or used for attacking other servers.

    Cheers!

    sorry was busy replying tickets. thanks for your help.

    A. They asked what I wanted reinstalled due to the first DDOS attack issue; I told them 12.04 64bit was fine. (I could have logged in, but I just didn't want to; I wanted to see what would happen if I didn't touch it at all.)

    B. I didn't login at all after they reinstalled the os

    C. nothing on that VPS

    D. not new but just left this VPS there without manage.

  • @kyaky said:
    A. I think it was ubuntu 12.04 64bit B. I didn't login at all after they reinstalled the os C. nothing on that VPs D. not new but just left this VPS there without manage.

    It's not a problem with our OS template, otherwise you would see other LET threads of our customers reporting similar incidents, which is not the case. We use the official OpenVZ templates and all OS templates are thoroughly tested by myself before throwing into production. I explained above how SolusVM stores root passwords, so after reinstalling your VPS it uses the same root password. If you did not change the root pw, then reinstalling won't do much as the intruder still has your root password which remained the same after reinstallation. Please take a few seconds to change your root password and take care to make sure it is a secure one.

    Thanked by 2marrco kyaky
  • TheLinuxBug Member
    edited November 2013

    @kyaky said:
    sorry was busy replying tickets. thanks for your help.

    >

    A. I think it was ubuntu 12.04 64bit B. I didn't login at all after they reinstalled the os C. nothing on that VPs D. not new but just left this VPS there without manage.

    Okay, so as several people in this thread have said, you have failed to login, update and secure your server. This is why it continues to become compromised. Just because you haven't logged into it yet doesn't give you an excuse to allow it to be taken advantage of. Sure, it would be nice if WLS would update their templates regularly to make sure they are not vulnerable out of the box, however, this isn't their responsibility to do as an unmanaged provider. If they unsuspend your server again I highly suggest you take the time to secure your server by both updating the software and installing a firewall or bruteforce protection. DenyHosts is a great place to start with this and the link to the scripts I provided above, the Debian installer listed there should also work in Ubuntu.

    If you can't handle doing the simple things to update and secure your server, once again, I suggest you either hire someone to assist you or purchase a managed server instead.

    Cheers!

    Thanked by 1kyaky
  • Yep... his server was already unsuspended again. We are all for second (and third) chances.

    Thanked by 2marrco kyaky
  • just for a quick update:

    I've reset the password and logged into the VPS

    ```
    root@WLS-CAT:~# last -n user
    root pts/1 110-174-26-XXX.s Tue Nov 5 10:39 still logged in
    reboot system boot 2.6.32-042stab07 Tue Nov 5 03:12 - 10:39 (07:27)
    nan pts/0 222.43.201.93 Mon Nov 4 18:39 - 18:40 (00:00)
    root pts/0 222.43.200.55 Sun Nov 3 14:46 - 14:47 (00:00)
    reboot system boot 2.6.32-042stab07 Sun Nov 3 07:46 - 10:39 (2+02:53)

    wtmp begins Sun Nov 3 07:46:12 2013
    root@WLS-CAT:~# history 100
    1 paswd nan
    2 useradd -u 0 -o -g root -G root -d /bin nan
    3 useradd -u 0 -o -g root -G root -d /bin porasd
    4 passwd nan
    5 passwd porasd
    6 last -n user
    7 history 100
    root@WLS-CAT:~#
    ```

    The attacker is: IP from China

    nan:x:0:0::/bin:/bin/sh

    ```
    root@WLS-CAT:~# ls -la
    total 1520
    drwx------ 3 root root 4096 Nov 4 18:40 .
    drwxr-xr-x 22 root root 4096 Oct 5 2012 ..
    -rw------- 1 root root 132 Nov 3 14:47 .bash_history
    -rw-r--r-- 1 root root 3106 Apr 19 2012 .bashrc
    drwx------ 2 root root 4096 Nov 3 14:46 .cache
    -rw-r--r-- 1 root root 140 Apr 19 2012 .profile
    -rwxr-xr-x 1 root root 1524643 Oct 26 20:41 b26
    -rw-r--r-- 1 root root 30 Nov 4 18:40 fake.cfg
    root@WLS-CAT:~# ^C
    root@WLS-CAT:~#
    ```
    He put two things in /root:
    fake.cfg and b26, which was mentioned earlier.
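The findings above (two extra UID-0 accounts created with `useradd -u 0 -o`, the `useradd` lines in root's history, and sessions from two unfamiliar addresses in `last`) are exactly what TheLinuxBug's point B tells you to look for in /etc/passwd. The POSIX shell script below is an added example for this thread, not code from the OP or from WeLoveServers; it turns those checks into functions that take a file path, so they can be pointed at the real /etc/passwd, /root/.bash_history or saved `last` output. The sample data is constructed from what was pasted in the thread, and the allow-list prefix `^110-174-26-` and all function names are my own assumptions.

```shell
#!/bin/sh
# Post-compromise triage helpers for a small Linux VPS (added example, not the
# OP's or the provider's code). Every check reads a file path so it can run
# against real files or against the constructed samples below.

# ---- Constructed samples, modelled on the output pasted in the thread ----
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
nan:x:0:0::/bin:/bin/sh
porasd:x:0:0::/bin:/bin/sh'

SAMPLE_HISTORY='paswd nan
useradd -u 0 -o -g root -G root -d /bin nan
useradd -u 0 -o -g root -G root -d /bin porasd
passwd nan
passwd porasd
last -n user'

SAMPLE_LAST='root pts/1 110-174-26-XXX.s Tue Nov 5 10:39 still logged in
reboot system boot 2.6.32-042stab07 Tue Nov 5 03:12 - 10:39 (07:27)
nan pts/0 222.43.201.93 Mon Nov 4 18:39 - 18:40 (00:00)
root pts/0 222.43.200.55 Sun Nov 3 14:46 - 14:47 (00:00)
reboot system boot 2.6.32-042stab07 Sun Nov 3 07:46 - 10:39 (2+02:53)'

# Accounts that share UID 0 with root (passwd field 3). Any hit is a second
# root login and should be treated as a backdoor.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Service accounts (UID 1-999) that still have an interactive shell. These
# are the template "default users" the thread warns about; lock them or set
# the shell to nologin/false.
interactive_system_accounts() {
  awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Shell-history lines that create a UID-0 user (useradd -u 0 -o ...).
# grep exits 1 when nothing matches; "|| true" keeps that from aborting
# a caller running under set -e.
uid0_useradd_commands() {
  grep -E '^useradd .*-u 0( |$)' "$1" || true
}

# Sessions in saved `last` output whose source host (field 3) does not match
# an allow-list regex for your own addresses; reboot records are skipped.
logins_outside_allowlist() {
  awk -v allowed="$2" '$1 != "reboot" && $3 !~ allowed { print $1, $3 }' "$1"
}

# Run every check against the samples: `sh triage.sh run`
run_triage() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_PASSWD"  > "$dir/passwd"
  printf '%s\n' "$SAMPLE_HISTORY" > "$dir/bash_history"
  printf '%s\n' "$SAMPLE_LAST"    > "$dir/last.txt"
  echo "== extra UID-0 accounts ==";         extra_uid0_accounts "$dir/passwd"
  echo "== system accounts with a shell =="; interactive_system_accounts "$dir/passwd"
  echo "== useradd -u 0 in history ==";      uid0_useradd_commands "$dir/bash_history"
  echo "== logins outside allow-list ==";    logins_outside_allowlist "$dir/last.txt" '^110-174-26-'
  rm -rf "$dir"
}

if [ "${1:-}" = "run" ]; then
  run_triage
fi
```

On the thread's data the first check reports `nan` and `porasd`, the history check returns both `useradd -u 0 -o` lines, and the `last` check lists the two 222.43.x.x sessions while skipping the OP's own login. On a real box, run it with `/etc/passwd`, `/root/.bash_history` and `last > /tmp/last.txt` as inputs, and remember that an attacker with root can edit wtmp and the history file, so an empty result is not proof of a clean system.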

  • Your email account might be compromised, which would contain all the login information someone would need to access the server.

    Thanked by 1kyaky
  • @ricardo said:
    your email address might be compromised, which would contain all the login information someone would need to access the server.

    Nothing is emailed upon reinstallation. OP should just set an overpowered random password in solus, then log in and set a somewhat powerful password.

    10 digits is NOT secure

    Thanked by 1kyaky