Backdoor'd, this ever happen to you?

AsuraHosting Member
edited February 2012 in General

Hey guys,

We sold a VPS to a Filipino user and he tried to backdoor my dedicated; we caught him on the spot. I noticed something a bit weird... I use SolusVM + OpenVZ, and usually the bandwidth counter is on point. But he used this script 'stealth' to DoS from his VPS; the thing is, the container statistics did not show him using up his bandwidth. But when I went to view the statistical graphs for the dedicated itself, it showed an output of 8mb/s.

So I was wondering, how is that possible? He was able to avoid using up his own bandwidth.

I run RKHunter, Root Check, and ChkRootKit every single day with a cron job and e-mail report; and I have LFD which alerts me of any suspicious processes being run... but I was wondering, is there any way to prevent this from happening at all?

Comments

  • Dump an image and maybe someone will be able to help finding the bad stuff :P

  • AsuraHosting Member
    edited February 2012

    Oh, I've found it without even trying. LFD made it very easy; here are the links he wget'd and used...

    I would not suggest actually using it, as it may attempt to backdoor your own dedicated...

    [cut by breton]

    PLEASE BE WARNED, I HAVE NO IDEA WHAT THESE FILES ACTUALLY DO; CHECK IT OUT ON YOUR OWN RISK.

  • Forbidden Q_Q

  • @yomero said: Forbidden Q_Q

    Yeah, I'm not sure but they work for me.

  • @yomero said: Forbidden Q_Q

    Getting that as well.

  • breton Member
    edited February 2012

    I removed the links. There is some tricky javascript, which shows ads and suggests downloading a .zip archive. Forbidden is not really forbidden; some code gets executed and downloaded.

    Please, don't post those links.

  • @breton said: Please, don't post those links.

    Ah alright, sorry about that. But yeah, anyone have tips/tricks for these type of situations?

  • breton Member
    edited February 2012

    Depending on the user agent it suggests different links - it showed "forbidden" page for my Iceweasel (all hail noscript) and sent some binary data to curl.

  • @breton said: it showed "forbidden" page for my Iceweasel (all hail noscript) and sent some binary data to curl.

    Hmm, I'm not even sure what those are; but I know he downloaded it to his VPS and then ran it inside a hidden folder.

  • Aldryic Member
    edited February 2012

    Iceweasel is the Debian answer to Firefox. Noscript is a highly useful tool that prevents hijack scripts (like what was on those links) from maliciously affecting your PC (among other things).

  • Opera Here o_O

    PS: OMG, there are moderators! :D

  • Finally decided to install noscript. :3

  • Francisco Top Host, Host Rep, Veteran

    You could start by not selling on hackforums and drawing unneeded attention to that kinda crap.

    There's no public software that assists in monitoring VPS nodes; you'd have to develop something like we did. I just recently wrote a kernel module that speeds up detection to < 0.01 seconds, so I'm pretty damn excited :D

    Francisco

  • yomero Member
    edited February 2012

    Probably you need to download them 2 times? (cookie stuff?) Because... I got da zips! :D

    And they contain lots of files, if someone wants to read...

    http://www.kentoyer.com/2009/12/21/removing-the-shv5-rootkit/

    The other one seems like something related to IRC o_O

  • @Francisco said: You could start by not selling on hackforums and drawing unneeded attention to that kinda crap.

    Well, we have already stopped paying for pinned threads; but I don't mind advertising there since we've only had 3 abusers in the past month while we still gained some legit users.

    Detection is not a problem; it's just the prevention from allowing them to use that kind of script which bypasses the BW counter in SolusVM.

  • Francisco Top Host, Host Rep, Veteran

    @AsuraHosting said: Detection is not a problem; it's just the prevention from allowing them to use that kind of script which bypasses the BW counter in SolusVM.

    It isn't 'bypassing' it; it's simply that Solus hasn't had accurate BW accounting in a very long time. I've heard multiple complaints from people on my MSN who report their nodes showing 10 - 15TB usage and they get an overage bill, but Solus only reported maybe 5 - 6 TB usage.

    Francisco

  • @DotVPS said: Have you tried Maldet?

    Again, detection is not the problem; I'm more interested in the prevention method for allowing them to bypass the BW counter.

  • @Francisco said: It isn't 'bypassing' it, it's simply solus hasn't had accurate BW accounting in a very long time.

    I doubt this is the case, because when the past abusers used their Perl scripts, I was able to clearly see the BW usage... exact transmission speed and time. But this script literally allowed them to go under the radar.

  • Francisco Top Host, Host Rep, Veteran

    @AsuraHosting said: I doubt this is the case, because when the past abusers used their perl scripts; I was able to clearly see the BW usage... exact transmission speed and time. But this script, it literally allowed them to go under the radar.

    Stealth uses a simple UDP port flood; it's nothing special. Solus uses iptables to do all accounting for IPs, so unless the VM isn't documented in the FORWARD chains, iptables will see it.

    Francisco
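  • As an added illustration of the point above (this is not code from the thread, from SolusVM or from Francisco's tooling): if per-IP bandwidth accounting lives in iptables counting rules in the FORWARD chain, then a container whose IP has no rule there generates traffic the host interface graphs see but the panel never attributes. The script below reads `iptables -nvxL FORWARD` output and a list of container IPs and reports any IP with no counting rule in either direction, plus the accounted byte totals per IP. The FORWARD output and the container list are constructed samples using RFC 5737 documentation addresses, and the rule layout (target-less counting rules) is an assumption; on a real node you would substitute the live `iptables -nvxL FORWARD` output and the node's own container IP list (e.g. from `vzlist -a -o ctid,ip`).

```shell
#!/bin/sh
# Added example: cross-check iptables FORWARD accounting rules against the
# container IPs a node thinks it hosts. Not from SolusVM or the thread.

# Constructed sample of `iptables -nvxL FORWARD` (assumed target-less
# counting rules, one per direction per IP). 192.0.2.12 has no rules.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1204533 1503118812            all  --  *      *       0.0.0.0/0            192.0.2.10
  982110  139330011            all  --  *      *       192.0.2.10           0.0.0.0/0
   44012   59113002            all  --  *      *       0.0.0.0/0            192.0.2.11
   30110    4101010            all  --  *      *       192.0.2.11           0.0.0.0/0'

# Constructed list of container IPs as assigned on the host.
CONTAINER_IPS='192.0.2.10
192.0.2.11
192.0.2.12'

# rules_for_ip IP: number of FORWARD rules naming IP as source or destination.
# Source and destination are taken from the last two columns so an empty
# target column cannot shift the fields.
rules_for_ip() {
    printf '%s\n' "$SAMPLE_FORWARD" | awk -v ip="$1" '
        NR <= 2 { next }                      # chain line and column header
        $NF == ip || $(NF-1) == ip { n++ }
        END { print n + 0 }'
}

# bytes_for_ip IP DIRECTION: accounted bytes for IP; "in" sums rules whose
# destination is IP, "out" sums rules whose source is IP.
bytes_for_ip() {
    printf '%s\n' "$SAMPLE_FORWARD" | awk -v ip="$1" -v dir="$2" '
        NR <= 2 { next }
        dir == "in"  && $NF == ip     { sum += $2 }
        dir == "out" && $(NF-1) == ip { sum += $2 }
        END { printf "%.0f\n", sum + 0 }'
}

# missing_accounting: print every container IP with no FORWARD rule at all,
# i.e. traffic the host NIC carries but the per-IP counters never see.
missing_accounting() {
    printf '%s\n' "$CONTAINER_IPS" | while read -r ip; do
        [ -n "$ip" ] || continue
        if [ "$(rules_for_ip "$ip")" -eq 0 ]; then
            printf '%s\n' "$ip"
        fi
    done
}

# Stand-alone usage: per-IP totals, then the IPs that are not accounted.
printf '%s\n' "$CONTAINER_IPS" | while read -r ip; do
    [ -n "$ip" ] || continue
    printf '%-12s in=%s out=%s rules=%s\n' "$ip" \
        "$(bytes_for_ip "$ip" in)" "$(bytes_for_ip "$ip" out)" "$(rules_for_ip "$ip")"
done
printf 'unaccounted: %s\n' "$(missing_accounting | tr '\n' ' ')"
```

    A gap between the node's interface counters (for example from /proc/net/dev) and the sum of these per-IP byte counters is the same symptom the original post describes, and the unaccounted list is the first place to look for it.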

  • @Francisco said: Solus uses iptables to do all accounting for IPs, so unless the VM isn't documented in the FORWARD chains, iptables will see it.

    Ah I see... thanks.
