Virmach is charging suspension/administration fee for a canceled service - Page 5

Comments

  • Xei Member
    edited March 2019

    I have no idea what you're saying. None of my other VPSes have ever been compromised with the base Debian template after performing aptitude updates and installing SSH Guard. In any case, given I have VPSes that are in some cases 5+ years old and they're not compromised and fine... I have enough faith in Debian if it's unaltered w/o extra services. I have nginx on a few and some other daemons without issues, granted I installed those myself. In any case, this is kind of derailing the thread, so people should make a new thread about default templates if they want to continue. /end

  • AnthonySmith Member, Patron Provider

    This topic is so off topic now it reminds me of Damien.

    You had to be there.


    Thanked by 2: Xei, uptime
  • uptime Member
    edited March 2019

    @AnthonySmith said:
    This topic is so off topic now it reminds me of Damien.

    not sure but I believe that this thread at one point was explicitly claimed as Soverign Letizen Territorah ...

    Maybe best to start a new thread about securing after installation from default debian template(s) ...

    @Xei said:
    [...]
    I do wonder if you installed fail2ban, check history?

    Yup - I checked history, I am sure that sudo is the only package I installed via apt or any other method.

    @Xei said:
    [...]
    apt-get update && apt-get upgrade

    That's the exact same command that I used.

    I now prefer to use apt update && apt --with-new-pkgs upgrade

    But not sure that would make a difference in this case.

    My BF-SPECIAL-OVZ is on node NYOVZ12 with 640 MB ram / 30 GB ssd, ordered on November 25 2018

    Here are the 217 packages currently installed as per dpkg:

    adduser apt apt-utils base-files base-passwd bash bsdmainutils bsdutils bzip2 coreutils cpio cron dash dbus debconf debconf-i18n debian-archive-keyring debianutils dh-python diffutils dmidecode dmsetup dpkg e2fslibs:amd64 e2fsprogs fail2ban file findutils gcc-6-base:amd64 gnupg gnupg-agent gpgv grep gzip hostname ifupdown init init-system-helpers iproute2 iptables iputils-ping isc-dhcp-client isc-dhcp-common kmod krb5-locales libacl1:amd64 libapparmor1:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 libassuan0:amd64 libattr1:amd64 libaudit-common libaudit1:amd64 libblkid1:amd64 libbsd0:amd64 libbz2-1.0:amd64 libc-bin libc6:amd64 libcap-ng0:amd64 libcap2:amd64 libcomerr2:amd64 libcryptsetup4:amd64 libdb5.3:amd64 libdbus-1-3:amd64 libdebconfclient0:amd64 libdevmapper1.02.1:amd64 libdns-export162 libedit2:amd64 libelf1:amd64 libestr0 libexpat1:amd64 libfastjson4:amd64 libfdisk1:amd64 libffi6:amd64 libgcc1:amd64 libgcrypt20:amd64 libgdbm3:amd64 libgmp10:amd64 libgnutls30:amd64 libgpg-error0:amd64 libgssapi-krb5-2:amd64 libhogweed4:amd64 libidn11:amd64 libidn2-0:amd64 libip4tc0:amd64 libip6tc0:amd64 libiptc0:amd64 libisc-export160 libk5crypto3:amd64 libkeyutils1:amd64 libkmod2:amd64 libkrb5-3:amd64 libkrb5support0:amd64 libksba8:amd64 liblocale-gettext-perl liblogging-stdlog0:amd64 liblognorm5:amd64 liblz4-1:amd64 liblzma5:amd64 libmagic-mgc libmagic1:amd64 libmnl0:amd64 libmount1:amd64 libmpdec2:amd64 libncurses5:amd64 libncursesw5:amd64 libnetfilter-conntrack3:amd64 libnettle6:amd64 libnewt0.52:amd64 libnfnetlink0:amd64 libnpth0:amd64 libp11-kit0:amd64 libpam-modules:amd64 libpam-modules-bin libpam-runtime libpam-systemd:amd64 libpam0g:amd64 libpcre3:amd64 libpipeline1:amd64 libpopt0:amd64 libprocps6:amd64 libpsl5:amd64 libpython-stdlib:amd64 libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 libpython3-stdlib:amd64 libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 libreadline7:amd64 libseccomp2:amd64 libselinux1:amd64 libsemanage-common libsemanage1:amd64 libsepol1:amd64 libslang2:amd64 libsmartcols1:amd64 libsqlite3-0:amd64 libss2:amd64 libssl1.0.2:amd64 libssl1.1:amd64 libstdc++6:amd64 libsystemd0:amd64 libtasn1-6:amd64 libtext-charwidth-perl libtext-iconv-perl libtext-wrapi18n-perl libtinfo5:amd64 libudev1:amd64 libunistring0:amd64 libustr-1.0-1:amd64 libuuid1:amd64 libwrap0:amd64 libx11-6:amd64 libx11-data libxapian30:amd64 libxau6:amd64 libxcb1:amd64 libxdmcp6:amd64 libxext6:amd64 libxmuu1:amd64 libxtables12:amd64 login logrotate lsb-base mawk mime-support mount multiarch-support nano ncurses-base ncurses-bin ncurses-term net-tools netbase openssh-client openssh-server openssh-sftp-server passwd perl-base pinentry-curses procps python python-minimal python2.7 python2.7-minimal python3 python3-minimal python3-pyinotify python3-systemd python3.5 python3.5-minimal readline-common rsyslog sed sensible-utils ssh sudo systemd systemd-sysv sysvinit-utils tar tasksel tasksel-data tcpd tzdata ucf udev util-linux vim-common vim-tiny wget whiptail whois xauth xxd xz-utils zlib1g:amd64

    I haven't gone over this list with a fine-tooth comb but xauth was the only thing that stood out as potentially interesting.

    I'm of the opinion that Virmach generally has their act together but that's just based on my relatively limited experience with them over the last couple years (mostly on KVM with debian installed from ISO, just a couple OVZ installed from template).

    Anyway, I'd be interested to learn more about what happened but in fairness to Virmach (and as a general principle) would suggest focusing on explanations beyond their default template. The welcome emails also contain login information for the VNC console, and I suspect people may not be as quick to update that password as they would (hopefully) know to do for their VPS. So be sure to consider that possibility as well.

    EDIT2:

    As they say, there's more than one way to skin a buffalo ...

    Thanked by 1: eol
  • eol Member
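An added example for the "check history" exchange above (written for this page, not code posted by uptime, Xei or anyone else in the thread): two small shell functions that answer "what did I actually install on this box?" from the machine's own records instead of memory. The first parses an apt history log (the format of /var/log/apt/history.log) and keeps only packages named on "Install:" lines without the ", automatic" marker apt puts on dependencies it pulled in itself; the second diffs the current dpkg package list against a known-good baseline such as a freshly provisioned VPS from the same template. The history log and package lists used below are constructed for the example (the package names are real Debian names, but the log is invented and is not the poster's log); on a real machine point the functions at /var/log/apt/history.log and at dpkg-query output.

```shell
#!/bin/sh
# Added example, not code from the thread. Reconstruct what was installed by
# hand on a Debian VPS so a claim like "sudo is the only package I installed"
# can be checked against records rather than recollection.
#
# Sources on a live box (not needed to run this script):
#   /var/log/apt/history.log*        every apt/apt-get transaction ("Install:" lines;
#                                    rotated copies need zcat)
#   apt-mark showmanual              packages apt flags as manually installed
#   dpkg-query -W -f='${Package}\n'  everything currently installed

# Print packages explicitly installed according to an apt history log ($1).
# Entries on an "Install:" line look like
#   sudo:amd64 (1.8.19p1-2.1), whois:amd64 (5.2.17, automatic)
# ", automatic" marks a dependency apt chose on its own; those are dropped,
# as is the :arch suffix.
apt_history_manual() {
    awk '
    /^Install: / {
        sub(/^Install: /, "")
        n = split($0, ents, /\), */)              # one entry per "name (version[, automatic])"
        for (i = 1; i <= n; i++) {
            e = ents[i]
            if (e ~ /, automatic\)?$/) continue   # auto-installed dependency
            sub(/ \(.*$/, "", e)                  # strip "(version...)"
            sub(/:[a-z0-9]+$/, "", e)             # strip architecture suffix
            if (e != "") print e
        }
    }' "$1" | LC_ALL=C sort -u
}

# Print packages present in a current package list ($2) but absent from a
# baseline list ($1). One package per line in each file; :arch suffixes are
# ignored so raw dpkg-query output compares cleanly against a hand-written list.
new_since_baseline() {
    b=$(mktemp) && c=$(mktemp) || return 1
    sed 's/:[a-z0-9]*$//' "$1" | LC_ALL=C sort -u > "$b"
    sed 's/:[a-z0-9]*$//' "$2" | LC_ALL=C sort -u > "$c"
    LC_ALL=C comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Constructed sample apt history log (made up for this example; it is not the
# log of the VPS discussed in the thread).
write_sample_history() {
    cat > "$1" <<'EOF'
Start-Date: 2018-11-25  20:14:03
Commandline: apt-get install sudo
Install: sudo:amd64 (1.8.19p1-2.1)
End-Date: 2018-11-25  20:14:06

Start-Date: 2018-11-26  09:02:11
Commandline: apt-get install fail2ban
Install: fail2ban:amd64 (0.9.6-2), python3-pyinotify:amd64 (0.9.6-1, automatic), whois:amd64 (5.2.17, automatic)
End-Date: 2018-11-26  09:02:15

Start-Date: 2018-12-01  03:30:00
Commandline: apt-get upgrade
Upgrade: libssl1.1:amd64 (1.1.0f-3+deb9u2, 1.1.0j-1~deb9u1)
End-Date: 2018-12-01  03:30:20
EOF
}

# Demonstration on the constructed data above.
log=$(mktemp); base=$(mktemp); cur=$(mktemp)
write_sample_history "$log"
printf '%s\n' adduser apt bash openssh-server > "$base"                  # constructed baseline
printf '%s\n' adduser apt bash openssh-server sudo:amd64 xauth > "$cur"  # constructed "now"
echo "explicitly installed per apt history:"; apt_history_manual "$log"
echo "present now but not in baseline:";      new_since_baseline "$base" "$cur"
rm -f "$log" "$base" "$cur"
```

The two views are deliberately independent: the history log only sees what went through apt (a package dropped in with dpkg -i, or one the template shipped with, never appears there), while the baseline diff catches anything present on disk regardless of how it arrived, but needs a trustworthy baseline to compare against.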

    The xauth program is used to edit and display the authorization information used in connecting to the X server. This program is usually used to extract authorization records from one machine and merge them in on another (as is the case when using remote logins or granting access to other users).

    https://www.x.org/archive/current/doc/man/man1/xauth.1.xhtml

    Thanked by 1: uptime
  • uptime Member
    edited March 2019

    Indeed - I suspect having xauth in the mix would have something to do with forwarding the X11 protocol via ssh, which is a common practice.

    Anyway, I see @Xei has started a new thread for discussion: https://www.lowendtalk.com/discussion/156020/admins-how-do-you-analyze-a-compromised-vps-or-node

  • eol Member
    edited March 2019

    EDIT2:
