Vulnerability in SolusVM Debian 10 template - "debianuser" backdoor/default user - Page 3
Comments

  • DP Administrator, The Domain Guy

    @zafouhar said: What does the username have to do with anything since the recommended solution is to reinstall the VPS?

    Not everyone uses templates, and not everyone uses ISOs either.

    This is just a heads-up for those who are using templates, informing them of a possible backdoor found in the Debian (and maybe Ubuntu) templates provided by Solus.

    @zafouhar said: Why is there a working hack posted in this forum when there are possibly thousands of VPS's and users affected by this?

    This isn't a howto - it's an FYI/FYA.

  • @zafouhar said:
    I believe the @Mods should remove all mentions of the username of this attack for a few days.

    This is a serious vulnerability, publishing the username used to hack VPS's should not have been done.

    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    @FAT32 your immediate action is recommended.

    bro, are you braindead?

  • @zafouhar said:
    Why is there a working hack posted in this forum when there are possibly thousands of VPS's and users affected by this?

    It would only be classified as a working hack if someone posted a working password for the user.

    Thanked by Erisa, jixun
  • @cold said:

    @zafouhar said:
    I believe the @Mods should remove all mentions of the username of this attack for a few days.

    This is a serious vulnerability, publishing the username used to hack VPS's should not have been done.

    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    @FAT32 your immediate action is recommended.

    bro, are you braindead?

    Can't be, but maybe he is too stoned to think properly.

  • Ok. debianuser existed on 2 specials I got from Virmach during the last BF.
    Looks like debianuser had no sudo privileges.
    Luckily for me, I change the SSH port and disable password auth as soon as I get a box.

  • For me, it was RackNerd and Greencloud. I removed the user and can't see anything suspicious, but will probably re-install both at the weekend to be sure.

  • omelas Member
    edited February 2021

    My idle Virmach VPS has a logout record for debianuser on Jan 31:
    Jan 31 16:49:51 sshd[29268]: Disconnected from authenticating user debianuser 205.185.125.189 port 57656 [preauth]
    so it was on the fly for a while.

  • varwww Member
    edited February 2021

    Hetzner (no SolusVM) Debian - no debianuser, but someone attempted to log in

    # grep 'debianuser' /var/log/auth.log
    Feb  2 02:39:59 zzz sshd[4717]: Invalid user debianuser from 205.185.125.189 port 43644
    Feb  2 02:39:59 zzz sshd[4717]: Disconnected from invalid user debianuser 205.185.125.189 port 43644 [preauth]
    Feb  2 02:48:09 zzz sshd[4825]: Invalid user debianuser from 205.185.125.189 port 38782
    Feb  2 02:48:09 zzz sshd[4825]: Disconnected from invalid user debianuser 205.185.125.189 port 38782 [preauth]
    
  • MikeA Member, Patron Provider
    edited February 2021

    @varwww said:
    Hetzner (no SolusVM) Debian - no debianuser, but someone attempted to log in

    # grep 'debianuser' /var/log/auth.log
    Feb  2 02:39:59 zzz sshd[4717]: Invalid user debianuser from 205.185.125.189 port 43644
    Feb  2 02:39:59 zzz sshd[4717]: Disconnected from invalid user debianuser 205.185.125.189 port 43644 [preauth]
    Feb  2 02:48:09 zzz sshd[4825]: Invalid user debianuser from 205.185.125.189 port 38782
    Feb  2 02:48:09 zzz sshd[4825]: Disconnected from invalid user debianuser 205.185.125.189 port 38782 [preauth]
    

    Bots will always attempt logins on the public internet.

    This just seems like a common issue with weak passwords and default users, am I wrong? Taking a few minutes of time to secure a server would prevent this.

  • That IP belongs to frantech :D I use SSH keys instead of passwords.

  • @ravenchad said:

    @Daniel15 said:
    @strmd If password login is disabled then you should be safe. Just check last and /var/log/auth.log and ensure there's no suspicious logins.

    As a side note, for storage servers I'd usually recommend creating a separate partition (or LVM logical volume) for the data. For example, 15 GB for /, and the rest of the space for /data. Then you can wipe and reinstall the OS without having to touch the data.

    I am not sure if just deleting the user will solve it and is considered safe already?
    Thanks

    I'd reinstall just to be safe.

    @dustinc said:

    @ABC said:
    I recently purchased a VPS from RackNerd, I chose Debian 10 template and there was indeed a "debianuser" user, however I've deleted it immediately.
    Should I reinstall? @dustinc

    Hi @ABC -- As a precautionary measure, we'd recommend doing so.

  • @MikePT said:

    @Francisco said:
    Instead of trying to fix the EXT4 issues (Debian uses a newer version of EXT4 that CentOS 7 can't handle) they just... use EXT3 instead.

    God bless SolusVM.

    Francisco

    If you are serious, that is hilarious!

    That's exactly what I thought when I was making our own templates. They don't support new features like uninit_bg and 64-bit, so you have to turn them off if you make your own ext4 partition. I guess they just revert to ext3 and call it a day.

  • @zafouhar said: The fact is that a lot of users will wake up with their VPS's hacked due to this exact post, but I guess it's all over Google in any case so too late.

    I'd agree with you if this wasn't being exploited in the wild, but given the fact that this is already being exploited, being vague about it is just security through obscurity, and makes it harder for people to determine if their servers were compromised as a result of the issue.

    Thanked by maverickp
  • @zafouhar said:
    I believe the @Mods should remove all mentions of the username of this attack for a few days.

    This is a serious vulnerability, publishing the username used to hack VPS's should not have been done.

    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    @FAT32 your immediate action is recommended.

    No. It's well established this is the wrong way to go once solutions are available. You'd be right if there was no defense.

  • We've already updated our Debian 10 templates accordingly. Reinstallations going forward will no longer have the redundant "debianuser" user in the template.

    @dustinc

    Pedantic user says "redundant" is incorrect and does not need to be said. It might actually confuse people, implying one debianuser is correct and two are wrong.

    Thanked by yoursunny
  • dustinc Member, Patron Provider, Top Host

    @TimboJones said:

    We've already updated our Debian 10 templates accordingly. Reinstallations going forward will no longer have the redundant "debianuser" user in the template.

    @dustinc

    Pedantic user says "redundant" is incorrect and does not need to be said. It might actually confuse people, implying one debianuser is correct and two are wrong.

    Hi @TimboJones - I can see how it could be taken that way. We could have worded that better. Thanks for pointing that out.

  • rm_ IPv6 Advocate, Veteran

    @TimboJones said: Reinstallations going forward will no longer have the redundant "debianuser" user in the template.

    Pedantic user says "redundant" is incorrect and does not need to be said.

    One could say saying "user" after "debianuser" is also redundant :)

  • dustinc Member, Patron Provider, Top Host

    @rm_ said:

    @TimboJones said: Reinstallations going forward will no longer have the redundant "debianuser" user in the template.

    Pedantic user says "redundant" is incorrect and does not need to be said.

    One could say saying "user" after "debianuser" is also redundant :)

    Indeed, it could be taken several ways, so I could see why he said that too.

  • rm_ IPv6 Advocate, Veteran

    Indeed, it could be taken several ways

    Oh, never mind, I'm just kidding. It's all fine as is :)

  • DP Administrator, The Domain Guy
    edited February 2021

    Was just reading @raindog308's post on LEB.

    This vulnerability has been associated with the CryptoNight miner. If you see a process called ‘cnrig’ on your system, you have definitely been compromised.

    Just to confirm, is it cnrig or xmrig? Or both?

    EDIT: Or I guess it could be either one - maybe both should be mentioned.

  • @thedp said: Just to confirm, is it cnrig or xmrig? Or both?

    I've seen reports of both. Just check for any sketchy-looking processes in general.

  • MikePT Moderator, Patron Provider, Veteran

    @msg7086 said:

    @MikePT said:

    @Francisco said:
    Instead of trying to fix the EXT4 issues (Debian uses a newer version of EXT4 that CentOS 7 can't handle) they just... use EXT3 instead.

    God bless SolusVM.

    Francisco

    If you are serious, that is hilarious!

    That's exactly what I thought when I was making our own templates. They don't support new features like uninit_bg and 64-bit, so you have to turn them off if you make your own ext4 partition. I guess they just revert to ext3 and call it a day.

    That's a workaround, not a fix. I was able to create a KVM image for Proxmox just fine though!

  • MikePT Moderator, Patron Provider, Veteran

    Has SolusVM emailed the providers about this?

    Thanked by DP
  • DP Administrator, The Domain Guy

    @MikePT said:
    Has SolusVM emailed the providers about this?

    Something I’ve been wondering about as well.

    Thanked by MikePT
  • Neoon Community Contributor, Veteran
    edited February 2021

    @thedp said:

    @MikePT said:
    Has SolusVM emailed the providers about this?

    Something I’ve been wondering about as well.

    I wonder more how this went into the template undetected.
    Or if there is more to discover and this is just the tip of the iceberg.

  • Well, at least now I know that every time I wasted time installing from ISO (I dislike templates) it was worth it.

    Thanked by yoursunny
  • udonworld Member
    edited February 2021

    Where is the announcement by SolusVM?

    The Debian 10 images linux-debian-10-x86_64-gen2-{v1,v2}.gz on templates.solusvm.com were apparently updated very recently - without even changing the filename. This alone doesn't smell good.

    Anyway, I downloaded the latest image locally to find out how they "patched" it... Geez, they just mounted the image and edited /etc/passwd and /etc/shadow instead of recreating the image from scratch!?

    $ ls -l /media/etc/{passwd,shadow}*
    -rw-r--r-- 1 root root   1346 Feb  2 20:03 /mnt/etc/passwd
    -rw-r--r-- 1 root root   1343 Oct 21  2019 /mnt/etc/passwd-
    -rw-r----- 1 root shadow  808 Feb  2 20:03 /mnt/etc/shadow
    -rw-r----- 1 root shadow  913 Oct 21  2019 /mnt/etc/shadow-
    $ grep debianuser /media/etc/passwd
    $ grep debianuser /media/etc/passwd-
    debianuser:x:1000:1000:DebianUser,,,:/home/debianuser:/bin/bash
    $ ls -l /media/home
    total 4
    drwxr-xr-x 2 k k 4096 Oct 21  2019 debianuser
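    The checks posters in this thread ran by hand (look for the account in passwd and the passwd- backup, check sudo membership and the shadow entry, grep auth.log, look for cnrig/xmrig processes) gathered into one script. This is an added example, not code from SolusVM or any poster; it assumes the standard Debian paths and takes an optional mount point so it can also audit an offline template image like the one inspected above.

```shell
#!/bin/sh
# Audit a Debian root (live "/" or a mounted SolusVM template image) for the leftover
# "debianuser" account and for signs it was used. Added example for this thread, not
# code from SolusVM or any poster; assumes the Debian paths and process names below.
USER_NAME="debianuser"
# $1 = root dir to audit ("" for the live system). Is the account in passwd?
account_present() {
    grep -qs "^${USER_NAME}:" "$1/etc/passwd"
}
# Is the account a member of the sudo group? (one poster reported it was not)
has_sudo() {
    grep -Eqs "^sudo:.*[:,]${USER_NAME}(,|$)" "$1/etc/group"
}
# Does the shadow entry allow password login (hash or empty, not locked with "!"/"*")?
has_password() {
    awk -F: -v u="$USER_NAME" '$1==u && $2 !~ /^[!*]/ {f=1} END {exit !f}' \
        "$1/etc/shadow" 2>/dev/null
}
# Number of accepted SSH logins for the account in auth.log (0 if none or no log file).
accepted_logins() {
    n=$(grep -Ec "sshd\[[0-9]+\]: Accepted (password|publickey) for ${USER_NAME} " \
        "$1/var/log/auth.log" 2>/dev/null) || true
    echo "${n:-0}"
}
# $1 = newline-separated process names (e.g. from `ps -eo comm=`). Count cnrig/xmrig.
miner_processes() {
    printf '%s\n' "$1" | grep -Ecx 'cnrig|xmrig' || true
}
audit() {
    r="${1%/}"   # "/" becomes "", so the paths below resolve on the live system
    if account_present "$r"; then
        echo "FOUND: ${USER_NAME} in ${r}/etc/passwd"
        has_sudo "$r" && echo "  WARNING: member of the sudo group"
        has_password "$r" && echo "  WARNING: shadow entry allows password login"
        echo "  accepted SSH logins for ${USER_NAME}: $(accepted_logins "$r")"
    else
        echo "OK: ${USER_NAME} not in ${r}/etc/passwd"
    fi
    # The silently edited template kept the old entry in the passwd- backup file.
    grep -qs "^${USER_NAME}:" "$r/etc/passwd-" && echo "NOTE: still listed in ${r}/etc/passwd-"
    if [ -z "$r" ]; then
        m=$(miner_processes "$(ps -eo comm= 2>/dev/null)")
        [ "$m" -gt 0 ] && echo "WARNING: $m cnrig/xmrig process(es) running"
    fi
    return 0
}
audit "${1:-/}"
```

    Run it as root on a live VPS, or pass the mount point of a downloaded template image (for example the /media or /mnt path used above) to check the image without booting it.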
    
  • Daniel15 Veteran
    edited February 2021

    @udonworld said: Geez, they just mounted the image and edited /etc/passwd and /etc/shadow instead of recreating the image from scratch!?

    They'd probably mess something else up if they tried to create a new one from scratch, since I doubt they've properly automated the creation of templates. My guess is that it's all manually done, compared to something like LXC where the images are automatically built.

    Am I seeing things right? They kept a copy of the original version and just added a hyphen to the end of the name (/etc/passwd-)? wut.

  • Francisco Top Host, Host Rep, Veteran

    @udonworld said: on templates.solusvm.com were apparently updated very recently - without even changing the filename. This alone doesn't smell good.

    Holy shit that's rich.

    Francisco

  • Francisco Top Host, Host Rep, Veteran

    That is a straight up "We think we're going to get sued so we'll silent patch this and hope no one calls us on our bullshit".

    Francisco
