VPS Hacked without even login?
Hey,
So I tried today to log in to my KVM and guess what happened: ReadOnly Mode. Someone hacked into SSH without triggering my SSH login alert and nulled every bit of data on my HDD on a KVM VPS. As my provider told me, I am not the only one; he said maybe some SSH security hole, and I should disable SSH for the next weeks to prevent this.
So 3 days ago someone broke into my KVM, as Observium shows a user caused high CPU load, but how can a user null the complete HDD?
Comments
Were you running any website on the VPS?
Just a Garry's Mod game server with a subuser.
Not sure how they would be able to do that. I've had one of my VPSs hacked in the past because I was running a site with vulnerable code. But seeing as you're running no web servers, and have no SSH notifications, I'm not so sure.
If the host said you're not the only one, then maybe it's something on their end.
Easier to wipe a disk:
dd if=/dev/zero of=/dev/sda
(Don't test it - it won't ask for confirmation before trashing your disk)
@MarkTurner without root?
I will try it
Are you certain they got in through ssh? Would like to hear more about this if you don't mind sharing.
@infinity580 - How do you know they didn't have root? What about sudo, was that set up with/without password?
@MarkTurner I get login notifications and they work, also when you try sudo. Yeah, everything had passwords with 12-16 letters and special characters, and Observium shows only high user CPU load, not the system/root itself. Also no root login, as Observium displays it.
So a root priv escalation? Compromised daemon?
Garrymod runs as root or as non-root?
If you boot your server from rescue system - is there anything left on the disk? If you dd from the disk to a file - is the output all zeros?
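One way to answer that question from a rescue system, as an added example and not code posted in the thread: the first function reports whether a disk or a disk image reads back as nothing but NUL bytes, the second reports where the first non-zero byte sits, which tells a zeroed partition table apart from a disk that was overwritten end to end. The device name /dev/vda and the image path are assumptions.

```shell
#!/bin/sh
# Blank-disk check to run from a rescue system. Added example, not from the
# thread. Assumes the argument is a readable block device (e.g. /dev/vda) or an
# image of it taken with:  dd if=/dev/vda of=/mnt/rescue/disk.img bs=4M

# Prints "all-zero" and returns 0 if every byte reads as NUL,
# otherwise prints "data-present" and returns 1.
disk_is_zeroed() {
  dev="$1"
  # tr strips every NUL byte; head stops at the first byte that survives,
  # so a non-blank disk is detected without reading it to the end.
  survivors=$(tr -d '\000' < "$dev" | head -c 1 | wc -c | tr -d ' ')
  if [ "$survivors" -eq 0 ]; then
    echo "all-zero"
    return 0
  fi
  echo "data-present"
  return 1
}

# Prints the 1-based offset of the first non-zero byte (empty output if there
# is none). Distinguishes "only the partition table was zeroed" from
# "the whole disk was overwritten".
first_nonzero_offset() {
  dev="$1"
  # cmp stops at the first difference from /dev/zero; GNU cmp reports
  # "differ: byte N", BusyBox "differ: char N". The EOF message printed for an
  # all-zero device goes to stderr and is discarded.
  cmp "$dev" /dev/zero 2>/dev/null \
    | sed -n -e 's/.*differ: byte \([0-9]*\).*/\1/p' \
             -e 's/.*differ: char \([0-9]*\).*/\1/p'
}

# Usage: sh zerocheck.sh /dev/vda
if [ -n "$1" ]; then
  disk_is_zeroed "$1" && exit 0
  echo "first non-zero byte at offset $(first_nonzero_offset "$1")"
fi
```

Run it against an image rather than the live device where you can, and take that image before reinstalling: once the provider reimages the VPS, the only evidence of what was written to the disk is gone.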
Everything is nulled multiple times, so gone. Garry's Mod, as I wrote before if you read it, was run by a subuser, not root, also with snmp. So nothing was run by root; I care about security.
This is quite strange, you might have had something that could have been loop-holed on your drive or something? Outdated applications and such.
EDIT: Looks like with the CPU, brute force attack?
Everything was up to date, just SSH and a game server/snmpd running on it.
When you signed up with the host, did you use a silly temp pass like 50% of people do, such as changeme, password1, abc123 etc., then only change the root password on the VPS and not in WHMCS and SolusVM and VNC?
@infinity580 - use an off-server syslog server for the future, then you'll be able to see logins/failed logins/segfaults/etc and if the box gets trashed again then you can at least get more data for a basic post mortem.
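What that off-server syslog setup looks like in rsyslog's legacy directive syntax (the one Debian Wheezy's rsyslog 5 understands), as an added example and not configuration from the thread. The hostname logs.example.com, the file names and the queue sizes are assumptions; the disk-assisted queue on the client buffers messages while the log host is unreachable, so a cut link does not silently cost you the lines written meanwhile.

```conf
## On the VPS: /etc/rsyslog.d/10-remote.conf
# On-disk queue that holds messages while the log host cannot be reached.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# Forward everything; "@@" is TCP, a single "@" would be UDP.
*.* @@logs.example.com:514

## On the log host: /etc/rsyslog.d/10-receive.conf
$ModLoad imtcp
$InputTCPServerRun 514
# One file per sending host and program, e.g. /var/log/remote/vps1/sshd.log
$template RemoteLog,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLog
& ~
```

Plain TCP syslog is neither encrypted nor authenticated, so restrict port 514 on the log host to the VPS address with iptables, and keep the log host with a different provider or at least on a different node: a log server that sits on the same box as the one being wiped is no help in a post-mortem.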
Which OS/distro was on this box?
@MarkTurner Wheezy
@AnthonySmith the box was reinstalled because IPv6 wasn't working anymore, because of changed subnets, so other password etc.
Yeah, but that would not change your WHMCS or VNC password if you used a silly one during initial sign up; SolusVM is great like that, it defaults to your 'stored' initial password.
Just thinking: it is possible someone scanned some common VPS VNC ports, you left it logged in on console, and they connected with VNC with a silly default password.
edit: unlikely scenario but just thinking out loud.
Is it me, or do I recall you have been hacked several times?
First time in 2 years.
Oh OK sorry
There have been post-Heartbleed bugs reported. www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/
I whitelist IPs for SSH nowadays; that should theoretically mitigate newly discovered vulnerabilities, or at least most of them. When available I'd do it in iptables.
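An iptables allow-list for SSH of the kind described above, as an added example and not code posted in the thread. The function prints the rules instead of applying them so they can be reviewed first; port 2222 and the networks in the usage line are placeholders from the RFC 5737 documentation ranges, not addresses from the thread.

```shell
#!/bin/sh
# Generate iptables rules that admit SSH only from an allow-list of source
# networks. Added example, not from the thread; the port and networks are
# placeholders. The function only prints the commands; apply them with:
#   ssh_whitelist_rules 2222 203.0.113.0/24 198.51.100.7 | sh
ssh_whitelist_rules() {
  port="$1"
  shift
  # Packets of sessions already open keep flowing, so applying the rules from
  # an existing SSH session does not cut that session off.
  echo "iptables -A INPUT -p tcp --dport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # One ACCEPT per allowed source network.
  for net in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
  done
  # Rate-limited log line (kernel facility, so it reaches syslog and any
  # remote log host), then drop everything that was not whitelisted.
  echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"ssh-blocked: \""
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}
```

Two things to check before piping this into sh: the list must include the address you administer from (and the console or rescue network the provider uses, if you rely on it), and the rules do not survive a reboot on their own, so save them with iptables-save and restore them at boot, for example via iptables-persistent on Debian.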
What has OpenSSH got to do with OpenSSL?
They've both got Open in it therefore they must be related and therefore...
Or maybe your SSH connection is encrypted using magic beans.
Are you sure the host node wasn't rebooted and it caused the disk image to appear to be wiped? I've heard of that happening, but never experienced it myself.
That's far more likely than getting hacked over ssh (imo).
OpenSSH uses LibSSL (OpenSSL) for encryption. It doesn't use it for session negotiation though, so heartbleed didn't affect it.
openssh-server depends on libssl. The snmp daemon might also use OpenSSL? CVE-2014-0195 apparently could lead to execution of arbitrary code, but I have no idea if that's what happened here.
Linux also just had CVE-2014-3153 with privilege escalation. Your provider said this happened to other customers? Maybe another container on the node was compromised and then escaped the container? Unlikely I suppose, but obviously I'm just spitballing here.
edit: I reread OP and realized it's KVM, so even less likely it was another VM on the same node.
I have seen it too, but I dismissed it as those were recent VMs which could have not been set up yet. But we had so few KVM reboots (2) so far that I didn't dig further (check Solus logs, for example) and nobody complained.
Sorry to hear of your loss. Did you use SSH keys for extra protection, with the port changed to non-22?
I use a different port, yes, but I didn't use keys for that box at this time.
He told me they were on different nodes; as the support also told me, my HDD was nulled multiple times; I didn't see it myself.
Before I rebooted the VPS, first VNC login: