

My vps was hacked

mtoledoce Member
edited March 2013 in General

This morning I had a "visit" coming from my activities on my VPS in Prometeus. Just there I configured a mail server and a few mailboxes; well, it was hacked. After one year in LEB providers with the same "anti-hacker" policies (strong passwords, furious firewall, etc.) this happened to me. Maybe a coincidence, but it just happened there. I put down the VPS and reset all passwords; my "visitor" was coming from Romania with IPv6. Probably he read all my tweets too :)


Comments

  • wat

  • Then secure your server better

  • @superpilesos said: Then secure your server better

    Thanks for the advice; I never needed more than changing the SSH port, strong passwords and a strong firewall before.

  • @Jack said: What's your point in writing this?

    Well, here come users and providers. My experience is for users.

  • @mtoledoce said: furious firewall

    LOL!

  • @mtoledoce said: and strong firewall before.

    What did your firewall rules look like? Did you only set up iptables and not ip6tables?

  • Which OS? Which version? When was the last time you applied all the security patches?
    Most of the visits don't use ssh or a password. Most are due to a security breach somewhere: find a way to execute a command or upload and execute a file that will install a (back)door.
    Do you know how he entered?

  • I keep getting brute force login attacks on my new cpanel server that's been up about two months now. I don't know how people find it on the internet but I guess that's what losers do. You're obviously incapable of creating, so why not destroy something?

  • @Jack said: Sorry, I forgot: as I am a provider I can't be a user/human, can I?

    Just with a skewed point of view. Try to be fair.

  • @kontam said: I keep getting brute force login attacks on my new cpanel server

    I use Fail2Ban in all my containers, even with no important info, as in the Prometeus VPS; this is my first month there. Very sad, I heard good things.

  • @mtoledoce said: Fail2Ban

    Here is your problem - fail2ban doesn't support ipv6. It can't protect you from anything coming over ipv6.

  • @mtoledoce said: even with no important info, as in the Prometeus VPS; this is my first month there. Very sad, I heard good things.

    But it is not their fault. The chance would be just the same if you had signed up to any other unmanaged provider.

  • Well, this is exactly why we don't provide ipv6 by default, the user must explicitly request it to be activated. Ignorant users don't know what ipv6 is, how to use it, how to protect themselves from things coming via ipv6 (ip6tables), rely on some stinky 3rd party tools (fail2ban) without reading their documentation, etc. And then somehow it's the provider's fault...
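    The point made in this post, and in the earlier question about iptables versus ip6tables, can be checked mechanically. The script below is an added example, not code from the thread or from any of the projects mentioned: it parses the text of `iptables-save` and `ip6tables-save` dumps and reports which IPv4 policies, chains and rules have no IPv6 counterpart, then emits the ip6tables commands that would close the gap. The two dumps embedded in it are constructed sample input (the `f2b-sshd` chain name and the banned address are made up for the example, not taken from the thread), and the ICMPv6 allow rule is the script's own addition, because an IPv6 INPUT chain with a DROP policy and no ICMPv6 exception breaks neighbour discovery.

```python
"""Parity check between an IPv4 (iptables) and an IPv6 (ip6tables) rule set.

Added example. Rules written only for iptables, including the bans that
fail2ban inserts there, do nothing for connections arriving over IPv6
unless ip6tables carries an equivalent policy. This script compares the
two filter tables and lists what the IPv6 side is missing.
"""
import re

# Constructed sample dumps in iptables-save format. The IPv4 side has a
# tightened INPUT policy plus a fail2ban-style chain; the IPv6 side is the
# untouched distro default (everything ACCEPT, no rules at all).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
"""

IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

BUILTIN_POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT) \[")
USER_CHAIN_RE = re.compile(r"^:(\S+) - \[")
# Options that carry an address literal; these can never be copied verbatim
# from IPv4 to IPv6 and are reported separately for manual translation.
ADDRESS_OPTS = {"-s", "-d", "--source", "--destination", "--src-range", "--dst-range"}
# Script's own addition: an IPv6 INPUT chain with policy DROP must still
# accept ICMPv6, otherwise neighbour discovery and PMTU stop working.
ICMPV6_BASELINE = "-A INPUT -p ipv6-icmp -j ACCEPT"


def parse_filter_table(dump):
    """Return (built-in chain policies, user chains, rules) of the *filter table."""
    policies, chains, rules = {}, set(), []
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        policy = BUILTIN_POLICY_RE.match(line)
        user = USER_CHAIN_RE.match(line)
        if policy:
            policies[policy.group(1)] = policy.group(2)
        elif user:
            chains.add(user.group(1))
        elif line.startswith("-A "):
            rules.append(" ".join(line.split()))  # normalise whitespace
    return policies, chains, rules


def compare_rulesets(v4_dump, v6_dump):
    """Report IPv4 policies, chains and rules with no IPv6 counterpart."""
    v4_pol, v4_chains, v4_rules = parse_filter_table(v4_dump)
    v6_pol, v6_chains, v6_rules = parse_filter_table(v6_dump)
    v6_set = set(v6_rules)
    # A chain is a policy gap when IPv4 defaults to DROP/REJECT but IPv6 ACCEPTs.
    policy_gaps = sorted(chain for chain, pol in v4_pol.items()
                         if pol != "ACCEPT" and v6_pol.get(chain, "ACCEPT") == "ACCEPT")
    missing, address_specific = [], []
    for rule in v4_rules:
        if rule in v6_set:
            continue
        if ADDRESS_OPTS & set(rule.split()):
            address_specific.append(rule)
        else:
            missing.append(rule)
    return {
        "policy_gaps": policy_gaps,
        "missing_chains": sorted(v4_chains - v6_chains),
        "missing_rules": missing,
        "address_specific": address_specific,
    }


def ip6tables_commands(report):
    """Turn a report into the ip6tables commands that would restore parity."""
    cmds = [f"ip6tables -N {chain}" for chain in report["missing_chains"]]
    cmds += [f"ip6tables -P {chain} DROP" for chain in report["policy_gaps"]]
    if "INPUT" in report["policy_gaps"]:
        cmds.append(f"ip6tables {ICMPV6_BASELINE}")
    cmds += [f"ip6tables {rule}" for rule in report["missing_rules"]]
    return cmds


if __name__ == "__main__":
    report = compare_rulesets(IPTABLES_SAVE, IP6TABLES_SAVE)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("\n".join(ip6tables_commands(report)))
```

    On a real host the two dumps come from `iptables-save` and `ip6tables-save` run as root. Mirroring the static rules is only half the fix: the bans fail2ban inserts dynamically still land only in the table fail2ban writes to, which is the limitation the post describes, so a banned source keeps its IPv6 path unless the ban mechanism itself is IPv6-aware.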

  • @rds100 said: Here is your problem - fail2ban doesn't support ipv6. It can't protect you from anything coming over ipv6.

    Right, that is why I stated the IPv6 thing. To me it is very weird to be hacked, because the hacker is almost if not a direct enemy, a "fisherman", and when he tries 4 or 5 things and gets blocked he just forgets it.

  • @Jack said: Wait you have a VPS with Prometeus or you got hacked from an IP from Prometeus?

    I have a VPS on Prometeus (first month, 10 days ago) and the info there was used to try to access my accounts on more important servers.

  • prometeus Member, Host Rep

    I can only suggest you to change provider ASAP, bad things happen only on prometeus network :-(

  • @rds100 said: Well, this is exactly why we don't provide ipv6 by default, the user must explicitly request it to be activated. Ignorant users don't know what ipv6 is, how to use it, how to protect themselves from things coming via ipv6 (ip6tables), rely on some stinky 3rd party tools (fail2ban) without reading their documentation, etc. And then somehow it's the provider's fault...

    The intruder can't access other servers even with Fail2Ban etc. I just state the facts.

  • This thread brings me some Deja Vu. Check this thread - http://www.lowendtalk.com/discussion/1389/annual-plan-tag

    This is exactly what i was talking about back then - ipv6 shouldn't be enabled by default for users who don't request it and don't know how to handle it.
    I know @rm_ will hate me for saying this, but i am ready to take the risk :)

  • @prometeus said: I can only suggest you to change provider ASAP, bad things happen only on prometeus network :-(

    Don't worry, maybe it is just that important users get service with you and this guy knows. Maybe a guy full of skills :)

  • LAKid Member

    @prometeus said: I can only suggest you to change provider ASAP, bad things happen only on prometeus network :-(

    +1

  • Jacob Member

    Just another day on LET.

  • @Liam said: I have changed the title as I think it is unfair as it doesn't appear to be prometeus's fault.

    Well, sorry about the name, but I have other providers here too.

  • Amfy Member

    @Liam said: I have changed the title as I think it is unfair as it doesn't appear to be prometeus's fault.

    Where's the Thanks-button? :P

  • @Voss said: The problem is that we are finding it hard to understand what exactly you want mate

    Anything at all, man; I can't share the rude experience of getting hacked?

    I controlled the guy after 5 minutes, but for me it is weird to be hacked these days...to me <--

  • It's like this on the internet nowadays, yes. You leave an unsecured machine connected to the internet - it gets hacked quickly.

  • prometeus Member, Host Rep

    @mtoledoce said: I controlled the guy after 5 minutes, but for me it is weird to be hacked these days...to me

    It seems you are accusing me of something, but I'm not sure I understand what. So please be more explicit. What is the coincidence you are talking about? The fact you have a vps with me?

  • Spirit Member
    edited March 2013

    @prometeus it's obvious that you're the source of all issues here. If you wouldn't sell him a vps in the first place THIS vps wouldn't be hacked. What isn't clear here? ;-)

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    It's no secret some ranges get hit more than others. It's not something that can be helped. It's entirely possible that your IP with prometeus is under heavier attack than elsewhere. Just like my clients in Dallas are under heavier attack than Lenoir. For every 1 brute force attempt on my Lenoir range there's 10 on the Dallas range. Sure I lock them out, but the result remains true regardless. Reality is that if you have something connected to an IP, it's being attacked daily.

    Tighten the security further. Only choice you have.

  • @prometeus said: The fact you have a vps with me?

    Don't worry really, I don't wanna accuse you of anything; I'm not the "paranoid" kind and I know this could be random, but the fact is that it happened on your network. The last time I was hacked was in 2000 with IIS 5 on an e-commerce site.

    Thanks for taking this seriously.

  • @jarland said: It's no secret some ranges get hit more than others. It's not something that can be helped. It's entirely possible that your IP with prometeus is under heavier attack than elsewhere. Just like my clients in Dallas are under heavier attack than Lenoir

    It's what I think happened here.
