New on LowEndTalk? Please Register and read our Community Rules.
ALERT - Online.net clients are being attacked and infected with XOR.DDOS
Hi Guys,
Multiple servers were affected with the latest revisions of this. Symptoms are high CPU usage.
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
http://opcode.ninja/malware-analysis-1-1/
Please take care, if someone wants to remove it, I will guide.
Thanks

Comments
what's so specific about online.net?
Just because online.net dedis always get brute forced within minutes of being online? Or do you mean you had dedis with online.net and they were compromised?
This has nothing to do with Online.net, nor is it a 0day or something to be worried about.
@hostnoob : Couple of hosts with online.net - compromised at the same time. They are targeting their IP ranges.
@Nyr : I got frustrated with removing this, since the servers become so unresponsive, and thought it's good to alert others.
So your servers were compromised due to a brute force attack? Or is there a backdoor on all of online.net's servers?
Still you should probably not name the provider since they don't seem to have anything to do with you being compromised.
People always target online.net servers. Just follow the normal security practice (disable root, disallow password auth etc) and change the SSH port to limit the number of attacks
Nothing online.net can do or be blamed for
@hostnoob maybe Online is not reliable....lol.
Seriously, the host has nothing to do with this. Maybe you should check your setup if many of your servers got compromised at the same time...
The title should be changed to ALERT - Many noobs using Online.net are being attacked and infected with XOR.DDOS
or you could just secure your servers?
If you do #2, doing #1 is just a silly security theater with zero justification.
(I was so fed up fixing this on new RunAbove instances, I even wrote a script to re-enable 'root' automatically...)
I changed the title to include the word "clients" since it is not the providers server that gets infected.
You are missing the e in clients
Thanks, hard to type laying in bed with only one eye open.
Tried to do that on Amazon too :-) Though I did not go so far as to automate it, and I'm a little bit in doubt how to automate the passwd command (I prefer a password sometimes).
-edit- nevermind
Did you even read what I wrote? "If you do #2". And what was #2? If you disallow password auth altogether and set it to accept key-based authentication only, nobody can brute-force 'root' (or any other username for that matter), so there is no point in disabling 'root'.
Ah sorry about that, you're right I read it wrong.
None of my online.net boxes are infected.
You could always use a strong password and fail2ban though.
fail2ban/cpHULK ftw.
I was just naming things people suggest. I don't do either
Breaking News: people still run SSH on port 22
What if I told you that the earth is flat?
You won't believe me, right? Running on port 22 is not bad; sometimes it is even bad to change it.
Like what?
I don't google that for you.
@doughmanes, it won't take very long for an attacker to find your ssh port.
Changing your port can be useful if you want to reduce the usual noise from the internet, which helps keep your logs a bit smaller. Still won't help against targeted attacks though.
An example where a custom port sucks is a Git server - feels stupid when you always have to specify a port and/or create an entry in your .ssh/config file.
Try knockd if you're having issues with your servers being scanned.
Changing SSH port is security by obscurity. If the attacker scans ports, it slows down the attacker by 3 seconds. It doesn't prevent anything.
Yes, but it does prevent a significant portion of attacks. Most mass attacks check port 22. If it's a targeted attack then it's another story.
tl;dr: changing ports does help
Yes, I think that this is the best solution. A simple way is to make port knocking with iptables, this is an example with 3 tcp ports and default 22 ssh port:
#Port Knocking - port1 - port2 - port3
-A INPUT -p tcp --dport port1 -m recent --set --rsource --name SSH_AUTH_KNOCK1 -m limit --limit 15/min -j LOG --log-prefix "ssh knock 1 " --log-level 7
-A INPUT -p tcp --dport port2 -m recent --rcheck --rsource --seconds 15 --name SSH_AUTH_KNOCK1 -m recent --set --rsource --name SSH_AUTH_KNOCK2 -m limit --limit 15/min -j LOG --log-prefix "ssh knock 2 " --log-level 6
-A INPUT -p tcp --dport port3 -m recent --rcheck --rsource --seconds 15 --name SSH_AUTH_KNOCK2 -m recent --set --rsource --name SSH_AUTH -m limit --limit 15/min -j LOG --log-prefix "ssh knock 3 " --log-level 6
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --rsource --seconds 15 --name SSH_AUTH -j ACCEPT
You only need to modify the port1, port2 and port3 values; all port knocks are printed in the log.
Regards
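Since the rules above log every knock stage, the kernel log is also an audit trail of who actually got port 22 opened. The following is an added example (not the poster's script) that parses those LOG lines and reports, per source address, how far through the sequence it got; it assumes the "ssh knock N " prefixes from the rules and the standard iptables LOG field layout, and the sample log lines are constructed.

```python
"""Summarise port-knock activity from the iptables LOG lines above.

Added example for this thread, not the poster's script. Assumes the prefixes
"ssh knock 1 ".."ssh knock 3 " and standard LOG fields (SRC=, DPT=); knock 3 is
only logged after knocks 1 and 2 succeeded, so it means port 22 was opened.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?ssh knock (?P<stage>[123]) "
    r".*?\bSRC=(?P<src>[0-9a-fA-F.:]+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)

# Constructed sample lines: 203.0.113.5 completes the sequence, 198.51.100.9
# only ever hits the first knock port (typical scanner noise).
SAMPLE_LOG = """\
Mar  1 10:00:01 box kernel: [100.1] ssh knock 1 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000
Mar  1 10:00:03 box kernel: [100.3] ssh knock 2 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000
Mar  1 10:00:05 box kernel: [100.5] ssh knock 3 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000
Mar  1 10:02:11 box kernel: [230.0] ssh knock 1 IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=7000
Mar  1 10:02:12 box kernel: [231.0] ssh knock 1 IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5556 DPT=7000
"""

def parse_line(line):
    """Return (timestamp, stage, src, dport) or None for non-knock lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ts"], int(m["stage"]), m["src"], int(m["dpt"])

def summarise(lines):
    """Per source: hits per stage and the timestamps at which SSH was opened."""
    report = defaultdict(lambda: {"hits": [0, 0, 0], "opened_at": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, stage, src, _ = ev
        report[src]["hits"][stage - 1] += 1
        if stage == 3:  # third rule matched: port 22 now accepts NEW from src
            report[src]["opened_at"].append(ts)
    return dict(report)

def opened_sources(lines):
    """Sources that completed the knock; review any address you don't recognise."""
    return sorted(src for src, r in summarise(lines).items() if r["opened_at"])

if __name__ == "__main__":
    for src, r in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} knocks={r['hits']} opened_at={r['opened_at']}")
```

Feed it `journalctl -k` or /var/log/kern.log output and compare the opened sources against the addresses you actually knock from.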