Thread pinned. Yes all providers should know about this immediately.
Always on top of things 👍🏼
Wasn’t expecting you to be up at this hour though ☺️
So do the users. Mine fast before they find out.
Thank You @Daniel15 for posting this, and @thedp for tagging us. We have quickly acted on this and appreciate you both for making this known, along with the community here on LET. Security is important, and something we take seriously. We expect for the mass mail to begin within an hr or so, informing all customers. If you guys would like, I can share the content of that email here too.
There's always a possibility that there's multiple different attacks, not just the cryptocurrency ones. I think one attack that's still relatively common is botnets for email spam / bruteforce attacks / DDoS attacks.
Thanks to @icez and @redgreenblue for being the first people to bring this up on the forum, over in the HostHatch thread.
Even with templates that randomly generate a password, the providers often just send out the password in an email in plain text. I don't like that either.
Installing Debian from ISO is more sensible - You can leave the root password blank, and it'll disable the root user and give your regular user `sudo` permission. I usually make up a temporary password for the regular user, select to install SSH, then as soon as the installation is done, the first thing I do is copy my `authorized_keys` file across and disable password authentication.
Something for you too, @Francisco?
Nah what I mean is. If they're using a preseed to autogenerate the templates, then they likely had it create a 'debianuser' login since Debian tries to force you to make a non root user.
Solus only sets the `root` user though, not anything else. It's possible to force it to not make such a user in a preseed file, but it's a bit picky/bitchy.
I'm actually in the middle of rewriting our auto template builder and hope to have it building by this weekend.
That's hilarious, probably a TOR node
One could say "it's a regular user, they can't plant a backdoor into the OS". But then we just had that huge `sudo` security hole. D'oh!
They could have run cryptomining, or could have logged in and done anything else, including as root.
It's also possible the `debianuser` user had sudo access. Unfortunately (or fortunately, I guess?) I don't have any vulnerable VPSes so I can't check.
sudo seems not to be installed on the virmach templates.
For full transparency, here's what we're sending out to all virtual private server (VPS) customers.
If your VPS is not running Debian 10, you may disregard this email. This message is only applicable to existing VPS customers running on Debian 10 OS template.
We have recently been made aware of a potential vulnerability in the Debian 10 template by SolusVM. To provide additional background regarding this, we use SolusVM as our KVM virtualization control panel, and we were using their official templates from the SolusVM TDN. The OS templates provide the ability for customers to quickly reinstall their servers nearly instantly - versus manually installing an operating system from an .iso which can be time consuming and inconvenient.
Am I affected?
The only VPS servers affected are those running on Debian 10 AND were installed from our OS template. Both of these conditions must be met in order for this to impact you. Dedicated server customers are not impacted.
For VPS customers that installed from a .iso, or used any other non-Debian 10 template of ours, this does not affect you and you may disregard this e-mail.
Are other Debian versions affected?
No, only the Debian 10 template.
What Occurred?
Debian installations by default do not enable/allow root account access. The workaround to this is to finish the installation with a normal user account, then enable the root account on the server afterwards. When SolusVM's team initially created the Debian 10 template and published it on the TDN, they failed to remove the default installation user "debianuser" prior to creating the OS template based upon that installation. This resulted in two users being active on VPS's deployed from this template, "root" and "debianuser".
How do I correct this for my Debian 10 VPS?
We've already updated our Debian 10 templates accordingly. Reinstallations going forward will no longer have the redundant "debianuser" user in the template.
There are several ways to go about rectifying this for your existing Debian 10 VM. The least recommended, but fastest way would be to delete the "debianuser" account from your VPS, by running the command: "userdel debianuser" in SSH (without quotation marks). This method should only be used if you are sure the "debianuser" account has not been accessed in any way. The recommended method would be to either reinstall the VPS by logging into the SolusVM control panel (note all data will be wiped if you reinstall your server), or to contact our support team to request a custom .iso to be mounted to your VM if you wanted to manually complete an OS installation via the HTML5 VNC console without the use of a template.
As we have already updated our Debian 10 templates across our cluster, you may now feel free to reinstall your VPS accordingly. We have a YouTube video tutorial here on how to access the SolusVM control panel. Once logged into SolusVM, click on "Reinstall" and then reinstall the VPS to the Debian 10 template, which is now updated.
Still unsure what this means? Have any questions, or need help?
Feel free to respond to this e-mail or submit a support ticket within your client area if you have any questions at all -- we're always available here to help. We would like to clarify that RackNerd was not compromised. This is a software/vendor vulnerability that may or may not be present in some Debian 10 installations (and even if present, doesn't mean it was accessed or used by a third party).
We just want you to be extra safe - so all we are doing is taking a precautionary measure and notifying all customers, whether they were affected or not, as we believe in transparency.
Thanks!
Your RackNerd Team
I'm loving `mussh` extra today
This might explain why some idle VPSes got terminated even if they were freshly installed using templates. Some providers use strict rules for their clients, such as Virmach.
If you are serious, that is hilarious!
Checked my BF/Christmas idlers where I was lazy and didn't install from ISO.
The `ubuntu` user exists when installing from the Ubuntu 18.04 template with @naranjatech @gleertworth, noting that this is on Virtualizor and not Solus. I can't say if this is also compromised and going to be used for miners, but can confirm that there were failed login attempts. A second VM with Debian 10 there does not have a user like that.
however, thought worth mentioning/tagging, could be that this really is not a single problem for solus/deb10.
PS: haven't seen a ubuntu user with the templates for ub18 at hosthatch or racknerd
only so, if you can't be bothered to even check...
Already alerted the user and as of now there are no requests from the IP. Happened many hours ago.
Thank you for the information @Daniel15, we have patched the template and are sending emails to clients now.
I used the template on my Hosthatch storage server. Password login was disabled when I set up the server, I've seen no trace of any activity other than my own and the now deleted user's home folder is clean as a whistle. Not sure if I can be arsed shuffling my encrypted backups back and forth and reinstalling everything. Should I?
@strmd If password login is disabled then you should be safe. Just check `last` and `/var/log/auth.log` and ensure there are no suspicious logins.
As a side note, for storage servers I'd usually recommend creating a separate partition (or LVM logical volume) for the data. For example, 15 GB for /, and the rest of the space for /data. Then you can wipe and reinstall the OS without having to touch the data.
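As an added example (not from the thread, RackNerd or SolusVM), a POSIX shell audit that covers both the e-mail's remediation guidance and the `last`/`auth.log` check above: it reports whether the leftover template account is still present, whether it sits in the sudo or wheel group, and whether sshd ever accepted a login for it. The username defaults to `debianuser`; the passwd, group and auth.log contents are constructed samples, and the file paths are parameters so the same functions run against the live system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian 10 VPS for the leftover
# template account and for any sign that it was used. File paths are parameters
# so the checks run against the constructed samples below as well as the live
# system (/etc/passwd, /etc/group, /var/log/auth.log).
USER_NAME="${USER_NAME:-debianuser}"

# Print the account's home directory if it exists in the passwd file; fail otherwise.
account_exists() {
    awk -F: -v u="$USER_NAME" '$1 == u { print $6; found = 1 } END { exit !found }' "$1"
}

# Succeed if the account is a member of the sudo or wheel group in the group file.
has_sudo_group() {
    awk -F: -v u="$USER_NAME" '($1 == "sudo" || $1 == "wheel") {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    } END { exit !found }' "$1"
}

# Count successful sshd logins by the account (password or publickey) in an auth.log.
accepted_logins() {
    grep -c "sshd.*Accepted .* for ${USER_NAME} " "$1" || true
}

# Combined report: returns 0 when the account is absent, 1 when remediation is needed.
audit_report() {
    home=$(account_exists "$1") || { echo "clean: no $USER_NAME account"; return 0; }
    echo "WARNING: $USER_NAME present (home $home)"
    has_sudo_group "$2" && echo "WARNING: $USER_NAME is in the sudo/wheel group"
    echo "accepted sshd logins for $USER_NAME: $(accepted_logins "$3")"
    [ -f "$home/.ssh/authorized_keys" ] && echo "WARNING: $home/.ssh/authorized_keys exists"
    return 1
}

# Constructed sample files standing in for the live system (documentation IPs).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'debianuser:x:1000:1000:debianuser,,,:/home/debianuser:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'sudo:x:27:debianuser' > "$SAMPLE_DIR/group"
printf '%s\n' \
    'Jan 27 03:12:41 vps sshd[812]: Failed password for debianuser from 198.51.100.23 port 41022 ssh2' \
    'Jan 27 03:12:44 vps sshd[812]: Accepted password for debianuser from 198.51.100.23 port 41022 ssh2' \
    'Jan 27 03:20:01 vps sshd[901]: Accepted publickey for root from 203.0.113.7 port 50211 ssh2' \
    > "$SAMPLE_DIR/auth.log"

# On a real VPS: audit_report /etc/passwd /etc/group /var/log/auth.log
audit_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" "$SAMPLE_DIR/auth.log" ||
    echo "remediate: reinstall from the fixed template, or 'userdel -r $USER_NAME' only if no activity was found"
```

An accepted login or an authorized_keys file for the account means the "userdel and move on" path is off the table and the VPS should be reinstalled, as the e-mail above recommends.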
I recently purchased a VPS from RackNerd, I chose Debian 10 template and there was indeed a "debianuser" user, however I've deleted it immediately.
Should I reinstall? @dustinc
Hi @ABC -- As a precautionary measure, we'd recommend doing so.
Yeah, `last` is clean and `sudo cat /var/log/auth.log | grep 'debianuser'` just shows me running `userdel`. Not inclined to be paranoid.
That sounds like a great idea, I should really do that next time. And also not use a template.
I believe the @Mods should remove all mentions of the username of this attack for a few days.
This is a serious vulnerability, publishing the username used to hack VPS's should not have been done.
The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.
@FAT32 your immediate action is recommended.
How exactly do you remove the user if the username of it gets censored.
How would people know about the username and what to do with it if it is removed from the post?
Your immediate sense of logic is recommended
Maybe you weren't hit by the guys mining XMR, but your VM could have been compromised weeks ago and you don't know it. Better reinstall even if it seems like you haven't been compromised, even more so if the data on your VPS is somewhat "private".
Sorry. noob here.
I am using password login but my first step is always to change the SSH port after a fresh install. Indeed the debianuser also existed when I installed Debian 10, however my server has been running "smoothly" since then. There are also no suspicious logins as far as I know.
I am not sure if just deleting the user will solve it and can be considered safe already?
Thanks
The fact is that a lot of users will wake up with their VPS's hacked due to this exact post, but I guess it's all over Google in any case so too late.
What does the username have to do with anything since the recommended solution is to reinstall the VPS?
Why is there a working hack posted in this forum when there are possibly thousands of VPS's and users affected by this?
Because we have to do our job and inform the internet. A server is the owner's responsibility to secure.