Vulnerability in SolusVM Debian 10 template - "debianuser" backdoor/default user - Page 2

Comments

  • FAT32 Administrator, Deal Compiler Extraordinaire

    Thread pinned. Yes all providers should know about this immediately.

  • DP Administrator, The Domain Guy
    edited February 2021

    @FAT32 said:
    Thread pinned. Yes all providers should know about this immediately.

    Always on top of things 👍🏼

    Wasn’t expecting you to be up at this hour though ☺️

    Thanked by 1: yoursunny
  • deank Member, Troll

    So do the users. Mine fast before they find out.

  • dustinc Member, Patron Provider, Top Host

    Thank you @Daniel15 for posting this, and @thedp for tagging us. We have quickly acted on this and appreciate you both for making this known, along with the community here on LET. Security is important, and something we take seriously. We expect the mass mail to begin within an hour or so, informing all customers. If you guys would like, I can share the content of that email here too.

  • @its420somewhere said: You will know if you were hit because your CPU will be at full throttle. If you have not got xmrig running, you weren't hit.

    There's always a possibility that there are multiple different attacks, not just the cryptocurrency ones. I think one attack that's still relatively common is botnets for email spam / bruteforce attacks / DDoS attacks.

    @dustinc said: Thank You @Daniel15 for posting this

    Thanks to @icez and @redgreenblue for being the first people to bring this up on the forum, over in the HostHatch thread.

    @Francisco said:

    @TimboJones said: Has there been sufficient checking on other templates?

    I expect Ubuntu ones to have an ubuntu user or similar since they block root login by default, like Debian 10.

    It takes some tinkering on preseed files to deal with that.

    Francisco

    Even with templates that randomly generate a password, the providers often just send out the password in an email in plain text. I don't like that either.

    Installing Debian from ISO is more sensible: you can leave the root password blank, and it'll disable the root user and give your regular user sudo permission. I usually make up a temporary password for the regular user, select to install SSH, then as soon as the installation is done, the first thing I do is copy my authorized_keys file across and disable password authentication.

  • DP Administrator, The Domain Guy

    @Shot2 said:
    Jan 31 16:14:19 storage-uk sshd[21019]: Accepted password for debianuser from 205.185.125.189 port 39242 ssh2

    whois 205.185.125.189?
    ... Frantech :D

    @xauser said:
    Jan 31 22:14:19 : Invalid user debianuser from 205.185.125.189 port 49876
    Jan 31 22:14:19 : Disconnected from invalid user debianuser 205.185.125.189 port 49876 [preauth]
    Jan 31 22:24:19 : Invalid user debianuser from 205.185.125.189 port 44506
    Jan 31 22:24:19 : Disconnected from invalid user debianuser 205.185.125.189 port 44506 [preauth]

    I prepare for reinstall

    Something for you too @Francisco ? :)

  • Francisco Top Host, Host Rep, Veteran

    @Daniel15 said: Even with templates that randomly generate a password, the providers often just send out the password in an email in plain text. I don't like that either.

    Nah, what I mean is: if they're using a preseed to autogenerate the templates, then they likely had it create a 'debianuser' login, since Debian tries to force you to make a non-root user.

    Solus only sets the root user though, not anything else.

    It's possible to force it to not make such a user in a preseed file, but it's a bit picky/bitchy.

    I'm actually in the middle of rewriting our auto template builder and hope to have it building by this weekend.

    @thedp said: whois 205.185.125.189?

    That's hilarious, probably a TOR node :)

    Francisco

  • rm_ IPv6 Advocate, Veteran
    edited February 2021

    @its420somewhere said: From what I can see, the debianuser account has a weak password and that's the thing that needs patching. Kill the account, kill the vuln. You will know if you were hit because your CPU will be at full throttle. If you have not got xmrig running, you weren't hit.

    Remove the debianuser.

    One could say "it's a regular user, they can't plant a backdoor into the OS". But then we just had that huge sudo security hole. D'oh!

    If you have xmrig running and were compromised, reinstalling is the only safe option.

    They could have run cryptomining, or could have logged in and done anything else, including as root.

  • Daniel15 Veteran
    edited February 2021

    @rm_ said: One could say "it's just a regular user, it can't plant a backdoor into the OS". But then we just had a huge sudo bug. D'oh!

    It's also possible the debianuser user had sudo access. Unfortunately (or fortunately, I guess?) I don't have any vulnerable VPSes so I can't check.

  • Neoon Community Contributor, Veteran

    @Daniel15 said:

    @rm_ said: One could say "it's just a regular user, it can't plant a backdoor into the OS". But then we just had a huge sudo bug. D'oh!

    It's also possible the debianuser user had sudo access. Unfortunately (or fortunately, I guess?) I don't have any vulnerable VPSes so I can't check.

    sudo seems not to be installed on the virmach templates.

  • dustinc Member, Patron Provider, Top Host

    For full transparency, here's what we're sending out to all virtual private server (VPS) customers.


    If your VPS is not running Debian 10, you may disregard this email. This message is only applicable to existing VPS customers running on the Debian 10 OS template.

    We have recently been made aware of a potential vulnerability in the Debian 10 template by SolusVM. To provide additional background regarding this, we use SolusVM as our KVM virtualization control panel, and we were using their official templates from the SolusVM TDN. The OS templates provide the ability for customers to quickly reinstall their servers nearly instantly - versus manually installing an operating system from an .iso which can be time consuming and inconvenient.

    Am I affected?
    The only VPS servers affected are those running on Debian 10 AND were installed from our OS template. Both of these conditions must be met in order for this to impact you. Dedicated server customers are not impacted.

    For VPS customers that installed from a .iso, or used any other non-Debian 10 template of ours, this does not affect you and you may disregard this e-mail.

    Are other Debian versions affected?
    No, only the Debian 10 template.

    What Occurred?
    Debian installations by default do not enable/allow root account access. The workaround to this is to finish the installation with a normal user account, then enable the root account on the server afterwards. When SolusVM's team initially created the Debian 10 template and published it on the TDN, they failed to remove the default installation user "debianuser" prior to creating the OS template based upon that installation. This resulted in two users being active on VPSs deployed from this template, "root" and "debianuser".

    How do I correct this for my Debian 10 VPS?
    We've already updated our Debian 10 templates accordingly. Reinstallations going forward will no longer have the redundant "debianuser" user in the template.

    There are several ways to go about rectifying this for your existing Debian 10 VM. The least recommended, but fastest, way would be to delete the "debianuser" account from your VPS by running the command "userdel debianuser" in SSH (without quotation marks). This method should only be used if you are sure the "debianuser" account has not been accessed in any way. The recommended method would be to either reinstall the VPS by logging into the SolusVM control panel (note all data will be wiped if you reinstall your server), or to contact our support team to request a custom .iso to be mounted to your VM if you want to manually complete an OS installation via the HTML5 VNC console without the use of a template.

    As we have already updated our Debian 10 templates across our cluster, you may now feel free to reinstall your VPS accordingly. We have a YouTube video tutorial here on how to access the SolusVM control panel. Once logged into SolusVM, click on "Reinstall" and then reinstall the VPS to the Debian 10 template, which is now updated.

    Still unsure what this means? Have any questions, or need help?
    Feel free to respond to this e-mail or submit a support ticket within your client area if you have any questions at all -- we're always available here to help. We would like to clarify that RackNerd was not compromised. This is a software/vendor vulnerability that may or may not be present in some Debian 10 installations (and even if present, doesn't mean it was accessed or used by a third party).

    We just want you to be extra safe - so all we are doing is taking a precautionary measure and notifying all customers, whether they were affected or not, as we believe in transparency.

    Thanks!

    Your RackNerd Team
    Introducing Infrastructure Stability
    https://www.racknerd.com/
    Dedicated Servers, Private Cloud, DRaaS, Colocation & VPS
    Email: [email protected]
    Toll Free: +1 (888) 881-NERD


    Thanked by 4: DP, nyamenk, Ganonk, raynor
  • DP Administrator, The Domain Guy

    I'm loving mussh extra today :D

  • This might explain why some idle VPSes got terminated even though they were freshly installed using templates. Some providers use strict rules for their clients, such as Virmach.

  • MikePT Moderator, Patron Provider, Veteran

    @Francisco said:
    Instead of trying to fix the EXT4 issues (Debian uses a newer version of EXT4 that CentOS 7 can't handle) they just...use EXT3 instead.

    God bless SolusVM.

    Francisco

    If you are serious, that is hilarious!

  • Falzo Member
    edited February 2021

    @Francisco said: I expect Ubuntu ones to have a ubuntu user or similar since they block root login by default

    Checked my BF/Christmas idlers where I was lazy and didn't install from ISO.
    The ubuntu user exists when installing from the Ubuntu 18.04 template with @naranjatech @gleert.

    Worth noting that this is on Virtualizor and not Solus. I can't say if this was also compromised and going to be used for miners, but I can confirm that there were failed login attempts. A second VM with Debian 10 there does not have a user like that.

    However, I thought it worth mentioning/tagging; it could be that this really is not a single problem for Solus/Deb10.

    PS: haven't seen an ubuntu user with the templates for Ub18 at HostHatch or RackNerd.

    @Francisco said: @thedp said: whois 205.185.125.189?

    That's hilarious, probably a TOR node

    only so, if you can't be bothered to even check...

    Thanked by 1: DanSummer
  • Francisco Top Host, Host Rep, Veteran

    @Falzo said: only so, if you can't be bothered to even check...

    Already alerted the user and as of now there are no requests from the IP :) Happened many hours ago.

    Francisco

    Thanked by 3: Falzo, Shot2, maverickp
  • NDTN Member, Patron Provider, Top Host

    Thank you for the information @Daniel15, we have patched the template and are sending emails to clients now.

    Thanked by 1: sandanista
  • I used the template on my Hosthatch storage server. Password login was disabled when I set up the server, I've seen no trace of any activity other than my own and the now deleted user's home folder is clean as a whistle. Not sure if I can be arsed shuffling my encrypted backups back and forth and reinstalling everything. Should I?

  • Daniel15 Veteran
    edited February 2021

    @strmd If password login is disabled then you should be safe. Just check last and /var/log/auth.log and ensure there are no suspicious logins.

    As a side note, for storage servers I'd usually recommend creating a separate partition (or LVM logical volume) for the data. For example, 15 GB for /, and the rest of the space for /data. Then you can wipe and reinstall the OS without having to touch the data.

  • I recently purchased a VPS from RackNerd, I chose Debian 10 template and there was indeed a "debianuser" user, however I've deleted it immediately.
    Should I reinstall? @dustinc

  • dustinc Member, Patron Provider, Top Host

    @ABC said:
    I recently purchased a VPS from RackNerd, I chose Debian 10 template and there was indeed a "debianuser" user, however I've deleted it immediately.
    Should I reinstall? @dustinc

    Hi @ABC -- As a precautionary measure, we'd recommend doing so.

  • @Daniel15 said:
    @strmd If password login is disabled then you should be safe. Just check last and /var/log/auth.log and ensure there are no suspicious logins.

    Yeah, last is clean and sudo cat /var/log/auth.log | grep 'debianuser' just shows me running userdel. Not inclined to be paranoid.

    As a side note, for storage servers I'd usually recommend creating a separate partition (or LVM logical volume) for the data. For example, 15 GB for /, and the rest of the space for /data. Then you can wipe and reinstall the OS without having to touch the data.

    That sounds like a great idea, I should really do that next time. And also not use a template. :|

    Thanked by 1: Daniel15
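The auth.log check Daniel15 recommends and strmd performs above (grep for the template account, look for anything beyond your own userdel) can be made more systematic. The following is an added Python example, not code from the thread or from any provider: it parses constructed auth.log lines modelled on the ones quoted in this thread and splits them into accepted logins, failed/invalid attempts and sudo use by the account. The hostname, PIDs, ports and the 198.51.100.x / 203.0.113.x addresses are placeholders, not indicators taken from the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sshd lines quoted in the thread.
# Hostname, PIDs, ports and addresses are placeholders (RFC 5737 ranges).
SAMPLE_AUTH_LOG = """\
Jan 31 16:14:19 vps sshd[21019]: Accepted password for debianuser from 198.51.100.7 port 39242 ssh2
Jan 31 16:14:19 vps sshd[21019]: pam_unix(sshd:session): session opened for user debianuser by (uid=0)
Jan 31 22:14:19 vps sshd[22001]: Invalid user debianuser from 198.51.100.9 port 49876
Jan 31 22:14:19 vps sshd[22001]: Disconnected from invalid user debianuser 198.51.100.9 port 49876 [preauth]
Jan 31 22:24:19 vps sshd[22088]: Failed password for debianuser from 198.51.100.7 port 44506 ssh2
Feb 01 09:00:00 vps sshd[23000]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2
Feb 01 09:05:12 vps sudo:  debianuser : TTY=pts/0 ; PWD=/home/debianuser ; USER=root ; COMMAND=/usr/bin/id
"""

# Successful SSH authentication: method, user, source address.
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")
# Failed password or unknown-user attempt (post-userdel probes show up as "Invalid user").
FAILED = re.compile(r"(?:Failed password for|Invalid user) (?:invalid user )?(\S+) from (\S+) port \d+")
# sudo invocation: invoking user, target user, command.
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(\S+)")


def triage(log_text, account="debianuser"):
    """Summarise what an auth.log says about one account.

    Verdict: 'compromised' if any accepted login or sudo use by the account
    is present (reinstall), 'probed' if only failed attempts are seen
    (remove the account), 'clean' if the account never appears.
    """
    accepted, failed, sudo_cmds = [], Counter(), []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) == account:
            accepted.append((m.group(1), m.group(3)))
            continue
        m = FAILED.search(line)
        if m and m.group(1) == account:
            failed[m.group(2)] += 1
            continue
        m = SUDO.search(line)
        if m and m.group(1) == account:
            sudo_cmds.append((m.group(2), m.group(3)))
    if accepted or sudo_cmds:
        verdict = "compromised"
    elif failed:
        verdict = "probed"
    else:
        verdict = "clean"
    return {"accepted": accepted, "failed": dict(failed), "sudo": sudo_cmds, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_AUTH_LOG))
```

Feed it the rotated files (auth.log.1 and the gzipped ones) as well, since the template dates back weeks. A clean log only means something if the account could not have become root; as rm_ and Daniel15 note above, a root-capable intruder can edit the log.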
  • I believe the @Mods should remove all mentions of the username of this attack for a few days.

    This is a serious vulnerability, publishing the username used to hack VPSs should not have been done.

    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    @FAT32 your immediate action is recommended.

  • @zafouhar said:
    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    How exactly do you remove the user if the username of it gets censored.

  • @zafouhar said:
    I believe the @Mods should remove all mentions of the username of this attack for a few days.

    This is a serious vulnerability, publishing the username used to hack VPSs should not have been done.

    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    @FAT32 your immediate action is recommended.

    How would people know about the username and what to do with it if it is removed from the post?

    Your immediate sense of logic is recommended

    Thanked by 1: dedotatedwam
  • @its420somewhere said: From what I can see, the debianuser account has a weak password and that's the thing that needs patching. Kill the account, kill the vuln. You will know if you were hit because your CPU will be at full throttle. If you have not got xmrig running, you weren't hit.

    Maybe you weren't hit by the guys mining XMR, but your VM could have been compromised weeks ago and you don't know it. Better reinstall even if it seems like you haven't been compromised, even more so if the data on your VPS is somewhat "private".

  • @Daniel15 said:
    @strmd If password login is disabled then you should be safe. Just check last and /var/log/auth.log and ensure there are no suspicious logins.

    As a side note, for storage servers I'd usually recommend creating a separate partition (or LVM logical volume) for the data. For example, 15 GB for /, and the rest of the space for /data. Then you can wipe and reinstall the OS without having to touch the data.

    Sorry. noob here.
    I am using password login but my first step is always to change the SSH port after a fresh install. Indeed the debianuser also exists when I installed Debian 10, however my server has been running "smoothly" since then. There are also no suspicious logins as far as I know.
    I am not sure if just deleting the user will solve it and can be considered safe already?
    Thanks

  • @Razza said:

    @zafouhar said:
    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    How exactly do you remove the user if the username of it gets censored.

    The fact is that a lot of users will wake up with their VPSs hacked due to this exact post, but I guess it's all over Google in any case so too late.

  • @snt said:

    @zafouhar said:
    I believe the @Mods should remove all mentions of the username of this attack for a few days.

    This is a serious vulnerability, publishing the username used to hack VPSs should not have been done.

    The username should be removed from this post immediately until users have a chance of reinstalling or removing the user.

    @FAT32 your immediate action is recommended.

    How would people know about the username and what to do with it if it is removed from the post?

    Your immediate sense of logic is recommended

    What does the username have to do with anything since the recommended solution is to reinstall the VPS?

    Why is there a working hack posted in this forum when there are possibly thousands of VPSs and users affected by this?

  • Because we have to do our job and inform the internet. A server is its owner's responsibility to secure.
