VPS got Hacked with IptabLes IptabLeX
Hi. I have over 60 VPSes from various providers here, all running the exact same setup, but for the past month my Weloveservers VPSes keep getting compromised and send outgoing DDoS attacks using these two files inside /boot/:
/boot/IptabLes
/boot/IptabLex
There are no login logs or anything.
It was a completely new CentOS 5 32-bit install with only httpd (Apache) hosting a web page.
http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=VServer Trojan
http://askubuntu.com/questions/407457/help-my-server-has-been-hacked-iptables-and-iptablex-in-boot
http://forum.synology.com/enu/viewtopic.php?f=19&t=85779
I have turned off the VM for now instead of reinstalling it so we can possibly investigate it.
Comments
Do you have iptables? What services do you have on those VPSes? I'm interested in knowing what happened to your VPS.
What services were up on your VPS? What control panel were you using?
It would help a lot if you wouldn't hide who the providers were. Name them and maybe we can help.
When you installed the VM, did you take time to ensure you upgraded sshd (openssh-server) and upgraded openssl to the newest version? Older versions of ssh that came packaged with some versions of CentOS 5 and Debian 6 I found to be exploitable, and I had seen something similar happen to a server when using an older, unupdated template for Debian 6 when installing with an OpenVZ provider once. I installed and "secured" (installed denyhosts) the server but didn't update software, and then returned to the server less than 12 hours later to see it exploited and sending out spam. The only port I had exposed was port 22 on the server.
You should get and run rkhunter (http://rkhunter.sourceforge.net/), as it checks for a lot of exploits, and take notice when it's listing hidden files. In the case of the server I had this issue with, I found that not only was the server exploited but the version of ssh that was in use had been set to save all passwords used when connecting to outbound servers to a hidden file. If you have SSHed to any other servers from the one you're saying is exploited now, I would be sure to change the password on them, just in case.
I hope this helps.
Cheers!
Yes, I only allowed 80 for Apache and 22 for SSH.
I was only running Apache and SSH services.
Apache and SSH and no control panel. But We Love Servers uses SolusVM.
I did say that this has been happening only to my We Love Servers VPSes.
I ran yum update -y right after I installed the OS, so everything should have been updated.
I will look into the software you mentioned. Thanks
Are you using a weak root password?
Are you using an install script to configure your server?
We have seen this too but never figured out how it is happening, and this also has been with Chinese clients for some reason.
@Bella did you change the password that was assigned to your VPS by the provider? Also make sure to log out of any VNC sessions etc.
I use this to make my passwords:
https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new
No, I do not use any install script.
This only happens to my We Love Servers VPSes.
I have VPSes with crissic, ramnode, iniz, ugvps, chicagovps, even gvh and many other providers, all running the same setup and same OS, and they've never been compromised.
I am starting to think someone is targeting certain IP ranges with some exploit.
Yes of course, I always change the password the first time I login.
And I have multiple We Love Servers VPSes, and this is the third one that's been compromised this month.
The same thing happened to another VPS two weeks ago that is on a completely different IP range.
@Bella something like this happened to me with a test VPS with another provider. In no way can I explain how it happened, but it seemed there was nothing I could do, as it would keep happening. The only thought I had was that it could be something with the template, but I moved providers.
If all else fails, maybe do the same?
Yeah, I'm going to install CentOS 6 and let it sit for a week and see if it gets compromised again.
Might just be the CentOS 5 template that's the problem.
@Bella Good idea, please update the thread then, as I'm sure some would like to know the outcome.
Recent threads a few days old about the same exploit:
https://groups.google.com/forum/m/#!msg/elasticsearch/CPG0m5EvQnc/HF14zSpwWscJ
http://elasticsearch-users.115913.n3.nabble.com/iptablex-trojan-experiences-td4056991.html
http://nerdanswer.com/answer.php?q=524925
https://www.digitalocean.com/community/questions/my-droplet-is-locked-by-support-staff-because-because-of-an-outgoing-flood-or-ddos-what-do-i-do
That thread indicated that ElasticSearch was the attack vector. Do you have that installed?
It's been two days on CentOS 6 64-bit and my box has not been compromised; looks like it has something to do with CentOS 5.
It's a known Linux botnet.
Make very strong passwords and make sure you delete all the virus files.
Just for records, what security measures do you take? Regularly upgrading all possibly vulnerable OS components/software, using key SSH authentication only, using IDS (at least something that checks for filesystem changes - Aide and the like), and so on?
Do server logs have anything of interest?
@Bella, could you please upload these files somewhere? I'd like to analyze them.
I had a customer whose VPS caught this yesterday. I detected it because their VPS started sucking up all the bandwidth on the node. After inspecting the logs, I'm pretty sure somebody (likely a bot) guessed the root password and installed it. There were successful root logins from several different IPs. I removed the virus using the instructions from this article and everything looks OK now, although I strongly recommended that my customer reinstall their OS and take a few additional security precautions, in particular disabling root logins over SSH and picking a better root password.
I've also seen the same IP address trying to log into several of my other VPSes on the same node very aggressively. Fortunately it's not successfully getting into anything else so far.
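The triage the two comments above describe (checking the auth log for successful root password logins from several IPs, checking /boot for the two dropper files, and the sshd hardening they recommend), as an added example that is not from the thread or from any poster. The log lines are constructed samples in CentOS /var/log/secure format; the hostname and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread. Sample auth-log lines are
# constructed for this demo (CentOS /var/log/secure format), not from a real host.
SAMPLE_LOG='Jun 10 02:11:03 vps sshd[2101]: Failed password for root from 192.0.2.10 port 51000 ssh2
Jun 10 02:11:09 vps sshd[2101]: Accepted password for root from 192.0.2.10 port 51000 ssh2
Jun 10 03:40:51 vps sshd[2330]: Accepted password for root from 198.51.100.7 port 40210 ssh2
Jun 10 04:02:14 vps sshd[2411]: Accepted publickey for admin from 203.0.113.5 port 60001 ssh2'

# Distinct source IPs that got in as root with a *password*. Several different
# IPs in a short window is the brute-force pattern described in the comment.
# Field 11 is the address in the standard sshd "Accepted ... from <ip> port" line.
root_password_login_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'Accepted password for root from' \
      | awk '{print $11}' | sort -u
}

# Look for the two files named in the thread under a boot directory
# (defaults to /boot). Returns 0 if either is present, 1 if neither is.
iptables_trojan_present() {
    dir="${1:-/boot}"
    found=1
    for f in IptabLes IptabLex; do
        if [ -e "$dir/$f" ]; then
            echo "indicator present: $dir/$f"
            found=0
        fi
    done
    return $found
}

# sshd_config directives matching the advice above: no root over SSH and
# key-only authentication. Apply to /etc/ssh/sshd_config, then run
# `sshd -t` to validate before restarting sshd.
hardened_sshd_directives() {
    printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n'
}

# Stand-alone run: ./triage.sh run
if [ "${1:-}" = "run" ]; then
    echo "Root password logins from:"; root_password_login_ips
    iptables_trojan_present /boot || echo "no IptabLes/IptabLex files in /boot"
    hardened_sshd_directives
fi
```

On a live host, replace SAMPLE_LOG with `cat /var/log/secure*`; a compromised box may also have had its logs wiped, so an empty result does not clear it.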
Seems to be a trend, Bella... http://lowendtalk.com/discussion/30215/my-vps-hacked/p1
+- Old story http://security.stackexchange.com/questions/58862/logging-server-compromised-iptables-and-iptablex