My VPS Hacked

Bella Member
edited June 2014 in General

So today I noticed one of my VPS was constantly timing out since UptimeRobot was spamming my email so I decided to log into it.

I never used this VPS for anything for the past few months, it was just a fresh OS Install.

Here is a screen shot of the **last** command

http://i.imgur.com/oK6g0yq.png

I was surprised to see a strange IP, 122.81.131.109

Turns out it's from China http://www.ip-adress.com/ip_tracer/122.81.131.109

the cpe788 logins are me.

My VPS was infected for the past few days and was being used for DDoS attacks.

I'm now 17TB over my quota.

http://i.imgur.com/aw1gczM.png

As far as I can tell, there's a file called b26 in /root which is probably the DDoS script.


I was not using a weak password, I generated my password for all users from this link.

https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new
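The triage the post describes, reading `last` for a source address the owner does not recognise, can be scripted so it is repeatable across many boxes. This is an added example, not code from the original post; the `last -i` lines below are constructed sample data (the 122.81.131.109 address is the one named in the thread, the others are documentation-range placeholders) and the trusted-address list is assumed.

```shell
#!/bin/sh
# Flag interactive logins from addresses you do not recognise, using the
# output of `last -i` (-i prints the source IP instead of the hostname).
# Usage on a live box:  last -i | unknown_logins "203.0.113.10 203.0.113.11"
# Everything below the two functions is constructed sample data, not a real log.

# Print one line per login whose source IP is not in the space-separated
# allowlist given as $1. Reads `last -i` output on stdin.
unknown_logins() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # only interactive sessions (pts/tty) whose host column is an IPv4
        # address; this skips "reboot ... system boot" and the wtmp footer
        $2 ~ /^(pts|tty)/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) {
            printf "%s\t%s\t%s %s %s %s\n", $1, $3, $4, $5, $6, $7
        }'
}

# Print every direct root login, whatever the source. These deserve a look
# even from a trusted address if you normally log in as an unprivileged
# user (cpe788 in the thread) and escalate with su or sudo.
direct_root_logins() {
    awk '$1 == "root" && $2 ~ /^(pts|tty)/'
}

# Constructed `last -i` output (assumed format: user, tty, source IP, date range).
SAMPLE_LAST=$(cat <<'EOF'
root     pts/0        122.81.131.109   Thu Jun 26 03:14 - 03:20  (00:06)
cpe788   pts/1        203.0.113.10     Wed Jun 25 21:02 - 21:40  (00:38)
cpe788   pts/0        198.51.100.7     Tue Jun 24 08:11 - 08:15  (00:04)
cpe788   pts/0        203.0.113.10     Mon Jun 23 19:30 - 19:58  (00:28)
reboot   system boot  2.6.32-042stab   Mon Jun 23 10:00 - 10:05  (00:05)

wtmp begins Sun Jun  1 00:00:01 2014
EOF
)

# Addresses the owner actually logs in from (assumed for the example).
TRUSTED_IPS="203.0.113.10"

echo "== logins from addresses not in the allowlist =="
printf '%s\n' "$SAMPLE_LAST" | unknown_logins "$TRUSTED_IPS"
echo "== direct root logins =="
printf '%s\n' "$SAMPLE_LAST" | direct_root_logins
```

Two caveats a practitioner would add: `last` reads wtmp, which an attacker with root can edit or truncate, so an empty or suspiciously short history is itself a finding; and a clean `last` says nothing about non-interactive entry (a web exploit, a stolen key used with a command-only login), so pair it with `ss -tulpn`/`netstat -tulpn` for unexpected listeners and a look at new executables in /root and /tmp.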


Comments

  • hotsnow Veteran

    it seems the location of this ip is Zibo, Shandong, and the isp is: China Tietong Telecommunications

  • sz1hosting Member
    edited June 2014

    said: Thanks a lot hacker.

    Were you using a weak password?

  • Why are you putting provider's name on your title? Is this their fault?

    Thanked by Spencer
  • Bella Member

    What would be the best way to prevent this from happening?

    These hackers have scripts that scan ip ranges for vulnerable VPS's and then infect them to add them to their botnet.

    As far as I know they exploit Apache some how.

  • Bella Member

    @sz1hosting said:
    Were you using a weak password?

    I use this link to generate passwords https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new

  • Bella Member

    @serverian said:
    Why are you putting provider's name on your title? Is this their fault?

    I have edited the title. No it is not their fault.

  • sz1hosting Member
    edited June 2014

    Use passwords like this; after logging into ssh, change the password using the command "passwd",
    or use ssh keys.
    eg: giu&h#u%$^%7kjnbUJHGB#&BKJ709#754$3342gjh#&*^ulhohtderswez#$bhgf6yu5rt7

  • Use SSH keys and whitelist your IPs for SSH access.

    Keep on top of any patches for outward facing services that are listening on a port.

    Sometime it's the provider to blame.

  • darkshire Member
    edited June 2014

    port knocking + ssh keys + fail2ban + high ssh port (1024 and up) = win
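The three comments above all come down to the same sshd settings: keys instead of passwords, no root password login, and an explicit list of who may log in (IP whitelisting belongs in the firewall, and fail2ban and port knocking are extra layers on top, not substitutes). The audit below checks an sshd_config for those settings. It is an added example, not from the thread or from OpenSSH; the two configs at the bottom are constructed, the weak one modelled on a stock distro file of the period, the hardened one on the advice in the thread, with the user name cpe788 taken from the original post.

```shell
#!/bin/sh
# Audit an sshd_config for the settings the thread's advice maps to:
# key-only auth, no root password login, an explicit AllowUsers list.
# Reads the config on stdin, prints one finding per line, exits 1 if any:
#   audit_sshd_config < /etc/ssh/sshd_config
# Cross-check with `sshd -T`, which prints the config sshd actually resolved,
# and run `sshd -t` before restarting after any edit.
audit_sshd_config() {
    awk '
        # sshd uses the FIRST value it sees for a keyword; later duplicates
        # are silently ignored, so a "PasswordAuthentication no" appended at
        # the end of the file does nothing if a "yes" appears earlier.
        /^[ \t]*#/ || NF == 0 { next }
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }   # stop at conditional blocks
        inmatch { next }
        !(k in v) { v[k] = tolower($2) }
        END {
            n = 0
            if (!("passwordauthentication" in v) || v["passwordauthentication"] != "no") {
                print "PasswordAuthentication is not \"no\" (default yes): password guessing stays possible"; n++
            }
            if (!("permitrootlogin" in v) || v["permitrootlogin"] == "yes") {
                print "PermitRootLogin should be \"no\" or \"prohibit-password\" (unset means yes before OpenSSH 7.0)"; n++
            }
            if (("pubkeyauthentication" in v) && v["pubkeyauthentication"] == "no") {
                print "PubkeyAuthentication is disabled, so keys cannot replace passwords"; n++
            }
            # KbdInteractiveAuthentication is the newer name; ChallengeResponseAuthentication
            # the older alias. Either left at the default (yes) with UsePAM still
            # offers a password prompt even when PasswordAuthentication is no.
            cr = ("kbdinteractiveauthentication" in v) ? v["kbdinteractiveauthentication"] : \
                 (("challengeresponseauthentication" in v) ? v["challengeresponseauthentication"] : "yes")
            if (cr != "no") {
                print "ChallengeResponse/KbdInteractiveAuthentication is not \"no\": PAM can still prompt for a password"; n++
            }
            if (!("allowusers" in v) && !("allowgroups" in v)) {
                print "No AllowUsers/AllowGroups: every account with a shell is a valid SSH target"; n++
            }
            exit (n > 0)
        }'
}

# Constructed weak config, modelled on a stock distro sshd_config of the time.
WEAK_CFG=$(cat <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
)

# Constructed hardened config following the advice in the thread.
HARD_CFG=$(cat <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers cpe788
EOF
)

echo "== audit of constructed weak config =="
printf '%s\n' "$WEAK_CFG" | audit_sshd_config || true
echo "== audit of hardened config (no output means clean) =="
printf '%s\n' "$HARD_CFG" | audit_sshd_config || true
```

Moving the port and adding fail2ban cut down log noise and slow a brute force, but neither helps if the box was entered some other way; only the key-only, root-off, AllowUsers settings actually close the password path. Keep a second session open while applying them and confirm key login works before closing it.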

  • Bella Member
    edited June 2014

    I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.

    I will look into utilizing SSH keys, my problem with keys is that I use mtputty and I am not sure how to make SSH keys work with it. http://ttyplus.com/multi-tabbed-putty/

  • hotsnow Veteran

    @Bella said:
    I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.

    lol

  • seikan Member

    said: As far as I can tell, there's a file called b26 in /root which is probably the DDoS script.

    Do you mind sharing the script? I'm curious to see what they are doing.

  • perennate Member, Host Rep
    edited June 2014

    How did he reset your root password if it was just via Apache exploit? (I assume your Apache is running as non-privileged user)

    although I doubt they found your randomly generated password; maybe your root password was weaker?

  • black Member

    @perennate said:
    Come on, if he was using randomly generated password chances are he wasn't hacked via SSH.

    This. The theoretical # of brute force attempts if they know the full range of character sequence is (26+26+10)^(20). Let's say 3 brute force attempts a second, it'd take them 7.44077e27 years.

  • Bella Member

    @seikan said:

    I already re-installed the OS, I tried reading the file but it was all gibberish/not readable.

    But I found some other reports with the same b26 file

    http://lowendtalk.com/discussion/16054/a-fresh-os-installed-by-the-seller-and-got-accessed-by-someone-else-could-anyone-explain-this

    http://superuser.com/questions/695876/is-root-b26-a-ddos-process

    @perennate said:
    How did he reset your root password if it was just via Apache exploit? (I assume your Apache is running as non-privileged user)

    although I doubt they found your randomly generated password; maybe your root password was weaker?

    My root pass was generated from that same link.

  • @Bella said:
    I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.

    I will look into utilizing SSH keys, my problem with keys is that I use mtputty and I am not sure how to make SSH keys work with it. http://ttyplus.com/multi-tabbed-putty/

    Never used that one but if you open the server up and then click on "Run Putty Config" it should bring up the actual configuration where you can add keys.

    The interface of that app is terrible, compared to Putty or Puttytray (imo), but at least it has tabs!

    Thanked by linuxthefish
  • yywudi Member

    @hotsnow said:
    it seems the location of this ip is Zibo, Shandong, and the isp is: China Tietong Telecommunications

    bluefly :-D

  • AnthonySmith Member, Patron Provider

    said: I never used this VPS for anything for the past few months, it was just a fresh OS Install.

    that is the most common reason I find for client servers being hacked.

  • Maounique Host Rep, Veteran

    @AnthonySmith said:
    that is the most common reason I find for client servers being hacked.

    Lucky you, I find zpanel and kloxo. After each hack I discover, I tell people to no longer use those, and more than half say "OK, lesson learned", which means they did.

  • Bella Member
    edited June 2014

    @AnthonySmith said:
    that is the most common reason I find for client servers being hacked.

    I have ~ 50 VPS's in total from various providers, I have ~ 12 of them that don't do anything. The one that was hacked happened to be one of them

    Most of them are cheap yearly deals, $8-$15/yr.

    Here is a quarter of my mtPutty list. http://i.imgur.com/lFVqOPV.png

    Should give a rough idea.

  • darkshire Member
    edited June 2014

    @Bella said:
    I have ~ 12 of them that don't do anything.

    money well spent O__o

    Thanked by Mark_R
  • @serverian said:
    Why are you putting provider's name on your title? Is this their fault?

    Shouldn't a provider notice an outgoing DDoS though?

  • Bella Member

    VPS was hacked on June 26 according to the China IP. Wasn't that the day the OpenVZ patch was released?

    Maybe someone exploited it before BlueVM patched their nodes.

  • Chuck Member

    You should gift me 1 of your VPS if you don't use it?

  • @Chuck said:
    You should gift me 1 of your VPS if you don't use it?

    Beg beg beg. ;P

    @Bella said:
    VPS was hacked on June 26 according to the China IP. Wasn't that the day the OpenVZ patch was released?

    Maybe someone exploited it before BlueVM patched their nodes.

    Could be possible, but didn't BlueVM patch their systems quickly?

  • @Bella said:
    Should give a rough idea.

    :O set them up as mirrors for linux distros or speedtest.net or something.

    How much do BlueVM charge for overages anyway?

  • Brad Member

    Is this the second VPS that's been hacked of yours?

    Thanked by darkshire
  • namhuy Member

    If you have unused VPSs, the best bet is to turn them off if you don't need them.

  • Have anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?

  • @Caveman122 said:
    Have anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?

    Yes.
