OpenVZ sending outbound DDOS right after reinstall OS
Several of my VMs from different providers have this issue. I reinstall the OS and let the VM sit there without even logging in to it. Then, anywhere from a few hours to a few days later, you get a suspension notice saying the VM is sending an outbound attack. Is it an OpenVZ vulnerability? It has happened to me at more than one provider.

Comments

  • Don't use "1234" for the root password.

    Thanked by: ATHK, KuJoe
  • Don't use root passwords at all, configure key auth right after installing.

  • You need to check that the install doesn't have DNS recursion 'yes' by default, otherwise you're likely being used in a DNS amplification attack.

  • Use a non-dictionary, non-simple password, or set up SSH key access instead of a password. You may try scanning your OS using programs like rkhunter and chkrootkit.

  • agentmishra Member, Host Rep

    It has to be a DNS amplification.

    You need to check on that.

  • Why a provider would have BIND in the template to begin with is beyond me...

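The open-resolver check the comments above are pointing at, as an added example that is not from the thread or from any provider's template: a small POSIX sh audit of a BIND named.conf that flags the combination the amplification attacks need, recursion enabled for anyone who asks. The three sample configs are constructed; the option names are BIND's own, and the parser assumes one global options block with no views.

```shell
#!/bin/sh
# Added example, not from the thread: does this named.conf make the box an
# open resolver? Assumptions: standard BIND named.conf syntax, one global
# options {} block, no views (options inside a view are not distinguished).

# named_opt FILE KEY -> value of a one-word option, e.g. "recursion yes;"
named_opt() {
    awk -v key="$2" '
        /^[ \t]*(\/\/|#)/ { next }                      # comment lines
        $1 == key { sub(/;.*/, "", $2); print $2; exit }
    ' "$1"
}

# named_acl FILE KEY -> space-separated contents of a { ...; } list option
named_acl() {
    awk -v key="$2" '
        /^[ \t]*(\/\/|#)/ { next }
        $1 == key {
            s = $0
            sub(/^[^{]*\{/, "", s); sub(/\}.*$/, "", s)   # keep what is between { }
            gsub(/[ \t;]+/, " ", s)
            print s; exit
        }
    ' "$1"
}

# audit_named FILE -> one verdict line; exit 0 only when recursion is restricted
audit_named() {
    rec=$(named_opt "$1" recursion)
    [ -n "$rec" ] || rec=yes                # BIND default is recursion yes
    acl=$(named_acl "$1" allow-recursion)
    if [ "$rec" != yes ]; then
        echo "ok: recursion $rec"; return 0
    fi
    if [ -z "$acl" ]; then
        # BIND 9.4+ defaults to { localnets; localhost; }; older builds answer anyone
        echo "verify: recursion yes with no allow-recursion (open on BIND < 9.4)"; return 1
    fi
    case " $acl " in
        *" any "*) echo "OPEN RESOLVER: recursion yes, allow-recursion { any; }"; return 1 ;;
        *)         echo "ok: recursion limited to {$acl}"; return 0 ;;
    esac
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
OPEN_CONF="$tmp/open.conf"; CLOSED_CONF="$tmp/closed.conf"; AUTH_CONF="$tmp/auth.conf"
cat > "$OPEN_CONF" <<'EOF'
// Constructed sample: a template that ships a resolver anyone can query
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
};
EOF
cat > "$CLOSED_CONF" <<'EOF'
// Constructed sample: recursion only for the box itself and its LAN
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
};
EOF
cat > "$AUTH_CONF" <<'EOF'
// Constructed sample: authoritative-only, no recursion at all
options {
    directory "/var/named";
    recursion no;
};
EOF
for f in "$OPEN_CONF" "$CLOSED_CONF" "$AUTH_CONF"; do
    printf '%s: ' "$(basename "$f")"; audit_named "$f" || true
done
```

On a live box, `named-checkconf` validates the file and the decisive test is external: from another host, `dig @<server ip> example.com` should be refused or return an answer without the `ra` flag; if it resolves, the server is usable for amplification regardless of what the template intended.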
  • AlexBarakov Patron Provider, Veteran

    It's more likely his root passwords are easy and the VMs are broken into.

  • This. It happened to me.

    @AlexBarakov said:
    It's more likely his root passwords are easy and the VMs are broken into.

  • KuJoeKuJoe Member, Host Rep

    The first thing you should do is change the SSH port to something other than 22, this will prevent 99% of automated attacks not targeting you specifically.

  • said: I reinstall OS and let VM stay there without even login to my VM.

    This is a sysadmin vulnerability.

    If you're not even going to take the most basic precautions after installing any os on an internet-facing box, I'd feel more comfortable if you stopped using the same internet I use for work & play.

    Thanked by: netomx
  • Microlinux Member
    edited September 2014

    The first thing that raises suspicion is that you say this has happened with multiple providers. Is there some higher level issue to address, such as a compromised email password?

    If you're not touching the VMs and this is happening, root should still have a randomly generated password. Of course "random" could be a bit dubious, but it seems fairly unlikely someone is going to put the time in to crack the passwords rather than just pick an easier target (lord knows, there are plenty).

    Thanked by: Chuck
  • This happens to some of my customers also. They all leave the password like pass123 or P@$$123, so it easily gets compromised.

  • Insecure Passwords or Open Resolvers.

  • charlie Member, Host Rep

    We also experienced that with some of our customers. We investigated it (because if there were a bug in OpenVZ or SolusVM, etc., it would be catastrophic), but in all cases the user used weak passwords, and bots got into the VPS using SSH.

  • How can a bot find the IP?

  • wych Member
    edited September 2014

    @psycholyzern said:
    How can a bot find the IP?

    Because people have lists of IPs and crawlers hit IPs by the thousands every minute looking for open ports.

    Y'know, since IPv4 runs from 1.1.1.1 to 255.255.255.255.

  • @psycholyzern said:
    How can a bot find the IP?

    Simple, people just scan IP ranges for open SSH ports.

  • Disable root login and use sudo instead, and install fail2ban. Installing it and leaving it without any securing is pretty negligent.

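The sshd_config changes this thread keeps recommending (key-only auth, no root login, a non-default port), as an added example that is not from the thread: a POSIX sh audit that reads a config the way sshd(8) does (first occurrence of a keyword wins, keywords are case-insensitive, nothing after a Match line is global) and reports which of the three are still at their weak value. Both sample configs are constructed; the defaults assumed for unset keywords are PasswordAuthentication yes, Port 22 and PermitRootLogin prohibit-password, which is the OpenSSH 7.0+ default (older releases default to yes).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the three
# settings the thread says to change. Parsing assumptions from sshd(8):
# first occurrence of a keyword wins, keywords are case-insensitive, and
# anything after a Match line is conditional, so it is ignored here.

# sshd_value FILE KEYWORD -> effective global value (lowercased), or ""
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }          # conditional section begins
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> one finding per line; prints nothing when hardened
audit_sshd() {
    v=$(sshd_value "$1" PermitRootLogin)
    [ -n "$v" ] || v=prohibit-password           # assumed OpenSSH 7.0+ default; older: yes
    if [ "$v" = yes ]; then
        echo "PermitRootLogin yes: root is one guessed password away"
    fi
    v=$(sshd_value "$1" PasswordAuthentication)
    [ -n "$v" ] || v=yes                          # sshd default
    if [ "$v" = yes ]; then
        echo "PasswordAuthentication yes: keys not enforced, online guessing works"
    fi
    v=$(sshd_value "$1" Port)
    [ -n "$v" ] || v=22                           # sshd default
    if [ "$v" = 22 ]; then
        echo "Port 22: default port, every mass scanner tries it"
    fi
    return 0
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
WEAK_SSHD="$tmp/sshd_config.weak"; HARD_SSHD="$tmp/sshd_config.hardened"
cat > "$WEAK_SSHD" <<'EOF'
# Constructed: what an untouched template effectively runs with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_SSHD" <<'EOF'
# Constructed: after the advice in this thread
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
# Match blocks are conditional; the global audit stops here
Match Group sftponly
    ForceCommand internal-sftp
EOF
for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    echo "== $f"
    audit_sshd "$f"
done
```

On a live box, `sshd -T` prints the effective configuration after all parsing and `sshd -t` validates a file before you restart. Keep the existing session open and confirm a key login works from a second one before turning password authentication off: a mistake here locks you out, and the control-panel password reset discussed further down only touches /etc/shadow, not sshd_config.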
  • My point is not that I use unsecured stuff. I know how to secure my server. However, providers use templates that have so many security problems. Isn't that a problem?

  • I don't think it's any providers job to force you to login to the system you just installed and secure it.

    I am amused that you "know how to secure your server" and just can't be fucking bothered.

    Pardon my french.

    Thanked by: Nekki, Makenai, agonyzt
  • JohnRoe Member
    edited September 2014

    I got attacked from China (a Chinese IP was logged in my log) and he managed to get into my server. After that he executed some script that automatically commanded my VPS to send DDoS. I reinstalled my server and still got scanned by that IP and some other IPs (China). I managed to get rid of that attack by changing my SSH port and root username.

  • @psycholyzern said:
    I got attacked from China (a Chinese IP was logged in my log) and he managed to get into my server. After that he executed some script that automatically commanded my VPS to send DDoS. I reinstalled my server and still got scanned by that IP and some other IPs (China). I managed to get rid of that attack by changing my SSH port and root username.

    I hate Chinese IPs.... Whenever I see the fail2ban log, I see 95% are from China ...:(

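What the scanning bots described above leave behind in auth.log, and the count fail2ban's sshd jail bans on, as an added example that is not from the thread. The log lines are constructed (OpenSSH's usual syslog wording, with made-up hosts, users and documentation-range addresses); the last function finds the case this thread is actually about, a source that failed repeatedly and then got an "Accepted" line.

```shell
#!/bin/sh
# Added example, not from the thread: count failed SSH logins per source
# address from auth.log, the signal fail2ban's sshd jail bans on, and spot
# the case that matters most here: a source that failed many times and
# then got an "Accepted" line, i.e. the brute force that worked.

AUTH_LOG=$(mktemp); trap 'rm -f "$AUTH_LOG"' EXIT
# Constructed lines in OpenSSH's syslog wording; hosts, users and the
# documentation-range addresses are made up.
cat > "$AUTH_LOG" <<'EOF'
Sep 14 03:12:01 vps sshd[2011]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 14 03:12:03 vps sshd[2013]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 14 03:12:04 vps sshd[2015]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Sep 14 03:12:06 vps sshd[2017]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Sep 14 03:12:07 vps sshd[2019]: Failed password for root from 203.0.113.7 port 51255 ssh2
Sep 14 03:12:09 vps sshd[2021]: Failed password for root from 203.0.113.7 port 51260 ssh2
Sep 14 03:15:40 vps sshd[2101]: Failed password for root from 198.51.100.22 port 40001 ssh2
Sep 14 03:15:42 vps sshd[2103]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
Sep 14 03:16:02 vps sshd[2105]: Failed password for root from 198.51.100.22 port 40010 ssh2
Sep 14 03:20:13 vps sshd[2222]: Accepted password for root from 203.0.113.7 port 51999 ssh2
EOF

# failed_by_ip LOG -> "count ip" per source, most failures first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders LOG THRESHOLD -> sources at or above THRESHOLD failures
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# compromised_from LOG -> sources that failed first and later logged in
compromised_from() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i + 1)] = 1; break }
         }
         /sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from" && ($(i + 1) in failed)) { print $(i + 1); break }
         }' "$1"
}

echo "failed logins per source:"; failed_by_ip "$AUTH_LOG"
echo "would be banned at fail2ban's default maxretry=5:"; offenders "$AUTH_LOG" 5
echo "brute force that got in (investigate, do not just reinstall):"; compromised_from "$AUTH_LOG"
```

On a real box the input is /var/log/auth.log (Debian and derivatives), /var/log/secure (RHEL and derivatives) or `journalctl -u ssh`, and `fail2ban-client status sshd` shows what the jail has already banned. An "Accepted" line from an address that was guessing minutes earlier is the evidence the thread's suspension notices are about; a reinstall without closing the way in just resets the clock.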
  • I have to wonder why providers don't create secure templates from the word go.

    It is not as if most VPS users are security experts. Security and strong passwords should be built into the template from the word go, and passwords should be automatically generated, or rejected by the ordering forms if they are not secure.

    WHMCS, SolusVM, OpenVZ, and KVM template creators - this means you.

  • rchurch Member
    edited September 2014

    Which leads me to a question. KVM server passwords can be changed by booting into a rescue disk, chrooting, and changing the password, and the sshd_config if root login is disabled.

    With OpenVZ and Xen, if keyboard-interactive login via SSH is disabled and you forget the password to your encrypted SSH key, how do you set a new key?

    Does the SolusVM password reset form enable password based login in the sshd config automatically when it is used?

  • @rchurch said:
    Does the SolusVM password reset form enable password based login in the sshd config automatically when it is used?

    From my understanding, all it does is modify the values in /etc/shadow - it never actually changes your ssh configuration at all.

    Thanked by: rchurch
  • @WebSearchingPro said:
    From my understanding, all it does is modify the values in /etc/shadow - it never actually changes your ssh configuration at all.

    Though, even if you have your SSH daemon disabled, you can still access your server with the console (the equivalent of using "vzctl enter").
