My VPS Hacked
So today I noticed one of my VPSes was constantly timing out, since UptimeRobot was spamming my email, so I decided to log into it.
I never used this VPS for anything for the past few months; it was just a fresh OS install.
Here is a screenshot of the **last** command:
http://i.imgur.com/oK6g0yq.png
I was surprised to see a strange IP, 122.81.131.109.
Turns out it's from China: http://www.ip-adress.com/ip_tracer/122.81.131.109
The cpe788 logins are me.
My VPS was infected for the past few days and was being used for DDoS attacks.
I'm now 17TB over my quota.
http://i.imgur.com/aw1gczM.png
As far as I can tell, there's a file called b26 in /root, which is probably the DDoS script.
I was not using a weak password; I generated my passwords for all users from this link:
https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new
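Added here as an example, not code from the original post: a small POSIX shell script that does what the `last` screenshot above shows by hand, reading `last -i`-style output and flagging every login whose source IP is not on an allowlist. The sample `last` lines are constructed for this example (only the 122.81.131.109 address comes from the thread), and the allowlist addresses are assumptions you would replace with your own.

```shell
#!/bin/sh
# Added example, not code from the original post: flag SSH logins in
# `last -i` output whose source IP is not on an allowlist.
# Usage on a live host:  last -i | audit_logins

# Assumption: the addresses you normally log in from. Entries ending in "."
# are treated as prefixes; anything else must match exactly.
ALLOWED="203.0.113.10 198.51.100."

# Constructed sample of `last -i` output (user, tty, source IP, timestamps).
# The 122.81.131.109 address is the one from the thread; the rest is made up.
SAMPLE_LAST='cpe788   pts/0        203.0.113.10     Sat Jun 28 10:02 - 10:40  (00:38)
root     pts/1        122.81.131.109   Thu Jun 26 03:14 - 03:52  (00:38)
cpe788   pts/0        198.51.100.7     Wed Jun 25 21:11 - 21:15  (00:04)
root     pts/0        122.81.131.109   Wed Jun 25 02:07 - 02:09  (00:02)
reboot   system boot  0.0.0.0          Tue Jun 24 12:00 - 12:00  (00:00)

wtmp begins Tue Jun 24 12:00:00 2014'

# Return 0 if $1 is allowlisted, 1 otherwise.
ip_allowed() {
    for a in $ALLOWED; do
        case "$a" in
            *.) case "$1" in "$a"*) return 0 ;; esac ;;
            *)  if [ "$1" = "$a" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Read `last -i` output on stdin; print "user ip timestamps" for each
# session from a non-allowlisted IP. Skips blank lines, the reboot/shutdown
# pseudo-users, the "wtmp begins" trailer and console sessions (0.0.0.0).
audit_logins() {
    while read -r user tty ip rest; do
        case "$user" in ""|reboot|shutdown|wtmp) continue ;; esac
        if [ "$ip" = "0.0.0.0" ]; then continue; fi
        if ! ip_allowed "$ip"; then
            printf '%s %s %s\n' "$user" "$ip" "$rest"
        fi
    done
}

# Helpers over the constructed sample so the result can be checked.
count_suspicious() {
    printf '%s\n' "$SAMPLE_LAST" | audit_logins | wc -l | tr -d ' '
}
suspicious_ips() {
    printf '%s\n' "$SAMPLE_LAST" | audit_logins | awk '{print $2}' | sort -u
}

# Print the findings for the sample: two root sessions from 122.81.131.109.
printf '%s\n' "$SAMPLE_LAST" | audit_logins
```

On a real host, `last` only reads wtmp, which an attacker with root can edit or truncate, so treat an empty or suspiciously short result with the same suspicion as a foreign IP and cross-check against /var/log/auth.log (or the journal) and the provider's traffic graphs.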
Comments
It seems the location of this IP is Zibo, Shandong, and the ISP is China Tietong Telecommunications.
Were you using a weak password?
Why are you putting the provider's name in your title? Is this their fault?
What would be the best way to prevent this from happening?
These hackers have scripts that scan IP ranges for vulnerable VPSes and then infect them to add them to their botnet.
As far as I know they exploit Apache somehow.
I use this link to generate passwords https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new
I have edited the title. No it is not their fault.
Use passwords like this; after logging in via SSH, change the password using the command "passwd",
or use SSH keys.
eg: giu&h#u%$^%7kjnbUJHGB#&BKJ709#754$3342gjh#&*^ulhohtderswez#$bhgf6yu5rt7
Use SSH keys and whitelist your IPs for SSH access.
Keep on top of any patches for outward facing services that are listening on a port.
Sometimes it's the provider to blame.
port knocking + SSH keys + fail2ban + high SSH port (1024 and up) = win
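To make the checklist in the replies above concrete, here is an added example in POSIX shell (not code from the thread): the sshd settings a fresh install commonly ships with, beside the hardened set the replies recommend, a matching fail2ban jail, and a checker that flags the weak directives in any sshd_config fed to it. The port number, the username in AllowUsers and the jail parameters are assumptions; adjust them for your own host.

```shell
#!/bin/sh
# Added example, not code from the thread: weak vs. hardened sshd_config,
# a fail2ban jail to match, and a checker for the weak directives.
# Usage on a live host:  check_sshd_config < /etc/ssh/sshd_config

# Constructed: what a fresh install commonly ships with.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

# Constructed: keys only, no root login, a single allowed user, and a
# non-default port (assumption: 2222; it only cuts scanner noise, the keys
# and fail2ban do the real work).
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers cpe788
MaxAuthTries 3
LoginGraceTime 20'

# Constructed fail2ban jail.local matching the hardened port (assumed values).
FAIL2BAN_JAIL='[sshd]
enabled  = true
port     = 2222
maxretry = 3
findtime = 600
bantime  = 3600'

# Print the value of directive $1 from the sshd_config on stdin. sshd uses
# the first occurrence of a keyword, so stop at the first non-comment match.
sshd_get() {
    awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# Read an sshd_config on stdin; print one line per weak directive.
# Returns 0 when nothing weak is found, 1 otherwise. A missing directive is
# treated as its permissive default (PermitRootLogin yes was still the
# OpenSSH default in this thread's timeframe; newer releases default to
# prohibit-password, so adjust if you only target those).
check_sshd_config() {
    cfg=$(cat)
    findings=0
    v=$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin)
    if [ "${v:-yes}" = "yes" ]; then
        echo "PermitRootLogin yes: root can be brute-forced directly"
        findings=1
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get PasswordAuthentication)
    if [ "${v:-yes}" = "yes" ]; then
        echo "PasswordAuthentication yes: password guessing is possible"
        findings=1
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get ChallengeResponseAuthentication)
    if [ "${v:-yes}" = "yes" ]; then
        echo "ChallengeResponseAuthentication yes: passwords still accepted via keyboard-interactive"
        findings=1
    fi
    v=$(printf '%s\n' "$cfg" | sshd_get Port)
    if [ "${v:-22}" = "22" ]; then
        echo "Port 22: default port, hit by every scanner"
        findings=1
    fi
    return $findings
}

# Number of findings for a config passed as a string.
count_findings() {
    printf '%s\n' "$1" | check_sshd_config | wc -l | tr -d ' '
}

echo "--- weak config:"
printf '%s\n' "$WEAK_CONFIG" | check_sshd_config
echo "--- hardened config:"
if printf '%s\n' "$HARDENED_CONFIG" | check_sshd_config; then echo "no findings"; fi
echo "--- fail2ban jail.local:"
printf '%s\n' "$FAIL2BAN_JAIL"
```

Turning off ChallengeResponseAuthentication matters as much as PasswordAuthentication: with only the latter set to no, a keyboard-interactive prompt can still accept the same password. Apply the hardened file with `sshd -t` first and keep an existing session open until a second key-based login succeeds, or you lock yourself out of the box you just cleaned.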
I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.
I will look into utilizing SSH keys; my problem with keys is that I use mtPuTTY and I am not sure how to make SSH keys work with it. http://ttyplus.com/multi-tabbed-putty/
lol
Do you mind to share the script? I'm curious to see what are they doing.
How did he reset your root password if it was just via an Apache exploit? (I assume your Apache is running as a non-privileged user.)
Although I doubt they found your randomly generated password; maybe your root password was weaker?
This. The theoretical number of brute-force attempts, if they know the full character set, is (26+26+10)^20. Let's say 3 brute-force attempts a second; it'd take them 7.44077e27 years.
I already re-installed the OS. I tried reading the file but it was all gibberish/not readable.
But I found some other reports with the same b26 file:
http://lowendtalk.com/discussion/16054/a-fresh-os-installed-by-the-seller-and-got-accessed-by-someone-else-could-anyone-explain-this
http://superuser.com/questions/695876/is-root-b26-a-ddos-process
My root pass was generated from that same link.
Never used that one, but if you open the server up and then click on "Run Putty Config" it should bring up the actual configuration, where you can add keys.
The interface of that app is terrible compared to PuTTY or PuTTYtray (imo), but at least it has tabs!
bluefly :-D
That is the most common reason I find for client servers being hacked.
Lucky you, I find zpanel and kloxo. After each hack I discover, I tell people to no longer use those, and more than half say "OK, lesson learned", which means they did.
I have ~50 VPSes in total from various providers; ~12 of them don't do anything. The one that was hacked happened to be one of them.
Most of them are cheap yearly deals, $8-$15/yr.
Here is a quarter of my mtPutty list. http://i.imgur.com/lFVqOPV.png
Should give a rough idea.
money well spent O__o
Shouldn't a provider notice an outgoing DDoS though?
The VPS was hacked on June 26 according to the China IP. Wasn't that the day the OpenVZ patch was released?
Maybe someone exploited it before BlueVM patched their nodes.
You should gift me one of your VPSes if you don't use it.
Beg beg beg. ;P
Could be possible, but didn't BlueVM patch their systems quickly?
:O Set them up as mirrors for Linux distros or speedtest.net or something.
How much do BlueVM charge for overages anyway?
Is this the second VPS that's been hacked of yours?
If you have unused VPSes, your best bet is to turn them off if you don't need them.
Has anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?
Yes.