    My VPS Hacked

    BellaBella Member
    edited June 2014 in General

    So today I noticed one of my VPS was constantly timing out since UptimeRobot was spamming my email so I decided to log into it.

    I never used this VPS for anything for the past few months, it was just a fresh OS Install.

    Here is a screenshot of the 'last' command

    http://i.imgur.com/oK6g0yq.png

    I was surprised to see a strange IP, 122.81.131.109

    Turns out it's from China http://www.ip-adress.com/ip_tracer/122.81.131.109

    the cpe788 logins are me.

    My VPS had been infected for the past few days and was being used for DDOS attacks.

    I'm now 17TB over my quota.

    http://i.imgur.com/aw1gczM.png

    As far as I can tell, there's a file called b26 in /root which is probably the DDOS script.


    I was not using a weak password, I generated my password for all users from this link.

    https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new


    Comments

    • it seems the location of this ip is Zibo, Shandong, and the isp is: China Tietong Telecommunications

    • sz1hostingsz1hosting Member
      edited June 2014

      said: Thanks a lot hacker.

      Were you using a weak password?

    • Why are you putting provider's name on your title? Is this their fault?

      Thanked by 1Spencer

      Cheap VPS - VPSDime

    • BellaBella Member

      What would be the best way to prevent this from happening?

      These hackers have scripts that scan IP ranges for vulnerable VPSs and then infect them to add them to their botnet.

      As far as I know they exploit Apache somehow.

    • BellaBella Member

      @sz1hosting said:
      Were you using a weak password?

      I use this link to generate passwords https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new

    • BellaBella Member

      @serverian said:
      Why are you putting provider's name on your title? Is this their fault?

      I have edited the title. No it is not their fault.

    • sz1hostingsz1hosting Member
      edited June 2014

      Use passwords like this. After logging into SSH, change the password using the command "passwd",
      or use SSH keys.
      eg: giu&h#u%$^%7kjnbUJHGB#&BKJ709#754$3342gjh#&*^ulhohtderswez#$bhgf6yu5rt7

    • Use SSH keys and whitelist your IPs for SSH access.

      Keep on top of any patches for outward facing services that are listening on a port.

      Sometime it's the provider to blame.

    • darkshiredarkshire Member
      edited June 2014

      port knocking + ssh keys + fail2ban + high ssh port (1024 and up) = win

    • BellaBella Member
      edited June 2014

      I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.

      I will look into utilizing SSH keys, my problem with keys is that I use mtputty and I am not sure how to make SSH keys work with it. http://ttyplus.com/multi-tabbed-putty/

    • @Bella said:
      I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.

      lol

    • seikanseikan Member

      said: As far as I can tell, there's a file called b26 in /root which is probably the DDOS script.

      Do you mind to share the script? I'm curious to see what are they doing.

      Hobby Projects: DNMin | PingBear

    • perennateperennate Member, Provider
      edited June 2014

      How did he reset your root password if it was just via Apache exploit? (I assume your Apache is running as non-privileged user)

      although I doubt they found your randomly generated password; maybe your root password was weaker?

    • blackblack Member

      @perennate said:
      Come on, if he was using a randomly generated password, chances are he wasn't hacked via SSH.

      This. The theoretical # of brute force attempts if they know the full range of character sequence is (26+26+10)^(20). Let's say 3 brute force attempts a second, it'd take them 7.44077e27 years.

    • BellaBella Member

      @seikan said:

      I already re-installed the OS, I tried reading the file but it was all gibberish/not readable.

      But I found some other reports with the same b26 file

      http://lowendtalk.com/discussion/16054/a-fresh-os-installed-by-the-seller-and-got-accessed-by-someone-else-could-anyone-explain-this

      http://superuser.com/questions/695876/is-root-b26-a-ddos-process

      @perennate said:
      How did he reset your root password if it was just via Apache exploit? (I assume your Apache is running as non-privileged user)

      although I doubt they found your randomly generated password; maybe your root password was weaker?

      My root pass was generated from that same link.

    • @Bella said:
      I'm just surprised my VPS was not suspended for going over the bandwidth limit by 16TB in 3 days.

      I will look into utilizing SSH keys, my problem with keys is that I use mtputty and I am not sure how to make SSH keys work with it. http://ttyplus.com/multi-tabbed-putty/

      Never used that one but if you open the server up and then click on "Run Putty Config" it should bring up the actual configuration where you can add keys.

      The interface of that app is terrible, compared to Putty or Puttytray (imo), but at least it has tabs!

      Thanked by 1linuxthefish
    • yywudiyywudi Member

      @hotsnow said:
      it seems the location of this ip is Zibo, Shandong, and the isp is: China Tietong Telecommunications

      bluefly :-D

    • AnthonySmithAnthonySmith Top Provider

      said: I never used this VPS for anything for the past few months, it was just a fresh OS Install.

      that is the most common reason I find for client servers being hacked.

    • @AnthonySmith said:
      that is the most common reason I find for client servers being hacked.

      Lucky you, I find zPanel and Kloxo. After each hack I discover, I tell people to no longer use those, and more than half say "OK, lesson learned", which means they did.

      Extremist conservative user, I wish to preserve human and civil rights, free speech, freedom of the press and worship, rule of law, democracy, peace and prosperity, social mobility, etc. Now you can draw your guns.

    • BellaBella Member
      edited June 2014

      @AnthonySmith said:
      that is the most common reason I find for client servers being hacked.

      I have ~50 VPSs in total from various providers; ~12 of them don't do anything. The one that was hacked happened to be one of them.

      Most of them are cheap yearly deals, $8-$15/yr.

      Here is a quarter of my mtPutty list. http://i.imgur.com/lFVqOPV.png

      Should give a rough idea.

    • darkshiredarkshire Member
      edited June 2014

      @Bella said:
      I have ~ 12 of them that don't do anything.

      money well spent O__o

      Thanked by 1Mark_R
    • @serverian said:
      Why are you putting provider's name on your title? Is this their fault?

      Shouldn't a provider notice an outgoing DDoS though?

      Favourite host in general: Ramnode (affiliate link)
      Favourite host for hourly billing/custom ISOs: Vultr ($50 free credit for new accounts, affiliate link)

    • BellaBella Member

      VPS was hacked on June 26 according to the China IP. Wasn't that the day the OpenVZ patch was released for the patch?

      Maybe someone exploited it before BlueVM patched their nodes.

    • ChuckChuck Member

      You should gift me 1 of your VPS if you don't use it?

      I like what she said, not what it means.

    • @Chuck said:
      You should gift me 1 of your VPS if you don't use it?

      Beg beg beg. ;P

      @Bella said:
      VPS was hacked on June 26 according to the China IP. Wasn't that the day the OpenVZ patch was released for the patch?

      Maybe someone exploited it before BlueVM patched their nodes.

      Could be possible, but didn't BlueVM patch their systems quickly?

      Is inflation really at 0.5%? What a conundrum...

      eddynetweb.net | DigitalOcean referral.

    • @Bella said:
      Should give a rough idea.

      :O set them up as mirrors for linux distros or speedtest.net or something.

      How much do BlueVM charge for overages anyway?

    • BradBrad Member, Provider

      Is this the second VPS that's been hacked of yours?

      Thanked by 1darkshire
    • namhuynamhuy Member

      If you have unused VPSs, your best bet is to turn them off if you don't need them.

    • Has anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?

    • @Caveman122 said:
      Has anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?

      Yes.

    • DylanDylan Member
      edited June 2014

      @Caveman122 said:
      Has anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?

      Random.org is about as trustworthy as these sites get and I find that extremely unlikely -- but even so you should never use any online generator for truly sensitive passwords (they even say that right on the generator page).

    • blackblack Member

      @Caveman122 said:
      Has anyone considered the possibility that these strong random passwords might be logged as they are generated and sold as a dictionary?

      There's no point in using a dictionary that contains randomly generated passwords because it's slower (I/O, transfer of said dictionary, etc).

    • @Dylan said:
      Random.org is about as trustworthy as these sites get and I find that extremely unlikely -- but even so you should never use any online generator for truly sensitive passwords (they even say that right on the generator page).

      Pretty much that ^. I don't use online password generators for stuff I want to be secure. Hell, I don't even use them at all. I'd rather use an offline password manager like KeePass or KeePassX instead.

    • @Dylan said:

      I am talking about these type of websites in general, lots of them popping up recently.

    • @black said:
      There's no point in using a dictionary that contains randomly generated passwords because it's slower (I/O, transfer of said dictionary, etc).

      I have seen bots attempt seemingly random passwords on my servers, before I disabled password login altogether.

    • @Caveman122 said:
      I have seen bots attempt seemingly random passwords on my servers, before I disabled password login altogether.

      I still have bots try to log in using random users, but they always fail because password auth is disabled on my boxes. They get blacklisted after 3 attempts too.

      FWIW, if I have a box I'm not using atm, I shut it down - even though I have all my boxes set up to apply security updates automagically, if it's off, it won't be hammered.

    • Why would you leave an unattended, "fresh install" system online?

      There is your answer as to why / how you were hacked.

    • BellaBella Member
      edited June 2014

      @hostnoob said:
      How much do BlueVM charge for overages anyway?

      Nothing.

      Some months I exceed the 1TB monthly bandwidth when I download stuff, and nothing happens.

      I talked to Johnston in the IRC about nothing happening when anyone exceeds their B/W, he said he would eventually code something into Feathur to auto suspend when the B/W is exceeded.

      For now nothing happens when you exceed your B/W, plus they probably get unlimited b/w in all USA locations anyways so it does not really matter.

      --
      On another note, I've been asking them to update their IP's SWIP records for almost over a year now, all of their locations (Atlanta, Chicago, LA) geolocate to NY which is annoying for the type of stuff I do.

      Thanked by 1hostnoob
    • Screenshot seems like BlueVM. I think their bandwidth counter is not working or they are not suspending VPSs when we hit the bandwidth limit. I had a VPS with them and they didn't suspend it for exceeding bandwidth, and no extra bandwidth invoices. :)

    • BellaBella Member

      @shyaminayesh said:
      Screenshot seems like BlueVM. I think their bandwidth counter is not working or they are not suspending VPSs when we hit the bandwidth limit. I had a VPS with them and they didn't suspend it for exceeding bandwidth, and no extra bandwidth invoices. :)

      Yeah it is BlueVM, and I explained everything in the comment above yours.

    • Bella said: Yeah it is BlueVM, and I explained everything in the comment above yours.

      Got it. It's really cool, unlimited bandwidth in the USA location. Anyway, I left them because their support ticket response time is too long. Sometimes it takes more than a week. :/

    • shyaminayesh said: It's really cool, unlimited bandwidth in the USA location

      Not really, I was suspended for going 1.3 TB over the 500 GB limit. I had no idea since I was not checking in the VM, just in the panel, and it was not staying at 0, it was increasing. The next month the suspension was not reversed so I had to open a ticket. So, YMMV, but they do suspend eventually if you go over the traffic, at random, it seems.


    • Mark_RMark_R Member

      @Bella

      If you want to be really secure then you could restrict logging in to SSH to be only allowed from 1 IP; this IP would be from one of your other servers that you have set up as a VPN. On top of that you should change your default SSH port (22) to something high like 1888, because most brute-force bots won't try ports other than the default: they have to scan a lot of random IP addresses, so they are not scanning all ports.

      Allow SSH access to only 1 IP

      iptables -A INPUT -j ACCEPT -p tcp --dport 1888 -s 0.0.0.0

      iptables -A INPUT -j DROP -p tcp --dport 1888

      1888 would be your SSH port and 0.0.0.0 should be replaced with the IP that you want to allow access. You can add those iptables rules in /etc/rc.local to make sure that they load every time your VPS boots back up.

      Changing the SSH port can be done in /etc/ssh/sshd_config

      make sure that you reboot your vps after you are done.

      For extra security you could install DenyHosts as well.

      http://lowendtalk.com/discussion/20572/guide-basic-steps-to-secure-your-ubuntu-debian-server/p1

      Thanked by 1Bella
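      The lockdown Mark_R describes above (SSH accepted from one admin IP on a high port, everything else to that port dropped), written out as an added example. This is not code from the thread or from any provider; it assumes iptables and OpenSSH on a Debian/Ubuntu-style box, and the port 1888 and address 203.0.113.10 are constructed placeholders for your own SSH port and admin IP. It adds the checks a practitioner wants before touching a remote box: it refuses the 0.0.0.0 placeholder (applied verbatim that rule allows nobody), keeps the ACCEPT ahead of the DROP, and runs 'sshd -t' before restarting so a bad sshd_config cannot lock you out.

```shell
#!/bin/sh
# Added example, not code from the thread: build the "allow SSH from one IP"
# iptables rules and sshd_config directives, with sanity checks. Assumptions:
# iptables and OpenSSH on a Debian/Ubuntu-style host; 1888 and 203.0.113.10
# below are constructed placeholders for your SSH port and admin IP.

# Accept a dotted-quad IPv4 address; reject the 0.0.0.0 placeholder from the
# thread's rule, because applied verbatim it allows nobody and locks you out.
valid_admin_ip() {
    ip="$1"
    [ "$ip" != "0.0.0.0" ] || return 1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A high port (1024-65535), as the thread suggests; ports below 1024 are the
# ones bots hammer first.
valid_ssh_port() {
    port="$1"
    echo "$port" | grep -Eq '^[0-9]+$' || return 1
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# Print the two iptables commands in the only safe order: with -A the ACCEPT
# for the admin IP must be appended before the DROP, otherwise the DROP sits
# first in the chain and the ACCEPT is never reached.
build_ssh_rules() {
    port="$1"; ip="$2"
    valid_ssh_port "$port" || { echo "bad SSH port: $port" >&2; return 1; }
    valid_admin_ip "$ip" || { echo "bad admin IP: $ip" >&2; return 1; }
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# sshd_config directives: move the port and, as several replies recommend,
# accept keys only.
build_sshd_directives() {
    port="$1"
    valid_ssh_port "$port" || return 1
    printf '%s\n' \
        "Port $port" \
        "PasswordAuthentication no" \
        "PermitRootLogin prohibit-password"
}

# Apply both, but validate sshd_config with 'sshd -t' before restarting so a
# typo cannot leave you locked out after the restart (or the next reboot).
apply_hardening() {
    port="$1"; ip="$2"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    build_ssh_rules "$port" "$ip" | sh -e || return 1
    build_sshd_directives "$port" >> /etc/ssh/sshd_config
    sshd -t || { echo "sshd_config invalid; not restarting" >&2; return 1; }
    service ssh restart 2>/dev/null || systemctl restart sshd
}

# Dry run by default: print what would be applied. "--apply PORT IP" applies
# it; the IP has no usable default on purpose, you must supply your own.
if [ "${1:-}" = "--apply" ]; then
    apply_hardening "${2:-1888}" "${3:-0.0.0.0}"
else
    build_ssh_rules 1888 203.0.113.10
    build_sshd_directives 1888
fi
```

      The rules are not persistent on their own; as the post says, put them in /etc/rc.local (or use your distribution's iptables save/restore mechanism) so they survive a reboot. Keep your current SSH session open until a second connection through the new port and key works.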
    • edited June 2014

      Mark_R said: make sure that you reboot your vps after you are done.

      service sshd restart or service ssh restart or systemctl restart sshd (depends on what you have as the OS)

      No need to reboot.

      A glimmer of hope that should never have existed.

    • Indeed, however, it is best to make sure that after a reboot ssh is ok. It may work with service restart but remain stuck after reboot. You may never know.

      Thanked by 1Mark_R

    • NeoonNeoon Member
      edited June 2014

      Please never use some sort of website to generate your password, use something local on your computer like in Ubuntu/Debian: apg -a1
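      Neoon's advice above (generate locally with apg rather than on a website) and @black's brute-force estimate earlier in the thread, combined in one added example that is not code from the thread: it draws a password from the kernel CSPRNG with nothing but tr and head, then computes the entropy and the exhaustive-search time for the thread's parameters (20 characters, the 62-symbol alphabet, 3 guesses per second). The 1e10 guesses-per-second line is a constructed second data point, not a figure from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a password locally from
# /dev/urandom and put numbers on the brute-force estimate. Assumes
# /dev/urandom, tr, head and awk; the 20-character length and 62-symbol
# alphabet match what the thread discusses.

CHARSET='A-Za-z0-9'   # 26 + 26 + 10 = 62 symbols, as @black assumed
CHARSET_SIZE=62

# Draw bytes from /dev/urandom and keep only characters in CHARSET. Discarding
# the other bytes (tr -dc) is rejection sampling, so every symbol stays equally
# likely; reducing bytes modulo 62 would bias the result.
gen_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "$len"
    echo
}

# Entropy in bits: length * log2(alphabet size).
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

# Years needed to try every password in the keyspace at r guesses per second
# (an attacker expects success after half of that). Year = 365.25 days.
brute_force_years() {
    awk -v n="$1" -v s="$2" -v r="$3" \
        'BEGIN { printf "%.3e\n", s ^ n / r / 31557600 }'
}

# Demo with the thread's parameters, plus a constructed offline rate of 1e10
# guesses/second to show the margin a 20-character random password keeps even
# when the attacker is not limited by the SSH daemon.
echo "password:       $(gen_password 20)"
echo "entropy:        $(entropy_bits 20 "$CHARSET_SIZE") bits"
echo "years @3/s:     $(brute_force_years 20 "$CHARSET_SIZE" 3)"
echo "years @1e10/s:  $(brute_force_years 20 "$CHARSET_SIZE" 1e10)"
```

      The 3 guesses-per-second figure matches @black's assumption and gives about 7.44e27 years, so the thread's conclusion holds: a password of this shape is not guessed online, and the compromise has to be explained some other way (an unpatched service on a stale template, as AnthonySmith suggests).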

    • AnthonySmithAnthonySmith Top Provider

      Bella said: I have ~50 VPSs in total from various providers; ~12 of them don't do anything. The one that was hacked happened to be one of them.

      Well, I could cross a road 50 times with my eyes closed and only get hit once too. The fact is that providers do not keep individual OS templates bang up to date with security patches etc., so you can be fairly sure that at the point of installing it was a little out of date.

      All I am saying is that if you just hit reinstall and essentially abandoned it, it is not a huge surprise it got hacked, and just because it has not happened before does not mean it won't happen again.

    • MaouniqueMaounique Member
      edited June 2014

      AnthonySmith said: Well, I could cross a road 50 times with my eyes closed and only get hit once too

      So true, just now had a zPanel hacked and the user blamed it on the OVZ patch we applied...
      It can hit any day. The fact you tried to log in to check it after the patch and you couldn't does not mean that the patch changed the passwords.


    • Mark_RMark_R Member

      @NekoShiinachan said:
      No need to reboot.

      Depends on the actions taken. If Bella follows my instruction and adds the iptables rules in /etc/rc.local then you definitely have to do a reboot, because it will only execute on boot. On top of that @Maounique is right, you never know if something might be going wrong; I'd rather reboot just to make sure that everything will load as it should.

    • Mark_R said: Maounique is right

      Maounique is an expert (someone who made all mistakes possible). One day I was changing some ports, I have some favourites and didn't realize I put the same port for SSH and another service. At restart SSH worked, however, after I rebooted the remote computer it didn't come back as the port was already taken. Had to go there in the night to fix it. Since then, on critical computers I have 2 ways to connect, one being RDP from a desktop in the LAN, just in case.

      Thanked by 1AuroraZ

