    ALERT - Online.net clients are being attacked and infected with XOR.DDOS

    darknessends Member
    edited August 2015 in General

    Hi Guys,

    Multiple servers were affected by the latest revisions of this. Symptoms are high CPU usage.

    https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
    http://opcode.ninja/malware-analysis-1-1/

    Please take care; if someone wants to remove it, I will guide you.

    Thanks

    Comments

    • hostnoob Member
      edited August 2015

      what's so specific about online.net?

      Just because online.net dedis always get brute forced within minutes of being online? Or do you mean you had dedis with online.net and they were compromised?

      Favourite host in general: Ramnode (affiliate link)
      Favourite host for hourly billing/custom ISOs: Vultr ($50 free credit for new accounts, affiliate link)

    • Nyr Member
      edited August 2015

      This has nothing to do with Online.net, nor is it a 0day or something to be worried about.

      Thanked by 3: netomx, ATHK, lbft
    • @hostnoob : A couple of hosts with online.net were compromised at the same time. They are targeting their IP ranges.

      @Nyr : I got frustrated with removing this, since servers become so unresponsive, and thought it's good to alert others.

    • So your servers were compromised due to a brute force attack? Or is there a backdoor on all online.net's servers?

    • Nyr Member

      darknessends said: I got frustrated with removing this, since servers will become so unresponsive and thought it's good to alert others

      Still you should probably not name the provider since they don't seem to have anything to do with you being compromised.

      Thanked by 2: ATHK, netomx
    • @darknessends said:
      hostnoob : A couple of hosts with online.net were compromised at the same time. They are targeting their IP ranges.

      Nyr : I got frustrated with removing this, since servers become so unresponsive, and thought it's good to alert others.

      People always target online.net servers. Just follow normal security practice (disable root, disallow password auth, etc.) and change the SSH port to limit the number of attacks.

      Nothing online.net can do or be blamed for


    • gestiondbi Member, Provider

      @hostnoob maybe Online is not reliable....lol.

      Seriously, the host has nothing to do with this. Maybe you should check your setup if many of your servers got compromised at the same time...

      Gestion DBI Inc. | IT Consulting, Telecommunications, Domotic/Security and Hosting provider.
      DeepNet Solutions | OpenVZ VPS for Cheap! | Only the best Cloud KVM VPS.

    • The title should be changed to ALERT - Many noobs using Online.net are being attacked and infected with XOR.DDOS

    • sin Member

      or you could just secure your servers?

    • rm_ Member
      edited August 2015

      hostnoob said: disable root, disallow password auth

      If you do #2, doing #1 is just silly security theater with zero justification.

      (I was so fed up fixing this on new RunAbove instances, I even wrote a script to re-enable 'root' automatically...)

    • mikho Member, Provider

      I changed the title to include the word "clients" since it is not the provider's server that gets infected.

      Thanked by 1: comXyz
      Get a LES NAT VPS! (or 10) in United States (3), Germany, Bulgaria, France, Norway, Australia (2), Singapore. | -> 500gb NAT Storage
    • @mikho said:
      I changed the title to include the word "clients" since it is not the provider's server that gets infected.

      You are missing the e in clients

    • mikho Member, Provider

      @comXyz said:
      You are missing the e in clients

      Thanks, hard to type laying in bed with only one eye open.

      Thanked by 1: TheKiller
    • rm_ said: (I was so fed up fixing this on new RunAbove instances, I even wrote a script to re-enable 'root' automatically...)

      Tried to do that on Amazon too :) Though I did not go so far as to automate it, and I'm a little in doubt about how to automate the passwd command (I prefer a password sometimes).

      Freelance System Administrator, available for hire. Primary tasks i do concentrated on: PHP, MySQL, Postgres, Nginx, DDoS-protection, application security, high-performance solutions, high-availability / clustering.

    • sin Member
      edited August 2015

      -edit- nevermind

    • rm_ Member
      edited August 2015

      sin said: Doesn't XOR.DDOS infect via brute forcing root though?

      Did you even read what I wrote. "If you do #2". And what was #2? If you disallow password auth altogether and set it to accept key-based authentication only, nobody can brute-force 'root' (or any other username for that matter), so there is no point in disabling 'root'.

      Thanked by 1: alexvolk
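      To make hostnoob's checklist (disable root, disallow password auth, move the port) and rm_'s point that key-only authentication removes the brute-force path concrete, here is an added Python example. It is not code from this thread and not OpenSSH's own code: it parses sshd_config text and reports which of those settings are in a weak state. The default values and the keyboard-interactive caveat come from the OpenSSH sshd_config manual; the sample configs and finding codes are constructed for the example.

```python
"""Audit sshd_config text for the settings debated in the thread.

Added example (not from the thread). Defaults follow the OpenSSH sshd_config
manual: PermitRootLogin defaults to prohibit-password in OpenSSH 7.0+ (older
releases default to yes), PasswordAuthentication and
ChallengeResponseAuthentication default to yes, Port defaults to 22.
"""
from __future__ import annotations

DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "port": "22",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings as a lowercase keyword -> value map.

    sshd semantics modelled here: '#' starts a comment, keywords are
    case-insensitive, the FIRST occurrence of a keyword wins, and everything
    after a 'Match' line applies conditionally, so it is left out of the
    global picture.
    """
    settings: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Both "Keyword value" and "Keyword=value" are accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)
    return settings


def audit(text: str) -> list[str]:
    """Return finding codes for the config, following the thread's three points."""
    cfg = parse_sshd_config(text)

    def setting(key: str) -> str:
        return cfg.get(key, DEFAULTS[key]).lower()

    findings: list[str] = []
    # A password can still be offered through keyboard-interactive (PAM) when only
    # PasswordAuthentication is off, so both knobs must be 'no' before brute force
    # is actually impossible.
    password_path = (
        setting("passwordauthentication") == "yes"
        or setting("challengeresponseauthentication") == "yes"
    )
    if password_path:
        findings.append("password-auth-enabled")
        if setting("permitrootlogin") == "yes":
            findings.append("root-password-login")
    # rm_'s point: with key-only auth there is nothing to brute force, so
    # PermitRootLogin yes is not flagged on its own.
    if setting("port") == "22":
        findings.append("default-port-noise")  # log noise, not a vulnerability
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """
# typical distro default plus root enabled
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 2222
# root stays enabled, but only a key can use it (rm_'s setup)
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# conditional block: a subnet allowed passwords is deliberately NOT
# counted as a global weakness
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

      Run it against a copy of /etc/ssh/sshd_config to see which of the thread's three points apply; the "default-port-noise" code is reported separately because, as several posters note, port 22 is about log volume rather than exposure.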
    • sin Member

      rm_ said: Did you even read what I wrote. "If you do #2". And what was #2?

      Ah sorry about that, you're right I read it wrong.

    • None of my online.net boxes are infected.
      You could always use a strong password and fail2ban though.

      tsdns.io - free, redundant, DDoS-protected TSDNS
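      The "strong password and fail2ban" suggestion above, as an added Python example (not fail2ban's own code and not from this thread): a sliding-window counter over sshd auth.log lines that mirrors fail2ban's maxretry/findtime logic. The log lines are constructed for the example using documentation IP ranges; the regular expression matches the standard OpenSSH "Failed password" message.

```python
"""Sliding-window failed-login counter in the spirit of fail2ban's sshd jail.

Added example, not from the thread and not fail2ban's code. It reads syslog-style
sshd lines and reports which sources would be banned for a given maxretry /
findtime, which is what fail2ban does with its sshd filter.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH message; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Aug 12 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50122 ssh2
Aug 12 10:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 50123 ssh2
Aug 12 10:00:03 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Aug 12 10:00:04 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
Aug 12 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 50126 ssh2
Aug 12 10:00:07 host sshd[1006]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Aug 12 10:03:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 41000 ssh2
Aug 12 10:30:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 41001 ssh2
"""


def parse_failures(log_text: str, year: int = 2015):
    """Yield (timestamp, ip, user) for every failed-password line, in file order.
    syslog timestamps carry no year, so one is supplied (fail2ban has to guess too)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def failures_per_source(log_text: str) -> dict[str, int]:
    """Plain per-source failure count, useful for a quick look at who is knocking."""
    counts: dict[str, int] = defaultdict(int)
    for _, ip, _ in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600) -> dict[str, datetime]:
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside any
    findtime-second window. A deque per source keeps only the timestamps still
    inside the window, so memory stays bounded on a busy log."""
    windows: dict[str, deque] = defaultdict(deque)
    banned: dict[str, datetime] = {}
    for ts, ip, _ in parse_failures(log_text):
        if ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print(failures_per_source(SAMPLE_LOG))
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

      In the sample, 203.0.113.5 crosses five failures within a minute and would be banned at 10:00:05, while 198.51.100.9's two attempts 27 minutes apart never fall inside one 10-minute window; that is the findtime behaviour a slow, low-rate brute forcer relies on, so tune findtime rather than only maxretry.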

    • wych Member
      edited August 2015

      fail2ban/cpHULK ftw.

      Taking a hiatus.

    • @rm_ said:
      (I was so fed up fixing this on new RunAbove instances, I even wrote a script to re-enable 'root' automatically...)

      I was just naming things people suggest. I don't do either :)


    • Breaking News: people still run SSH on port 22

      How to clean up a questionable reputation: throw the kids some BF/CM offers.

    • @doughmanes said:
      Breaking News: people still run SSH on port 22

      What if I told you that the earth is flat?

      You wouldn't believe me, right? Running on port 22 is not bad; sometimes it is even bad to change it.

    • Infinity580 said: sometimes it is even bad to change it.

      Like what?


    • @doughmanes, it won't take very long for an attacker to find your ssh port.

    • Changing your port can be useful if you want to reduce the usual noise from the internet, which helps keep your logs a bit smaller. It still won't help against targeted attacks though.

      An example where a custom port sucks is a Git server: it feels stupid when you always have to specify a port and/or create an entry in your .ssh/config file.

      SnapServ Mathis - Your cheap and reliable RIPE Sponsoring LIR. Use coupon code LET2017 to get a recurring discount of 10% on our products!

    • darknessends said: @doughmanes, it won't take very long for an attacker to find your ssh port.

      Try knockd if you're having issues with your servers being scanned.

    • ksug Member

      @doughmanes said:
      Breaking News: people still run SSH on port 22

      Changing SSH port is security by obscurity. If the attacker scans ports, it slows down the attacker by 3 seconds. It doesn't prevent anything.

    • @ksug said:

      Yes, but it does prevent a significant portion of attacks. Most mass attacks check port 22. If it's a targeted attack then it's another story.

      tl;dr: changing ports does help

      Thanked by 1: doughmanes
    • @black said:
      Try knockd if you're having issues with your servers being scanned.

      Yes, I think that this is the best solution. A simple way is to do port knocking with iptables; this is an example with 3 TCP ports and the default SSH port 22:

      #Port Knocking - port1 - port2 - port3
      -A INPUT -p tcp --dport port1 -m recent --set --rsource --name SSH_AUTH_KNOCK1 -m limit --limit 15/min -j LOG --log-prefix "ssh knock 1 " --log-level 7
      -A INPUT -p tcp --dport port2 -m recent --rcheck --rsource --seconds 15 --name SSH_AUTH_KNOCK1 -m recent --set --rsource --name SSH_AUTH_KNOCK2 -m limit --limit 15/min -j LOG --log-prefix "ssh knock 2 " --log-level 6
      -A INPUT -p tcp --dport port3 -m recent --rcheck --rsource --seconds 15 --name SSH_AUTH_KNOCK2 -m recent --set --rsource --name SSH_AUTH -m limit --limit 15/min -j LOG --log-prefix "ssh knock 3 " --log-level 6
      -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --rsource --seconds 15 --name SSH_AUTH -j ACCEPT

      You only need to modify the port1, port2 and port3 values; all port knocks are printed in the log.

      Regards
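      As an added illustration of the iptables rule set in the post above (Python written for this thread, not the poster's code), here is a model of the state those four rules keep: each `recent` list remembers when a source last hit it, `--rcheck --seconds 15` tests that memory, and `--set` refreshes it. It lets you exercise the sequence logic offline, including the one caveat a defender should know about these rules: a wrong knock never clears the lists, so if port1 < port2 < port3 an ordinary ascending port sweep completes the sequence by itself. Choosing the knock ports in descending order (or adding `--remove` rules for out-of-order knocks) closes that gap. The port numbers and source addresses below are constructed, and the chain's policy is assumed to be DROP.

```python
"""Model of the port-knocking iptables rules from the post above.

Added example, not from the thread. It reproduces the semantics the four rules
rely on: 'recent --set' stamps the source in a named list, 'recent --rcheck
--seconds 15' succeeds only if that stamp is at most 15 s old, and a new
connection to the SSH port is ACCEPTed only when the last list has a fresh
stamp. Knock packets themselves are only logged and then fall through to the
chain policy, which is assumed to be DROP.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class KnockGate:
    knock_ports: tuple[int, int, int]  # port1, port2, port3 in the rules
    ssh_port: int = 22
    window: float = 15.0               # --seconds 15
    # list name -> {source address: time of last --set}
    lists: dict[str, dict[str, float]] = field(default_factory=dict)

    def _recent(self, name: str, src: str, now: float) -> bool:
        """--rcheck --rsource --seconds window: stamp exists and is fresh."""
        stamp = self.lists.get(name, {}).get(src)
        return stamp is not None and now - stamp <= self.window

    def _set(self, name: str, src: str, now: float) -> None:
        """--set --rsource: add or refresh the source's stamp."""
        self.lists.setdefault(name, {})[src] = now

    def packet(self, src: str, dport: int, now: float) -> bool:
        """Return True only for a new SSH connection that the last rule ACCEPTs."""
        p1, p2, p3 = self.knock_ports
        if dport == p1:
            self._set("SSH_AUTH_KNOCK1", src, now)
        elif dport == p2 and self._recent("SSH_AUTH_KNOCK1", src, now):
            self._set("SSH_AUTH_KNOCK2", src, now)
        elif dport == p3 and self._recent("SSH_AUTH_KNOCK2", src, now):
            self._set("SSH_AUTH", src, now)
        elif dport == self.ssh_port and self._recent("SSH_AUTH", src, now):
            return True
        return False  # nothing matched: DROP policy


def knock_then_connect(gate: KnockGate, src: str, sequence, gap: float = 1.0) -> bool:
    """Send the knock sequence 'gap' seconds apart, then try the SSH port."""
    now = 0.0
    for port in sequence:
        gate.packet(src, port, now)
        now += gap
    return gate.packet(src, gate.ssh_port, now)


def sweep_then_connect(gate: KnockGate, src: str, lo: int, hi: int) -> bool:
    """An ordinary ascending port sweep at one probe per millisecond, then SSH.
    With ascending knock ports this completes the sequence by accident; with
    descending ones the sweep hits port3 first and the chain never advances."""
    now = 0.0
    for port in range(lo, hi + 1):
        gate.packet(src, port, now)
        now += 0.001
    return gate.packet(src, gate.ssh_port, now)


if __name__ == "__main__":
    asc = (7000, 8000, 9000)
    desc = (9000, 8000, 7000)
    print("right order:", knock_then_connect(KnockGate(asc), "192.0.2.10", asc))
    print("wrong order:", knock_then_connect(KnockGate(asc), "192.0.2.10", (8000, 7000, 9000)))
    print("too slow:", knock_then_connect(KnockGate(asc), "192.0.2.10", asc, gap=20))
    print("ascending ports vs sweep:", sweep_then_connect(KnockGate(asc), "192.0.2.11", 6000, 9500))
    print("descending ports vs sweep:", sweep_then_connect(KnockGate(desc), "192.0.2.11", 6000, 9500))
```

      The model also shows that the state is per source address (`--rsource`), so a successful knock from one host does not open the port for another, and that `--rcheck` does not refresh a stamp: the whole sequence plus the SSH connect has to happen within the 15-second windows.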

    • ksug said: Changing SSH port is security by obscurity. If the attacker scans ports, it slows down the attacker by 3 seconds. It doesn't prevent anything.

      Guess you don't deal with this daily with a VPS node and how many services are running on it. "Obscurity" works for 'dumb' bruteforcing malware that makes a bunch of noise, and not this overly security crap when something as basic as this will help people 99.9% of the time.


    • ksug Member

      @doughmanes said:
      Guess you don't deal with this daily with a VPS node and how many services running on it. "Obscurity" works for 'dumb' bruteforcing malware that makes a bunch of noise and not this overly security crap when something basic as this will help people 99.9% of the time.

      What I do or do not deal with is irrelevant. Others have argued about reducing the size/noise of the log file, I don't disagree with that.
      The "99.9%" figure is not supported by any evidence. I don't rely on the attackers being dumb. If attackers are dumb, we have nothing to worry about.

    • @rm_ said:
      (I was so fed up fixing this on new RunAbove instances, I even wrote a script to re-enable 'root' automatically...)

      In case your key file is grabbed, having an extra security level is not that bad a choice.

      Use the key file for logging into a chrooted user, then su your way into root. There's justification.

      ...
      ...

    • rm_ Member

      Nomad said: In case your key file is grabbed

      It is password-protected, so nobody can just use it either.

      Nomad said: Use the key file for logging into a chrooted user then su your way in to root.

      Silly monkey's work.

    • @darknessends said:
      doughmanes, it won't take very long for an attacker to find your ssh port.

      but these bots just mass scan port 22; they don't specifically target certain servers

      that's what changing the default port helps protect against.


    • @doughmanes said:
      Like what?

      only root can start services on ports 1-1024 so if a service is running on port 22, you know it was started by root, and not another user running a fake daemon

      of course another user running a fake daemon on your SSH port would mean access to your server has been compromised so you're probably fucked anyway which is why I think that's a load of rubbish


    • Nomad Member
      edited August 2015

      @rm_ said:
      Silly monkey's work.

      Depending on the use, I disagree with you.
      For example, you can set your ssh client to autologin on your pc/phone to quickly access ssh instead of typing passwords all the time. In such cases root login is a bad idea, in case your phone or pc gets stolen/peeked at.

      Just because it's not the way you are used to doesn't make it a bad practice or silly monkey's work.

      ...
      ...
