Black Friday 2020 - NVMe and Storage deals - deploy worldwide - Page 142
Comments

  • Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

  • default Veteran
    edited February 2021

    @redgreenblue said:
    Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

    Thank you for the heads-up. However, I used manual install from ISO; this is actually one of the greatest things I love about HostHatch.

    @hosthatch @HostHatch_Kelvin - any info about such vulnerability in Debian template?

  • Eat, Sleep, Breathe Ubuntu, fellas. Stay safe.

  • @redgreenblue said:
    Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

    Thanks, mine had debianuser, with the groups: debianuser : debianuser cdrom floppy audio dip video plugdev netdev

    I deleted it.

  • limited Member
    edited February 2021

    @redgreenblue said:
    Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

    I can confirm this to be true.

  • No such user on my boxes.

  • Still no response on my BGP ticket + no reply on a ticket I opened a few days ago regarding a more complex routing issue. At this point, I'm not sure if I will be renewing my 17 VMs next year...

  • @Unixfy I can understand your sentiment. After seeing promises by Abdullah that service-related problems had been fixed, I decided to give Hosthatch a try again, having not used them for some years. But so far, I have been disappointed. I have tickets that were created much longer ago than yours but similarly have not received even a word of acknowledgement. The tickets I raised were regarding soft/minor problems, just to inform Hosthatch. But not a word of acknowledgement since 30 Dec 2020. Would this just be a result of them being too busy to write a short acknowledgement message?

  • @default said:

    @redgreenblue said:
    Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

    Thank you for the heads-up. However, I used manual install from ISO; this is actually one of the greatest things I love about HostHatch.

    @hosthatch @HostHatch_Kelvin - any info about such vulnerability in Debian template?

    maybe also tag @cdrive

    I agree this is a serious concern. I could verify that the user existed in 3 VMs installed from the Debian Buster template. So whoever created that template sneaked that in and is even starting to abuse it now?

    Can't confirm the miners, and also did not find any login attempts at all. But maybe I'm just lucky because I'm using a custom ssh config with a different port and whitelisted users...

  • @Unixfy said:
    Still no response on my BGP ticket + no reply on a ticket I opened a few days ago regarding a more complex routing issue. At this point, I'm not sure if I will be renewing my 17 VMs next year...

    Tbh I think they don't even care if you renew it or not, because if they cared enough about their customers they would do better with support, like they have promised.

  • DP Administrator, The Domain Guy

    @Falzo said: I could verify that user existed in 3 VMs installed from the debian buster template

    Yes, all my nodes are running on Buster, installed via their template, and I did notice the debianuser account some time ago, so I had it removed from all the servers as I wasn't sure why it existed and it also wasn't necessary.

  • Guys,

    How do I fix this cnrig thing? When I run ps ax | grep cnrig I'm seeing some results like 10078 pts/0 S+ 0:00 grep cnrig

    Should I be concerned?

  • Hosthatch's proposition of good performance at a lower price is turning out to be expensive once you factor in the time needed to clean up after this compromise caused by the fault in their Debian template. Hosthatch VMs will now be left for the things that do not matter at all, until expiry, and there is unlikely to be a renewal.

  • DP Administrator, The Domain Guy

    @dosai said:
    Guys,

    How do I fix this cnrig thing? When I run ps ax | grep cnrig I'm seeing some results like 10078 pts/0 S+ 0:00 grep cnrig

    Should I be concerned?

    No, that's you grep'ing.

  • @dosai said:
    Guys,

    How do I fix this cnrig thing? When I run ps ax | grep cnrig I'm seeing some results like 10078 pts/0 S+ 0:00 grep cnrig

    Should I be concerned?

    That is actually the "grep" process interrogating the server for cnrig, meaning it is the command you just executed.

  • @snt Am I understanding correctly that the pattern observed here is empty promises?

  • @thedp said:

    @Falzo said: I could verify that user existed in 3 VMs installed from the debian buster template

    Yes, all my nodes are running on Buster, installed via their template, and I did notice the debianuser account some time ago, so I had it removed from all the servers as I wasn't sure why it existed and it also wasn't necessary.

    I did notice it as well and didn't think much of it. I'm going to reinstall all my servers just in case now.

  • Have you tried updating your tickets after a day of no answer? When I updated mine with friendly nudges, I got replies.

    @jon617 said: Have you tried updating your tickets after a day of no answer? When I updated mine with friendly nudges, I got replies.

    I may have tried

  • @redgreenblue said:
    Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

    Confirmed. Inspecting with htop, it's running under a random process name, consuming a flat 30% CPU.

  • Daniel15 Veteran
    edited February 2021

    @fazar said:

    @redgreenblue said:
    Anyone with a VM at Hosthatch running the Debian image provided by Hosthatch should check their VM now. There is a good probability that your VM may have been compromised via the user debianuser, which is now running cnrig, which appears to be related to CryptoNight. Hosthatch VMs in multiple locations have been observed to have been compromised this way.

    Confirmed. Inspecting with htop, it's running under a random process name, consuming a flat 30% CPU.

    Has anyone created an "emergency" ticket for this? I usually avoid things like that (I hate opening tickets in general), but this seems like one of those rare cases where "make a loud noise about the ticket" is actually warranted, if dozens of VPSes on their network are potentially running malware.

    Also, this is a good time for a reminder: Please don't use password authentication for SSH. Someone that steals your password (or in this case, if there's some preconfigured user) will be able to get access to your server. Instead, generate a key (I think ED25519 keys are still the best), password protect it, and use that. Then disable PasswordAuthentication in /etc/ssh/sshd_config, which will block people from getting in with a password.

    Just make sure your key actually works before killing your SSH session, otherwise you won't be able to get back in :smiley:

    Trying to ssh to your server as a non-existent user, or without the right key, should immediately fail with Permission denied (publickey). without ever prompting for a password.

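As an added example (not code from the thread, from HostHatch or from any poster), a small POSIX shell script covering the checks the posts above come down to: whether PasswordAuthentication is really off in sshd_config, whether an account such as debianuser exists that you did not create, and how to look for a process in ps output without matching your own grep, as dosai did. Every input it runs on here is a constructed sample; on a live VM feed it the real files instead.

```shell
#!/bin/sh
# Added example, not from the thread: three checks prompted by the posts above. Each
# reads stdin, so it works on the CONSTRUCTED sample text below and on a live VM's
# sshd_config, /etc/passwd and "ps ax" output alike.

# 1. Effective PasswordAuthentication value. sshd keeps the FIRST value it reads for a
#    keyword outside Match blocks, so a later "no" does not undo an earlier "yes"; a
#    missing keyword means the OpenSSH default, "yes". Prints "yes" or "no".
effective_password_auth() {
    awk 'tolower($1) == "match" { in_match = 1 }
         !in_match && !seen && tolower($1) == "passwordauthentication" { val = tolower($2); seen = 1 }
         END { if (!seen) val = "yes"; print val }'
}

# 2. Login accounts (UID >= 1000, "nobody" excluded) absent from the allowlist in $1,
#    i.e. accounts such as debianuser that you did not create yourself.
unexpected_users() {
    awk -F: -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 >= 1000 && $1 != "nobody" && !($1 in ok) { print $1 }'
}

# 3. Find a process by name in "ps ax" output without matching the grep itself: plain
#    "grep cnrig" lists its own command line (what dosai saw), while the regex [c]nrig
#    matches "cnrig" but not the literal "grep [c]nrig" (pgrep -x cnrig also avoids this).
#    A renamed miner will not match by name; check CPU use in htop and "ps -u debianuser".
find_process() {
    first=$(printf '%s' "$1" | cut -c1); rest=$(printf '%s' "$1" | cut -c2-)
    grep -- "[$first]$rest" || true
}

# Constructed sample inputs (not captured from a real HostHatch VM).
weak_conf='PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no'
hardened_conf='# PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'
passwd_sample='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
debianuser:x:1001:1001::/home/debianuser:/bin/bash'
ps_sample='10078 pts/0 S+ 0:00 grep [c]nrig
10012 ? Sl 41:30 ./cnrig'

printf 'weak.conf effective value:     %s\n' "$(printf '%s\n' "$weak_conf" | effective_password_auth)"      # yes
printf 'hardened.conf effective value: %s\n' "$(printf '%s\n' "$hardened_conf" | effective_password_auth)"  # no
printf 'unexpected accounts:           %s\n' "$(printf '%s\n' "$passwd_sample" | unexpected_users admin)"   # debianuser
printf 'cnrig processes:               %s\n' "$(printf '%s\n' "$ps_sample" | find_process cnrig)"           # 10012 ? Sl 41:30 ./cnrig
```

The weak sample shows the trap Daniel15's advice guards against: the trailing "PasswordAuthentication no" is ignored because an earlier "yes" already won, so always confirm with a real login attempt that fails with Permission denied (publickey).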
  • @Daniel15 said:
    Has anyone created an "emergency" ticket for this? It seems like one of those rare cases where "make a loud noise about the ticket" is actually warranted, if dozens of VPSes on their network are potentially running malware.

    I just opened an emergency ticket. Hope they will reply soon.

  • Having such template, and not responding to tickets, sounds like a recipe for disaster.

  • @default No it just sounds like typical LET LOL

  • @Unbelievable said:
    @default No it just sounds like typical LET LOL

    I kindly ask for screenshots of support tickets with long reply times. Other screenshots related to processes using CPU from debianuser would also be nice.

  • DP Administrator, The Domain Guy

    This thread will remain active and be the first line of HostHatch related support until their next promotion/offer, or even BF/CM thread :joy:

  • DP Administrator, The Domain Guy

    Just to put it out here: I logged on to the panel to check for ticket updates and noticed that one of my open tickets had been closed, but I didn't get any (email) notification of it. The last update for this particular ticket was 8 days ago (according to my mail), which stated:

    We are working on it. We will update you once it is resolved.

    So I thought I'd see what the resolution/update was upon ticket closure. Checked my list of tickets and, for that particular ticket, it stated:

    This support ticket has been marked as resolved. Respond to re-open it.

    However, the entire content of the ticket is gone, as in blank. Has it been wiped/cleared, or is this the result of a buggy panel? Just curious, because it's odd that the contents of tickets go missing, and the whole process of closing a ticket without notifying the customer is somewhat not right.

    Has anyone ever seen or experienced this with their ticket(s) at HostHatch?

  • @thedp said:
    Has it been wiped/cleared, or is this the result of a buggy panel?

    Has anyone ever seen or experienced this with their ticket(s) at HostHatch?

    Yes, once a real reply happened the content was back, magically.
