Comments
Not everyone uses templates, and not everyone uses ISOs either.
This is just a heads-up for those who are using templates, informing them of a possible backdoor found in the Debian (and maybe Ubuntu) templates provided by Solus.
This isn't a howto - it's an FYI/FYA.
Bro, are you braindead?
It would only be classified as a working hack if someone posted a working password for the user.
Can't be, but maybe he is too stoned to think properly.
Ok. debianuser existed on 2 specials I got from Virmach during the last BF. Looks like debianuser had no sudo privileges. Luckily for me, I change the SSH port and disable password auth as soon as I get a box.
For me, it was RackNerd and Greencloud. I removed the user and can't see anything suspicious, but will probably re-install both at the weekend to be sure.
My idle Virmach VPS has a logout record for debianuser on Jan 31:
Jan 31 16:49:51 sshd[29268]: Disconnected from authenticating user debianuser 205.185.125.189 port 57656 [preauth]
So it was on the fly for a while.
Hetzner (no SolusVM) Debian - no debianuser, but someone attempted to login.
Bots will always attempt logins on the public internet.
This just seems like a common issue with weak passwords and default users, am I wrong? Taking a few minutes of time to secure a server would prevent this.
That IP belongs to Frantech.
I use SSH keys instead of passwords.
I'd reinstall just to be safe.
That's exactly what I thought when I was making our own templates. They don't support new features like uninit_bg and 64 bit, so you have to turn them off if you make your own ext4 partition. I guess they just revert to ext3 and call it a day.
I'd agree with you if this wasn't being exploited in the wild, but given the fact that this is already being exploited, being vague about it is just security through obscurity, and makes it harder for people to determine if their servers were compromised as a result of the issue.
No. It's well established this is the wrong way to go once solutions are available. You'd be right if there was no defense.
@dustinc
Pedantic user says "redundant" is incorrect and does not need to be said. It might actually confuse people by implying one debianuser is correct and two are wrong.
Hi @TimboJones - I can see how it could be taken that way. We could have worded that better. Thanks for pointing that out.
One could say saying "user" after "debianuser" is also redundant
Indeed, it could be taken several ways, so I could see why he said that too.
Oh nevermind, I'm just kidding. It's all fine as is
Was just reading @raindog308's post on LEB.
Just to confirm, is it cnrig or xmrig? Or both? EDIT: Or I guess it could be either one - maybe both should be mentioned.
I've seen reports of both. Just check for any sketchy-looking processes in general.
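Added example, not posted by anyone in this thread: a small audit script covering the checks people describe above (is debianuser in /etc/passwd, what groups and SSH keys it has, what sshd logged for it, and whether a cnrig or xmrig process is running). The sample passwd, group, auth.log and ps data are constructed for offline use; only the first auth.log line is the one quoted in the thread, the other IPs are documentation ranges. The file paths, the LIVE switch and the SUSPECT_USER variable are this example's own assumptions.

```shell
#!/bin/sh
# Audit a Debian/Ubuntu box for the indicators from this thread: an unexpected
# account (default: debianuser), its groups and SSH keys, sshd auth-log events
# for it, and miner processes named cnrig or xmrig. Runs offline on constructed
# sample data by default; set LIVE=1 to read the real host files instead.

SUSPECT_USER="${SUSPECT_USER:-debianuser}"
WORK="$(mktemp -d)"   # sample files are left here for inspection

if [ "${LIVE:-0}" = 1 ]; then
    PASSWD=/etc/passwd; GROUP=/etc/group; AUTHLOG=/var/log/auth.log
    PSOUT="$WORK/ps.txt"; ps -eo pid,user,pcpu,comm > "$PSOUT"
else
    PASSWD="$WORK/passwd"; GROUP="$WORK/group"
    AUTHLOG="$WORK/auth.log"; PSOUT="$WORK/ps.txt"
    # Constructed sample data (only the first auth.log line is from the thread;
    # the other IPs are documentation ranges, not real attackers).
    cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
debianuser:x:1000:1000::/home/debianuser:/bin/bash
EOF
    cat > "$GROUP" <<'EOF'
root:x:0:
sudo:x:27:
users:x:100:debianuser
debianuser:x:1000:
EOF
    cat > "$AUTHLOG" <<'EOF'
Jan 31 16:49:51 vps sshd[29268]: Disconnected from authenticating user debianuser 205.185.125.189 port 57656 [preauth]
Jan 31 16:50:03 vps sshd[29270]: Failed password for debianuser from 203.0.113.5 port 40112 ssh2
Jan 31 16:50:09 vps sshd[29272]: Accepted publickey for root from 198.51.100.7 port 51234 ssh2
Jan 31 16:51:40 vps sshd[29281]: Accepted password for debianuser from 203.0.113.5 port 40120 ssh2
EOF
    cat > "$PSOUT" <<'EOF'
  PID USER     %CPU COMMAND
    1 root      0.0 systemd
  812 root      0.1 sshd
 4471 debianuser 97.3 xmrig
 4490 root      0.0 bash
EOF
fi

# Print the passwd entry for the user; exit status 1 if absent.
user_present() { grep "^$1:" "$2"; }   # $1 user, $2 passwd file

# Supplementary groups listing the user (sudo or adm here would be the bad news).
user_groups() {   # $1 user, $2 group file
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# Where the user's authorized_keys would live, taken from the passwd home field.
authorized_keys_path() {   # $1 user, $2 passwd file
    awk -F: -v u="$1" '$1 == u { print $6 "/.ssh/authorized_keys" }' "$2"
}

# Count sshd events for the user: "<failed-or-preauth> <accepted>".
# "Accepted ..." lines are real logins; everything else is bot noise.
auth_summary() {   # $1 user, $2 auth log
    awk -v u="$1" '
        /sshd\[/ && $0 ~ ("(user|for) " u " ") { if ($0 ~ /Accepted/) acc++; else att++ }
        END { printf "%d %d\n", att + 0, acc + 0 }' "$2"
}

# Processes whose command name is one of the miners reported in the thread.
miner_procs() {   # $1 file holding "ps -eo pid,user,pcpu,comm" output
    awk 'NR > 1 && ($4 == "xmrig" || $4 == "cnrig") { print $1, $2, $3, $4 }' "$1"
}

echo "== $SUSPECT_USER in $PASSWD:"; user_present "$SUSPECT_USER" "$PASSWD" || echo "(absent)"
echo "== supplementary groups:"; user_groups "$SUSPECT_USER" "$GROUP"
keys="$(authorized_keys_path "$SUSPECT_USER" "$PASSWD")"
echo "== authorized_keys at ${keys:-(no such user)}:"
if [ -n "$keys" ] && [ -s "$keys" ]; then cat "$keys"; else echo "(none)"; fi
echo "== sshd events (attempts accepted):"; auth_summary "$SUSPECT_USER" "$AUTHLOG"
echo "== miner processes (pid user %cpu comm):"; miner_procs "$PSOUT"
```

On a real box run it as root with LIVE=1; a non-zero "accepted" count for the account, or a sudo/adm group membership, is the point at which reinstalling from a known-good ISO beats cleaning up in place.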
That's a workaround, not a fix. I was able to create a KVM image for Proxmox just fine though!
Has SolusVM emailed the providers about this?
Something I’ve been wondering about as well.
I wonder more how this went into the template undetected.
Or if there is more to discover and this is just the tip of the iceberg.
Well at least now I know that every time I wasted time installing from ISO (i dislike templates) it was worth it.
Where is the announcement by SolusVM?
The Debian 10 images linux-debian-10-x86_64-gen2-{v1,v2}.gz on templates.solusvm.com were apparently updated very recently - without even changing the filename. This alone doesn't smell good. Anyway, I downloaded the latest image locally to find out how they "patched" it... Geez, they just mounted the image and edited /etc/passwd and /etc/shadow instead of recreating the image from scratch!?
They'd probably mess something else up if they tried to create a new one from scratch, since I doubt they've properly automated the creation of templates. My guess is that it's all manually done, compared to something like LXC where the images are automatically built.
Am I seeing things right? They kept a copy of the original version and just added a hyphen to the end of the name (etc/passwd-)? wut. Holy shit, that's rich.
Francisco
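Added example, not from the thread and not SolusVM's code, for the two posts above about the edited template: given a mounted root filesystem, list accounts that exist in the passwd- backup but not in passwd (what an in-place edit removed), plus every account whose shadow entry still holds a usable password hash. The sample passwd, passwd-, shadow and shadow- files are constructed for offline use with placeholder hashes; the MNT variable and the file layout are this example's assumptions.

```shell
#!/bin/sh
# Check the account databases inside a template image (or any root filesystem)
# for leftover login-capable accounts and for what an in-place edit removed.
# MNT points at the mounted root. By default a temp dir is filled with
# constructed sample files so this runs offline; on a real image, mount it
# read-only first and run: MNT=/mnt sh check_template.sh

MNT="${MNT:-}"
if [ -z "$MNT" ]; then
    MNT="$(mktemp -d)"; mkdir -p "$MNT/etc"
    # Constructed sample: the "-" files are the backups left behind after the
    # live files were edited. Hashes are placeholders, not real credentials.
    cat > "$MNT/etc/passwd-" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
debianuser:x:1000:1000::/home/debianuser:/bin/bash
EOF
    cat > "$MNT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
EOF
    cat > "$MNT/etc/shadow-" <<'EOF'
root:$6$FAKESALT$FAKEHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
debianuser:$6$FAKESALT$FAKEHASH2:19000:0:99999:7:::
EOF
    cat > "$MNT/etc/shadow" <<'EOF'
root:$6$FAKESALT$FAKEHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
EOF
fi

# Usernames present in the backup copy but gone from the live file.
removed_accounts() {   # $1 backup (e.g. passwd-), $2 live file (e.g. passwd)
    awk -F: 'NR == FNR { live[$1] = 1; next } !($1 in live) { print $1 }' "$2" "$1"
}

# Accounts whose shadow hash field is neither empty, "*" (no password) nor
# "!"-locked: these can authenticate with a password.
login_capable_accounts() {   # $1 shadow file
    awk -F: '$2 != "" && $2 != "*" && substr($2, 1, 1) != "!" { print $1 }' "$1"
}

# Non-system accounts (UID >= 1000, excluding nobody): a fresh template should
# ship with none.
regular_accounts() {   # $1 passwd file
    awk -F: '$3 >= 1000 && $1 != "nobody" { print $1 }' "$1"
}

echo "== removed between passwd- and passwd:"
removed_accounts "$MNT/etc/passwd-" "$MNT/etc/passwd"
echo "== regular accounts in passwd- / passwd:"
regular_accounts "$MNT/etc/passwd-"; echo --; regular_accounts "$MNT/etc/passwd"
echo "== password-capable accounts in shadow- / shadow:"
login_capable_accounts "$MNT/etc/shadow-"; echo --; login_capable_accounts "$MNT/etc/shadow"
```

The backup files are what give the game away: if the vendor had rebuilt the image, there would be nothing in passwd- or shadow- that is not also in the live files.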
That is a straight up "We think we're going to get sued so we'll silent patch this and hope no one calls us on our bullshit".
Francisco