Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
VPS got Hacked with IptabLes IptabLeX
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

VPS got Hacked with IptabLes IptabLeX

BellaBella Member
edited June 2014 in Help

Hi. I have over 60 VPS's from various providers here all running the exact same setup, but for the past month my Weloveservers VPSs keep getting compromised and sends out-going ddos attacks by using these 2 files inside /boot/

/boot/IptabLes
/boot/IptabLex

There are no login logs or anything.

It was a completely new Centos 5 32bit install with only httpd (apache) hosting a web page.

http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=VServer Trojan

http://askubuntu.com/questions/407457/help-my-server-has-been-hacked-iptables-and-iptablex-in-boot

http://forum.synology.com/enu/viewtopic.php?f=19&t=85779

I have turned off the VM for now instead of reinstalling it so we can possibly investigate it.

Comments

  • namhuynamhuy Member

    Do you have iptables, what services do you have on those VPS? I'm interested in knowing what happened to your VPS.

  • What services were up on your VPS? What control panel were you using?

    Cheap VPS - VPSDime

  • it would help alot if you wouldnt hide who the providers were. name them and maybe we can help.

  • TheLinuxBugTheLinuxBug Member
    edited June 2014

    When you installed the vm, did you take time to ensure you upgraded sshd (openssh-server) and upgraded openssl to the newest version? Older versions of ssh that came packaged with some versions of CentOS 5 and Debian 6 I found to be exploitable and I had seen something similar happen to a server when using an older unupdated template for Debian 6 when installing with an OpenVZ provider once. Installed and "secured" (installed denyhosts) the server but didn't update software and then returned to server less than 12 hours later to see it exploited and sending out spam. The only port I had exposed was port 22 on the server.

    You should get and run rkhunter (http://rkhunter.sourceforge.net/) as it checks for a lot of exploits and take notice when its listing hidden files. In the case of the server I had this issue with, I found that not only was the server exploited but the version of ssh that was in use had been set to save all passwords used when connecting to outbound servers to a hidden file. If you have sshed to any other servers from the one your saying is exploited now, I would be sure to change the password on them, just in case.

    I hope this helps.

    Cheers!

    Thanked by 1Mark_R

    Have an Allwinner H3 device? Android? Check out H3Droid! | Lichee Pi Zero - The 6$ SBC | #SYSarm - Get It! | Atomic Pi - $35 x86 SBC
    21+ Years IT Experience in Linux/Windows Hosting, Administration and Development Services

  • BellaBella Member

    @namhuy said:
    Do you have iptables, what services do you have on those VPS? I'm interested in knowing what happened to your VPS.

    Yes I only allowed 80 for Apache and 22 for SSH

    I was only running Apache and SSH services

    @serverian said:
    What services were up on your VPS? What control panel were you using?

    Apache and SSH and no control panel. But we love severs uses SolusVM

    @darkshire said:
    it would help alot if you wouldnt hide who the providers were. name them and maybe we can help.

    I did say that this has been happening only to my We love servers VPSs

  • BellaBella Member

    @TheLinuxBug said:
    When you installed the vm, did you take time to ensure you upgraded sshd (openssh-server) and upgraded openssl to the newest version? Older versions of ssh that came packaged with some versions of CentOS 5 and Debian 6 I found to be exploitable and I had seen something similar happen to a server when using an older unupdated template for Debian 6 when installing with an OpenVZ provider once. Installed and "secured" (installed denyhosts) the server but didn't update software and then returned to server less than 12 hours later to see it exploited and sending out spam. The only port I had exposed was port 22 on the server.

    You should get and run rkhunter (http://rkhunter.sourceforge.net/) as it checks for a lot of exploits and take notice when its listing hidden files. In the case of the server I had this issue with, I found that not only was the server exploited but the version of ssh that was in use had been set to save all passwords used when connecting to outbound servers to a hidden file. If you have sshed to any other servers from the one your saying is exploited now, I would be sure to change the password on them, just in case.

    I hope this helps.

    Cheers!

    I ran yum update -y right after I installed the os so everything should have been updated.

    I will look into the software you mentioned. Thanks

  • Are you using a weak root password?

    Are you using an install script to configure your server?

    We have seen this to but never figured out how it is happening and this also has been with Chinese clients for some reason.

    Patrick | INIZ
  • Maximum_VPSMaximum_VPS Member
    edited June 2014

    @Bella did you change the password that was assigned to your vps by the provider/also make sure to logout of any vnc sessions etc ?

  • BellaBella Member

    @INIZ said:
    Are you using a weak root password?

    Are you using an install script to configure your server?

    We have seen this to but never figured out how it is happening and this also has been with Chinese clients for some reason.

    I use this to make my password
    https://www.random.org/passwords/?num=5&len=20&format=html&rnd=new

    No I do not use any install script

    This only happens to my we love servers vps's.

    I have VPSs with crissic,ramnode,iniz,ugvps,chicagovps, even gvh and many other providers all running the same setup and same os and they've never been compromised.

    I am starting to think someone is taegetting certain IP ranges with some exploit.

  • BellaBella Member

    @Maximum_VPS said:
    Bella did you change the password that was assigned to your vps by the provider/also make sure to logout of any vnc sessions etc ?

    Yes of course, I always change the password the first time I login.

    And I have multiple we love servers VPSs and this is the third one that's been compromised this month.

    Same thing happened to another vps two weeks ago that is on a completely different IP range.

  • Maximum_VPSMaximum_VPS Member
    edited June 2014

    @Bella something like this happened to me with a test vps with another provider, in no way can I explain how it happened, but it seemed there was nothing I could do as it would keep happening. Only thought I had was it could be something with the template but moved providers.

    If all else fails, maybe do the same?

  • BellaBella Member

    @Maximum_VPS said:
    Bella something like this happened to me with a test vps with another provider, in no way can I explain how it happened, but it seemed there was nothing I could do as it would keep happening. Only thought I had was it could be something with the template but moved providers.

    If all else fails, maybe do the same?
    @Maximum_VPS said:
    Bella something like this happened to me with a test vps with another provider, in no way can I explain how it happened, but it seemed there was nothing I could do as it would keep happening. Only thought I had was it could be something with the template but moved providers.

    If all else fails, maybe do the same?
    @Maximum_VPS said:
    Bella something like this happened to me with a test vps with another provider, in no way can I explain how it happened, but it seemed there was nothing I could do as it would keep happening. Only thought I had was it could be something with the template but moved providers.

    If all else fails, maybe do the same?

    Yeah I'm going to install centos 6 and let it sit for a week and see if it gets compromised again.

    Might just be the Centos 5 template that's the problem.

  • Maximum_VPSMaximum_VPS Member
    edited June 2014

    @Bella Good idea, please update the thread then, as im sure some would like to know the outcome. :)

  • BellaBella Member

    Been two days on Centos 6 64 bit and my box has not been compromised, looks like it has something to do with Centos 5

  • It's known Linux botnet.

    Make very strong passwords and make sure you delete all virus files.

    Freelance System Administrator, available for hire. Primary tasks i do concentrated on: PHP, MySQL, Postgres, Nginx, DDoS-protection, application security, high-performance solutions, high-availability / clustering.

  • Master_BoMaster_Bo Member
    edited June 2014

    Just for records, what security measures do you take? Regularly upgrading all possibly vulnerable OS components/software, using key SSH authentication only, using IDS (at least something that checks for filesystem changes - Aide and the like), and so on?

    Do server logs have anything of interest?

    Monitor your network assets with IPHost (contact me to obtain a discount code)
  • @Bella, could you please upload these files somewhere? I'd like to analyze it.

  • I had a customer whose VPS caught this yesterday. I detected it because their VPS started sucking up all the bandwidth on the node. After inspecting the logs I'm pretty sure somebody (likely a bot) guessed the root password and installed it. There were successful root logins from several different IPs. I removed the virus using the instructions from this article and everything looks OK now, although I strongly recommended that my customer reinstall their OS and take a few additional security precautions. In particular, disabling root logins over SSH and picking a better root password.

    I've also seen the same IP address trying to log into several of my other VPSes on the same node very aggressively. Fortunately it's not successfully getting into anything else so far.

    Owner of BoneVM LLC.
    VPS host with expert support.

  • wychwych Member
    Thanked by 1orak

    Taking a hiatus.

Sign In or Register to comment.