Oct 27 2007

Well, I managed to get my new VPS set up and working. Then random programs started segfaulting, to the point where it wouldn’t boot up. I pulled the affected programs off and ran clamscan over them – they were infected by the Linux.RST.B-1 virus. Shut the VPS down, started pulling the important data off via the web-based admin console, and went to check my e-mail. Hey presto – an e-mail saying that the provider had been getting reports of SSH brute force attempts from my box, sent at about the same time I’d started seeing issues.

Took a look at the logs, and there was an ssh brute force attempt followed by a successful login as root from a strange IP yesterday evening. I never log in as root over ssh – in fact, I wasn’t even sure if it was enabled. Of course, this left the question of why the attack succeeded – sure, the VPS came with a horribly insecure root password, but I’d reimaged it and changed the password before ssh had even had a chance to start. Turns out the management software (HyperVM) had its own idea of what the root password should be, and automatically reset it to that on every boot. Since I don’t use the root password, I didn’t notice.

(The management software is interesting in itself. For example, it stores the root password in plaintext, and it inserts it into /etc/shadow using the ancient and not particularly secure DES-based hashing algorithm. I also wouldn’t like to make any bets on the security of the web administration interface in general.)
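The two things worth checking for on a box like this are exactly what the log review and the note about HyperVM turned up: a successful root login that follows a run of failed attempts from the same address, and traditional DES crypt hashes sitting in /etc/shadow. The script below is an added example, not code from the post or from HyperVM; the sshd log lines, the host name "vps", the documentation IP addresses and the shadow hash fields are all constructed for the demonstration.

```python
import re

# Constructed sshd log excerpt (hypothetical host "vps", documentation IPs);
# not taken from the original post.
SAMPLE_AUTH_LOG = """\
Oct 26 21:14:01 vps sshd[2231]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 26 21:14:03 vps sshd[2233]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct 26 21:14:05 vps sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Oct 26 21:14:30 vps sshd[2290]: Accepted password for root from 203.0.113.7 port 40201 ssh2
Oct 26 22:00:12 vps sshd[2401]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
"""
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def suspicious_root_logins(log_text, min_failures=3):
    """(ip, prior_failures) for each successful root login preceded by at
    least min_failures failed attempts from the same IP."""
    failures, hits = {}, []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif m.group("user") == "root" and failures.get(ip, 0) >= min_failures:
            hits.append((ip, failures[ip]))
    return hits


# Constructed /etc/shadow excerpt; hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:13813:0:99999:7:::
alice:$1$saltsalt$placeholderhash0123456789:13813:0:99999:7:::
daemon:*:13813:0:99999:7:::
"""

def weak_shadow_entries(shadow_text):
    """Users whose password field is a traditional DES crypt hash: exactly 13
    characters and no $id$ prefix. Locked (*, !) and empty fields are skipped."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[1] or fields[1][0] in "*!":
            continue
        if not fields[1].startswith("$") and len(fields[1]) == 13:
            weak.append(fields[0])
    return weak
```

Run against a real box, the first function wants the full auth log rather than the sample, and the second needs root to read /etc/shadow.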

Posted by at 2:58 pm