[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] My VPS relay has just been hacked

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] My VPS relay has just been hacked
From: Jeroen Massar <jeroen@xxxxxxxxx>
Date: Sat, 25 Oct 2014 17:34:59 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 25 Oct 2014 11:44:30 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1414251302; bh=w8Ukak00/f11UF3zzRoFoJYYiYfk9DPA52a7pbLj5SU=; h=Date:From:To:Subject:References:In-Reply-To; b=ERe7LfarAnqzMLe4J1cb8QbXxMxrkoC5LNM4olWHWBYnnjrQOEn6jWyBQWTavtQJe RAF5FA/vvLR7OrGbUGrVzPShEzEb4430k583eFUoEd5OrC7WGnC6RNhIpEbLH9Z1Jg dK2wN39rUTqiDTkWQQf5A2wRFHZ2F0YUdpA2s+ysdQpg3r0R2EAnop36Q30Av2auWi H0n/fGf0nQiCTryYv/rFGCbDCqQO+YQmEbWH8UrZsQgew8Xux/1YIL38n4JOqKjfl+ PH2nUO2nqu/AETNxpmYvP1WmlmpsxvLMf5c4Z/czcWOk1mt82MF2zmPWnFAopzwD8Q hEDioqyyhjwBg==
In-reply-to: <544BB555.6080800@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Organization: Massar
References: <544BB555.6080800@xxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 2014-10-25 16:36, Nick Sheppard wrote:
> For the last month I've been running a middle relay (no guard flag yet)
> on a 512 MB VPS provided by Edis.at in Switzerland (4.99 euro per

You are aware that Edis is considered a bit shady I hope; though this is
likely because they attract a lot of cheap customers and thus get a lot
of abuse out of their network. The question becomes at one point if it
is a separate customer or themselves though.

Also note that they are just reselling other peoples services, hence why
they are cheap as they oversubscribe a lot.

> The Solus control panel traffic graph started showing (a very small

That Solus control panel could have been a way in to your system.

What kind of virtualization is used?

[..]
> Each block is always 5 lines, and the names (always 10 lower-case
> letters) seem to be different every time.  The blocks change fairly
> regularly every second or two.

The virus/bot/etc is respawning processes so that nobody can easily kill
them.

pstree will show you where the process comes from originally.

The random name makes classification easier.

[..]
> Eventually I'll have to reinstall everything from scratch,
> straightforward enough, but what can I do to make sure it doesn't happen
> again?  Would hardening my iptables work?  Has anyone else seen this?

Actually secure a machine.

Most likely they just guessed your password by an automated SSH login
botnet.

Using SSH keys, firewalling SSH off except for trusted hosts and not
having any services listening that you do not want are key to a properly
secured system. There are lots of articles on the interwebz about it.

Greets,
 Jeroen

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] My VPS relay has just been hacked
  - From: Nick Sheppard

Prev by Author: Re: [tor-relays] Slow relay speeds for Australian geographic location(s)
Next by Author: Re: [tor-relays] exit relay not utilising full capacity (even after months)
Previous by thread: [tor-relays] My VPS relay has just been hacked
Next by thread: Re: [tor-relays] My VPS relay has just been hacked
Index(es):
- Author
- Thread