BitFolk Users August 2019

users@mailman.bitfolk.com

1 participants
1 discussions

Security incident: Customer SSH password guessed, VPS used for further attacks and cryptocurrency mining

by Andy Smith

Hi, Last week we received abuse reports of SSH dictionary attacks coming from a customer IP. At the time of investigation no attacks were taking place but looking at historical bandwidth use it did seem that something anomalous had happened in a few short bursts. It was also obvious that the VPS had started using 100% of both of its CPU cores around the same time as the first traffic spike: https://imagebin.ca/v/4sqgOQKzxB4r The customer was then informed of the probable compromise. While we were watching the outbound SSH connections a dictionary attack started up again, so we had no option but to disable the customer's network access. The customer later confirmed presence of this malware: https://kindredsec.com/2019/05/31/dota-campaign-analyzing-a-coin-mining-and… They had got in through an SSH dictionary attack against the customer and then installed this to continue attacks and mine cryptocurrency. Unfortunately since the compromised account had full sudo access, the customer had no choice but to completely reinstall. We always recommend that password auth be disabled for SSH. Do note that you can also upload SSH public keys and disable password auth for your Xen Shell access, and/or require two factor auth. This is set via the Panel: https://panel.bitfolk.com/account/security/ About this email: https://tools.bitfolk.com/wiki/Security_incident_postings Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting

4 years, 7 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

BitFolk Users August 2019