Compromised 2Gb Linode Deb10 image

I have just shrunk a basic Linode disk image that was recently compromised down to 2048 MB, specifically for security audit purposes.

It is a Debian 10 Buster installation with nothing on it. In May I had just started looking at doing what Wendell recently did in the HAProxy video. I got to the stage of realising I could use a Docker image, but nothing was ever added.

At some point in June or July the user login was compromised (not root), and the node had network restrictions placed on it from the 23/24 of July due to botnet and SSH brute-force activity.

There was no trail cleanup, so there is a lot of data available. From what I can tell, they try known usernames over SSH; when they gain access they start connecting to a specific web server and three main mail servers, then others come and try different usernames, while the compromised user starts more SSH searches (enough to be flagged by network support).

I am offering the disk image here because the only other security alert website I have used in the past only dealt with emails and email addresses, and I can't remember its name at the moment (but they are well known).

I can allow downloading the image from the CLI via secured Finnix Rescue Mode for anyone who wants to download and/or mirror it.

I can't rebuild the Linode (and start the HAProxy install) without destroying all images (as far as I can tell).

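The pattern the poster describes (many failed logins against guessed usernames, then a successful login, then further logins from other addresses) is exactly what a quick pass over the sshd entries in /var/log/auth.log surfaces. The script below is an added example, not the poster's code or log data: it parses a constructed sample of Debian-style sshd log lines (documentation IP ranges from RFC 5737, illustrative usernames), counts failed attempts per source address and per username, and lists each accepted login together with how many failures the same address had already produced earlier in the log. The sample log, the threshold, and the function names are all assumptions.

```python
"""Correlate SSH brute-force attempts with successful logins in auth.log lines.

Added example; not from the original post. The sample below is constructed
(RFC 5737 documentation addresses, made-up usernames and PIDs) and only
imitates the format Debian's sshd writes to /var/log/auth.log.
"""
import re
from collections import Counter

# Constructed sample, NOT the poster's real log.
SAMPLE_AUTH_LOG = """\
Jun 26 03:14:07 localhost sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jun 26 03:14:09 localhost sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Jun 26 03:14:12 localhost sshd[1205]: Failed password for invalid user pi from 192.0.2.10 port 51244 ssh2
Jun 26 03:14:15 localhost sshd[1207]: Failed password for invalid user ubuntu from 198.51.100.7 port 40001 ssh2
Jul  2 22:41:03 localhost sshd[2210]: Failed password for paul from 203.0.113.5 port 33210 ssh2
Jul  2 22:41:05 localhost sshd[2212]: Failed password for paul from 203.0.113.5 port 33214 ssh2
Jul  2 22:41:08 localhost sshd[2214]: Accepted password for paul from 203.0.113.5 port 33220 ssh2
Jul  2 22:41:08 localhost sshd[2214]: pam_unix(sshd:session): session opened for user paul by (uid=0)
Jul  3 01:10:44 localhost sshd[2301]: Accepted password for paul from 198.51.100.7 port 40220 ssh2
Jul  3 01:12:00 localhost sshd[2303]: Failed password for invalid user oracle from 198.51.100.7 port 40230 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." plus "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """Return a list of dicts (ts, result, method, user, ip) for sshd auth lines.

    Lines that are not authentication results (pam_unix session lines, etc.)
    are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failure_counts(events):
    """Count failed logins per source IP and per attempted username."""
    by_ip, by_user = Counter(), Counter()
    for ev in events:
        if ev["result"] == "Failed":
            by_ip[ev["ip"]] += 1
            by_user[ev["user"]] += 1
    return by_ip, by_user


def brute_force_sources(events, threshold=3):
    """IPs with at least `threshold` failed logins, most active first."""
    by_ip, _ = failure_counts(events)
    return [ip for ip, n in by_ip.most_common() if n >= threshold]


def accepted_logins(events):
    """Every accepted login, annotated with the number of failures the same
    source IP produced earlier in the log (the brute-force-then-success
    pattern). A success from an address with few or no prior failures is
    worth a look too: it suggests the credential arrived from elsewhere."""
    prior = Counter()
    hits = []
    for ev in events:
        if ev["result"] == "Failed":
            prior[ev["ip"]] += 1
        else:
            hits.append({**ev, "prior_failures": prior[ev["ip"]]})
    return hits


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_AUTH_LOG)
    by_ip, by_user = failure_counts(evs)
    print("failed logins per source:", dict(by_ip))
    print("usernames tried:", dict(by_user))
    print("brute-force sources (>=3 failures):", brute_force_sources(evs))
    for h in accepted_logins(evs):
        print(f"ACCEPTED {h['ts']} user={h['user']} from={h['ip']} "
              f"prior_failures_from_ip={h['prior_failures']}")
```

Run it against a real auth.log by replacing `SAMPLE_AUTH_LOG` with the file contents (or feeding `parse_auth_events` the concatenated rotated logs, since Debian keeps only a few weeks of auth.log by default). The username counter is what answers the question asked later in this thread about which logins were being guessed; the `prior_failures` annotation is what separates the address that actually brute-forced its way in from addresses that logged in straight away with the already-known credential.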

What username:pass combination were you using, out of curiosity, assuming you’re okay to share? I’d settle for the username, just because it’s interesting to see what was prevalent enough to be attempted.

As a side note, I’ve found doing nothing more than changing the SSH port to something other than the default stops quite literally all automated attacks, with the added benefit being if any OpenSSH vuln comes to light down the track you’re [largely] covered.


Although it's a 64-bit x64 Debian 10 Buster install, I only have Raspberry Pi machines, most based on Raspbian (Raspberry Pi OS) …

I had thought about default port changes, and in this case it would have made a difference, but I think it will interfere with the HAProxy install as the automation uses 22 (standard SSH).

The upside of this, besides it not containing any data that could be taken or destroyed, is that there is a complete history of multiple individuals repeatedly trying certain URLs. They seem to have a home-base ping server that lets others know about the compromised IP address.

I already traced 2 IP addresses: one from another compromised system (I think) in the Netherlands (my Linode is in Texas) with a web server that only reports 404, and the actual offender in Russia, who was still allowed inbound SSH while all outbound was blocked. I know it's "him" because the only service on that IP is a black-holed mail server (it does not say "yay or nay", as opposed to failing).

But I would like to see some thorough analysis and IP tracing, as I think this group can be caught; they are just too careless, although not destructive apparently (maybe they just collect compromised IP addresses, but the fact that they talk to 3 specific mail servers makes me think they are scammers, and maybe sell the IP addresses). There is more than enough info to construct a really good honeypot (especially if it had a Wireshark log running as well).

I just .tar.xz'd the image, and it's down to 400+ MB, so an upload somewhere would be nice.

Meh, turns out the logs only cover 30 days.

Edit: but it does go back to 26 June, before the successful compromise.

I have a 7 MB archive of /var/log if anyone is interested.

I'd be very interested in looking through this, if you don't mind sharing.

The security researchers I could not remember have just restarted a monthly update newsletter:

DShield / Internet Storm Center
https://isc.sans.edu/

New Data Feeds

We keep improving existing data feeds and are adding new ones. For more details about how to use them, please check https://isc.sans.edu/api.

cheers

Paul