What if your VPS is compromised

A bad title for a bad day for some.

What if one day your hoster finds out that it has been answering iSCSI requests from all over the world, and that it really did export all the VPS (virtual machine) data (filesystems/disks) to the whole world? Not only readable but also writeable?

If that day is happening for you today, then follow the right protocol:

Step 1: Make an offline backup of your current data (the VPS hoster can probably help you); if the problem still isn't fixed you could do it over iSCSI yourself. Beware: mount it read-only to avoid any data corruption. Use this data to save your email, images, website HTML and so on. We will come back to this data later in this sad story.

If you have any file which is not encrypted and contains SSL certificates, passwords or ssh keys, act upon it:

  • Revoke your SSL certificate (and request a new one)
  • Disable the passwords
  • Remove the ssh keys from the authorized keys file on any other host

In case of ssh keys and passwords: if someone is able to log in to a box ‘over the internet’ or ‘from the VPS’ using this information, treat those accounts as compromised. If the account is root, go over this story again with that other hostname in mind.
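Two pieces of step 1 in script form, as an added example that is not part of the original post: a helper that builds the read-only mount command for the rescued disk (with the journal-replay caveat a plain `ro` mount misses), and a filter that removes the keys found on the compromised VPS from the `authorized_keys` file of another host. All key material, paths and hostnames are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. It covers two parts of step 1:
# building a read-only mount command for the rescued disk, and removing the
# keys that lived on the compromised VPS from the authorized_keys files of
# every other host. All key material below is constructed sample data.

# ro_mount_cmd FSTYPE DEVICE MOUNTPOINT: print the mount command for inspecting
# the rescued disk without writing to it. A plain "-o ro" is not enough on a
# journaled filesystem: ext3/ext4 replay the journal unless "noload" is given,
# and XFS does the same unless "norecovery" is given. Setting the block device
# read-only first (blockdev --setro DEVICE) is an extra safety net.
ro_mount_cmd() {
    case "$1" in
        ext3|ext4) opts="ro,noload" ;;
        xfs)       opts="ro,norecovery" ;;
        *)         opts="ro" ;;
    esac
    printf 'mount -t %s -o %s %s %s\n' "$1" "$opts" "$2" "$3"
}

# Public halves of the keys found on the compromised VPS (its ~/.ssh/id_*.pub
# files). They are treated as burned whether or not the private halves were
# actually taken. Constructed, not real keys.
COMPROMISED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBURNEDKEY0000000000000000000001 deploy@old-vps
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDBURNEDRSAKEY00000000000000000002 backup@old-vps'

# Constructed authorized_keys of another host: burned and clean keys mixed, one
# entry carrying options and a changed comment, plus a comment line.
AUTHORIZED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBURNEDKEY0000000000000000000001 deploy@old-vps
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDCLEANKEY00000000000000000000001 admin@laptop
command="/usr/bin/rrsync /srv/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDBURNEDRSAKEY00000000000000000002 renamed
# keys below this line are managed by hand'

# key_blob LINE: print "<type> <base64>" of an authorized_keys or .pub line,
# skipping any leading options. Matching on type and key material only means a
# renamed comment or added options do not hide a burned key.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# strip_compromised_keys COMPROMISED AUTHORIZED: print AUTHORIZED with every
# line whose key appears in COMPROMISED removed; blank lines, comment lines and
# unparseable lines are passed through unchanged for a human to review.
strip_compromised_keys() {
    burned=$(printf '%s\n' "$1" | while IFS= read -r l; do key_blob "$l"; done)
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        blob=$(key_blob "$line")
        if [ -n "$blob" ] && printf '%s\n' "$burned" | grep -qxF -- "$blob"; then
            continue   # burned key: drop the line
        fi
        printf '%s\n' "$line"
    done
}

# Stand-alone run: show the mount command and the cleaned authorized_keys.
ro_mount_cmd ext4 /dev/sdb1 /mnt/rescue
strip_compromised_keys "$COMPROMISED_KEYS" "$AUTHORIZED_KEYS"
```

Run the filter against every host the old VPS could log in to, write the result to a new file, compare it with the original, and only then move it into place; the comparison is on key type and key material, so a copied key with a changed comment or added options is still caught.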

Step 2: Set up a new VPS from a trusted source.

Step 3: Configure all the software again

Step 4: Copy all uncompromised data back to the new VPS. Don’t copy any file, and in particular any configuration file, executable or script, unless you are sure it is not compromised.

And no, if the IP storage protocol port was open to the real internet for a longer time, you can’t trust the data on your backups anymore either.

And for God’s sake, if any of you iSCSI administrators are reading this:

This list is a hint to do all of it, not only one item!

  • Firewall your iSCSI machine
  • Put password authentication in the iSCSI configuration
  • Make sure your iSCSI server is only in a private net
  • A private net without a router to the big internet
  • TEST YOUR SETUP! (with a fast line; 512kb/sec is a bit slow for this kind of operation.)

The last is pretty easy. Even I could learn how to do it on my laptop.
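The checklist above, turned into something you can run on the target host, as an added example that is not part of the original post. It puts a weak tgt `targets.conf` definition beside its hardened form (CHAP plus an initiator ACL), checks a socket listing for iSCSI bound to non-private addresses, and prints an nftables ruleset that only admits port 3260 from the storage subnet. The IQN, device path, addresses, CHAP secret and the `ss -ltn` output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for an iSCSI target
# host, following the checklist above (firewall, authentication, private net,
# test). The config snippets use the tgt (scsi-target-utils) targets.conf
# syntax; IQNs, device paths, addresses and the CHAP secret are constructed
# placeholders.

# Constructed weak target definition: no CHAP and no initiator ACL, so anyone
# who can reach TCP/3260 may log in and read or write the disk.
WEAK_CONF='<target iqn.2024-01.example.invalid:storage.vm1>
    backing-store /dev/vg0/vm1
</target>'

# Hardened counterpart: a CHAP user for the initiator and logins limited to the
# private storage network via tgt's initiator-address ACL.
HARDENED_CONF='<target iqn.2024-01.example.invalid:storage.vm1>
    backing-store /dev/vg0/vm1
    incominguser vm1-initiator CHANGE-ME-long-random-secret
    initiator-address 10.20.0.0/24
</target>'

# conf_requires DIRECTIVE CONF: succeed only if every <target> block in CONF
# contains DIRECTIVE as the first word of some line.
conf_requires() {
    printf '%s\n' "$2" | awk -v d="$1" '
        /^<target /   { in_t = 1; has = 0 }
        $1 == d       { if (in_t) has = 1 }
        /^<\/target>/ { in_t = 0; if (!has) bad++ }
        END           { exit (bad > 0) }'
}
conf_has_chap()             { conf_requires incominguser "$1"; }
conf_restricts_initiators() { conf_requires initiator-address "$1"; }

# Constructed "ss -ltn" output of a badly configured target host: tgtd listens
# on the wildcard address (v4 and v6) as well as on the storage interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:3260       0.0.0.0:*
LISTEN 0      128    10.20.0.5:3260     0.0.0.0:*
LISTEN 0      128    [::]:3260          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# exposed_iscsi_listeners LISTING: print every local address on which port 3260
# is listening and which is neither loopback nor RFC 1918; exit 1 if any is
# found. This is the "test your setup" item: a wildcard bind with no firewall
# means the target answers the whole internet.
exposed_iscsi_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        addr = $4
        n = split(addr, p, ":"); port = p[n]
        if (port != "3260") next
        ip = substr(addr, 1, length(addr) - length(port) - 1)
        gsub(/\[|\]/, "", ip)
        if (ip ~ /^10\./ || ip ~ /^192\.168\./ ||
            ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ ||
            ip ~ /^127\./ || ip == "::1") next
        print ip; bad++
    } END { exit (bad > 0) }'
}

# iscsi_nft_rules SUBNET: print an nftables ruleset that accepts TCP/3260 only
# from SUBNET and drops everything else, so that even a stray wildcard bind
# stays unreachable from outside the storage network.
iscsi_nft_rules() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ip saddr $1 tcp dport 3260 accept
    }
}
EOF
}

# Stand-alone run: report on both configs and on the sample socket listing.
yesno() { "$@" >/dev/null 2>&1 && echo yes || echo no; }
for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    printf '%-13s CHAP=%s initiator-ACL=%s\n' "$name" \
        "$(yesno conf_has_chap "$conf")" "$(yesno conf_restricts_initiators "$conf")"
done
printf 'iSCSI reachable on non-private addresses: %s\n' \
    "$(exposed_iscsi_listeners "$SAMPLE_SS" | tr '\n' ' ')"
```

On a real host feed `ss -ltn` output to `exposed_iscsi_listeners` and the live `targets.conf` to the two `conf_*` checks; the point of the socket check is that "only in a private net" has to be verified from the outside as well, since a daemon bound to `0.0.0.0` is reachable the moment any interface gets a public address.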
