Soleus Hosts Compromised

Dear Soleus member,

As you can read, I did 'compromise'/'hack' the storage server.

What I did was:

iscsiadm -m discovery -I default -t sendtargets -p 94.142.246.2:3260

iscsiadm -m node -I default -T iqn.2008-12.nu.soleus.storage:inflaton -l

That did deliver me partitions: sda till sdz and sdaa till sdau. Meaning: all iSCSI LUNs on all (the only one) iSCSI targets.
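Added example, not from the post and not Soleus's own configuration: a small Python audit that parses a tgtd-style targets.conf (constructed inline) and flags targets that, like the one logged into above, accept logins from any initiator without CHAP. It assumes tgt's `<target IQN> ... </target>` block syntax, the `initiator-address`, `initiator-name` and `incominguser` directives, and that a target with no ACL directive is bound to ALL; the second IQN is made up.

```python
import re
from typing import Dict, List

# Constructed sample targets.conf (assumption: tgt's block syntax).
# The first target mirrors the exposed one from the post: no ACL, no CHAP.
# The second shows the hardened form: subnet ACL plus CHAP credentials.
SAMPLE_TARGETS_CONF = """
<target iqn.2008-12.nu.soleus.storage:inflaton>
    backing-store /dev/vg/inflaton
</target>

<target iqn.2008-12.example.storage:hardened>
    backing-store /dev/vg/hardened
    initiator-address 10.0.0.0/24
    incominguser vpsnode changeme-long-secret
</target>
"""

_TARGET_RE = re.compile(r"<target\s+([^\s>]+)>(.*?)</target>", re.S)


def parse_targets(conf: str) -> Dict[str, List[str]]:
    """Return {iqn: [directive lines]} for every <target> block, skipping comments."""
    out: Dict[str, List[str]] = {}
    for iqn, body in _TARGET_RE.findall(conf):
        lines = [ln.strip() for ln in body.splitlines()]
        out[iqn] = [ln for ln in lines if ln and not ln.startswith("#")]
    return out


def audit_target(directives: List[str]) -> List[str]:
    """Flag a target that any initiator can reach and log into unauthenticated."""
    findings = []
    addrs = [d.split(None, 1)[1] for d in directives if d.startswith("initiator-address")]
    names = [d for d in directives if d.startswith("initiator-name")]
    if not addrs and not names:
        findings.append("no initiator ACL (assumed to default to ALL)")
    elif any(a.strip().upper() == "ALL" for a in addrs):
        findings.append("initiator-address ALL")
    if not any(d.startswith("incominguser") for d in directives):
        findings.append("no CHAP (incominguser) configured")
    return findings


def audit(conf: str) -> Dict[str, List[str]]:
    """Map each target IQN to its list of findings (empty list means hardened)."""
    return {iqn: audit_target(d) for iqn, d in parse_targets(conf).items()}


if __name__ == "__main__":
    for iqn, findings in audit(SAMPLE_TARGETS_CONF).items():
        print(iqn, "->", findings or "ok")
```

Even a hardened ACL and CHAP do not help once the block device is readable in clear, which is why the post's remark about encrypted filesystems still stands.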

Since I was lazy I did an 'openssl sha -sha1' on some ssh_host_key (rsa) and ssh_host_dsa_key (dsa) in /etc/ssh/ of a couple of these partitions.

That I did this on read-only filesystems does mean that some of this data traveled over unencrypted open internet lines, wireless networks, open networks, broken networks, Chinese networks or maybe even American networks.

Hostnames which I read from include (but are not limited to):

luna zabbix meson neutron preon reson localdb axion chronon hadron higgs.aquariusoft.org kingon meson neutron ns2.a61.nl preon proton sdb spurion tachyon.

And now the bad part. As burne told me, he saw spammers try to deliver email via port 53 (yes, that's 53) and as you know there is tons of bad crap on the internet. Am I really the first trying to do a mount via iSCSI? Are you sure those passwords for websites sent via email and saved on your VPS aren't read by Chinese people? Am I really that nice? [1]

Read my previous post about what to do now.

I'm sorry to ruin your weekend, but if you need advice on how to make sure your VPS is secure: contact me.

And now the nice news: people who DO have an encrypted filesystem aren't compromised, since I didn't try to break ANY encryption.

Zoloos and thanks for all the fish,

Mendel Mobach

[1]: I am!