My VPS Got Hacked And Was Used For A “100 Mbit Outbound DDOS Connection”

I have a VPS which is used only to send emails to about 30,000 subscribers. I have been doing so for several years. All the subscribers are double opt-in confirmed. The I. P. address is white-listed and everything works well. The VPS is used sparingly.

All of a sudden, I received an email today from the hosting company stating:

“IMPORTANT: this message requires action & response

We have received reports of abuse originating from your VPS. Details of the complaint are as follows:

—————————-

100 mbit outbound connection, possibly a DDOS attack, which was adversely affecting the connectivity to the hostnode

See attached graph

—————————-

Screen Shot 2014-05-10 at 17.52.53

This activity is in contravention of our terms and conditions, and may be illegal or in violation of UK or international laws.

As a result of this activity, your VPS has been suspended. Please reply to this ticket confirming action will be taken to prevent future such activity occurring. If you suspect your VPS has been compromised, you may need to wipe / re-image your VPS and start afresh. There are several ways you can seek to minimise the potential threat of your VPS being maliciously hacked:

– Using long non-dictionary passwords to mitigate brute-force attacks

– Configuring iptables firewall rules to ensure only the necessary services are externally accessible

– Allowing SSH access only by public key authentication or alternatively blacklisting or rate-limiting SSH login attempts with iptables rules or software such as DenyHosts

Under the terms and conditions, we reserve the right to terminate service for non-compliance with our terms and conditions, or for any other reason. In this case, we are giving you the opportunity to take corrective action and remain a customer. Please reply to this ticket to confirm your plan of action and provide assurances the disallowed activity will cease.”

When I checked the root folder, I noticed three files in it called .Syste, .Addre & fake.cfg. The (.) means that these are hidden files and not visible in SSH).

When I checked the running processes using the “top” command, both the processes .Syste & .Addre were running.

Using the command “ps ax”, I could identify the physical location of the process.

The .Syste process was running from the /usr/sbin/.Syste. The .Addre process was running from the root folder.

As these services are configured to start on boot, I went to the “/etc/rc.d/init.d” directory. In that, there is a file called “rc.local”. When I opened that file in notepad, it told the story:


/etc/init.d/iptables stop
nohup /usr/sbin/.Syste > /dev/null 2>&1 &
nohup /root/.Addre > /dev/null 2>&1 &
/etc/init.d/iptables stop
nohup /usr/sbin/.Syste > /dev/null 2>&1 &
nohup /root/.Addre > /dev/null 2>&1 &

The hacker had programmed it so that iptables was stopped on boot and the two processes ‘.Syste’ and ‘.Addre’ were started. The location of the files was also given.

When I tried to delete the contents of the rc.local file, I got the error:


Error writing rc.local: Permission denied

This is because the hacker had write-protected the file.

Running the command


chattr -i rc.local

removed the write-protection and enabled me to clean out the rc.local file.

Then, I went to the /usr/sbin directory & deleted the .Syste & fake.cfg files. These were also write-protected and I used the chattr command.

I also deleted the suspicious files from the root directory, using the chattr command.

I rebooted the VPS and the suspicious processes are not running.

A big mystery is how the hacker was able to use these suspicious files to remote control my VPS and create a “100 mbit outbound connection”. I opened the suspicious files in notepad but it only contained gibberish.

Anyway, after cleaning up the VPS, I changed the password and also installed CSF. I also ran a yum update. I also made a back-up of all the contents of the VPS and saved it at a remote location.

How the hacker got access to my VPS is another big mystery. My guess is that my computer must have been infected and the password which is kept in a text file by filezilla must have been accessed and sent to the hacker.

Leave a Reply

Your email address will not be published. Required fields are marked *