Compromised VPS, reason unknown - Lessons learned

stefansaeys
Posts: 4
Joined: 2015/06/19 21:26:02

Compromised VPS, reason unknown - Lessons learned

Post by stefansaeys » 2018/03/09 20:45:36

I'm running a VPS on CentOS 7 (3.10.0-693.11.6.el7.x86_64) that I believe has been properly secured.
At a certain point cpu usage went to 100%, taken by a process "minergate-+".

Apparently someone managed to gain access, changed the root password and installed this application.
I had moved ssh to a non-default port, and made it only accessible for a certain user (not root).

As I only run mail services, all ports were closed except for custom SSH, 443, 25, 465 and 993.
The service provider also offers out-of-band ssh access. Could that be the cause of this?

Could someone point me in the right direction on how to prevent this from happening in the future, as I do not have any idea what happened here?

The server name has been changed by me in the log below.
/var/log/messages content at the time of the attack:
Mar 7 14:00:05 server4 systemd: Started Getty on tty3.
Mar 7 14:00:05 server4 systemd: Starting Getty on tty3...
Mar 7 14:00:09 server4 systemd: Received SIGINT.
Mar 7 14:00:09 server4 systemd: Stopped target Timers.
Mar 7 14:00:09 server4 systemd: Stopping Timers.
Mar 7 14:00:09 server4 systemd: Stopping Availability of block devices...
Mar 7 14:00:09 server4 systemd: Stopped Daily Cleanup of Temporary Directories.
Mar 7 14:00:09 server4 systemd: Stopping Daily Cleanup of Temporary Directories.
Mar 7 14:00:09 server4 systemd: Removed slice system-selinux\x2dpolicy\x2dmigrate\x2dlocal\x2dchanges.slice.
Mar 7 14:00:09 server4 systemd: Stopping system-selinux\x2dpolicy\x2dmigrate\x2dlocal\x2dchanges.slice.
Mar 7 14:00:09 server4 systemd: Stopped Dump dmesg to /var/log/dmesg.
Mar 7 14:00:09 server4 systemd: Stopping Dump dmesg to /var/log/dmesg...
Mar 7 14:00:09 server4 systemd: Unmounting RPC Pipe File System...
Mar 7 14:00:09 server4 systemd: Removed slice system-systemd\x2dfsck.slice.
Mar 7 14:00:09 server4 systemd: Stopping system-systemd\x2dfsck.slice.
Mar 7 14:00:09 server4 systemd: Stopped target Multi-User System.
Mar 7 14:00:09 server4 systemd: Stopping Multi-User System.
Mar 7 14:00:09 server4 systemd: Stopping Multi-User System.
...
Mar 7 14:00:09 server4 systemd: Stopping Install ABRT coredump hook...
Mar 7 14:00:09 server4 systemd: Stopping libstoragemgmt plug-in server daemon...
Mar 7 14:05:02 server4 kernel: Initializing cgroup subsys cpuset
Mar 7 14:05:02 server4 kernel: Initializing cgroup subsys cpu
Mar 7 14:05:02 server4 kernel: Initializing cgroup subsys cpuacct
Mar 7 14:05:02 server4 kernel: Linux version 3.10.0-693.11.6.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Thu Jan 4 01:06:37 UTC 2018
Mar 7 14:05:02 server4 kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-693.11.6.el7.x86_64 root=UUID=96a5aefb-36cf-4f31-b5b4-303f9f84bfe8 ro elevator=noop crashkernel=auto console=ttyS0,19200 LANG=en_GB.UTF-8
Mar 7 14:05:02 server4 kernel: Disabled fast string operations
Mar 7 14:05:02 server4 kernel: e820: BIOS-provided physical RAM map:
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009dbff] usable
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x000000000009dc00-0x000000000009ffff] reserved
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000dfffcfff] usable
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x00000000dfffd000-0x00000000dfffffff] reserved
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
Mar 7 14:05:02 server4 kernel: BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable
Mar 7 14:05:02 server4 kernel: NX (Execute Disable) protection: active
Mar 7 14:05:02 server4 kernel: SMBIOS 2.4 present.
Mar 7 14:05:02 server4 kernel: Hypervisor detected: KVM
Mar 7 14:05:02 server4 kernel: e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000
Mar 7 14:05:02 server4 kernel: PAT not supported by CPU.
Mar 7 14:05:02 server4 kernel: e820: last_pfn = 0xdfffd max_arch_pfn = 0x400000000
Mar 7 14:05:02 server4 kernel: found SMP MP-table at [mem 0x000fda50-0x000fda5f] mapped at [ffff8800000fda50]
Mar 7 14:05:02 server4 kernel: RAMDISK: [mem 0x35e34000-0x36f11fff]
Mar 7 14:05:02 server4 kernel: Early table checksum verification disabled
Mar 7 14:05:02 server4 kernel: ACPI: RSDP 00000000000fda00 00014 (v00 BOCHS )
Mar 7 14:05:02 server4 kernel: ACPI: RSDT 00000000dfffd360 00034 (v01 BOCHS BXPCRSDT 00000001 BXPC 00000001)
Mar 7 14:05:02 server4 kernel: ACPI: FACP 00000000dffffd40 00074 (v01 BOCHS BXPCFACP 00000001 BXPC 00000001)
Mar 7 14:05:02 server4 kernel: ACPI: DSDT 00000000dfffd850 024A2 (v01 BXPC BXDSDT 00000001 INTL 20090123)
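As an added example (not part of the original post), the script below walks a syslog excerpt like the one above, pairs the systemd "Received SIGINT." shutdown with the next kernel boot banner, and reports the outage length and whether any sshd login preceded the shutdown; a reboot with no logged login is what you would expect from a provider console or out-of-band channel. The sample lines are constructed from the post's log, and the year (2018) and the 30-minute look-back are assumptions.

```python
import re
from datetime import datetime, timedelta

# BSD-syslog line, e.g. "Mar 7 14:00:09 server4 systemd: Received SIGINT."
LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$"
)

# Constructed sample, trimmed from the post's /var/log/messages excerpt.
SAMPLE_LOG = """\
Mar 7 14:00:05 server4 systemd: Started Getty on tty3.
Mar 7 14:00:09 server4 systemd: Received SIGINT.
Mar 7 14:00:09 server4 systemd: Stopped target Multi-User System.
Mar 7 14:05:02 server4 kernel: Initializing cgroup subsys cpuset
Mar 7 14:05:02 server4 kernel: Linux version 3.10.0-693.11.6.el7.x86_64 (builder@kbuilder.dev.centos.org)
"""

def parse_line(line, year=2018):
    """Parse one syslog line into (timestamp, host, program, message); syslog omits the year, so it is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", "%Y %b %d %H:%M:%S")
    return ts, host, prog, msg

def find_reboots(lines, lookback_minutes=30, year=2018):
    """Pair each PID 1 'Received SIGINT.' (the reboot signal, e.g. Ctrl-Alt-Del or a
    signal sent to init) with the next kernel boot banner, and note whether an sshd
    'Accepted' login happened within lookback_minutes before the shutdown."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    reboots, logins, pending = [], [], None
    for ts, _host, prog, msg in events:
        if prog == "sshd" and msg.startswith("Accepted "):
            logins.append(ts)
        elif prog == "systemd" and msg == "Received SIGINT.":
            pending = ts
        elif prog == "kernel" and msg.startswith("Linux version ") and pending:
            window = pending - timedelta(minutes=lookback_minutes)
            reboots.append({
                "shutdown": pending, "boot": ts,
                "outage_seconds": int((ts - pending).total_seconds()),
                "login_before_shutdown": any(window <= t <= pending for t in logins),
            })
            pending = None
    return reboots

if __name__ == "__main__":
    for r in find_reboots(SAMPLE_LOG.splitlines()):
        print(f"shutdown {r['shutdown']} -> boot {r['boot']} "
              f"({r['outage_seconds']}s), login seen before: {r['login_before_shutdown']}")
```

Run it against a copy of /var/log/messages (journalctl output uses a different format); a reboot flagged with no preceding login is the one to ask the provider about.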
