💾 Archived View for her.st › blog › that-time-a-bot-installed-systemd.gmi captured on 2023-07-22 at 16:20:11. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

This is just a small funny entry.

I've had this client rent a VPS from me who requested Devuan - a systemd-less Debian.

I set it up, gave him the user/pass and told him to set up SSH keys and whatnot.

Fast forward a day and I see like 2TB of traffic on his VM - asking what the hell was running on that thing.

Long story short, he left ssh open to the world, had a weak password and it was cracked in a few hours.

Now the funny part: Remember his systemd-less Devuan?

Well, the bot installed systemd so it could create services and run as a 'stealthy' systemd service.

What's even more funny is that the bot actually logged to the journal so I could see what it was doing.

It was happily bruteforcing other servers - at ~500mbit/s.

I recreated the VM and 12h after I mitigated it my datacenter was forwarding me 4 abuse reports.

The IP ended up on several blocklists and I had to manually de-list it.

The joy of running a Hosting Service.
