💾 Archived View for her.st › blog › that-time-a-bot-installed-systemd.gmi captured on 2023-07-22 at 16:20:11. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
This is just a small funny entry.
I've had this client rent a VPS from me who requested Devuan - a systemd-less Debian.
I set it up, gave him the user/pass and told him to setup ssh keys and what not.
Fast forward a day and I see like 2TB of traffic on his VM - asking what the hell was is running on that thing.
Long story short, he left ssh open to the world, had a weak password and it was cracked in a few hours.
Now the funny part: Remember his systemd-less Devuan?
Well the bot installed systemd so it could create services and run as a 'stealthy' systemd service.
Whats even more funny is that the bot actually logged to the journal so I could see what it was doing.
It was happily bruteforcing other servers - at ~500mbit/s.
I recreated the VM and 12h after I mitigated it my datacenter was forwarding me 4 abuse reports.
The IP ended up on several blocklists and I had to manually de-list it.
The joy of running a Hosting Service.