[tor-relays] My VPS relay has just been hacked

Jeroen Massar jeroen at massar.ch
Sat Oct 25 15:34:59 UTC 2014

On 2014-10-25 16:36, Nick Sheppard wrote:
> For the last month I've been running a middle relay (no guard flag yet)
> on a 512 MB VPS provided by Edis.at in Switzerland (4.99 euro per

You are aware that Edis is considered a bit shady I hope; though this is
likely because they attract a lot of cheap customers and thus get a lot
of abuse out of their network. The question becomes at one point if it
is a separate customer or themselves though.

Also note that they are just reselling other peoples services, hence why
they are cheap as they oversubscribe a lot.

> The Solus control panel traffic graph started showing (a very small

That Solus control panel could have been a way in to your system.

What kind of virtualization is used?

> Each block is always 5 lines, and the names (always 10 lower-case
> letters) seem to be different every time.  The blocks change fairly
> regularly every second or two.

The virus/bot/etc is respawning processes so that nobody can easily kill

pstree will show you where the process comes from originally.

The random name makes classification easier.

> Eventually I'll have to reinstall everything from scratch,
> straightforward enough, but what can I do to make sure it doesn't happen
> again?  Would hardening my iptables work?  Has anyone else seen this?

Actually secure a machine.

Most likely they just guessed your password by an automated SSH login

Using SSH keys, firewalling SSH off except for trusted hosts and not
having any services listening that you do not want are key to a properly
secured system. There are lots of articles on the interwebz about it.


More information about the tor-relays mailing list