[tor-relays] My VPS relay has just been hacked
arma at mit.edu
Sun Oct 26 03:35:16 UTC 2014
On Sat, Oct 25, 2014 at 03:36:05PM +0100, Nick Sheppard wrote:
> This is typical of what I found.
> 1 root 20 0 10604 832 700 S ... 0:00.10 init
> 2 root 20 0 0 0 0 S ... 0:00.00 kthreadd/3277
> 3 root 20 0 0 0 0 S ... 0:00.00 khelper/3277
> 1370 root 20 0 36976 660 492 S ... 0:00.38 hxyqbutesc
I should note here that yes indeed, you do appear to have been
We get some relay operators here who misinterpret an email from their ISP,
which tells them they've been compromised but really the only evidence
is that they sent out some traffic that the other side thought could
only have been sent if they're compromised. E.g.,
But this one does not look good. I sense a reinstall in your future. :)
> Eventually I'll have to reinstall everything from scratch,
> straightforward enough, but what can I do to make sure it doesn't
> happen again? Would hardening my iptables work? Has anyone else
> seen this?
The other advice I heard here was very good too -- mainly "be sure to
do all your updates", "don't allow ssh login by password", and "wonder
if perhaps your hosting provider has a problem that makes it impossible
for you to keep your host safe".
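As an added illustration of the "don't allow ssh login by password" advice (this is not code from the thread or from the Tor project), the POSIX shell script below audits an sshd_config the way sshd itself reads it and shows a hardened form beside a weak one. The two config texts are constructed samples; /etc/ssh/sshd_config is only the assumed default path. The one detail worth knowing is that OpenSSH uses the first value it reads for a keyword, so appending "PasswordAuthentication no" to the bottom of a file that already says "yes" higher up changes nothing.

```shell
#!/bin/sh
# Audit an sshd_config for the settings that let a password-guessing bot in.
# Added example, not from the original thread; sample configs are constructed.
# sshd_config(5): "the first obtained value will be used" for each keyword,
# so duplicates later in the file are silently ignored. The parser honours that.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
# Lines after the first "Match" block apply only to matching connections,
# so the global section is taken to end there.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/  { next }            # comments and blank lines
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$1"
}

# Return 0 when the file only permits key-based logins, 1 otherwise,
# printing one WEAK line per finding. Defaults follow OpenSSH 7.0+.
sshd_audit() {
    f="$1"; bad=0
    pa=$(sshd_effective "$f" PasswordAuthentication)
    root=$(sshd_effective "$f" PermitRootLogin)
    kbd=$(sshd_effective "$f" KbdInteractiveAuthentication)
    # ChallengeResponseAuthentication is the pre-8.7 name of the same knob.
    [ -n "$kbd" ] || kbd=$(sshd_effective "$f" ChallengeResponseAuthentication)
    pam=$(sshd_effective "$f" UsePAM)

    # PasswordAuthentication defaults to yes, so "unset" is itself a finding.
    if [ "${pa:-yes}" != "no" ]; then
        echo "WEAK: PasswordAuthentication=${pa:-yes (default)}"; bad=1
    fi
    # "yes" lets the bots aim straight at root; "no" or prohibit-password
    # (the default since 7.0, formerly spelled without-password) is fine.
    case "${root:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin=$root"; bad=1 ;;
    esac
    # With UsePAM yes, keyboard-interactive lets PAM prompt for the account
    # password even when PasswordAuthentication is no, so it must be off too.
    if [ "${pam:-no}" = "yes" ] && [ "${kbd:-yes}" != "no" ]; then
        echo "WEAK: KbdInteractiveAuthentication=${kbd:-yes (default)} with UsePAM yes"; bad=1
    fi
    return "$bad"
}

# Constructed sample: a stock-looking file whose owner "hardened" it by
# appending two lines that sshd never uses, because earlier values win.
WEAK_CFG=$(mktemp); cat >"$WEAK_CFG" <<'EOF'
# sshd_config (constructed example, weak)
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# appended later, ignored by sshd because of the duplicates above:
PasswordAuthentication no
PermitRootLogin no
EOF

# Hardened form: each setting stated once, key auth only, PAM still usable
# for session setup but unable to prompt for a password.
GOOD_CFG=$(mktemp); cat >"$GOOD_CFG" <<'EOF'
# sshd_config (constructed example, hardened)
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
EOF

for cfg in "$WEAK_CFG" "$GOOD_CFG"; do
    echo "== $cfg"
    if sshd_audit "$cfg"; then echo "OK: key-only logins"; fi
done
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved (Match blocks included), so `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin|kbdinteractive'` is the quickest cross-check after editing the file and reloading sshd. Keep one working key-based session open while you test the change, so a mistake does not lock you out of the relay.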