[tor-relays] My VPS relay has just been hacked

Roger Dingledine arma at mit.edu
Sun Oct 26 03:35:16 UTC 2014


On Sat, Oct 25, 2014 at 03:36:05PM +0100, Nick Sheppard wrote:
> This is typical of what I found.
> 
> 1    root 20 0 10604  832  700 S ... 0:00.10 init
> 2    root 20 0     0    0    0 S ... 0:00.00 kthreadd/3277
> 3    root 20 0     0    0    0 S ... 0:00.00 khelper/3277
> 1370 root 20 0 36976  660  492 S ... 0:00.38 hxyqbutesc

I should note here that yes indeed, you do appear to have been
compromised.

We get some relay operators here who misinterpret an email from their ISP,
which tells them they've been compromised but really the only evidence
is that they sent out some traffic that the other side thought could
only have been sent if they're compromised. E.g.,
https://lists.torproject.org/pipermail/tor-relays/2014-October/005551.html

But this one does not look good. I sense a reinstall in your future. :)

> Eventually I'll have to reinstall everything from scratch,
> straightforward enough, but what can I do to make sure it doesn't
> happen again?  Would hardening my iptables work?  Has anyone else
> seen this?

The other advice I heard here was very good too -- mainly "be sure to
do all your updates", "don't allow ssh login by password", and "wonder
if perhaps your hosting provider has a problem that makes it impossible
for you to keep your host safe".

--Roger
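The "don't allow ssh login by password" advice above is a one-line config change, but it is easy to get wrong: sshd honours the first occurrence of a keyword, a commented-out `PasswordAuthentication no` does nothing, and settings inside a `Match` block apply only to the matched users. The following audit script is an added example, not part of the original thread or of anyone's post in it; the two sshd_config files it inspects are constructed for the demo and written to temp files (the real file is normally /etc/ssh/sshd_config).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the password-login setting the
# thread recommends turning off, plus PermitRootLogin. Not from the original
# post; sample configs below are constructed for the demo.

# Print the effective global value of a keyword from an sshd_config file.
# Mirrors sshd's parsing rules for the global section: comments are ignored,
# the FIRST occurrence wins, and scanning stops at the first "Match" block
# because anything after it is conditional, not global.
sshd_global_value() {
    file="$1"; key="$2"
    grep -iv '^[[:space:]]*#' "$file" \
        | awk -v k="$key" 'tolower($1)=="match" {exit}
                            tolower($1)==k   {print tolower($2); exit}'
}

# Return 0 (true) only if password logins are explicitly disabled.
# An absent keyword means sshd's default of "yes", so absence is a finding.
ssh_password_login_disabled() {
    [ "$(sshd_global_value "$1" passwordauthentication)" = "no" ]
}

# Print the global PermitRootLogin value, or "unset" if the file does not set it.
ssh_root_login_setting() {
    val=$(sshd_global_value "$1" permitrootlogin)
    [ -n "$val" ] || val="unset"
    printf '%s\n' "$val"
}

# Constructed sample configs (demo input only).
WEAK_CFG=$(mktemp); STRONG_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# weak: the "no" is commented out, so sshd's default ("yes") applies
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
cat > "$STRONG_CFG" <<'EOF'
# hardened: keys only, no root over ssh; the Match block only affects "backup"
Port 22
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF

# Human-readable report for one file.
report() {
    if ssh_password_login_disabled "$1"; then
        echo "$1: password logins disabled (good)"
    else
        echo "$1: PASSWORD LOGINS ENABLED - set 'PasswordAuthentication no'"
    fi
    echo "$1: PermitRootLogin = $(ssh_root_login_setting "$1")"
}

report "$WEAK_CFG"
report "$STRONG_CFG"
```

On a live host, the authoritative check is `sshd -T`, which prints the configuration sshd actually loaded, with defaults filled in; this script is for reviewing a config file (for instance one being prepared for the reinstall) before it goes into service. Remember to restart sshd after editing, and to have a working key-based login before turning passwords off.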
