Peertube user creating nginx process with 200% cpu usage (6.2.1)

I will look into a migration/reinstallation however I am not able to do it right now.

My current concern is: could this happen again with a new install?

Or the attacker managed to log in with the peertube account credentials.
What are the ways to connect to your server? SSH? Only SSH?
Does your SSH server allow connections using password?
Have you checked the auth.log as I suggested?

Or the attacker has corrupted your computer, and then used it to login as root and install the malware.

Or they just brute-forced your root credentials, saw that you have an nginx website with the peertube user, and installed the malware there. Again, does your SSH server allow connections using password? Have you any system to prevent bruteforce (like fail2ban for example)? Is your root password secure? Check your auth.log to see if there were connections at unusual times.

There are hundreds of Peertube instances using the livechat plugin, and for now you are the only one reporting this issue.
Usually such attacks are massive and automated. So, when there is a security breach, hundreds of instances are concerned.

What was the name of the file?

PS: you should not change the directory permissions. It could break other software.

I looked at auth.log, and there are a lot of attempts to gain access. I do not know when this started, so it is difficult for me to see if there was access from another IP address.

Currently SSH connections are with a password.

There is no bruteforce prevention; I did not know about this.

The root password was changed recently.

Thanks for your support.

This is not a best practice on public servers.
You should use ssh keys.

You can search for successful connections (look at what is appended to /var/log/auth.log when you connect, and then run zgrep 'xxxx' /var/log/auth.log*, where xxxx is the log message you are searching for).

For the record, there is one thing I still don’t understand.
Nginx has a /var/www/peertube/.redtail file opened… Understanding how the .redtail file was created is one thing, but… why was this file executed??

It is possible that your /etc/sites-available/peertube file was modified to launch the malware at startup.
This file is normally only editable by root. So, if this file was compromised, it would be a proof that your root account was compromised.

PS: on a production server, you should disable password connections on your ssh server, but you should also consider disabling root connection (and always connect to a different user, that will then use sudo to become root).
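The search for successful connections described above can be scripted. This is an added example, not code from the thread: it relies only on the standard sshd "Accepted password/publickey for USER from IP" log format, and the sample log lines below are constructed, not taken from the affected server.

```shell
#!/bin/sh
# Added example: summarise successful SSH logins from auth.log-style input.
# Sample lines are constructed; addresses are documentation ranges.

# Print "user ip method" for every accepted login on stdin.
accepted_logins() {
  # sshd logs "Accepted password for USER from IP port N ssh2" or
  # "Accepted publickey for USER from IP port N ssh2".
  grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey) for ' \
    | sed -E 's/.*Accepted (password|publickey) for ([^ ]+) from ([0-9a-fA-F.:]+).*/\2 \3 \1/'
}

# Count accepted logins per user/ip/method, most frequent first.
login_summary() {
  accepted_logins | sort | uniq -c | sort -rn
}

# Number of accepted logins for one account. A service account such as
# "peertube" should normally have zero, so any hit is worth investigating.
service_account_logins() {
  accepted_logins | awk -v u="$1" '$1 == u' | wc -l | tr -d ' '
}

# Constructed sample log: the "Failed password" noise of a brute-force
# attempt, followed by the accepted logins it eventually produced.
SAMPLE_LOG='Jun 10 03:12:01 vps sshd[1201]: Failed password for peertube from 203.0.113.7 port 40122 ssh2
Jun 10 03:12:04 vps sshd[1201]: Failed password for peertube from 203.0.113.7 port 40122 ssh2
Jun 10 03:12:09 vps sshd[1203]: Accepted password for peertube from 203.0.113.7 port 40130 ssh2
Jun 10 09:00:00 vps sshd[1410]: Accepted publickey for admin from 198.51.100.2 port 51000 ssh2
Jun 11 02:44:13 vps sshd[1555]: Accepted password for peertube from 203.0.113.7 port 40222 ssh2'

# On a real host, feed rotated logs too: zcat -f /var/log/auth.log* | login_summary
printf '%s\n' "$SAMPLE_LOG" | login_summary
```

Any accepted password login for a service account like peertube, or any login from an address you do not recognise, is the line to follow up on.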

Hello. After some examination, it looks like the external party was gaining access through the peertube account with SSH.

The peertube user did not have a secure password, so it was likely that the virus was being executed by this user account, rather than root (since all processes were being run with the peertube user).

I have since disabled SSH access for the peertube user, and that has stopped (from what I see) the virus from being run.

So it looks like it was not the peertube software or any plugins, but rather the peertube account being accessible to an SSH connection.

Thank you for your help with this, @JohnLivingston and @bestperson.


Thanks for the feedback.
I hope you managed to definitively remove that malware.
