
Unauthorised logging software and backdoor by OVH


ruperthair
31-03-2009, 17:39
Quote Originally Posted by n00b13
ALL ALL=(ALL) NOPASSWD: /opt/ovh/umount-ovh
This allows any user to run '/opt/ovh/umount-ovh' as any other user without entering a password. It's an odd thing to do, but not something to be worried about IMO.

n00b13
30-03-2009, 20:03
Also, in the /etc/sudoers file there's a bit of something interesting:

ALL ALL=(ALL) NOPASSWD: /opt/ovh/umount-ovh

Abducted
03-03-2009, 07:37

kro
02-03-2009, 12:38
abcde wrote:
> A backdoor has been created by OVH to your server, this allows them to


http://help.ovh.co.uk/InstallOvhKey

> get root level access and they have installed remote logging software.


Nope, not "remote logging", but "remote monitoring":
http://help.ovh.co.uk/RealTimeMonitoring

--
Felix
OVH Team

kno3
02-03-2009, 01:53
Nice one! Good job warning everyone about this!

abcde
02-03-2009, 01:46
A warning to ovh users.
I do not know if this affects dedicated servers as well as VPS servers.

A backdoor has been created by OVH to your server, this allows them to get root level access and they have installed remote logging software.

Instructions for removal follow:

Edit /root/.ssh/authorized_keys2 and remove the two lines beginning as follows:
from="213.186.50.100"
from="::ffff:213.186.50.100"

Next, edit /etc/crontab and remove:
*/1 * * * * root /usr/local/rtm/bin/rtm 10 > /dev/null 2> /dev/null

Then: rm -rf /usr/local/rtm


It is not clear if there are dodgy things installed.
It is also not clear when this began.


I hope this helps.
Please save a copy of this, for reposting in case of deletion.


Also, you should consider switching hosts.
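
A read-only way to check a server for the items named in this thread (the from="..." root SSH keys, the rtm crontab entry and directory, and the NOPASSWD sudoers rule) before changing anything. This is an added example, not part of any post above and not OVH's code. The function names are hypothetical, the sample tree is constructed with placeholder key material, and the check goes slightly beyond the thread by also reading authorized_keys and /etc/sudoers.d.

```shell
# Read-only audit; changes nothing. Output: one "kind|path|detail" line per finding.
# Usage: audit_ovh_access [ROOT]   (ROOT is an optional prefix, e.g. a mounted image)
audit_ovh_access() {
    root="${1:-}"
    # Root SSH keys carrying a from="..." source restriction.
    for f in "$root/root/.ssh/authorized_keys" "$root/root/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        grep -E '^from="' "$f" | while IFS= read -r l; do
            printf 'ssh-key|%s|%s\n' "$f" "${l%% *}"   # options field only, no key material
        done
    done
    # Active (uncommented) system crontab entries that run anything under /usr/local/rtm.
    if [ -f "$root/etc/crontab" ]; then
        grep -E '^[^#]*/usr/local/rtm/' "$root/etc/crontab" | while IFS= read -r l; do
            printf 'cron|%s|%s\n' "$root/etc/crontab" "$l"
        done
    fi
    # The monitoring directory itself.
    if [ -d "$root/usr/local/rtm" ]; then
        printf 'dir|%s|present\n' "$root/usr/local/rtm"
    fi
    # Uncommented sudoers rules granting password-less execution.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        grep -E '^[^#]*NOPASSWD:' "$f" | while IFS= read -r l; do
            printf 'sudoers|%s|%s\n' "$f" "$l"
        done
    done
    return 0
}

# Constructed sample tree mirroring the entries quoted in the thread (keys are placeholders).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root/.ssh" "$t/etc" "$t/usr/local/rtm/bin"
    cat > "$t/root/.ssh/authorized_keys2" <<'EOF'
from="213.186.50.100" ssh-rsa PLACEHOLDERKEY sample1
from="::ffff:213.186.50.100" ssh-rsa PLACEHOLDERKEY sample2
ssh-rsa PLACEHOLDERKEY admin@example
EOF
    printf '%s\n' '*/1 * * * * root /usr/local/rtm/bin/rtm 10 > /dev/null 2> /dev/null' \
        '#*/5 * * * * root /usr/local/rtm/bin/old' > "$t/etc/crontab"
    printf '%s\n' 'root ALL=(ALL) ALL' 'ALL ALL=(ALL) NOPASSWD: /opt/ovh/umount-ovh' > "$t/etc/sudoers"
    echo "$t"
}
sample=$(make_sample_tree)
audit_ovh_access "$sample"
rm -rf "$sample"
```

Run as root with no argument to audit the live system; reading /root/.ssh and /etc/sudoers needs root privileges.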