OVHcloud Bare Metal Cloud Status

FS#6222 — Hack wave / backdoor injection
Incident Report for Bare Metal Cloud
Resolved
We have just suspended about a hundred machines infected by a backdoor. The release of the backdoor is not updated.

The exploited flaw seems to come from proftpd. OVH had already patched proftpd in November 2011 when the flaw was announced.

If you are using this program on your dedicated server, you must immediately check that you have the latest version: 1.3.4a

If you have an OVH Release 2, you can run a patch all: http://help.ovh.co.uk/ReleasePatch

Moreover, if your server is not running a virtualisation distribution, check that it is already booted on the latest bzImage:
http://help.ovh.co.uk/KernelNetboot

The backdoors found so far are located in the /tmp directory:
dt , dtdss, barbut.osx.ppc, barbut1, barbut1.i386, barbut6

We have also noticed that on some servers a process named apche3 was visible in ps auxxxwwfffff.
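The checks described in this notice (the /tmp file names, the apche3 process and the proftpd version), gathered into one POSIX sh script. This is an added example written for this page, not a script from OVH; the ps output embedded in it is constructed for illustration, and the live-host invocations assume `ps auxww` and `proftpd -v` print the usual process list and version line.

```sh
#!/bin/sh
# Indicators quoted in the OVH notice above; the ps sample further down is constructed.
BACKDOOR_NAMES="dt dtdss barbut.osx.ppc barbut1 barbut1.i386 barbut6"
SUSPECT_PROCESS="apche3"
EXPECTED_PROFTPD="1.3.4a"

# check_tmp_dir DIR: report any of the listed backdoor names present in DIR.
# Returns 0 when none is found, 1 when at least one is.
check_tmp_dir() {
  found=0
  for n in $BACKDOOR_NAMES; do
    if [ -e "$1/$n" ]; then
      echo "suspicious file: $1/$n"
      found=1
    fi
  done
  return $found
}

# check_process_list TEXT: TEXT is the output of `ps auxww`; the command column
# (field 11) is reduced to its basename and compared with the name in the notice.
# Returns 1 on a hit, 0 otherwise.
check_process_list() {
  printf '%s\n' "$1" | awk -v name="$SUSPECT_PROCESS" '
    NR > 1 { cmd = $11; sub(/.*\//, "", cmd)
             if (cmd == name) { print "suspicious process: " $0; hit = 1 } }
    END { exit (hit ? 1 : 0) }'
}

# check_proftpd_version LINE: LINE is the output of `proftpd -v`; returns 0 only
# when it carries the release the notice names as current (1.3.4a).
check_proftpd_version() {
  case "$1" in
    *"$EXPECTED_PROFTPD"*) return 0 ;;
    *) echo "proftpd is not $EXPECTED_PROFTPD: $1"; return 1 ;;
  esac
}

# Constructed ps sample (not captured from a real host) containing one hit.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2000 600 ? Ss Jan06 0:01 /sbin/init
nobody 4242 0.0 0.2 3000 900 ? S Jan06 0:00 ./apche3'

# On a live host run:
#   check_tmp_dir /tmp
#   check_process_list "$(ps auxww)"
#   check_proftpd_version "$(proftpd -v 2>&1)"
```

A non-zero exit from any of the three functions is the signal to open the incident ticket the notice asks for.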


If your server is not infected but you see scans coming from servers with an OVH IP, don't hesitate to create an incident ticket and provide the IP and the dated logs so that we can intervene.
Posted Jan 06, 2012 - 08:11 UTC