My Yunohost VPS turned into a spambot

I’ve been running Yunohost on a Debian 8 VPS for several months–and it’s been great. A few days ago, I suddenly couldn’t access Yunohost, nor could I log in via ssh. Ssh was set for key authentication, no password login, no root login, and on a non-standard port. Both my user and root passwords were 25 characters randomly generated by Keepassx. The VPS admin said they’ve routed by IP to null because the VPS was being used to send spam. At this point, I don’t have ssh access except via the VPS management web interface.

Any ideas how to determine how they got access? Also, given I can’t ssh in, any ideas how to get my wallabag and etherpad data off the box (planning to wipe it and start over)?


EDIT. I’ve regained full ssh access, changed authentication key, user/root/admin passwords, and ssh port. Indeed, /var/log/mail is filed with spam sends, e.g., Nov 13 11:40:10 [hostname] postfix/smtpd[30023]: connect from[]. Stopping postfix seems to have halted things.

My hope is to pull my data, then start over. Problem is sudo yunohost backup info shows Error: Invalid backup archive for all recent backups. Trying to create a new backup also fails because mariadb-server is down. I’ve been searching for hours and can’t figure out what’s wrong with maria…

It seems mariadb-server is stuck mid-upgrade. apt-get install -f result in:

Setting up mariadb-server-10.0 (10.0.28-0+deb8u1) …
dpkg: error processing package mariadb-server-10.0 (–configure):
subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of mariadb-server:
mariadb-server depends on mariadb-server-10.0 (>= 10.0.28-0+deb8u1); however:
Package mariadb-server-10.0 is not configured yet.

dpkg: error processing package mariadb-server (–configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)

Restarting mysql.service gives:

error: ‘Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’ (2 “No such file or directory”)’

Can’t find mysqld.sock anywhere on the system.

Looking at /var/log/syslog shows a near constant stream:

Nov 13 17:13:32 [hostname] slapd[702]: <= mdb_equality_candidates: (sudoUser) not indexed
Nov 13 17:13:32 [hostname] slapd[702]: <= mdb_substring_candidates: (sudoUser) not indexed
Nov 13 17:13:32 [hostname] slapd[702]: <= mdb_equality_candidates: (cn) not indexed
Nov 13 17:13:32 [hostname] slapd[702]: <= mdb_equality_candidates: (sudoUser) not indexed

Running out of ideas.

tl;dr VPS hacked, mysql screwed: unable to backup Yunohost.

1 Like

I’m sorry for what happened.

With so much personal info on our yunohost boxes I think the security of the system is sensitive.

I would like to know how they got in. I can’t really help you though as my security expertise is limited. I know there are tools to do forensic analysis and I hope other users can help you find out what happened.