KoRoVaMiLK# linux microblog // blog.agate.pw


Yet another surprise from Cloudatcost

Cloudatcost (www.cloudatcost.com - @cloudatcost), the Canadian cheap & flat cloud VPS provider (partner of @Fibernetics) seems to have really serious problems on the devops side.
I already talked here about their infamous backdoor user (“wikus”) on their Debian 8 x64 VPS images (this seems to be solved by now).
Today I found out that they also seem to have a faulty Reverse DNS update call that they either don’t want or are unable to fix.

TL;DR: You want your IP to have a proper Reverse DNS entry pointing to your Fully Qualified Domain Name. You make this change in your Panel. The function is buggy, RDNS won’t work. You open a ticket. The ticket is already 6 days old, but is still not assigned.

Steps to reproduce:

1. Login to your panel page (https://panel.cloudatcost.com)

2. Click on “Modify”, then on “Reverse DNS”.

3. Use the popup frame to set the DNS PTR entry for the IP that Cloudatcost assigned to your VPS to point to your FQDN (say “devopsfail.wontfix.org”).

4. Wait the given 10 minutes for the update to take place (you may also wait a day, ten days or so… it probably won’t change EVER). 

5. Open your terminal and perform a reverse lookup for your given IP Address and check if it gives you back the requested FQDN entered on step #3. One of my servers points to a cloudpro internal ID cloudatcost.com hostname. Another VPS I have points to someone else’s mailserver FQDN (!).
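The check in step 5 can be scripted so it also confirms the forward direction (the name resolves back to the same IP), which is what mail servers typically verify. This is an added example, not part of the original post; it assumes `dig` is installed, covers IPv4 only, and the address 203.0.113.10 in the usage comment is a documentation placeholder.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS check for one IPv4 address.

# Lookup wrappers are kept separate so they can be swapped out for offline testing.
ptr_lookup() { dig +short -x "$1"; }
a_lookup()   { dig +short A "$1"; }

# Lower-case a name and drop the trailing root dot so comparisons are exact.
normalize() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# check_rdns IP FQDN -> prints one verdict word, returns 0 only for "ok"
check_rdns() {
    ip=$1
    want=$(normalize "$2")
    ptrs=$(ptr_lookup "$ip")
    if [ -z "$ptrs" ]; then echo "no-ptr"; return 1; fi
    found=no
    for p in $ptrs; do
        if [ "$(normalize "$p")" = "$want" ]; then found=yes; fi
    done
    # PTR exists but names something else (an internal ID, another customer's host)
    if [ "$found" = no ]; then echo "ptr-mismatch"; return 1; fi
    # forward confirmation: the name must resolve back to the same IP
    for a in $(a_lookup "$want"); do
        if [ "$a" = "$ip" ]; then echo "ok"; return 0; fi
    done
    echo "forward-mismatch"; return 1
}

# Runs only when both arguments are given, e.g.:
#   ./check_rdns.sh 203.0.113.10 devopsfail.wontfix.org
if [ $# -eq 2 ]; then
    check_rdns "$1" "$2"
fi
```

Run it from cron after changing the PTR in the panel to see when (or whether) the change actually lands.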

Further investigations (DOM inspection of the function call) led me to suspect they may have made a mess with VPS root passwords and then the function fails because of mismatching passwords. 


I will update this post when (and if) they will care to fix the issue (or consider my tickets). 


#20160218 UPDATE: They finally managed to work on my ticket: “this should be fixed today, there is an issue with the panel setting. thanks for your patience.” Then, after a couple of hours, the ticket was closed by Cloudatcost Co-Founder Gerald Camacho (what an honor!).


Now the IPs are correctly resolved to the names I entered in the panel, BUT… as I was trying to properly set one of them (I made some tests, so in one case it was not the actual FQDN I’d intend to use in production), it turned out that the “fix” didn’t fix: no further changes really take place anymore (already waited for the whole weekend). They probably set the DNS PTR by hand.

Going to open another ticket now…

    • #cac cloudatcost vps dom root password rdns dns
  • 2 years ago

Backdoor default user on Debian 8 VPS at Cloudatcost

Cloudatcost (www.cloudatcost.com - @cloudatcost), the Canadian cheap & flat cloud VPS provider (partner of @Fibernetics) ships a backdoor user (“wikus”) with shell and password set on their Debian 8 x86_64 images.

Backdoor default user at cloudatcost.com Debian8 images

I found this “easter egg” on 21st January 2016 by a routine check on system integrity after I created a new Debian instance using my cloudatcost account.

Please note that ALL Debian 8 instances created on Cloudatcost with such image are, by default, also listening on ssh standard port for such user.
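One way to run this kind of check on a freshly provisioned image is to list every account that has both a usable password and a login shell, minus the accounts you created yourself. This is an added example, not the script used for the original finding; the sample passwd/shadow contents, including the UID given to “wikus”, are constructed, and the default allowlist (root only) is an assumption.

```shell
#!/bin/sh
# Added example: report accounts that can log in with a password.

# audit_logins [passwd_file] [shadow_file] [allowlist]
# allowlist: space-separated accounts you created yourself (assumption: root only)
audit_logins() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    allow=${3:-root}
    awk -F: -v allow="$allow" -v sf="$shadow_file" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # shadow: hash field starting with "!" or "*" means locked / no password;
        # an empty field means login without any password, so it is kept too
        FILENAME == sf { if ($2 !~ /^[!*]/) pw[$1] = ($2 == "" ? "EMPTY" : "set"); next }
        # passwd: report password-enabled accounts with a real shell, unless allowed
        ($1 in pw) && $7 !~ /(nologin|false)$/ && !($1 in ok) {
            printf "%s uid=%s shell=%s password=%s\n", $1, $3, $7, pw[$1]
        }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample files (not copied from a real image) with one unexpected account.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
wikus:x:1000:1000::/home/wikus:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:16821:0:99999:7:::
daemon:*:16821:0:99999:7:::
backup:!:16821:0:99999:7:::
sshd:*:16821:0:99999:7:::
wikus:$6$CONSTRUCTED$notarealhash:16821:0:99999:7:::
EOF
}

case "${1:-}" in
    --system) audit_logins ;;   # live system; needs root to read /etc/shadow
    *)  d=$(mktemp -d) && make_sample "$d" && audit_logins "$d/passwd" "$d/shadow"
        rm -rf "$d" ;;
esac
```

Accounts with a locked password can still log in over ssh through an `authorized_keys` file, so a full check of a new image should look at those files as well.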

I tried to contact them a week ago but it seems they do not care. 

wow just noticed that @cloudatcost new #Debian 8 images come with a preinstalled backdoor user #wikus https://t.co/zAaDV5fyNd

— Marco (@korovamilky)
January 21, 2016

@cloudatcost have you nothing to declare regarding the #backdoor user “wikus” found on the Debian 8 installations?

— Marco (@korovamilky)
January 21, 2016
*** 05/02/2016 *** UPDATE *** I’ve got sort of a response on this topic in a ticket regarding failed Debian 8 builds.
View screenshot on imgur.com
Am I Satisfied? Not really.
    • #security
    • #debian
    • #cloud
    • #cloudatcost
    • #vps hosting
  • 2 years ago

Check if your system is vulnerable to Bash Code Injection (CVE-2014-6271)

CVE-2014-6271 describes a flaw in bash that permits malicious shell code injection.
Here is a code snippet to check if your Linux server is vulnerable:

env x='() { :;}; echo *VULNERABLE*' bash -c "echo this is a test"

Example output if system is vulnerable:

*VULNERABLE*
this is a test

Output with patched bash will instead look as follows:

this is a test

source: https://access.redhat.com/articles/1200223

    • #linux
    • #security
    • #bash
    • #vulnerability
  • 4 years ago

Install logtop on CentOS 7

Logtop is a handy log analyzer that can show realtime statistics from any given text file. A common usage example is redirecting the output of your log files to it, in order to get the top visitors of your webpages, or the top hosts requesting pages through your proxy server… all of this in a realtime top list.

Logtop requires git (to clone the logtop source from GitHub) plus the ncurses and uthash development packages. Since the package uthash-devel is not available in the base CentOS repository, you will also need to get the EPEL repository rpm from:

http://download.fedoraproject.org/pub/epel/beta/7/x86_64/repoview/epel-release.html

and install it:

rpm -ivh epel-release-7-0.2.noarch.rpm

then import its rpm gpg key:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

Now you may install the dependencies:

yum install git ncurses-devel uthash-devel

Get logtop from github:

git clone https://github.com/JulienPalard/logtop.git

Dive into its directory and compile it:

cd logtop
make
make install

That’s it!

Example usage:
Apache top 10 requests:

tail -f /var/log/httpd/access_log | awk '{print $1; fflush();}' | logtop

Squid top users:

tail -f /var/log/squid/access.log | awk '{print $1; fflush();}' | logtop

Still on your proxy server, you may want to show the top requested urls:

tail -f /var/log/squid/access.log | awk '{print $7; fflush();}' | logtop

Logtop project page:

https://github.com/JulienPalard/logtop
    • #linux
    • #centos
    • #log
    • #apache
    • #squid
    • #realtime
    • #analysis
  • 4 years ago

Shell script for an up-to-date Ad-Free /etc/hosts

This is just another way to do it: an adware/spyware free /etc/hosts for your laptop or home network.

Enjoy!

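#!/bin/bash
# Update Ad-Free /etc/hosts file from public lists (run as root)
readonly HOSTS_FILE="/etc/hosts"
# WINDOWS HOSTS FILE: %systemroot%\system32\drivers\etc\hosts

# mktemp creates a private, unpredictable file; a fixed /tmp/hosts could be
# pre-created or symlinked by another local user before this runs as root
TMP_FILE="$(mktemp)" || exit 1
readonly TMP_FILE
trap 'rm -f "${TMP_FILE}"' EXIT

for URL in  "http://adaway.org/hosts.txt" \
            "http://winhelp2002.mvps.org/hosts.txt" \
            "http://someonewhocares.org/hosts/hosts" \
            "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
do
    # keep only the blocking entries and strip Windows line endings
    curl -s "${URL}" | tr -d '\r' | grep -E '^(127\.0\.0\.1|0\.0\.0\.0)[[:space:]]' >> "${TMP_FILE}"
done

# do not touch /etc/hosts if every download failed
[ -s "${TMP_FILE}" ] || { echo "no entries downloaded, ${HOSTS_FILE} left unchanged" >&2; exit 1; }

# remember to add here your custom known hosts:
echo "127.0.0.1 localhost
127.0.0.1 localhost.localdomain
fe80::1%lo0 localhost
255.255.255.255 broadcasthost
" > "${HOSTS_FILE}"

# use 0.0.0.0 instead of 127.0.0.1 (faster but not 100% compatible)
# only the hostname ($2) is copied, so a list can block a name but never redirect it
awk '$2 != "" && $2 !~ /^localhost/ {print "0.0.0.0 "$2}' "${TMP_FILE}" | sort -u >> "${HOSTS_FILE}"

exit 0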
    • #script
    • #shell
    • #ads
    • #spyware
    • #linux
    • #windows
  • 4 years ago
© 2014 marco agate.