
OVH Dedicated Server Security Issues

I just got an OVH FreeBSD dedicated server. The first time I logged in, I noticed some issues I would like to comment on…

First issue

The administrative email address is stored in clear text in /root/.email:
[text]
root@ovhserver:/root # ls -lah .email
-rw-r--r-- 1 root wheel 26B Aug 14 18:46 .email
root@ovhserver:/root #
root@ovhserver:/root # cat .email
xxxx@mail.com
root@ovhserver:/root #
[/text]

Second issue

The root password is stored in clear text in /root/.p:
[text]
root@ovhserver:/root # ls -lah .p
-r-------- 1 root wheel 13B Aug 14 18:42 .p
root@ovhserver:/root #
root@ovhserver:/root # cat .p
xxxxxxxxxxxxx
root@ovhserver:/root #
[/text]

Third issue

The /root directory is world readable:
[text]
root@ovhserver:/root # ls -lah / | grep root$
drwxr-xr-x 4 root wheel 512B Aug 14 20:20 root
root@ovhserver:/root #
[/text]

Fourth issue

The file /root/.ssh/authorized_keys2 contains an OVH “backdoor” (I suppose for tech desk access):
[text]
root@ovhserver:/root # cat .ssh/authorized_keys2
from="213.xxx.yyy.zzz" ssh-rsa AAAA[…] root@cache.ovh.net
from="::ffff:213.xxx.yyy.zzz" ssh-rsa AAAA[…] root@cache.ovh.net
[/text]
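The first four findings are easy to re-check on any box, so here is an added audit script (not part of the original post) that reports a group- or world-accessible home directory, the two clear-text credential files named above, and every entry in authorized_keys/authorized_keys2 together with its from= restriction and comment, so each key can be matched to a known administrator. It takes the home directory as its argument, which also lets it run against a test copy.

```shell
#!/bin/sh
# Added audit helper for the findings above. Run as: sh audit_root.sh /root
# Functions take the directory as an argument so they can be tried on a copy.

# dir_mode DIR: print the 9-character permission string (e.g. rwxr-xr-x).
dir_mode() {
    ls -ld "$1" | cut -c2-10
}

# check_home_dir DIR: return 0 only if DIR is accessible to its owner alone.
check_home_dir() {
    mode=$(dir_mode "$1")
    case "$mode" in
        ???------) return 0 ;;
        *) echo "WARN: $1 is mode $mode (group/other can access it)"; return 1 ;;
    esac
}

# check_secret_files DIR: report the files the post found holding credentials.
check_secret_files() {
    found=0
    for f in "$1/.email" "$1/.p"; do
        if [ -f "$f" ]; then
            echo "WARN: $f exists ($(wc -c < "$f" | tr -d ' ') bytes) - possible clear-text credential"
            found=1
        fi
    done
    return $found
}

# list_authorized_keys DIR: one tab-separated line per key:
# file, from= restriction (or -), key type, comment (or -).
list_authorized_keys() {
    for f in "$1/.ssh/authorized_keys" "$1/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            {
                from = "-"
                if (match($0, /from="[^"]*"/))
                    from = substr($0, RSTART + 6, RLENGTH - 7)
                # the key type is the first field starting with ssh- or ecdsa-
                for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) break
                type = (i <= NF) ? $i : "?"
                comment = "-"
                if (i + 2 <= NF) {
                    comment = $(i + 2)
                    for (j = i + 3; j <= NF; j++) comment = comment " " $j
                }
                printf "%s\t%s\t%s\t%s\n", file, from, type, comment
            }' "$f"
    done
}

# audit_root DIR: run all checks; exit status 1 if anything was flagged.
audit_root() {
    status=0
    check_home_dir "$1" || status=1
    check_secret_files "$1" || status=1
    echo "authorized keys (file, from=, type, comment):"
    list_authorized_keys "$1"
    return $status
}

if [ $# -ge 1 ]; then
    audit_root "$1"
fi
```

A key whose comment or from= address you cannot attribute to one of your own administrators is the one to remove; the `from=` value is only a source-address restriction, not an identity.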

Fifth issue

OVH tech desk support (?) installs a script, /usr/local/rtm/bin/rtm, which /etc/crontab schedules to run every minute:
[text]
root@ovhserver:/root # grep -v ^# /etc/crontab
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
*/5 * * * * root /usr/libexec/atrun
*/11 * * * * operator /usr/libexec/save-entropy
0 * * * * root newsyslog
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
1,31 0-5 * * * root adjkerntz -a
*/1 * * * * root /usr/local/rtm/bin/rtm 1 > /dev/null 2> /dev/null
root@ovhserver:/root #
[/text]

This script runs as the user ovh, as can be seen in /etc/passwd:
[text]
root@ovhserver:/root # grep ovh /etc/passwd
ovh:*:1001:1001:OVH user for RTM running:/nonexistent:/usr/bin/false
root@ovhserver:/root #
[/text]

The OVH software resides in /usr/local/rtm/:
[text]
root@ovhserver:/root # cd /usr/local/rtm
root@ovhserver:/usr/local/rtm # find .
.
./scripts
./scripts/daily
./scripts/daily/kernel.sh
./scripts/daily/release.sh
./scripts/min
./scripts/min/check.pl
./scripts/min/usage.pl
./scripts/min/usage-root.pl
./scripts/min/hddinfo.pl
./scripts/hour
./scripts/hour/hwinfo.pl
./scripts/hour/hwinfo-root.pl
./scripts/hour/smart.pl
./scripts/hour/raid.pl
./scripts/hour/listen_ports.pl
./bin
./bin/rtm-0.9.4.pl
./bin/rtm-update-ip.sh
./bin/rtm
./etc
./etc/rtm-ip
root@ovhserver:/usr/local/rtm #
[/text]

The script /usr/local/rtm/bin/rtm-0.9.4.pl sends system statistics to the IP address contained in the file /usr/local/rtm/etc/rtm-ip. The destination port is 6100 + rand(100) over UDP, as can be seen in the send_info procedure of that Perl script.
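A per-minute job that lives outside the base system is exactly the kind of crontab entry worth spotting on a freshly delivered server. The following added script (my own, not from the post or from OVH) parses an /etc/crontab-format file and flags jobs that run every minute or whose program is not under /bin, /sbin, /usr/bin, /usr/sbin or /usr/libexec; that list of base-system directories is my heuristic, chosen because it covers everything in the stock FreeBSD crontab shown above.

```shell
#!/bin/sh
# Added crontab review helper. Run as: sh audit_cron.sh /etc/crontab

# cron_jobs FILE: print "minute<TAB>user<TAB>command" for each job line of a
# system crontab (7+ fields), skipping comments, blank lines and VAR=value lines.
cron_jobs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        NF >= 7 {
            cmd = $7
            for (i = 8; i <= NF; i++) cmd = cmd " " $i
            printf "%s\t%s\t%s\n", $1, $6, cmd
        }' "$1"
}

# flag_cron_jobs FILE: print "REASON user command" for jobs that run every
# minute and/or whose program path is outside the base-system directories
# (heuristic: /bin /sbin /usr/bin /usr/sbin /usr/libexec). Bare command
# names such as "newsyslog" are resolved through the crontab PATH and are
# not flagged.
flag_cron_jobs() {
    cron_jobs "$1" | while IFS="$(printf '\t')" read -r minute user cmd; do
        prog=${cmd%% *}
        reason=""
        case "$minute" in
            '*'|'*/1') reason="every-minute" ;;
        esac
        case "$prog" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*) ;;
            /*) reason="${reason:+$reason,}non-base-path" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$reason" "$user" "$cmd"
        fi
    done
}

if [ $# -ge 1 ]; then
    flag_cron_jobs "$1"
fi
```

On the crontab listed above this prints a single line for the rtm job, tagged both every-minute and non-base-path; the base-system entries (atrun, save-entropy, periodic, adjkerntz) stay silent.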

Default Network Daemons

By default, the server runs several daemons (named, sendmail, sshd and syslogd):

[text]
root@ovhserver:/root # sockstat -46l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 1227 3 tcp4 127.0.0.1:25 *:*
root sshd 1224 3 tcp6 *:22 *:*
root sshd 1224 4 tcp4 *:22 *:*
bind named 1132 20 tcp4 127.0.0.1:53 *:*
bind named 1132 21 tcp4 127.0.0.1:953 *:*
bind named 1132 22 tcp6 ::1:953 *:*
bind named 1132 512 udp4 127.0.0.1:53 *:*
root syslogd 1046 8 udp6 *:514 *:*
root syslogd 1046 9 udp4 *:514 *:*
root@ovhserver:/root #
[/text]

The only internet-facing daemons are sshd and syslogd. As a good security practice, the SSH daemon should be tuned a bit (change the default SSH port, do not allow root login, etc.); these settings go in /etc/ssh/sshd_config. To disable daemons, edit /etc/rc.conf. To keep syslogd from opening its listening socket on port 514, start it with the -ss option by adding syslogd_flags="-ss" to /etc/rc.conf.
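The recommendations above amount to a handful of directive edits in two files, and the error-prone part is doing them idempotently (replacing a commented-out default rather than adding a duplicate). This added script (mine, not from the post) does that: set_sshd_option replaces an existing active or commented directive in sshd_config or appends it, and set_rc_var does the same for an rc.conf assignment. The port number 2222 is an example choice, PasswordAuthentication no is my addition under the post's "etc.", and named_enable="NO" / sendmail_enable="NONE" are the standard rc.conf knobs for the two other daemons listed; both files are taken as arguments so the edits can be rehearsed on copies.

```shell
#!/bin/sh
# Added hardening helper. Rehearse: sh harden.sh ./sshd_config.copy ./rc.conf.copy
# Apply:    sh harden.sh /etc/ssh/sshd_config /etc/rc.conf

# set_rc_var FILE VAR VALUE: write VAR="VALUE" into an rc.conf-style file,
# replacing an existing assignment of VAR or appending one.
set_rc_var() {
    file=$1; var=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${var}=" "$file"; then
        awk -v v="$var" -v val="$value" '
            index($0, v "=") == 1 { print v "=\"" val "\""; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$var" "$value" >> "$file"
    fi
}

# set_sshd_option FILE KEY VALUE: write "KEY VALUE" into sshd_config. The first
# matching directive, active or commented out ("#KEY ..."), is replaced in
# place; later duplicates are dropped; if none exists the line is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v val="$value" '
        BEGIN { lk = tolower(k); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # ignore a leading comment marker
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) {
                if (done) next                   # drop duplicate directives
                print k " " val; done = 1; next
            }
            print
        }
        END { if (!done) print k " " val }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden SSHD_CONF RC_CONF: apply the settings recommended in the post.
# Make sure your own public key is in authorized_keys before disabling
# password logins, or the next session will be locked out.
harden() {
    sshd_conf=$1; rc_conf=$2
    set_sshd_option "$sshd_conf" Port 2222                 # example port choice
    set_sshd_option "$sshd_conf" PermitRootLogin no
    set_sshd_option "$sshd_conf" PasswordAuthentication no
    set_rc_var "$rc_conf" syslogd_flags "-ss"              # no UDP/514 listener
    set_rc_var "$rc_conf" named_enable NO
    set_rc_var "$rc_conf" sendmail_enable NONE             # no sendmail processes
}

if [ $# -eq 2 ]; then
    harden "$1" "$2"
    echo "edited $1 and $2; run 'sshd -t' and restart sshd and syslogd"
fi
```

Appended directives land at the end of sshd_config, so if the file already has Match blocks, move the global options above them before restarting. Use `sshd -t` to validate and keep the existing session open while you confirm a second login works on the new port.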

To conclude, I would say that it looks like OVH doesn't want your private server to be really private 🙁. To remediate this, here is a cleaning script that backs up and then deletes all those files.

[bash]
#!/bin/sh
#
# OVH dedicated server cleaning script
# borja@libcrack.so
#

email="borja@libcrack.so"
# Absolute paths only: a relative .ssh/authorized_keys2 would only be found
# when the script is started from /root.
files="/root/.email /root/.p /root/.ssh/authorized_keys2 /usr/local/rtm/"
fecha=$(date +%d%h%Y_%H%M%S)

echo
echo "[*] OVH dedicated server cleaning script - ${email}"
echo "============================================================="
echo

echo "[*] Creating backup ... "
# ${files} is deliberately unquoted so that it splits into one argument per path.
# Abort if the backup fails: nothing should be deleted without a copy.
tar zcf "ovh_${fecha}.tgz" ${files} || { echo "[!] Backup failed, aborting"; exit 1; }

echo "[*] Deleting unnecessary files ... "
rm -rf ${files}

echo "[*] Setting permissions ... "
chmod 700 /root

echo "[*] Disabling crontab entry ... "
# Match the full path rather than the bare word "rtm" so unrelated entries survive.
grep -v /usr/local/rtm/ /etc/crontab > /etc/crontab.1 && mv /etc/crontab.1 /etc/crontab

echo "[*] Done"
echo

exit 0
[/bash]

Enjoy your dedicated server! 🙂

Published in freebsd