Note: This applies to Debian 10 KVM templates downloaded from TDN earlier than Feb 3, 2021 03:30 am (UTC).
VMs created from the affected templates may be compromised via the user debianuser. The debianuser user can run the cnrig process, which is related to CryptoNight malware.
Call to Action
Re-download the template on SolusVM master and slave nodes:
# wget https://templates.solusvm.com/kvm/linux-debian-10-x86_64-gen2-v2.gz -O /home/solusvm/kvm/template/linux-debian-10-x86_64-gen2-v2.gz
# wget https://templates.solusvm.com/kvm/linux-debian-10-x86_64-gen2-v1.gz -O /home/solusvm/kvm/template/linux-debian-10-x86_64-gen2-v1.gz
The best practice is to migrate the data to another VPS. If migration is not an option, remove the user debianuser, set up SSH key authentication and disable password authentication:
- Connect to a Debian 10 VPS via SSH
- Remove debianuser user:
# deluser --remove-all-files debianuser
- Create SSH key pair for SSH access using this article:
- Disable password authentication in /etc/ssh/sshd_config and restart SSH:
# service ssh restart
- Double-check that you can still get in (open a new session and test it out) before you exit your active SSH session
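To confirm the state of a VPS before and after the steps above, the following added example (not part of the original advisory and not SolusVM code) checks for the three conditions the advisory names: the debianuser account, a running cnrig process, and SSH password authentication. The function names and the `--live` switch are assumptions made for this sketch, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not SolusVM code): checks a Debian 10 VPS for the three
# conditions the advisory names. Matching is by name only, as in the advisory.

# has_user NAME: reads passwd-format lines on stdin; succeeds if NAME exists.
has_user() {
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }'
}

# miner_pids: reads "PID COMM" lines on stdin; prints PIDs of cnrig processes.
miner_pids() {
    awk '$2 == "cnrig" { print $1 }'
}

# password_auth_enabled: reads sshd_config or `sshd -T` lines on stdin.
# sshd uses the first value it finds; when unset the default is "yes".
password_auth_enabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "${val:-yes}" != "no" ]
}

# audit PASSWD PS SSHD: prints one FINDING line per condition that holds.
audit() {
    if printf '%s\n' "$1" | has_user debianuser; then
        echo "FINDING: account debianuser exists"
    fi
    pids=$(printf '%s\n' "$2" | miner_pids)
    if [ -n "$pids" ]; then
        # $pids is left unquoted on purpose so several PIDs print on one line
        echo "FINDING: cnrig running, PID(s):" $pids
    fi
    if printf '%s\n' "$3" | password_auth_enabled; then
        echo "FINDING: SSH password authentication is enabled"
    fi
}

# Constructed sample data (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
debianuser:x:1000:1000::/home/debianuser:/bin/bash'
SAMPLE_PS='  1 systemd
812 cnrig'
SAMPLE_SSHD='#PasswordAuthentication yes
PermitRootLogin yes'

if [ "${1:-}" = "--live" ]; then   # run as root so `sshd -T` can read the config
    audit "$(getent passwd)" "$(ps -eo pid=,comm=)" "$(sshd -T 2>/dev/null)"
else
    audit "$SAMPLE_PASSWD" "$SAMPLE_PS" "$SAMPLE_SSHD"
fi
```

Run with `--live` as root on the VPS; no output means none of the three conditions was found. A clean result does not prove the VM was never compromised, which is why migration remains the preferred path.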