Comment 4 for bug 1435386
Revision history for this message
| Jeremy Stanley (fungi) wrote Re: VMs are being taken over through a VNC proxy exploit | #4 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
From the information they provided, qemu was configured to start a VNC service listening on all interfaces, and the compute node's IP address was exposed with that socket unfiltered. It sounds like attackers scanning for VNC servers on the Internet found it, rebooted the virtual machines via ctrl-alt-del and then rooted them by altering bootloader configuration to boot into a shell rather than init. Their evidence suggests the connections were directly to qemu, not via the Nova VNC proxy at all.