"There is no cloud, it's just someone else's computer."
Today, as I was performing my usual server maintenance, I ran ls and found two script files I didn't recognize. My first reaction was a server intrusion, but after checking the script contents, I thought it might be a joke from the hosting provider.
Neither of the two scripts had any malicious function. Script 'a' was responsible for installing qemu-guest-agent, and script 'b' was responsible for running script 'a' and then deleting both scripts 'a' and 'b'. However, they did not execute successfully.
My VPS's system in the control panel is listed as Debian, but it is actually running Arch Linux. I suspect that the hosting provider distributes installation scripts based on the system shown in the control panel. Since I didn't have apt installed on Arch, the script encountered an execution error and exited directly, which is why the two scripts were preserved.
#!/bin/bash
# /root/exec_recipe.sh (script 'b'): run the recipe, log its output, then delete both files
echo `date`: Recipe ID: -524;
sh /root/recipe_-524.sh > /root/recipe_-524.log 2>&1;
echo `date`: RET: $?;
rm -f /root/recipe_-524.sh;
rm -f /root/exec_recipe.sh

# /root/recipe_-524.sh (script 'a'): install qemu-guest-agent and adjust its RPC filter
# Detect the distro family from the release files
if [ -f /etc/debian_version ]; then
    OS=Ubuntu
elif [ -f /etc/redhat-release ]; then
    OS=redhat
elif [ -f /etc/oracle-release ]; then
    OS=redhat
fi
if [ "$OS" = redhat ] ; then
    systemctl status qemu-guest-agent
    if [ $? != 0 ] ; then
        yum --skip-broken -y install qemu-guest-agent
    fi
elif [ "$OS" = Ubuntu ] ; then
    systemctl status qemu-guest-agent
    if [ $? != 0 ] ; then
        apt-get clean -y 2>&1
        apt-get update -y 2>&1
        apt-get install -y qemu-guest-agent 2>&1
    fi
fi
systemctl enable qemu-guest-agent
if [ "$OS" = redhat ] ; then
    # Get the version of qemu-ga
    REL=$(qemu-ga -V | grep -oP "\d+\.\d+\.\d+")
    # path
    config=/etc/sysconfig/qemu-ga
    # Check if the version is 8.0.0 or higher
    if [[ "$REL" =~ ^(8|\d{2,})\.[0-9]+\.[0-9]+$ ]]; then
        # taking backup of old file for safer side
        cp /etc/sysconfig/qemu-ga /etc/sysconfig/qemu-ga.bk
        # injecting the guest-exec and guest-exec-status command for enabling
        sed -i '/^FILTER_RPC_ARGS="--allow-rpcs=/ s/"$/,guest-exec,guest-file-open,guest-file-read,guest-file-close,guest-exec-status"/' $config
    else
        sed -c -i "s/\(BLACKLIST_RPC *= *\).*/\1guest\-file\-seek/" $config
    fi
fi
REL=$(cat /etc/redhat-release)
rhel9="$(echo $REL | egrep -i '(release 9)')"
echo $rhel9
# note: $? here is the exit status of the echo above, so this branch always runs
if [ "$?" -eq "0" ]; then
    config=/etc/sysconfig/qemu-ga
    sed -c -i "s/\(BLOCK_RPCS *= *\).*/\1guest\-file\-seek/" $config
fi
systemctl unmask qemu-guest-agent
systemctl restart qemu-guest-agent
Comments
Okay
(Was there a question?)
"A single swap file or partition may be up to 128 MB in size. [...] [I]f you need 256 MB of swap, you can create two 128-MB swap partitions." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 49)
The title is not a question, it is a statement, because it ends with a dot.
I reserve the right to license all of my content under: CC BY-NC-ND. Whatever happens on this forum should stay on this forum.
This is true. But the relevance of the statement to the body of the post is not entirely clear, nor is the purpose of the thread.
We might need an AI translation, because MJJ language is quite difficult to understand due to so many variations in interpretation.
Perplexity seems to offer a simple point of view. Hopefully I did not break some Cloudflare bot with my request.
The phrase "There is no cloud, it's just someone else's computer" highlights that cloud services rely on physical servers owned by others. In your case, while maintaining your VPS, you discovered two unfamiliar scripts which initially seemed like a security breach. After inspection, the scripts weren't harmful; one intended to install qemu-guest-agent and the other to run this installation then remove both scripts. However, they failed to run because your VPS actually operates on Arch Linux, despite being labeled as Debian in the control panel. The hosting provider likely pushes installation scripts based on the control panel's OS info, causing the apt-based script to fail on Arch, leaving the scripts intact without execution. This illustrates how cloud systems can sometimes have discrepancies due to provider configurations and assumptions about the environment.
You are pushing the frontier of AI capability.
WTF? I am leaving for the big boys. This is above my pay grade.
Hey teamacc. You're a dick. (c) Jon Biloh, 2020.
While looking through my drawers, I found some loose coins.
Not sure why you need to know that, but I felt that I should share with you, just as you have with us.
If you want information, feign ignorance, reply with the wrong answer. Internet people will correct you ASAP!
It’s OK if you disagree with me. I can’t force you to be right!
Preserve it. It will be a relic pretty soon. /s
We're the source, no cap. Address us: We/Our/Ours.
https://lowendspirit.com/discussion/comment/221016/#Comment_221016
AI doesn’t always have a question
Insert signature here, $5 tip required
#dicks
My pronouns are like/subscribe.
Penile enrichment?
I noticed the same thing recently. This is really disgusting practice and needs to stop - it's none of the hoster's business what software I want installed on my VPS and how I want it configured!
In my case, the hosting provider at least did disable some of that nonsense after I bitterly complained.
Isn't the qemu-guest-agent service what enables graceful shutdowns and backup-friendly freezes?
Can it be used for something else?
normal ACPI should be sufficient to handle shutdowns
disk and RAM usage reporting (that's what Virtualizer seems to use it for)
but I guess it can be used to run anything on your VPS (as root)
guest-exec allows the hypervisor, or an attacker with control of the hypervisor’s management plane, to execute arbitrary commands directly on the VM as root. guest-exec-status allows checking the status of those executed commands. A C2-style cleanup script like this is often used by hackers.
For a hacker, this is a way to ensure a robust, high-privilege, and network-firewall-bypassing backdoor, but it requires having control of the hypervisor’s management plane.
Any provider doing this behind your back should be sentenced to debugging PHP 5.6 sites for eternity.
Does anyone know of a provider who shows information about their install images, where the images came from, how they were made, etc?
As most of us know, many providers let customers upload and install from the customers' own known images.
For example, a known-safe NetBSD image which I am using came from @cmeerw.
Alternatively, here is the link to the Debian Official Cloud Images: https://cdimage.debian.org/images/cloud/
Next time, please consider avoiding a one-click unknown image and using a known-safe image instead.
Part of the idea behind MetalVPS is to allow customized control of VPS setup, including image selection freedom, and even including qemu hypervisor setup and configuration.
I hope everyone gets the servers they want!
That's savage.
Humans always like to give ordinary things new concepts, with the sole purpose of making others pay for them.
Damn
WTF just confirmed that qemu-ga in debian/ubuntu does allow anything by default. Adding it to my blacklist of packages.
In one place where I really need it to run a pre-freeze command, I am now adding the qemu-ga.conf as needed:
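As an added example (not code from the thread, from any provider, or the qemu-ga.conf the poster above was writing), the following POSIX shell script ties together the guest-exec discussion a few posts up and the qemu-ga.conf point here: it checks the two configuration formats that appear in this thread for whether guest-exec is still reachable from the hypervisor side, and writes a qemu-ga.conf that keeps the fsfreeze RPCs a pre-freeze hook depends on while blocking exec and file I/O. The key names FILTER_RPC_ARGS, BLOCK_RPCS and BLACKLIST_RPC come from the provider script at the top of the thread; block-rpcs, allow-rpcs and fsfreeze-hook are the [general] keys of qemu-ga.conf; the sample files in the demo are constructed, and the fsfreeze-hook path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from any provider: audit whether a
# qemu-guest-agent configuration leaves guest-exec reachable from the hypervisor
# side, and write a replacement qemu-ga.conf that keeps fsfreeze (so a pre-freeze
# hook still works) but blocks the exec and file RPCs.
# Two formats are handled, both seen in the provider script in this thread:
#   RHEL-style /etc/sysconfig/qemu-ga   FILTER_RPC_ARGS="--allow-rpcs=..." / BLOCK_RPCS=...
#   qemu-ga.conf ([general] section)    allow-rpcs=... / block-rpcs=... (older: blacklist=...)
# Every path is a parameter so the functions can run against copies or samples.

# Succeed when $1 is an element of the comma-separated list $2.
_in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Print the RPC list from the first non-comment line of $1 whose key matches
# the regex alternation $2 (the value after the last '=' with quotes stripped).
_rpc_list() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -E "($2)[[:space:]]*=" | head -n 1 \
        | sed -E 's/.*=//; s/"//g; s/[[:space:]]*$//'
}

# Print "blocked" (and return 0) or "allowed" (and return 1) for guest-exec in
# config file $1. A missing file means agent defaults, where every RPC is on.
qga_exec_blocked() {
    f="$1"
    [ -f "$f" ] || { echo allowed; return 1; }
    allow=$(_rpc_list "$f" 'allow-rpcs')
    block=$(_rpc_list "$f" 'block-rpcs|BLOCK_RPCS|BLACKLIST_RPC|blacklist')
    if [ -n "$allow" ]; then
        # allow-list mode: anything not listed is off, so inspect the list itself
        if _in_list guest-exec "$allow"; then echo allowed; return 1; fi
        echo blocked; return 0
    fi
    if _in_list guest-exec "$block"; then echo blocked; return 0; fi
    echo allowed; return 1
}

# Write a qemu-ga.conf to $1 that blocks command execution and guest file I/O
# while leaving guest-fsfreeze-* available for backup-consistent snapshots.
write_hardened_qga_conf() {
    cat > "$1" <<'EOF'
[general]
# constructed example: the hypervisor side may still freeze/thaw and query the
# agent, but gets no shell and no file channel into the guest
block-rpcs=guest-exec,guest-exec-status,guest-file-open,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-file-close
# uncomment to run a script before freeze / after thaw (path is an assumption)
#fsfreeze-hook=/etc/qemu/fsfreeze-hook
EOF
}

# Stand-alone demo over constructed samples in a temp dir.
demo_qga_audit() {
    d=$(mktemp -d)
    # what the provider script injects on RHEL 8+: an allow-list that includes guest-exec
    printf 'FILTER_RPC_ARGS="--allow-rpcs=guest-sync,guest-ping,guest-exec,guest-exec-status"\n' > "$d/sysconfig-allow"
    # what it sets on RHEL 9: only guest-file-seek blocked, so exec stays on
    printf 'BLOCK_RPCS=guest-file-seek\n' > "$d/sysconfig-block"
    write_hardened_qga_conf "$d/qemu-ga.conf"
    for s in sysconfig-allow sysconfig-block qemu-ga.conf does-not-exist; do
        echo "$s: guest-exec $(qga_exec_blocked "$d/$s")"
    done
    rm -rf "$d"
}

demo_qga_audit
```

Run it against a copy of /etc/sysconfig/qemu-ga or /etc/qemu/qemu-ga.conf. A file with neither an allow list nor a block list, or no file at all, reports "allowed", which matches the Debian/Ubuntu default the previous poster found; the hardened config reports "blocked" while still letting the agent answer freeze/thaw requests.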
Make them convert PHP3 scripts to not use global variables.
Better yet, PHP 4 scripts encoded with a third party encryption tool.
Better yet binary decoders for the Government.