Additionally if you have some kind of monitoring in place you should check if the hacker(s) probably even downloaded your VMs (vmdk and othe files) via SCP by checking the logs and/or high data transfers while those guys were logged in.

The entry point would be any management service (ssh, webservices etc.) being exposed to the internet.

I gues they had all the time do run scripts on the ssh login.

You should have anything in place to check if they really downloaded the VMs...

Yeah, I should have many things. But servers are standalone, depends on the company to provide resources. Or use oVirt, as I often recommend but we will not discuss this at the moment. I cannot know when this was actually hacked so they had plenty of time.

SSH was enabled, vSphere GUI was enabled. But the password is strong enough to be bruteforced. Thus, my concern.

NTPD or SNMP exploits... could be, but on that server those were disabled because I knew the server was not patched (as I couldn´t, not without downtime risk,etc.). The attackers deleted all VMs from disk, potentially downloaded (only way would be check network usage but I have backups as well so not easy).

Having SSH enabled is not a security issue, per-se. It is better if you filter or you change the port but anyway...

I have other hosts (even older) I wonder if those are at risk... and why the affected is the most recent one, maybe there was a datacenter leak with passwords or something.

Having any management-service exposed to internet unprotected *is* serious issue! With enough of distributed resources (botnets with thousands of computers) no password is strong enough. If you do not have connection-rate limit and/or auto-banning of offending hosts implemented on perimeter firewall, question is not if your server gets hacked, but when this happens...

Yeah, well, those quotes are fine from a marketing perspective. But no, I can have an OpenBSD with SSH open and be perfectly fine unless an exploit for SSH appears. And OpenBSD has PIE, so even with a vulnerability you are protected somehow.

But I understand what you say, however, you need SSH enabled often. It is like saying do not expose Apache when you have a website running. I agree it is better if SSH is only accessible from certain IP addresses but... I believe the service is robust.

Again, I do not think they bruteforced the password, I am not sure about exploits that gives you a shell or creates additional users.

Any idea of what services could be dangerous left with default settings ?

How to protect the vSphere login (you definetively need that run on a standalone host)

thanks

Yeah, well, those quotes are fine from a marketing perspective. But no, I can have an OpenBSD with SSH open and be perfectly fine unless an exploit for SSH appears. And OpenBSD has PIE, so even with a vulnerability you are protected somehow.

"protected somehow" sounds very marketingish and trustworthy, too. Seriously, you compare a full featured OS with a hypervisor OS in terms of security. VMWare never had the intention to replace an OS and therefor at some point they have to make the underlying OS as compact as possible for the hypervisor use.

You also can't directly compare a KVM based hypervisor with VMWare, completely different approaches in terms of a hypervisor.

But I understand what you say, however, you need SSH enabled often. It is like saying do not expose Apache when you have a website running. I agree it is better if SSH is only accessible from certain IP addresses but... I believe the service is robust.

And again comparing apples (ssh) to oranges (Apache). You can perfectly leave SSH enabled with VMWare on your management (internal) network but not exposed to the internet without additional external protection.

How to protect the vSphere login (you definetively need that run on a standalone host)

Yes, but only on the management network.

You can still use a VPN connection to the internal network to manage the host from remote.

I don't think that your box was hacked through an exploit, was just the distributed bruteforce way JarryG mentioned above.

And for your other/older hosts I would take them off the internet ASAP, those guys may come back and hitting the IP of that other host(s).

So, are they exploits for the web interface for the vSphere or the SSH ? if not, the only thing someone can do is bruteforce the password.

Can be the password bruteforced considering 10 chars with sym, cap, lower, nums ? as long as it has a time out that sounds complicated to bruteforce but can definetively be possible.

Still, even exposing those I do not think someone could simply hack the server. But you may be right.

Leaving that aside:

I have disabled SSH in all the other hosts.

What is the best way to prevent random IPs to connect via vSphere client and/or SSH ? is there a Firewall or you suggest any other way ?

I connect to those servers from remote myself (I do not have physical access) so I wonder about the VPN, can I do that with just the Host itself ? or do I need an auxiliary host on the network ? I do not want to rely in one VM with OpenVPN to manage the server because.

What is the best way to prevent random IPs to connect via vSphere client and/or SSH ? is there a Firewall or you suggest any other way ?

Put a (real) firewall in between the host and the internet where you configure connection limits portwise. The ESXi firewall is very basic and üproviding only basic protection.

I connect to those servers from remote myself (I do not have physical access) so I wonder about the VPN, can I do that with just the Host itself ? or do I need an auxiliary host on the network ?

No, ESXi is not capable of doing (real) firewalling, VPN server etc.. So you need a separate box for that. You may even try to implement some kind of port knocking in conjunction with a ssh tunnel for example. But this also need a separate box/firewall.

I do not want to rely in one VM with OpenVPN to manage the server because.

Instead you rely on the host's basic security, not a good idea in my eyes. Maybe a decent router with firewall and VPN is a decent solution for that. If it needs to be not too expensive, I have good experiences with Draytek routers for SMB.

No, we have not tried to find a culprit, though we have asked the D/C to outline the usage over the past while as we are not even sure they have moved the data out, if there is no significant data movement then we are certain the VMs are just deleted.

Machine is now offline and the disks going to ontrask for imaging and investigation.

The police have been informed and have been to visit the sick item, waiting on the cybercrime team to show interest.

Even if we paid up and got the data sets back, to use it would be asking for trouble, it has been seen that in similar cases to this, even though the ransom was paid, the data was still sold on - we will see what Kroll get back, we are recreating what we do not have as backups.  I will spend a lot more time on securing ESXi, possibly to the point of adding a security appliance between it and the wild world as this must not happen again, and as pointed out, the firewall is minimal in ESXi.

This pastebin was from the day before, perhaps it could be traced...

http://pastebin.com/00agVLTT

Seems it has happened before elsewhere in the world.

http://www.webhostingtalk.ir/showthread.php?t=144258‌

We have some attentive people looking into the B.C. id's, i hope something comes of that.

And, if you are reading this, and it is your work, thanks, you messed up a couple of my days and some very worthwhile projects that were hosted the server got a terrifying shock, they try to help sick and worried, whilst you hold us to ransom on pain of destruction or selling the data.

My thoughts on this: They did not download anything and there is no way to get the files back by paying anything. But that's just my opinion from the above message.

There is even no contact details in there so how would they know what data goes to which payer.

I also guess that IPs of the attacker(s) won't help in any way as this looks at least a little more professional than some script kiddies messsing around from their home internet connection.

@wootn0wwootn0w

It could be the vSphere Client as well, were you patched against Heartbleed? NTPD patched ?

Whatever had SSL if your openssl was vulnerable could be affected. Not necessarily SSH.

Even if they were fully patched, ESXi 5.5 still uses SSLv3.0 which is known to be weak.  One really good reason to upgrade to 6.0..

@Bleeder

Totally agree. I wonder, is it possible to upgrade a 5.5 host to 6.0 without problems ?

A lot of hardware has been dropped from supported list in 6.0 (or is not certified yet). For me the biggest problem preventing me from updating to 6.0 is missing smis-provider for my raid-controller. Those folks in LSI are probably still very busy with creating new powerpoint-presentations about bright future lying ahead of them after they have been acquired by Avago...