Thank you gents,

I just discovered that the customer was experimenting with the VR and left IP 
forwarding on port 22/22 to a VM created with the template with 
password=password!

Antoine Boucher
[email protected]
[o] +1-226-505-9734
www.haltondc.com

“Data security made simple and affordable”

On Apr 5, 2022, at 18:33, ahmed jabbar <[email protected]> wrote:

Dear Antoine,
You can simply block inbound connections on your virtual router public IPs
with any external firewall, and accept just outbound connections.
BR
Ahmed


On Tue, Apr 5, 2022 at 10:46 PM Antoine Boucher <[email protected]>
wrote:

> Someone has externally gained access to one of our VR VMs and installed an
> application that tried to ssh to other IPs on the web.
> 
> The VR started to miss health checks about a day ago. Looking at the VR's
> running processes, we discovered that the process ksoftirqd was 95% busy. We
> killed the VR and discovered during our investigation from other systems
> that the VM was blasting the web trying to connect on port 22.
> Unfortunately, the VR has been deleted.
> 
> What could have happened? Any known security issues on the 4.16.1.0 VR
> template?
> 
> Regards,
> Antoine
