
> Also, was the nature of the attack just that they were able to log in to your linode admin panel and from there root the machines and then loot your wallets?

The way I understand it, the attackers were able to get access to the admin panel and invoked some kind of 'change root password' emergency stuff. The machines were rebooted it seems, which makes sense: the interface of Linode has probably/hopefully no access to the root password. Maybe this 'Reset my root' feature (now I'm guessing) reboots the machine in single user mode or passes init=/bin/sh to the kernel to reset the password once and reboots again afterwards.

Only THEN did the attacker have access. But yes, he had root. The good (if you want to call it that) part of it is that this procedure rings every alarm possible. The real owner doesn't have the password anymore, as he'll soon figure out. It's anything but sneaky.

I DO wonder why root is allowed to log in at all, though...



I disabled root login when I was setting up the server. Could my server be affected too?

Also, admins that only log in with ssh keys and don't use root won't be able to notice that, will they?


Probably. You disabled root login how, via the sshd_config file? If so, you're still screwed.

Even if you fully disable root, that's not going to stop the init=/bin/sh script.

Even if you fix that (securing grub?) you're still screwed because it's a virtual machine, and they can just mount the partition to another VM, and pull all your data/reset root that way.

So, maybe if you have an encrypted partition, no root access, secure grub, and real hardware (it's probably possible to dump the VM's memory by snapshotting it, then pulling the key out that way), you would be secure against attacks like this.

With a VM? No, it's not nearly secure enough for very important things.


Well, having the whole disk dm-crypted is kind of secure I guess. At least I still have no idea how I get at my ssl certification keys from startssl, although I have a dd of that drive in question from the vps provider. I was just too clever thinking of a long passphrase and too stupid to keep at least a hint around somewhere...

Total data loss for me. But if you _do_ remember your dm_crypt password, I think you're safe against these kinds of attacks.


1) No idea, that's something Linode needs to answer. I only guessed what it takes to change a root password of a VPS system.

2) Very good point. In that case it might work undetected for quite a while...


I would not be surprised if the Linode "reset root password" function shuts down your VM, mounts the filesystem directly on the host, and edits /etc/shadow, and maybe the PAM configs if they're feeling real nice. Using something we can't mount (e.g. encrypted)? Not using /etc/shadow nor PAM? Sorry, we can't help you beyond advising you try and reboot in single user and ssh in to your VM console.
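The two tell-tale traces this thread describes (a rewritten root entry in /etc/shadow after the disk was edited from the host, or a boot with init=/bin/sh) are exactly what an admin who only ever logs in with ssh keys would otherwise miss. As an added example, not code from the thread and not anything Linode provides, here is a small POSIX shell audit that fingerprints root's shadow entry against a recorded baseline and flags an init= override on the kernel command line. It assumes a shadow-format file and that sha256sum is available; on a live system you would point it at /etc/shadow and /proc/cmdline, but every path is a parameter so the demo runs on constructed sample files without root.

```shell
#!/bin/sh
# Added example (not from the thread): host-side checks for the
# "reset root password" scenario discussed above.
#   1. root's /etc/shadow entry no longer matches a recorded fingerprint
#      (the provider edited /etc/shadow with the disk mounted on the host)
#   2. the running kernel was booted with an init= override (the init=/bin/sh route)
# All file paths are parameters so the functions can be exercised on constructed files.

# Print the root line of a shadow-format file.
shadow_root_entry() {
    grep '^root:' "$1" | head -n 1
}

# Fingerprint the root entry instead of storing the password hash itself.
root_entry_fingerprint() {
    shadow_root_entry "$1" | sha256sum | cut -d' ' -f1
}

# record_baseline SHADOW_FILE BASELINE_FILE: store the fingerprint at a known-good time.
record_baseline() {
    root_entry_fingerprint "$1" > "$2"
}

# root_entry_changed SHADOW_FILE BASELINE_FILE: true if the root entry differs.
root_entry_changed() {
    [ "$(root_entry_fingerprint "$1")" != "$(cat "$2")" ]
}

# cmdline_has_init_override CMDLINE_FILE: true if init= appears on the kernel
# command line (read /proc/cmdline on a live system).
cmdline_has_init_override() {
    grep -q -E '(^| )init=' "$1"
}

# audit_host SHADOW_FILE BASELINE_FILE CMDLINE_FILE: print findings, return 1 if any.
audit_host() {
    found=0
    if root_entry_changed "$1" "$2"; then
        echo "ALERT: root entry in $1 differs from the baseline in $2"
        found=1
    fi
    if cmdline_has_init_override "$3"; then
        echo "ALERT: kernel command line contains an init= override: $(cat "$3")"
        found=1
    fi
    return $found
}

# --- demo on constructed data (hashes and salts below are made up) ---
demo=$(mktemp -d)
printf 'root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n' > "$demo/shadow.good"
printf 'root:$6$constructedsalt$replacedhash:19000:0:99999:7:::\n'    > "$demo/shadow.reset"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/xvda ro\n'              > "$demo/cmdline.normal"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/xvda ro init=/bin/sh\n' > "$demo/cmdline.single"
record_baseline "$demo/shadow.good" "$demo/root.baseline"
echo "clean host:"; audit_host "$demo/shadow.good"  "$demo/root.baseline" "$demo/cmdline.normal" || true
echo "reset host:"; audit_host "$demo/shadow.reset" "$demo/root.baseline" "$demo/cmdline.single" || true
rm -rf "$demo"
```

Keep the baseline fingerprint somewhere other than the VM's own disk: as the thread points out, that disk can be mounted from another VM, so a baseline stored next to /etc/shadow can be rewritten along with it. The check also only covers the two routes named here; it says nothing about a memory snapshot of the running guest.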


"The real owner doesn't have the password anymore, as he'll soon figure out."

He won't figure it out until he tries to login though.



