OVH backdoor removal

Thread: OVH backdoor removal

  1. #1

    Join Date
    Mar 2009
    Posts
    174

    Default OVH backdoor removal

    THIS IS A REPOST OF A TUT @ BITME TV all the props go to that user

    For those of you who use OVH (.co.uk .net it doesn't matter which) this is important. By default OVH have full SSH access to your server(s).

    This applies to all OVH servers. Doesn't matter if they are kimsufi or ovh.net ones - they ALL have this.

    These can be removed quite quickly but as you may guess the steps are different for both Windows and Linux (I don't currently have a FreeBSD box to test on, I'll do that after I get another server).

    Linux

    OVH have access to your root (or if on Ubuntu - admin) account. To remove this you will need to login as root and do the following:

    Code:
    nano -w ~/.ssh/authorized_keys2

    On Ubuntu you need to do the following:

    Code:
    sudo nano -w /root/.ssh/authorized_keys2

    You will see two lines normally that start with the following:

    Code:
    from="213.186.50.100"
    from="::ffff:213.186.50.100"

    This is the cache.ovh.net server. You can either comment the lines out by adding a # in front of them or you can delete the whole lines - either works. I prefer to delete them.

    Whack ctrl+x to save and close the file and that should be it - as far as I'm aware there are no other SSH backdoors but I've not gone over everything fully.

    There is also the RTM (Real Time Monitoring) software that OVH have installed. I have only removed this on Ubuntu and Debian - it doesn't seem to have been installed on Windows. Like above I'll test on other distros if wanted at the weekend.

    To remove RTM you can do the following:

    Code:
    nano -w /etc/crontab

    Look for the line that reads

    Code:
    */1 * * * * root /usr/local/rtm/bin/rtm 20 > /dev/null 2> /dev/null

    Delete it. ctrl+x and save the file. That will stop it running, now to remove the software itself - this is a little messy but it works.

    Debian, Ubuntu, CentOS, FreeBSD and Other Linux

    I've gone through the install scripts for RTM and it seems this is the default folder for all installs - doesn't matter on the distro. Gentoo uses ebuilds so they can keep it up to date easily. Doing the following command will remove it on everything, but use the one under Gentoo on Gentoo.

    Code:
    rm -rf /usr/local/rtm/

    That should do the job.

    Gentoo

    Code:
    emerge -C rtm

    Should remove it. Let me know if it doesn't.

    Windows

    This one is nice and easy, open control panel, go to add/remove programs and look for Corp SSH (Remove Only). Uninstall that and it'll remove all the accounts OVH uses too.

    There is no RTM software for Windows at current so this doesn't need removing.


    AGAIN ALL THANKS GO TO THE ORIGINAL POSTER, NOT MYSELF
    Redux, pulser and headmaster like this.
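
The Linux steps from post #1 as a script, added here as an example and not part of the original post or of any OVH tooling: it lists and comments out key lines that begin with the two `from=` addresses quoted above (keeping a `.bak` copy) and reports crontab lines that still call the RTM binary. Function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The two source addresses and the RTM
# path are the ones quoted in post #1; file locations are passed by the caller.
PROVIDER_IPS='213.186.50.100 ::ffff:213.186.50.100'

# $1 = list|comment, $2 = key file. A line is a hit only when it is active
# (not already commented) and starts with from="<provider address>".
scan_keys() {
    awk -v ips="$PROVIDER_IPS" -v mode="$1" '
        BEGIN { n = split(ips, ip, " ") }
        {
            line = $0; sub(/^[ \t]+/, "", line); hit = 0
            for (i = 1; i <= n; i++)
                if (index(line, "from=\"" ip[i] "\"") == 1) hit = 1
            if (mode == "list") { if (hit) print NR ": " $0 }
            else print (hit ? "#" $0 : $0)
        }' "$2"
}

list_provider_keys() { scan_keys list "$1"; }

# Comment the entries out in place; the original is kept as <file>.bak and the
# file keeps its inode and mode, which sshd checks under StrictModes.
deactivate_provider_keys() {
    cp -p "$1" "$1.bak" || return 1
    scan_keys comment "$1.bak" > "$1"
}

# Print uncommented crontab lines that still invoke the RTM binary.
list_rtm_cron() { grep -n '^[^#]*/usr/local/rtm/bin/rtm' "$1"; }

# Constructed sample files; the key material is placeholder text, not real keys.
make_sample() {
    cat > "$1/authorized_keys2" <<'EOF'
from="213.186.50.100" ssh-rsa AAAA-CONSTRUCTED-1 provider
from="::ffff:213.186.50.100" ssh-rsa AAAA-CONSTRUCTED-2 provider
ssh-ed25519 AAAA-CONSTRUCTED-3 admin@laptop
EOF
    cat > "$1/crontab" <<'EOF'
17 * * * * root run-parts /etc/cron.hourly
*/1 * * * * root /usr/local/rtm/bin/rtm 20 > /dev/null 2> /dev/null
EOF
}

demo() {
    d=$(mktemp -d) && make_sample "$d"
    list_provider_keys "$d/authorized_keys2"
    deactivate_provider_keys "$d/authorized_keys2"
    list_rtm_cron "$d/crontab"
    rm -rf "$d"
}
demo
```

Commenting the lines out rather than deleting them leaves the entries easy to restore, and the admin's own key line is passed through untouched.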


  3. #2

    Join Date
    Mar 2012
    Posts
    2

    Default

    This is very useful information. Thank you so much for that.
    I was considering a Kimsufi test box. Thanks to you (and the original poster) now I know what to do after my first login as root.

  4. #3
    aspects
    PotUK Recruiter

    Join Date
    Mar 2012
    Location
    Malvern, UK
    Posts
    72

    Default

    In fairness though, although you can remove SSH access from OVH, they do own the server and have carte blanche over it if they so choose; they can and do do sweeps of HDs and bandwidth as well as DPI on the traffic, and there's not a lot that can be done about that :/
    Himanlickman likes this.

  5. #4

    Join Date
    Dec 2011
    Posts
    83

    Default

    Quote: Originally posted by aspects
    In fairness though, although you can remove SSH access from OVH, they do own the server and have carte blanche over it if they so choose; they can and do do sweeps of HDs and bandwidth as well as DPI on the traffic, and there's not a lot that can be done about that :/

    Exactly. It's sort of like complaining that your apartment manager has a copy of your key. Obviously he owns the building, so if he really wanted to he could just break down the door anyway.

    I think in the EU there are laws about customer data when it comes to internet though. The SSH access they have is probably only used when you ask them to help, as it's possibly illegal for them to spy on your box, but I'm not sure.

  6. #5

    Join Date
    Jan 2012
    Location
    United States
    Posts
    234

    Default

    Just because I think if you are going to do this you should do this the RIGHT way, aka the way to not get OVH peeved at you.

    OVH : InstallOvhKey

    Look on the bottom of that link and they tell you exactly how to deactivate their SSH keys. There have been instances where actual removal of the keys will end up resulting in box suspension, but deactivation alone is obviously okay since they tell you how to do it :P
    GreenSeeder likes this.

  7. #6

    Join Date
    Sep 2011
    Posts
    217

    Default

    But is this allowed or not, as I don't wanna be on the receiving end of a bad email or, worse, confiscation of the server?

  8. #7

    Join Date
    Jan 2012
    Location
    United States
    Posts
    234

    Default

    Quote: Originally posted by yorkshire
    But is this allowed or not, as I don't wanna be on the receiving end of a bad email or, worse, confiscation of the server?

    Allowed :)

  9. #8

    Join Date
    Jun 2011
    Posts
    5,599
    Blog Entries
    1

    Default

    There has been confusion about this in the past. OVH strongly discourages it, but it is permitted. And if it was my server, I'd certainly be removing their keys. It bolsters your security somewhat, the downside of which is that it would be harder for them to help you directly if you wanted them to manage or configure something on the server for you.

    The main reason that OVH would get upset, apart from non-payment, is if your server gets hacked. So you should make a best effort to have good security in place.

    DarkSlider likes this.
    Fortune and love favour the brave .-. Ovid ....

  10. #9

    Join Date
    Oct 2011
    Posts
    174

    Default

    Out of curiosity, does this backdoor access/removal apply to OVH-based seedboxes that you get from resellers? Or do most seedbox providers take care of this before reselling?

  11. #10

    Join Date
    Dec 2010
    Posts
    29

    Default

    In my experience almost everyone leaves this in, as do I. It is OVH's stated policy to not ssh in unless there is a problem and as a box admin you can see if they ever do. By disabling this you are also removing OVH's ability to put you into rescue mode in case you get hacked or something goes haywire. I have never had them go into my box without permission and would flip the ... out if they did.
