Table of Contents

Security issues

Account Access

While investigating a security issue it was found that the attacker created an account named “benr”.

Joyent employees will not create accounts in your container! In the event that we for some reason were required to while fixing a problem we would remove it when we were complete.

When we log into your container for some reason, which we rarely do, we use a back-end method (zlogin) and you'll notice it in your last log like this: 

$ last | more
root      pts/15       zone:global      Mon Dec  4 12:34   still logged in
root      pts/15       zone:global      Mon Dec  4 11:45 - 12:17  (00:32)
root      pts/15       zone:global      Mon Dec  4 11:03 - 11:10  (00:07)

So if you see “zone:global” instead of an IP address in the last log, thats us logging into your container to either check something we think might be out of whack or answering a ticket or something. If you see a new mysterious account for “benr”, “shane”, “jason”, or other Joyent/TextDrive names something is very wrong and you should report it immediately. Remember, script kiddies can read forums too.

What to do

On a related note, please keep check your container from time to time for security violations. Rotating your passwords on a regular basis is a good idea and never create weak passwords. Shut down services you don't need so that they aren't a target for hackers. Do not expect us to report security violations to you! In this case I got lucky and stumbled across the container while doing a routine systems check before answering a customer ticket, an attack script was pegging a CPU and looked suspicious… but this is not the expected norm.