Cloudatcost, the canadian cheap & flat cloud VPS provider (partner of @Fibernetics ships a backdoor user (“wikus”) with shell and password set on their Debian 8 x86_64 images.


I found this β€œeaster egg” on 21th January 2016 by a routine check on system integrity after I created a new Debian instance using my cloudatcost account.Please note that ALL Debian 8 instances created on Cloudatcost with such image are, by default, also listening on ssh standard port for such user.I tried to contact them a week ago but it seems they do not care.Β 

  • 05/02/2016 UPDATE *
    I’ve got sort of a response on this topic in a ticket regarding failed Debian 8 builds.

Am I Satisfied? Not really.