Search found 8 matches
- Thu Apr 12, 2018 5:26 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
As far as I can tell, for that vulnerability to be exploited, you need to be logged into RoundCube.
Moreover, the traces will be visible in the web server access log, since command are injected into the query string.
- Thu Apr 12, 2018 12:52 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
Maybe, through /api/, he just ''altered'' roundcube PHP file, because roundcube is on known path (/usr/share/roundcube/) If so, this means that VestaCP has a tremendous security hole, which allows an intruder to bypass all sanity checks and change an arbitrary file in the system. Then he gets in vi...
- Tue Apr 10, 2018 8:47 am
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
MiguelVESTACP wrote: ↑Tue Apr 10, 2018 7:52 amTHanks @wildwolf
How to chmood /var/log/httpd
drwx------ 2
Best Regards
Code: Select all
chmod 0700 /var/log/httpd
- Tue Apr 10, 2018 7:29 am
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
I dont know if my server is hacked but now i have this problem at least 3 days Failed to create subdirectories: /var/log/httpd/20180410/20180410-0243 Can someone tell me what is attributes for the folders in centos ? "var/log/httpd" "var/log" # ls -lhad /var/log drwxr-xr-x. 18 root root 4.0K кві 9 ...
- Mon Apr 09, 2018 5:31 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
AS of speculation in regards to REPO, vesta staff has CHECKED the repo and repo is SAFE. It is safe now, but was it safe several days ago? Those who run CentOS and have auditd installed, you can run aureport -x to see what commands were run bu the server (does NOT show commands run by root unless a...
- Mon Apr 09, 2018 5:26 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April. As far as I can tell, Vesta tries to update itself automatically. # crontab -l -u admin MAILTO=email@hidden CONTENT_TYPE="text/pl...
- Mon Apr 09, 2018 5:22 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
- Mon Apr 09, 2018 9:59 am
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 1088541
Re: Got 10 VestaCP servers exploited
Judging by audit.log's I have from several infected servers, it seems to me that it is not VestaCP that was compromised but its repository / repositories. For example, # ausearch -m USER_CMD -i | grep -v -- '----' | awk '{print $10}' | sort -u cmd=-bash cmd=/usr/local/vesta/bin/v-add-firewall-rule c...