Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Sun Apr 08, 2018 11:25 am
sandy, can you check [email protected]?
I'm waiting for more than 20 minutes.
I sent you access to the hacked server.
serghey is not online so he can't look into it.
Can anyone from vesta look into it? The disk is mounted, it's in rescue mode.

Sorry, I'm not from vesta, I'm from elsewhere.
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
Damn, I mistook you for this other member.
Re: Got 10 VestaCP servers exploited
A bit more info:
My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 at 16:25:00.
I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time, on 04.04.2018 at 16:24:56.
In the SQL dump of the "session" table from the "roundcube" database I found a new session at the same time:
Code:
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
But interestingly, the same IP address figured in another session from 2018-03-24 23:02:01:
Code:
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
All other tables in the "roundcube" database were empty (since I do not use Roundcube).
I installed Vesta on the new server on 24.03.2018 at 0:00:51, so the bot detected it in less than a day.
Last edited by StudioMaX on Sun Apr 08, 2018 11:57 am, edited 1 time in total.
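To see what the two quoted `session` rows actually record, here is an added example (not code from the post, from VestaCP or from Roundcube) that base64-decodes the `vars` column and parses PHP's session serialization (name|serialize()d value, repeated). Roundcube stores the PHP session this way in its `session` table; the `AUTH_KEYS` names are an assumption about which keys a logged-in Roundcube session carries, since neither quoted row contains them.

```python
import base64
from typing import Any, Dict, Tuple

# The two rows of roundcube's `session` table quoted in the thread (sess_id, changed, ip, vars).
# Only this data comes from the post; the decoder below is an added example.
SESSION_ROWS = [
    ("ajhkl541vskuji31ss3tadl7gc", "2018-04-04 16:24:54", "119.82.29.17",
     "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs="),
    ("1a6f1ft5oo732eju8p6mldlag1", "2018-03-24 23:02:01", "119.82.29.17",
     "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs="),
]

# Keys Roundcube puts into the session once a login succeeds (assumption about
# Roundcube's session layout; neither row in the thread contains them).
AUTH_KEYS = ("user_id", "username")


def _parse_value(data: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one PHP serialize() value at data[pos]; return (value, position after it).
    Handles the scalar types plus arrays, which is all a session normally contains."""
    t = data[pos:pos + 1]
    if t == b"N":                                  # N;
        return None, pos + 2
    if t in (b"b", b"i", b"d"):                    # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        value = raw == "1" if t == b"b" else int(raw) if t == b"i" else float(raw)
        return value, end + 1
    if t == b"s":                                  # s:<len>:"...";  len is a BYTE count
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        value = data[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2           # skip ";
    if t == b"a":                                  # a:<count>:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip :{
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            items[key], pos = _parse_value(data, pos)
        return items, pos + 1                      # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


def parse_php_session(blob: bytes) -> Dict[str, Any]:
    """Parse PHP's default session encoding: name|value name|value ... (no separators)."""
    session: Dict[str, Any] = {}
    pos = 0
    while pos < len(blob):
        bar = blob.index(b"|", pos)
        name = blob[pos:bar].decode()
        session[name], pos = _parse_value(blob, bar + 1)
    return session


def decode_roundcube_vars(vars_b64: str) -> Dict[str, Any]:
    """Roundcube keeps the serialized PHP session base64-encoded in session.vars."""
    return parse_php_session(base64.b64decode(vars_b64))


def summarize(row: Tuple[str, str, str, str]) -> Dict[str, Any]:
    """What a session row tells an investigator: which Roundcube task the client
    was in and whether the session ever carried an authenticated user."""
    sess_id, changed, ip, vars_b64 = row
    s = decode_roundcube_vars(vars_b64)
    return {
        "sess_id": sess_id, "changed": changed, "ip": ip,
        "task": s.get("task"), "temp": s.get("temp"),
        "authenticated": any(k in s for k in AUTH_KEYS),
        "keys": sorted(s),
    }


if __name__ == "__main__":
    for row in SESSION_ROWS:
        print(summarize(row))
```

Both rows decode to `temp=True`, `task="login"`, a language and a 32-character `request_token` (the login form's CSRF token), and nothing else: the client from 119.82.29.17 loaded the Roundcube login page on 24.03 and again on 04.04, and no authenticated user is recorded in these rows. That fits a scanner probing the host, but by itself it does not show how the server was compromised; the timestamp correlation with gcc.sh is the stronger lead.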
Re: Got 10 VestaCP servers exploited
Was the vesta service stopped when the new server got breached?
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Sun Apr 08, 2018 11:56 am
Was the vesta service stopped when the new server got breached?

No, but the server hangs because of the outbound DDoS.
Re: Got 10 VestaCP servers exploited
Hey, yes, you are right: the editing time of the roundcube session file corresponds with /etc/init.d/update.
Re: Got 10 VestaCP servers exploited
Hi, I just sent read-only FTP access to [email protected].
My server is on OVH and it's in rescue64-ftp mode. I haven't contacted them yet. Has anyone been able to reactivate their server on OVH? I am still waiting to get to the bottom of the issue, so that when I contact them I know the exact details of the issue.
Re: Got 10 VestaCP servers exploited
Hey, here are the affected files in that time range, see:
Re: Got 10 VestaCP servers exploited
ivcha92 wrote: ↑Sun Apr 08, 2018 11:59 am
Hi, I just sent read-only FTP access to [email protected].
My server is on OVH and it's in rescue64-ftp mode. I haven't contacted them yet. Has anyone been able to reactivate their server on OVH? I am still waiting to get to the bottom of the issue, so that when I contact them I know the exact details of the issue.

The only way is to back up your data and reinstall the server OS.
Re: Got 10 VestaCP servers exploited
Also I have good news: I binary-compared all the files in two backups of the whole server, one from 03-04-2018 (before the infection), the other from 07-04-2018. It seems that this exploit did not modify any system files, but only created these:
Code:
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update
But in any case, if your server was infected, you will need to reinstall it.
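The two forensic steps used in this thread, listing files touched in the time window around gcc.sh (lukapaunovic's "affected files in that time range") and binary-comparing a pre- and post-infection backup (StudioMaX's post above), are shown here as an added example. This is not code from the thread or from VestaCP; the only data taken from the thread is the list of created paths and the 04.04.2018 16:25 timestamp. The "backups" are constructed in a temporary directory as a stand-in for two mounted backup trees, and the file contents are placeholders, not the real dropped files.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from typing import Dict, List, Tuple

# The only data taken from the thread: the paths StudioMaX reports as created.
REPORTED_NEW_FILES = [
    "etc/cron.hourly/gcc.sh",
    "etc/rc.d/init.d/update",
    "etc/rc.d/rc1.d/S90update",
    "etc/rc.d/rc2.d/S90update",
    "etc/rc.d/rc3.d/S90update",
    "etc/rc.d/rc4.d/S90update",
    "etc/rc.d/rc5.d/S90update",
    "usr/lib/libudev.so",
    "tmp/update",
]
# Window around the timestamps reported in the thread (16:24:56 .. 16:25:00 on 04.04.2018).
REPORTED_WINDOW = (datetime(2018, 4, 4, 16, 20), datetime(2018, 4, 4, 16, 30))


def fingerprint(path: str) -> str:
    """SHA-256 of a regular file; for a symlink, its target (rc*.d entries are usually symlinks)."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its fingerprint."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = fingerprint(full)
    return out


def diff_trees(before: str, after: str) -> Dict[str, List[str]]:
    """Binary-compare two mounted backups: what was created, deleted or changed."""
    b, a = snapshot(before), snapshot(after)
    return {
        "created": sorted(set(a) - set(b)),
        "deleted": sorted(set(b) - set(a)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def files_modified_between(root: str, start: datetime, end: datetime) -> List[str]:
    """Files whose mtime falls in [start, end]; lstat so a symlink reports its own time."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if lo <= os.lstat(full).st_mtime <= hi:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def _write(root: str, rel: str, content: bytes, mtime: float) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)
    os.utime(full, (mtime, mtime))


def build_demo_trees(tamper_system_file: bool = False) -> Tuple[str, str]:
    """Constructed stand-in for the two backups (not real data): 'before' is clean,
    'after' additionally holds the reported files, timestamped at the reported time.
    With tamper_system_file=True one pre-existing file is also altered in 'after'."""
    base = tempfile.mkdtemp(prefix="vesta-backup-demo-")
    before, after = os.path.join(base, "before"), os.path.join(base, "after")
    infection = datetime(2018, 4, 4, 16, 25, 0).timestamp()
    clean = {"etc/hostname": b"web1\n", "etc/cron.hourly/0anacron": b"#!/bin/sh\n",
             "usr/lib/libc.so.6": b"\x7fELF clean placeholder"}
    for root in (before, after):
        for rel, content in clean.items():
            _write(root, rel, content, infection - 5 * 86400)
    for rel in REPORTED_NEW_FILES:
        _write(after, rel, b"#!/bin/sh\n# constructed placeholder for the dropped file\n", infection)
    if tamper_system_file:
        _write(after, "etc/hostname", b"pwned\n", infection)
    return before, after


if __name__ == "__main__":
    before, after = build_demo_trees()
    print(diff_trees(before, after))
    print(files_modified_between(after, *REPORTED_WINDOW))
```

Run it against two mounted backups by calling `diff_trees("/mnt/backup-0304", "/mnt/backup-0407")` instead of the demo trees. The mtime scan is the quick first pass while the disk is in rescue mode, but an attacker can reset mtimes (touch -r), so the content comparison against a known-good backup is the check to trust; a hash mismatch on a library such as libudev.so would show up in "modified", a dropped file in "created".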