Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Don't aim at Roundcube as the exploit. I don't have Roundcube on my servers, not even phpMyAdmin; I disabled and deleted them and still got hacked.
Re: Got 10 VestaCP servers exploited
Can you check what version of Roundcube that is on the system?
Re: Got 10 VestaCP servers exploited
I've got a bunch of strangely named files here created on April 3rd and 4th
Re: Got 10 VestaCP servers exploited
Are you suspecting that file S90update is the culprit?

StudioMaX wrote: Sun Apr 08, 2018 12:06 pm
Also I have good news: I binary compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these:

/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update

But in any case, if your server was infected, you will need to reinstall it.

What are the contents of that S90update file?
Re: Got 10 VestaCP servers exploited
On my installation I had the latest version - 1.3.5
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
Its content:
#!/bin/sh
# chkconfig: 12345 90 90
# description: update
### BEGIN INIT INFO
# Provides: update
# Required-Start:
# Required-Stop:
# Default-Start: 1 2 3 4 5
# Default-Stop:
# Short-Description: update
### END INIT INFO
case $1 in
start)
/tmp/update
;;
stop)
;;
*)
/tmp/update
;;
esac
Last edited by StudioMaX on Sun Apr 08, 2018 12:13 pm, edited 1 time in total.
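A defender-side check built from the file list and the S90update script above, added here as an example and not taken from the thread or the VestaCP project. It takes the root of the live system or of a mounted rescue image (as the poster is doing) and reports the listed paths plus any rc/init script that executes something from /tmp; /usr/lib/libudev.so is a lookalike of a legitimate library name, so treat that hit as a prompt to inspect rather than proof on its own.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a filesystem root for the
# artefacts reported in the thread and for the persistence pattern shown in
# S90update (an init script that runs a binary out of /tmp).

# Paths the thread reports as created by the intrusion.
IOC_PATHS="etc/cron.hourly/gcc.sh
etc/rc.d/init.d/update
etc/rc.d/rc1.d/S90update
etc/rc.d/rc2.d/S90update
etc/rc.d/rc3.d/S90update
etc/rc.d/rc4.d/S90update
etc/rc.d/rc5.d/S90update
usr/lib/libudev.so
tmp/update"

# check_iocs ROOT: prints each finding to stderr and the total hit count to
# stdout. ROOT defaults to / (live system) but can be a mounted rescue image.
check_iocs() {
  root="${1:-/}"
  hits=0
  for p in $IOC_PATHS; do
    if [ -e "$root/$p" ]; then
      echo "IOC present: $root/$p" >&2
      hits=$((hits + 1))
    fi
  done
  # Generic check: any rc/init script with a line that starts by executing
  # something under /tmp, like the "/tmp/update" lines in S90update.
  for f in "$root"/etc/rc.d/rc?.d/* "$root"/etc/init.d/*; do
    [ -f "$f" ] || continue
    if grep -qE '^[[:space:]]*/tmp/' "$f" 2>/dev/null; then
      echo "init script executes from /tmp: $f" >&2
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# Usage: sh check_vesta_iocs.sh /mnt/rescue   (last line printed is the hit count)
case "${1:-}" in
  "") ;;
  *) check_iocs "$1" ;;
esac
```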
Re: Got 10 VestaCP servers exploited
1.35 version
Re: Got 10 VestaCP servers exploited
Do you mean you manually deleted already installed applications? Because Roundcube is installed automatically if you install exim and mysql; it cannot be turned off when setting up Vesta.
Look here: https://github.com/serghey-rodin/vesta/ ... l.sh#L1201
Re: Got 10 VestaCP servers exploited
Then I think we can eliminate the theory that Roundcube is the fault here.
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
One of my VPSes at OVH got exploited this morning. I reinstalled the OS and restored all accounts from my remote backup. I'm now monitoring any change in /etc with inotify. From the information I read here, it seems that all the created executables had to be made with root access. The exploit has to be more than just bugs in Roundcube, which runs under the www-data user. My speculation.
Re: Got 10 VestaCP servers exploited
I'm cheering that it's not Roundcube, because another server didn't get hacked again with Vesta disabled. I'm still keeping this hacked server mounted in rescue until serghey is back. I truly hope he will be back; my client is insisting on putting the sites back up.