Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
StudioMaX wrote: ↑Sun Apr 08, 2018 11:54 am
> A bit more info:
> My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00.
> I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time, on 04.04.2018 16:24:56.
> In the SQL dump of this "session" table from the "roundcube" database I found a new session at the same time. 119.82.29.17 looks like the attacker's or bot's IP:
> Code:
> INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
> But what is interesting is that the same IP address figured in another session from 2018-03-24 23:02:01:
> Code:
> INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
> All other tables in the "roundcube" database were empty (since I do not use Roundcube).
> I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.
Can confirm access from that IP the same day the gcc.sh file appeared, with a HEAD request to /webmail/.
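As an added example (not code from the thread, nor from VestaCP or Roundcube), the following Python script applies the analysis StudioMaX describes to the two session rows quoted above: it decodes the base64 `vars` column (PHP session serialisation), summarises sessions per source IP, and lists the sessions that fall just before the gcc.sh modification time. The two INSERT rows and the 04.04.2018 16:25:00 mtime are copied from the post; the two-minute correlation window and the scalar-only PHP decoder are my own assumptions.

```python
# Added example (not from the thread): triage Roundcube session rows from a
# SQL dump against the modification time of a suspicious file.
# The INSERT rows and the gcc.sh mtime are copied from the post; the
# 2-minute window and the scalar-only PHP decoder are my own assumptions.
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two rows quoted in the post (SQL dump excerpt).
SQL_DUMP = """
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
"""

ROW_RE = re.compile(r"VALUES \('([^']*)', '([^']*)', '([^']*)', '([^']*)'\)")
TIME_FMT = '%Y-%m-%d %H:%M:%S'


def _read_value(data, pos):
    """Parse one PHP-serialised scalar at `pos`; return (value, next_pos).
    Handles N; b:<0|1>; i:<int>; s:<len>:"<bytes>"; which is all a Roundcube
    login-page session contains. Arrays are not needed here and raise."""
    t = data[pos]
    if t == 'N':
        return None, pos + 2
    if t in 'bi':
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        return (raw == '1') if t == 'b' else int(raw), end + 1
    if t == 's':
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])      # PHP counts bytes, not characters
        start = colon + 2                      # skip :"
        raw = data[start:start + length]
        return raw.encode('latin-1').decode('utf-8', 'replace'), start + length + 2
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


def parse_php_session(blob: bytes) -> dict:
    """Decode PHP session serialisation: key|<serialised value>, repeated."""
    data = blob.decode('latin-1')              # one char per byte keeps offsets exact
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index('|', pos)
        key = data[pos:bar]
        value, pos = _read_value(data, bar + 1)
        out[key] = value
    return out


def load_sessions(dump: str) -> list:
    """Pull (sess_id, changed, ip, decoded vars) out of the INSERT rows."""
    rows = []
    for sess_id, changed, ip, vars_b64 in ROW_RE.findall(dump):
        rows.append({
            'sess_id': sess_id,
            'changed': datetime.strptime(changed, TIME_FMT),
            'ip': ip,
            'vars': parse_php_session(base64.b64decode(vars_b64)),
        })
    return rows


def summarize_by_ip(rows) -> dict:
    """Per source IP: session count, first/last seen, Roundcube 'task' values.
    A task that never leaves 'login' means the login page was requested but no
    authenticated webmail session was ever established."""
    by_ip = defaultdict(lambda: {'count': 0, 'first': None, 'last': None, 'tasks': set()})
    for r in rows:
        s = by_ip[r['ip']]
        s['count'] += 1
        s['first'] = r['changed'] if s['first'] is None else min(s['first'], r['changed'])
        s['last'] = r['changed'] if s['last'] is None else max(s['last'], r['changed'])
        s['tasks'].add(r['vars'].get('task'))
    return dict(by_ip)


def sessions_near(rows, artifact_time, window=timedelta(minutes=2)) -> list:
    """Sessions whose 'changed' time falls within `window` before the artifact
    (here the cron file's mtime): candidates for the request that preceded it."""
    if isinstance(artifact_time, str):
        artifact_time = datetime.strptime(artifact_time, TIME_FMT)
    return [r for r in rows if timedelta(0) <= artifact_time - r['changed'] <= window]


if __name__ == '__main__':
    sessions = load_sessions(SQL_DUMP)
    for ip, s in summarize_by_ip(sessions).items():
        tasks = sorted(t or '<none>' for t in s['tasks'])
        print(f"{ip}: {s['count']} sessions, {s['first']} .. {s['last']}, tasks={tasks}")
    gcc_sh_mtime = '2018-04-04 16:25:00'      # mtime of /etc/cron.hourly/gcc.sh from the post
    for r in sessions_near(sessions, gcc_sh_mtime):
        print(f"session {r['sess_id']} from {r['ip']} changed shortly before gcc.sh mtime")
```

Run against a full `mysqldump roundcube session` file by replacing `SQL_DUMP` with its contents; the per-IP summary separates one-off scanners from an address that keeps coming back, and the window check narrows the rows worth matching against web server access logs for the same second.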
Re: Got 10 VestaCP servers exploited
crackerizer wrote: ↑Sun Apr 08, 2018 12:21 pm
> One of my VPS at OVH got exploited this morning. I did reinstall the OS and restored all accounts from my remote backup. I'm now monitoring any change in /etc with inotify. From the information I read here, it seems like all created executables have to be done with root access. The exploit has to be more than just bugs in Roundcube, which is run under the www-data user. My speculation.
Perfectly agree with you, it's not Roundcube, it's Vesta core files which are used to do root tasks.
Last edited by sandy on Sun Apr 08, 2018 12:25 pm, edited 1 time in total.
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Sun Apr 08, 2018 12:22 pm
> I'm cheering it's not Roundcube cuz another server didn't get hacked again with disabled Vesta. I'm still keeping this hacked server mounted in rescue until sergehey is back. I truly hope he will be back; my client is insisting on putting sites back up.
Mine isn't hacked either and I've been running VestaCP enabled all the time since this was discovered. Seems like certain IP ranges may have been targeted more than others this time around.
Re: Got 10 VestaCP servers exploited
Then why was "/tmp/update" launched from the working directory of Roundcube?
Code:
[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
update 985 root 69r FIFO 0,8 0t0 188493315 pipe
update 985 root 70w FIFO 0,8 0t0 188493315 pipe
update 985 root 71r FIFO 0,8 0t0 188493316 pipe
update 985 root 72w FIFO 0,8 0t0 188493316 pipe
update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom
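The lsof listing above carries several signals a responder would check mechanically rather than by eye. As an added example (not from the thread or from VestaCP), this Python script parses `lsof -p` output, here the sample copied from the post, and flags an executable under a temp directory, a root process whose working directory is a web application directory, network sockets held by such a binary, and standard streams all detached to /dev/null. The temp-directory and web-root lists are my own defaults, not anything VestaCP-specific, and the findings are triage hints rather than proof of compromise.

```python
# Added example (not from the thread): flag suspicious properties in
# `lsof -p <pid>` output. SAMPLE_LSOF is copied from the post; TEMP_DIRS and
# WEB_DIRS are my own defaults (assumption), not VestaCP paths.
import sys
from collections import namedtuple

SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
update 985 root 69r FIFO 0,8 0t0 188493315 pipe
update 985 root 70w FIFO 0,8 0t0 188493315 pipe
update 985 root 71r FIFO 0,8 0t0 188493316 pipe
update 985 root 72w FIFO 0,8 0t0 188493316 pipe
update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom
"""

OpenFile = namedtuple('OpenFile', 'command pid user fd type device size node name')

# Assumed defaults: world-writable scratch dirs and web application roots.
TEMP_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')
WEB_DIRS = ('/usr/share/roundcubemail/', '/var/www/', '/home/')


def parse_lsof(text: str) -> list:
    """Split lsof's 9-column table; NAME may contain spaces, so split at most 8 times."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('COMMAND'):
            continue
        parts = line.split(None, 8)
        if len(parts) != 9:
            continue          # some lsof builds omit SIZE/OFF; skip rather than misalign
        rows.append(OpenFile(*parts))
    return rows


def _under(path: str, dirs) -> bool:
    return any((path.rstrip('/') + '/').startswith(d) for d in dirs)


def triage(rows) -> list:
    """Return (pid, finding) pairs, one per suspicious property per process."""
    findings = []
    by_pid = {}
    for r in rows:
        by_pid.setdefault(r.pid, []).append(r)
    for pid, files in by_pid.items():
        user = files[0].user
        exe = next((f.name for f in files if f.fd == 'txt'), None)
        cwd = next((f.name for f in files if f.fd == 'cwd'), None)
        if exe and _under(exe, TEMP_DIRS):
            findings.append((pid, f"executable {exe} lives in a world-writable temp directory"))
        if cwd and user == 'root' and _under(cwd, WEB_DIRS):
            findings.append((pid, f"runs as root with cwd {cwd} (web application directory)"))
        sockets = [f for f in files if f.type in ('IPv4', 'IPv6')]
        if sockets and exe and _under(exe, TEMP_DIRS):
            endpoints = ', '.join(f"{f.node} {f.name}" for f in sockets)
            findings.append((pid, f"temp-dir binary holds network sockets: {endpoints}"))
        detached = [f for f in files if f.fd in ('0u', '1u', '2u') and f.name == '/dev/null']
        if len(detached) == 3:
            findings.append((pid, "stdin/stdout/stderr all on /dev/null (detached daemon)"))
    return findings


if __name__ == '__main__':
    # Pipe real output in (`lsof -p 985 | python3 triage.py`) or use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for pid, finding in triage(parse_lsof(text)):
        print(f"PID {pid}: {finding}")
```

Two of the four findings (executable in /tmp and a root process working out of the Roundcube directory) are exactly what the listing shows; collecting them as data rather than reading them off the screen lets the same check run over `lsof -n` for every process before anything on the box is rebuilt.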
Re: Got 10 VestaCP servers exploited
Prime wrote: ↑Sun Apr 08, 2018 12:24 pm
> lukapaunovic wrote: ↑Sun Apr 08, 2018 12:22 pm
>> I'm cheering it's not Roundcube cuz another server didn't get hacked again with disabled Vesta. I'm still keeping this hacked server mounted in rescue until sergehey is back. I truly hope he will be back; my client is insisting on putting sites back up.
> Mine isn't hacked either and I've been running VestaCP enabled all the time since this was discovered. Seems like certain IP ranges may have been targeted more than others this time around.
Yes, on the same sub-nets, agree with you.
Re: Got 10 VestaCP servers exploited
FYI, I have stopped VestaCP service on all of my VPSes at the moment.
Re: Got 10 VestaCP servers exploited
StudioMaX wrote: ↑Sun Apr 08, 2018 12:24 pm
> Then why was "/tmp/update" launched from the working directory of Roundcube?
> Code:
> [root@mail /]# lsof -p 985
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
> update 985 root rtd DIR 182,178001 4096 2 /
> update 985 root txt REG 182,178001 625611 659895 /tmp/update
> update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
> update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
> update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
> update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
> update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
> update 985 root 69r FIFO 0,8 0t0 188493315 pipe
> update 985 root 70w FIFO 0,8 0t0 188493315 pipe
> update 985 root 71r FIFO 0,8 0t0 188493316 pipe
> update 985 root 72w FIFO 0,8 0t0 188493316 pipe
> update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom
You should understand, your server is hacked and the hacked processes have gained root access.
Re: Got 10 VestaCP servers exploited
sandy wrote: ↑Sun Apr 08, 2018 12:25 pm
> Prime wrote: ↑Sun Apr 08, 2018 12:24 pm
>> lukapaunovic wrote: ↑Sun Apr 08, 2018 12:22 pm
>>> I'm cheering it's not Roundcube cuz another server didn't get hacked again with disabled Vesta. I'm still keeping this hacked server mounted in rescue until sergehey is back. I truly hope he will be back; my client is insisting on putting sites back up.
>> Mine isn't hacked either and I've been running VestaCP enabled all the time since this was discovered. Seems like certain IP ranges may have been targeted more than others this time around.
> Yes, on the same sub-nets, agree with you.
That means if one Vesta server is hacked, then all VestaCP users/servers on the same network will also get hacked. This is the worst exploit ever.
Re: Got 10 VestaCP servers exploited
Does anyone have any idea what I can perform on this hacked server to find the attack source? I tried everything, I can't pinpoint it.
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Sun Apr 08, 2018 12:34 pm
> Does anyone have any idea what I can perform on this hacked server to find the attack source? I tried everything, I can't pinpoint it.
You can monitor suspicious processes running via this command; these processes can usually be found at the end/bottom:
Code:
top -c