Got 10 VestaCP servers exploited
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
Okay, but log in to it from another server in screen and tail the log. Ok?
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
Up and running. Fingers crossed!
Re: Got 10 VestaCP servers exploited
while writing my post above, I missed that. so I quickly grepped for that IP and can confirm, that it appears in my logfiles too with only a single HEAD request to the /webmail URL, just once, no further occurrence after that.

skamasle wrote: Sun Apr 08, 2018 12:22 pm
Can confirm access from that IP the same day the gcc.sh file appeared, with a HEAD request to /webmail/

StudioMaX wrote: Sun Apr 08, 2018 11:54 am
A bit more info:
My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00
I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time on 04.04.2018 16:24:56
In the SQL dump of this "session" table from the "roundcube" database I found a new session at the same time: 119.82.29.17 - looks like the attacker's or a bot's IP

Code:
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');

But what is interesting is that the same IP address appeared in another session from 2018-03-24 23:02:01. All other tables in the "roundcube" database were empty (since I do not use Roundcube).

Code:
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');

I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.

also can confirm, that the timestamps match the creation of the rc files and the /etc/init.d/update script which points to /tmp/update ...
I am still unsure how this exactly relates. a HEAD request should not be malicious at all. but maybe something from the resulting data was needed for the breakin attempt? without log information for the vesta-nginx one can only guess :(
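To see what those two session rows actually record, here is an added Python example (not from the thread or from Roundcube) that base64-decodes Roundcube's `vars` column and parses the PHP session serialization inside it; the input rows are the ones quoted above. Both decode to `task=login` with the `temp` flag set and no `user_id`, i.e. a session created by an unauthenticated visitor who reached the login page; treating a missing `user_id` as "no completed login" relies on Roundcube storing `user_id` in the session once a login succeeds.

```python
import base64
# The two Roundcube `session` rows quoted in StudioMaX's post above, as (sess_id, changed, ip, vars).
SESSION_ROWS = [
    ("ajhkl541vskuji31ss3tadl7gc", "2018-04-04 16:24:54", "119.82.29.17",
     "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs="),
    ("1a6f1ft5oo732eju8p6mldlag1", "2018-03-24 23:02:01", "119.82.29.17",
     "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs="),
]

def _parse(buf, pos):
    """Parse one PHP-serialized value at buf[pos]; return (value, offset after it)."""
    t = buf[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "bid":                                 # b:1;  i:42;  d:1.5;
        end = buf.index(";", pos)
        return {"b": lambda v: v == "1", "i": int, "d": float}[t](buf[pos + 2:end]), end + 1
    if t == "s":                                   # s:<bytelen>:"...";
        colon = buf.index(":", pos + 2)
        length, start = int(buf[pos + 2:colon]), colon + 2
        return buf[start:start + length], start + length + 2
    if t == "a":                                   # a:<n>:{key value key value ...}
        colon = buf.index(":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            out[key], pos = _parse(buf, pos)
        return out, pos + 1
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

def decode_session_vars(b64):
    """Decode Roundcube's base64 `vars` column: PHP session format, `name|<value>` repeated."""
    buf = base64.b64decode(b64).decode("latin-1")  # latin-1 keeps byte offsets == char offsets
    out, pos = {}, 0
    while pos < len(buf):
        bar = buf.index("|", pos)
        name = buf[pos:bar]
        out[name], pos = _parse(buf, bar + 1)
    return out

def triage(rows):
    """Summarise each row: Roundcube task, pre-auth flag, and whether a login ever completed."""
    report = []
    for sess_id, changed, ip, b64 in rows:
        v = decode_session_vars(b64)
        report.append({"sess_id": sess_id, "changed": changed, "ip": ip,
                       "task": v.get("task"), "pre_auth": v.get("temp") is True,
                       "authenticated": "user_id" in v,  # Roundcube sets user_id after a successful login
                       "request_token": v.get("request_token")})
    return report
```

Run `triage(SESSION_ROWS)` to get one summary per row; a session that shows `task=login` and `pre_auth=True` is what any visitor (or a HEAD request) to the webmail URL leaves behind, so it is evidence of contact, not of a successful login.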
Re: Got 10 VestaCP servers exploited
Falzo wrote: Sun Apr 08, 2018 1:16 pm
Since you're assuming that it is from roundcube, can you paste the output of this command:
Code:
stat /usr/share/roundcubemail/*

Code:
stat /path/to/your/roundcube/*
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
Just a few secs after starting Vesta, here is what I got from the log:
My IP address is x.x.x.x
x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /list/user/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:02 -0400] "GET /css/jquery-custom-dialogs.css?1446554103 HTTP/1.1" 200 5833 "https://xxxxxx:8083/login/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) G$
y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:09 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:11 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:12 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:14 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
It seems like this guy is still running the exploit script.
Here is what changed in /etc:
The following change occurred in the file /etc : 08/04/18 09:15 - CREATE /etc/bind/sedMBXndN
The file is deleted afterward though.
There has to be something with the /api/ folder.
Last edited by crackerizer on Sun Apr 08, 2018 2:27 pm, edited 1 time in total.
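The log excerpt above shows a burst of `POST /api/` requests from a curl user agent seconds after the panel came up. As an added Python example (not from the thread or from VestaCP), here is a small detector that parses combined-format access log lines and flags any client that POSTs to `/api/` repeatedly within a short window; the sample lines are constructed to mirror the excerpt (with the same x.x.x.x / y.y.y.y placeholders), and the thresholds and the allowlist of your own scripting hosts are assumptions, not VestaCP defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, as written by the vesta-nginx access log in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample modelled on the excerpt; x.x.x.x / y.y.y.y / z.z.z.z are placeholders.
SAMPLE_LOG = """\
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
z.z.z.z - - [08/Apr/2018:09:20:00 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed or truncated lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def find_api_bursts(text, min_hits=3, window_s=60, allowlist=()):
    """Flag (ip, user-agent) pairs that POST to /api/ at least min_hits times within window_s.
    allowlist: IPs of your own automation that legitimately drives the API (assumed known)."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["path"].startswith("/api") and rec["ip"] not in allowlist:
            hits[(rec["ip"], rec["ua"])].append(rec["ts"])
    alerts = []
    for (ip, ua), times in hits.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over the sorted timestamps
            inside = [t for t in times[i:] if (t - start).total_seconds() <= window_s]
            if len(inside) >= min_hits:
                alerts.append({"ip": ip, "ua": ua, "hits": len(inside),
                               "first": start.isoformat(), "last": inside[-1].isoformat()})
                break                               # one alert per client is enough
    return alerts
```

The `/etc/bind/sedMBXndN` entry in the same post is the temporary file that `sed -i` writes next to the file it edits in place, so a file-integrity or auditd rule on /etc/bind would have caught that step independently of the web log.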
Re: Got 10 VestaCP servers exploited
Just got an email from Vultr that I have hit a bandwidth threshold. Then I saw 3 of my instances have skyrocketing bandwidth usage; 1 has exceeded the allocated value.
2 hours later without any clue what's happening, I looked into vesta forum and saw this thread
Done looking at this thread page for page.
Good news, Not just me.
So I am now patiently waiting for a patch.
What have you guys done so far? I don't see anything about deleting a malicious file or virus yet.
Last edited by pipoy on Sun Apr 08, 2018 1:42 pm, edited 2 times in total.
Re: Got 10 VestaCP servers exploited
*deleted*
Last edited by StudioMaX on Sun Apr 08, 2018 2:33 pm, edited 1 time in total.
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
@StudioMaX
That's what I'm looking for, the how-to. lol
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
I can't believe u had it dude but u didn't enable post logging. Please hurry up.
And when u do let's abuse that ip
Re: Got 10 VestaCP servers exploited
I've noticed some brute force attacks from those Chinese IPs prior to the server being exploited:
2018-04-04 10:15:29 v-add-firewall-chain 'FTP'
2018-04-04 10:15:29 v-add-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 10:25:30 v-delete-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 17:14:20 v-add-firewall-chain 'FTP'
2018-04-04 17:14:20 v-add-firewall-ban '118.250.115.164' 'FTP'
2018-04-04 17:24:20 v-delete-firewall-ban '118.250.115.164' 'FTP'
2018-04-06 13:22:13 v-add-firewall-chain 'FTP'
2018-04-06 13:22:13 v-add-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 13:32:14 v-delete-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 14:39:44 v-add-firewall-chain 'FTP'
2018-04-06 14:39:44 v-add-firewall-ban '60.25.63.148' 'FTP'
2018-04-06 14:49:45 v-delete-firewall-ban '60.25.63.148' 'FTP'
2018-04-07 00:20:01 v-update-user-stats
2018-04-07 00:44:49 v-add-firewall-chain 'FTP'
2018-04-07 00:44:49 v-add-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 00:54:49 v-delete-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 03:40:11 v-add-firewall-chain 'FTP'
2018-04-07 03:40:11 v-add-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 03:50:12 v-delete-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 08:38:56 v-add-firewall-chain 'FTP'
2018-04-07 08:38:56 v-add-firewall-ban '39.71.34.68' 'FTP'
2018-04-07 08:48:56 v-delete-firewall-ban '39.71.34.68' 'FTP'
If there is no need to access your sites from China, it might be a good idea to block the complete IP range in the firewall.