Two servers are hacked today via Vestacp
This afternoon, having just finished my launch, I got an email from my server provider saying that my server is sending an outbound DDoS attack.
Upon investigation I found some suspicious processes running on the server and network usage was maxed out (checked via glances).
I have 7 servers and two of them were running VestaCP (CentOS 7, OpenVZ).
Upon more investigation I finally found these suspicious processes running:
Code:
374491 nginx nginx: worker process
374492 nginx nginx: worker process
374493 nginx nginx: worker process
374494 nginx nginx: worker process
374495 nginx nginx: cache manager process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
504853 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Those two were hacked today; the others are working just like new.
It seems VestaCP has been hit by an exploit. Check your Vesta CP server running on CentOS 7 immediately.
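What stands out in the listing above is not the commands themselves but the mismatch between each process's kernel-side name and what its command line claims: the second column ("qlzdmvoutu", "update") is what the kernel records in /proc/<pid>/comm, the basename of the executable truncated to 15 bytes, while the command line says cat, uptime, top, gnome-terminal or pwd. A binary that rewrites its own argv to look like a shell utility produces exactly that pattern. The script below is an added example, not code from the thread or from the Vesta project; it flags that mismatch, plus the related sign of an executable that was unlinked after it started. The sample listing (copied from the post's format) and the "[exe deleted]" marker are constructed here.

```shell
#!/bin/sh
# Added example: triage a "PID COMM ARGS" listing for processes whose argv[0]
# basename does not agree with comm, or whose executable has been deleted.
# Not from the thread or the Vesta project; SAMPLE below is constructed.

# Read "PID COMM ARGS..." lines on stdin; print one line per finding:
# "PID comm=... argv=... (reason)".
flag_spoofed() {
  awk '
    $1 ~ /^[0-9]+$/ && NF >= 3 {
      pid = $1; comm = $2; argv0 = $3
      args = $0
      sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", args)   # drop PID and COMM
      sub(/^-/, "", argv0)        # login shells:  "-bash"  -> "bash"
      sub(/:$/, "", argv0)        # status titles: "nginx:" -> "nginx"
      sub(/^.*\//, "", argv0)     # paths: "/usr/sbin/httpd" -> "httpd"
      reason = ""
      # comm is capped at 15 bytes, so only that prefix of argv0 can match.
      if (substr(argv0, 1, 15) != comm) reason = "argv0 does not match comm"
      if (args ~ /\[exe deleted\]/)
        reason = reason (reason == "" ? "" : ", ") "executable unlinked"
      if (reason != "") printf "%s comm=%s argv=%s (%s)\n", pid, comm, args, reason
    }'
}

# Live mode: build the same lines from /proc on the host being triaged.
scan_proc() {
  for d in /proc/[0-9]*; do
    comm=$(cat "$d/comm" 2>/dev/null) || continue
    args=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
    [ -n "$args" ] || continue            # kernel threads have no cmdline
    case "$(readlink "$d/exe" 2>/dev/null)" in
      *" (deleted)") args="$args [exe deleted]" ;;   # binary removed after start
    esac
    printf '%s %s %s\n' "${d#/proc/}" "$comm" "$args"
  done | flag_spoofed
}

# Constructed sample in the thread's format (PID COMM ARGS).
SAMPLE='374491 nginx nginx: worker process
374495 nginx nginx: cache manager process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd'

# Number of findings in SAMPLE: the "update" process plus the five "qlzdmvoutu" ones.
count_sample_findings() { printf '%s\n' "$SAMPLE" | flag_spoofed | grep -c '^'; }

if [ "${1:-}" = "--live" ]; then scan_proc; else printf '%s\n' "$SAMPLE" | flag_spoofed; fi
```

Run it with `--live` on the suspect host to read /proc directly. Treat a hit as a lead, not a verdict: interpreted scripts (comm is the script name, argv[0] is the interpreter) and daemons that legitimately retitle themselves will also show up, and a rootkit that hooks the process listing can hide from both `ps` and this scan, so on a box that is already known to be compromised the disk image is the more reliable evidence.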
Re: Two servers are hacked today via Vestacp
Those who are not hacked yet: for now, stop the vesta service:
Code:
service vesta stop
Re: Two servers are hacked today via Vestacp
I think stopping vesta is too much of an over-reaction!
Just harden the firewall rules (iptables/security group/router/other), Netflix and chill.
Re: Two servers are hacked today via Vestacp
Not everyone will have a sophisticated firewall like yours.
Re: Two servers are hacked today via Vestacp
This happened on Debian 8.1 as well, so I doubt it's OS dependent.
I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended, and backed up my shit.
In the meantime I was trying to reinstall the server so I could get on with my life, but it seems Vesta's developer removed the Vesta packages from the repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
Re: Two servers are hacked today via Vestacp
really wrote: ↑Mon Apr 09, 2018 4:39 am
> This happened on Debian 8.1 as well, so I doubt it's OS dependent.
> I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended, and backed up my shit.
> In the meantime I was trying to reinstall the server so I could get on with my life, but it seems Vesta's developer removed the Vesta packages from the repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
See the top alert? The team has released a security fix, build 20.
Re: Two servers are hacked today via Vestacp
really wrote: ↑Mon Apr 09, 2018 4:39 am
> This happened on Debian 8.1 as well, so I doubt it's OS dependent.
> I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended, and backed up my shit.
> In the meantime I was trying to reinstall the server so I could get on with my life, but it seems Vesta's developer removed the Vesta packages from the repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
After installation, stop the vesta service or change the port to something else.
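The quarantine described by "really" (iptables in DROP mode, traffic only to one admin IP, a lower conntrack ceiling) and the "stop the service or change the port" advice in the last reply amount to one rule set. The script below is an added example, not from the thread or from the Vesta project: it emits a default-DROP iptables table in both directions that admits only the admin's address, so the compromised host can still be reached for backups but can no longer flood anyone, and can apply it together with the conntrack cap. ADMIN_IP, the SSH port, the panel port (8083, Vesta's default, is an assumption here since the thread does not name it), the conntrack ceiling and the placeholder address 203.0.113.5 are all assumptions to adjust before use.

```shell
#!/bin/sh
# Added example: quarantine rule set for a host that is already sending attack
# traffic. Not from the thread or the Vesta project. Ports, ceiling and the
# placeholder admin address are assumptions.

# Print an iptables-restore file: default DROP in and out, loopback allowed,
# only ADMIN_IP may reach SSH and the panel, only ADMIN_IP may be contacted.
gen_quarantine_rules() {
  admin_ip="$1"; ssh_port="${2:-22}"; panel_port="${3:-8083}"
  # Cheap sanity check so an empty or bogus argument cannot lock everyone out.
  case "$admin_ip" in
    *.*.*.*) ;;
    *) echo "gen_quarantine_rules: need the admin IPv4 address" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $admin_ip -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -s $admin_ip -p tcp --dport $panel_port -j ACCEPT
-A INPUT -s $admin_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $admin_ip -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "quarantine-drop: " --log-uid
COMMIT
EOF
}

# Load the rules atomically, cap the conntrack table, and flush flows the bot
# already had open. Nothing is persisted: a reboot undoes it, which is the
# safe default for an emergency rule set.
apply_quarantine() {
  rules=$(gen_quarantine_rules "$@") || return 1
  printf '%s\n' "$rules" | iptables-restore || return 1
  sysctl -w net.netfilter.nf_conntrack_max=4096 >/dev/null
  if command -v conntrack >/dev/null 2>&1; then conntrack -F; fi
}

case "${1:-}" in
  --apply) shift; apply_quarantine "$@" ;;
  *) gen_quarantine_rules "${1:-203.0.113.5}" ;;   # dry run: print the rule set
esac
```

The LOG rule with `--log-uid` records which UID is generating the dropped outbound packets, which ties the flood back to the account running the fake "cat resolv.conf" processes from the first post. Load an equivalent ip6tables table (or disable IPv6) as well, since this only covers IPv4, and make sure the admin address is static and that you have a provider console as a fallback before applying it.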