Vesta Control Panel - Forum

Community Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts
  • Page 42 of 55
MiguelVESTACP
Posts: 21
Joined: Tue Sep 05, 2017 12:39 pm

Re: Got 10 VestaCP servers exploited

Post by MiguelVESTACP » Tue Apr 10, 2018 7:52 am

Thanks @wildwolf

How to chmod /var/log/httpd
drwx------ 2

Best Regards

MiguelVESTACP
Posts: 21
Joined: Tue Sep 05, 2017 12:39 pm

Re: Got 10 VestaCP servers exploited

Post by MiguelVESTACP » Tue Apr 10, 2018 8:03 am

And what are the attributes for
/var/log/httpd/domains/

Best Regards

wildwolf
Posts: 8
Joined: Mon Apr 09, 2018 9:38 am

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by wildwolf » Tue Apr 10, 2018 8:47 am

MiguelVESTACP wrote: ↑
Tue Apr 10, 2018 7:52 am
Thanks @wildwolf

How to chmod /var/log/httpd
drwx------ 2

Best Regards

Code:

chmod 0700 /var/log/httpd
PS: don't have any directory under /dev/log/httpd.
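As an added example (not code from either poster), the following POSIX shell functions let an admin verify, before and after applying the chmod advice above, that /var/log/httpd and every directory below it (such as the domains/ tree asked about earlier) grant no permission bit beyond 0700. It assumes GNU coreutils stat (-c %a / -c %U) and directory paths without whitespace.

```shell
#!/bin/sh
# Added example: audit log-directory modes against an expected maximum.
# Assumes GNU coreutils stat; paths are assumed to contain no whitespace.

# Return 0 if DIR's mode sets no bit that EXPECTED (octal) does not,
# 1 if it is looser, 2 if DIR does not exist.
# Usage: check_dir_mode /var/log/httpd 700
check_dir_mode() {
    dir=$1
    expected=$2
    [ -d "$dir" ] || { echo "MISSING $dir" >&2; return 2; }
    actual=$(stat -c %a "$dir")
    # Leading 0 forces octal interpretation in shell arithmetic; any bit
    # present in actual but absent from expected is a violation.
    extra=$(( 0$actual & ~0$expected ))
    if [ "$extra" -ne 0 ]; then
        printf 'LOOSE   %s mode=%s expected<=%s owner=%s\n' \
            "$dir" "$actual" "$expected" "$(stat -c %U "$dir")"
        return 1
    fi
    printf 'OK      %s mode=%s\n' "$dir" "$actual"
    return 0
}

# Walk a whole log tree (the root and every subdirectory, e.g. domains/)
# and report each directory readable by group or others.
# Returns 1 if any directory is looser than 0700, 0 otherwise.
# Usage: audit_log_tree /var/log/httpd
audit_log_tree() {
    root=$1
    rc=0
    for d in $(find "$root" -type d); do
        check_dir_mode "$d" 700 || rc=1
    done
    return $rc
}
```

Run it as root before and after `chmod 0700 /var/log/httpd`; a non-zero exit from `audit_log_tree` means at least one directory in the tree still needs tightening.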

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Tue Apr 10, 2018 8:49 am

mehargags wrote: ↑
Tue Apr 10, 2018 5:38 am
kobo1d wrote: ↑
Mon Apr 09, 2018 6:44 pm
even after you clean the trojan, your system is still infected from what i see.
systemd (process 1) still creates suspicious files under /tmp while all other directories are still clean.
but this is speculating now
Can you name the files/dir that you see as suspicious in your /tmp ?
it was many little files with strange content, inside folders starting with "systemd" but it was not coming from the virus.
i checked and double-checked that it has nothing to do with it.
i had the idea because the virus started spreading via systemd first.
but systemd is clean now.

and i just filled out the poll. the only similar thing i could figure from it is that i had roundcube on the default /webmail path.
please don't tell me it's coming from there.... i was so close to disabling this crap, but my clients forced me to have their webmail.......

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: Got 10 VestaCP servers exploited

Post by imperio » Tue Apr 10, 2018 9:01 am

viewtopic.php?f=25&p=69296#p69296

Harambe
Posts: 2
Joined: Tue Apr 10, 2018 10:04 am

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by Harambe » Tue Apr 10, 2018 10:10 am

imperio wrote: ↑
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?

All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: Got 10 VestaCP servers exploited

Post by Falzo » Tue Apr 10, 2018 10:56 am

Harambe wrote: ↑
Tue Apr 10, 2018 10:10 am
imperio wrote: ↑
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?

All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
+1, the complete way the exploit happened should be made public so that there is a chance to verify that the actions taken are sufficient, and also to enable more auditing to see if there are similar things which could become a problem in the future.

vesta_mtl
Posts: 70
Joined: Wed Dec 21, 2016 2:08 pm

Re: Got 10 VestaCP servers exploited

Post by vesta_mtl » Tue Apr 10, 2018 11:05 am

kobo1d wrote: ↑
Mon Apr 09, 2018 3:55 pm
vishne0 wrote: ↑
Mon Apr 09, 2018 3:51 pm
There are a few things I want to know if someone can please reply
1) The hacked server were running ssh on port 22 ?
2) Allow root to login were on?

The above two questions will sort a few things. I will post my report once I have answers. Also if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
Regards
1) yes
2) no - no password login and no root user - no pam
i am using pubkeys
My servers weren’t affected. But my answers are:
1) No
2) Yes

I used a different SSH port (not the default 22). But the Vesta webGUI was on the default port 8083.

deanhills
Posts: 48
Joined: Tue Aug 09, 2016 7:13 am

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by deanhills » Tue Apr 10, 2018 11:25 am

Harambe wrote: ↑
Tue Apr 10, 2018 10:10 am
imperio wrote: ↑
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?

All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
I'd like to see a proper statement too. What was the outcome of the investigation by the Admin. @skurudo? This doesn't tell me much - on the one hand it says there wasn't a problem, but we know there is/was a problem. What was the problem and is the installation script 100% secure now?

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Tue Apr 10, 2018 12:06 pm

imperio wrote: ↑
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
+1 i would love to have a full and clear overview of what happened.
i want to understand and learn from it. everybody can fail sometimes, it doesn't matter whose fault it was.
but please give us more info!

also, when i updated my debian 9 yesterday while you fixed the deb rep -> is there any difference to how it looks today?
i mean if the update succeeded yesterday, do i have all recent files now? or are there again changes in deb rep from yesterday to today?

and is vesta now 100% secure or should we better leave webmail disabled for now (since you asked about it in the poll)
and is it better to leave the vesta service stopped for now?
