Vesta packages infected (Topic is solved)
Dear Vesta Community,
Recently I dabbled with a spreading infection on websites hosted at one server.
After cleaning up the mess while doing a system-wide scan I found the following. This is the same trojan that was infecting everything else.
Code:
[root@web ~]# clamscan -r --bell -i / --detect-pua=yes --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc
/usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6342022
Engine version: 0.101.4
Scanned directories: 37028
Scanned files: 166847
Infected files: 1
Data scanned: 5803.79 MB
Data read: 339757.84 MB (ratio 0.02:1)
Time: 2257.202 sec (37 m 37 s)
[root@web ~]# rpm -qa |grep roundcube
[root@web ~]# rm -f /usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz
Can I get a follow-up on this by someone? thanks
- Support team (Os: CentOS 6x, Web: nginx + php-fpm)
Re: Vesta packages infected
LionHeart wrote: ↑Tue Sep 24, 2019 7:44 pm
Dear Vesta Community,
Recently I dabbled with a spreading infection on websites hosted at one server.
After cleaning up the mess while doing a system-wide scan I found the following. This is the same trojan that was infecting everything else.
Code:
[root@web ~]# clamscan -r --bell -i / --detect-pua=yes --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc
/usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6342022
Engine version: 0.101.4
Scanned directories: 37028
Scanned files: 166847
Infected files: 1
Data scanned: 5803.79 MB
Data read: 339757.84 MB (ratio 0.02:1)
Time: 2257.202 sec (37 m 37 s)
[root@web ~]# rpm -qa |grep roundcube
[root@web ~]# rm -f /usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz
Can I get a follow-up on this by someone? thanks

Anyway, this is not related to Vesta. This is Roundcube webmail client.
Re: Vesta packages infected
I don't have roundcube installed on the server; I never installed it, nor was I thinking of it in any manner.
The location of the infected file was `/usr/local/vesta/install/` hence finding it ... strange. Or was a hacked wordpress install that placed the file there?
Re: Vesta packages infected
grayfolk wrote: ↑Tue Sep 24, 2019 8:13 pm
Anyway, this is not related to Vesta. This is Roundcube webmail client.

I'm sorry, but this is wrong. The referenced tar.gz file is shipped from the vesta project, you can find it here: https://github.com/serghey-rodin/vesta/ ... mce.tar.gz
Since I maintain a fork of hestia, I have checked the reported issue and can confirm that clamscan reports the following file in the extracted tar.gz archive:
Code:
root@web101:~/temp# clamscan -r --bell -i /root/temp/ --detect-pua=yes
/root/temp/tinymce/plugins/preview/plugin.min.js: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6357586
Engine version: 0.100.3
Scanned directories: 52
Scanned files: 165
Infected files: 1
Data scanned: 3.33 MB
Data read: 1.50 MB (ratio 2.22:1)
Time: 39.268 sec (0 m 39 s)
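The two scans above differ only in what they were pointed at: the first flags the whole tar.gz, the second (run on the unpacked archive) narrows the hit to one minified JavaScript file, and both carry a PUA.* signature, which ClamAV only reports with --detect-pua=yes and which is heuristic rather than a confirmed malware match. The parser below is an added example, not code from the thread or from the Vesta or Hestia projects; it takes the two scan outputs posted above as constructed input, extracts the FOUND lines and the summary block, cross-checks the FOUND count against "Infected files", and sorts each hit into "unpack and rescan" (archives, so the offending member can be identified as ScIT did), "review" (PUA signatures, which deserve a look against the upstream release before anything is deleted) or "quarantine". The bucket names and the archive-extension list are this example's own assumptions.

```python
"""Parse `clamscan -i` output and triage the findings (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed input: the two scan outputs posted in the thread, so the parser
# runs offline without ClamAV installed.
SERVER_SCAN = """\
/usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6342022
Engine version: 0.101.4
Scanned directories: 37028
Scanned files: 166847
Infected files: 1
Data scanned: 5803.79 MB
Data read: 339757.84 MB (ratio 0.02:1)
Time: 2257.202 sec (37 m 37 s)
"""

EXTRACTED_SCAN = """\
/root/temp/tinymce/plugins/preview/plugin.min.js: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6357586
Engine version: 0.100.3
Scanned directories: 52
Scanned files: 165
Infected files: 1
Data scanned: 3.33 MB
Data read: 1.50 MB (ratio 2.22:1)
Time: 39.268 sec (0 m 39 s)
"""

# "<path>: <signature> FOUND" and "<Key>: <value>" summary lines.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

# Assumed list of container types worth unpacking and rescanning.
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar", ".zip")


@dataclass
class Finding:
    path: str
    signature: str

    @property
    def is_pua(self) -> bool:
        # ClamAV prefixes potentially-unwanted-application signatures with
        # "PUA."; they are heuristic and only emitted with --detect-pua=yes.
        return self.signature.startswith("PUA.")

    @property
    def is_archive(self) -> bool:
        return self.path.endswith(ARCHIVE_SUFFIXES)


@dataclass
class ScanReport:
    findings: List[Finding] = field(default_factory=list)
    summary: Dict[str, str] = field(default_factory=dict)

    @property
    def infected_files(self) -> int:
        return int(self.summary.get("Infected files", "0"))


def parse_clamscan(output: str) -> ScanReport:
    """Split clamscan output into FOUND lines and the key/value summary."""
    report = ScanReport()
    in_summary = False
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("-----------"):      # "----------- SCAN SUMMARY -----------"
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                report.summary[m.group("key")] = m.group("value")
            continue
        m = FOUND_RE.match(line)
        if m:
            report.findings.append(Finding(m.group("path"), m.group("sig")))
    return report


def triage(report: ScanReport) -> Dict[str, List[str]]:
    """Bucket each hit by the next action an analyst would take (assumed names)."""
    buckets: Dict[str, List[str]] = {"unpack_and_rescan": [], "review_pua": [], "quarantine": []}
    for f in report.findings:
        if f.is_archive:
            buckets["unpack_and_rescan"].append(f.path)
        elif f.is_pua:
            buckets["review_pua"].append(f.path)
        else:
            buckets["quarantine"].append(f.path)
    return buckets


def consistent(report: ScanReport) -> bool:
    """The number of FOUND lines must match the summary's 'Infected files'."""
    return len(report.findings) == report.infected_files


if __name__ == "__main__":
    for name, text in (("server", SERVER_SCAN), ("extracted", EXTRACTED_SCAN)):
        rep = parse_clamscan(text)
        print(name, triage(rep), "consistent" if consistent(rep) else "MISMATCH")
```

Feeding the first scan puts the tar.gz into the "unpack and rescan" bucket; feeding the second puts plugin.min.js into "review", which is exactly the path the thread took: unpack, rescan, then decide whether the flagged file matches what the upstream release ships before removing anything.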
- Support team (Os: CentOS 6x, Web: nginx + php-fpm)
Re: Vesta packages infected
ScIT wrote: ↑Tue Sep 24, 2019 8:27 pm
grayfolk wrote: ↑Tue Sep 24, 2019 8:13 pm
Anyway, this is not related to Vesta. This is Roundcube webmail client.
I'm sorry, but this is wrong. The referenced tar.gz file is shipped from the vesta project, you can find it here: https://github.com/serghey-rodin/vesta/ ... mce.tar.gz

Thx, will know. This is bad )
P.S. Good that I don't use roundcube :)
Re: Vesta packages infected
Thank you for all the answers.
A follow up question, if roundcube isn't used by VestaCP why is the package there? Or is there some option to enable roundcube? maybe there is lol.
Cheers guys
- Support team (Os: CentOS 6x, Web: nginx + php-fpm)
Re: Vesta packages infected
Vesta uses Roundcube as the default webmail client: https://clip2net.com/s/43KOKr7