Got 10 VestaCP servers exploited

[StudioMaX]

Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00

More modified files at the same time:

Code: Select all

/var/lib/mysql/roundcube/session.ibd
/etc/rc.d/rc3.d/S90update -> /etc/init.d/update
/etc/rc.d/rc2.d/S90update -> /etc/init.d/update
/etc/rc.d/rc1.d/S90update -> /etc/init.d/update
/etc/rc.d/init.d/update
/etc/rc.d/rc4.d/S90update -> /etc/init.d/update
/etc/rc.d/rc5.d/S90update -> /etc/init.d/update

/etc/rc.d/init.d/update:

Code: Select all

#!/bin/sh
# chkconfig: 12345 90 90
# description: update
### BEGIN INIT INFO
# Provides:		update
# Required-Start:	
# Required-Stop:	
# Default-Start:	1 2 3 4 5
# Default-Stop:		
# Short-Description:	update
### END INIT INFO
case $1 in
start)
	/tmp/update
	;;
stop)
	;;
*)
	/tmp/update
	;;
esac

But I don't have this "/tmp/update" file (maybe it was removed by ClamAV some time ago).

Probably this can be related to Roundcube.

[lukapaunovic]

Guys I found those

rwxr-xr-x 1 root root 323 Apr 7 12:49 /etc/init.d/lmhgzcgcgk
[root@ca-server mysql]# ls -lah /usr/bin/lmhgzcgcgk
-rwxr-xr-x 1 root root 611K Apr 7 12:01 /usr/bin/lmhgzcgcgk
[root@ca-server mysql]#

probably viruses :(

[lukapaunovic]

I took backup from my servers and reinstalled them all.

I won't set them up again until this is fixed.
did anyone discover anything

[imperio]

albertus, lukapaunovic, StudioMaX, dmitry-itldc, send to us more technical informaton
- OS
- VestaCP version
- Web stack
- Does bash access for admin was enabled ?
- access logs
- ps

[lukapaunovic]

Os is latest Centos
latest vestacp updated from github
servers recently installed
bash wasn't enabled for admin user

all passwords were complex

i cant provide anything more i reinstalled until this is figured out to avoid permanent termination of my vps services

[lukapaunovic]

This happened to a server installed few days ago which was only handling one domain MAIL
and nothing else, no site anything.
everything was updated to latest.
so theres security breach clearly

[dpeca]

@imperio
Maybe we should enable access log for vesta-nginx, is there any reason why it's disabled?

[skivte]

Happened to me too this morning. Identical files (like gcc.sh) that everyone else reported here. On Ubuntu 16.04, so it's not just CentOS Vesta.

[lukapaunovic]

I'm on mobile and I'm HURTING.
If I were on PC i would have figured this out long time ago.
Guys do something..
This is my first day of vacation and problems.
and I am unable to investigate anything.
I'm litterally doing speech to text right know.
I

[imperio]

show me result of this commands

Code: Select all

ls -tl /usr/bin | less
cat /etc/cron.hourly/gcc.sh
cat /etc/crontab