Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
More modified files at the same time:
Code:
/var/lib/mysql/roundcube/session.ibd
/etc/rc.d/rc3.d/S90update -> /etc/init.d/update
/etc/rc.d/rc2.d/S90update -> /etc/init.d/update
/etc/rc.d/rc1.d/S90update -> /etc/init.d/update
/etc/rc.d/init.d/update
/etc/rc.d/rc4.d/S90update -> /etc/init.d/update
/etc/rc.d/rc5.d/S90update -> /etc/init.d/update
Code:
#!/bin/sh
# chkconfig: 12345 90 90
# description: update
### BEGIN INIT INFO
# Provides: update
# Required-Start:
# Required-Stop:
# Default-Start: 1 2 3 4 5
# Default-Stop:
# Short-Description: update
### END INIT INFO
case $1 in
start)
/tmp/update
;;
stop)
;;
*)
/tmp/update
;;
esac
This is probably related to Roundcube.
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
Guys, I found these:
Code:
-rwxr-xr-x 1 root root 323 Apr 7 12:49 /etc/init.d/lmhgzcgcgk
[root@ca-server mysql]# ls -lah /usr/bin/lmhgzcgcgk
-rwxr-xr-x 1 root root 611K Apr 7 12:01 /usr/bin/lmhgzcgcgk
[root@ca-server mysql]#
Probably viruses :(
Re: Got 10 VestaCP servers exploited
I took backup from my servers and reinstalled them all.
I won't set them up again until this is fixed.
Did anyone discover anything?
Re: Got 10 VestaCP servers exploited
albertus, lukapaunovic, StudioMaX, dmitry-itldc, send us more technical information:
- OS
- VestaCP version
- Web stack
- Was bash access for admin enabled?
- access logs
- ps
Re: Got 10 VestaCP servers exploited
OS is the latest CentOS.
Latest VestaCP, updated from GitHub.
Servers were recently installed.
Bash wasn't enabled for the admin user.
All passwords were complex.
I can't provide anything more; I reinstalled until this is figured out, to avoid permanent termination of my VPS services.
Re: Got 10 VestaCP servers exploited
This happened to a server installed a few days ago which was only handling MAIL for one domain
and nothing else, no site or anything.
Everything was updated to the latest version.
So there's clearly a security breach.
Re: Got 10 VestaCP servers exploited
@imperio
Maybe we should enable access log for vesta-nginx, is there any reason why it's disabled?
Re: Got 10 VestaCP servers exploited
Happened to me too this morning. Identical files (like gcc.sh) that everyone else reported here. On Ubuntu 16.04, so it's not just CentOS Vesta.
Re: Got 10 VestaCP servers exploited
I'm on mobile and I'm HURTING.
If I were on a PC I would have figured this out a long time ago.
Guys, do something..
This is my first day of vacation, and problems.
And I am unable to investigate anything.
I'm literally doing speech to text right now.
I
Re: Got 10 VestaCP servers exploited
Show me the result of these commands:
Code:
ls -tl /usr/bin | less
cat /etc/cron.hourly/gcc.sh
cat /etc/crontab
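The artifacts reported in this thread form one persistence pattern: an init script (/etc/init.d/update) that just runs a dropper out of /tmp, S90update links in every rc?.d runlevel directory so it survives reboot, a cron.hourly script (gcc.sh), and a fresh randomly named binary under /usr/bin. The script below checks a root filesystem for exactly those things in one pass, covering both the first post's init-script findings and the triage commands imperio asks for above. It is an added example written for this page, not code posted by anyone in the thread and not part of VestaCP; it assumes the standard CentOS/Ubuntu layout (/etc/init.d, /etc/rc.d/rc?.d or /etc/rc?.d, /etc/cron.*, /var/spool/cron), and the demo tree it can build is constructed to mirror the file names from the posts, with made-up contents. Pass "/" to scan the live host or a mount point to scan a disk image taken from a compromised server.

```shell
#!/bin/sh
# Added example for this thread (not posted code, not part of VestaCP).
# Looks for the persistence pattern reported above: init/cron scripts that run
# something out of /tmp, /var/tmp or /dev/shm, the rc?.d symlinks that wire
# such a script into the boot sequence, crontab lines pointing at a scratch
# directory, and freshly modified executables in /usr/bin and /usr/sbin.

SCRATCH='(/tmp|/var/tmp|/dev/shm)/'

# Init and cron.* scripts that execute something from a scratch directory.
# /etc/init.d is a symlink to rc.d/init.d on CentOS, so find -L covers both.
find_tmp_launchers() {
    root="${1:-/}"
    for dir in "$root/etc/init.d" "$root/etc/cron.hourly" "$root/etc/cron.daily" \
               "$root/etc/cron.weekly" "$root/etc/cron.monthly"; do
        [ -d "$dir" ] || continue
        find -L "$dir" -maxdepth 1 -type f 2>/dev/null
    done | sort -u | while read -r f; do
        # require line start or a non-path character before the directory,
        # so that e.g. /usr/tmp/ is not reported
        if grep -Eq "(^|[^[:alnum:]_/.-])$SCRATCH" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# rc?.d start/kill links whose target basename is one of the names given,
# e.g. S90update -> ../init.d/update for a script flagged above.
find_rc_links() {
    root="$1"; shift
    if [ -d "$root/etc/rc.d" ]; then base="$root/etc/rc.d"; else base="$root/etc"; fi
    for d in "$base"/rc[0-6S].d; do
        [ -d "$d" ] || continue
        for l in "$d"/[SK]*; do
            [ -L "$l" ] || continue
            t=$(readlink "$l")
            for n in "$@"; do
                [ "$(basename "$t")" = "$n" ] && printf '%s -> %s\n' "$l" "$t"
            done
        done
    done | sort -u
}

# System crontab, cron.d and per-user spool lines that reference a scratch dir.
find_tmp_cron_lines() {
    root="${1:-/}"
    grep -En "$SCRATCH" "$root/etc/crontab" "$root"/etc/cron.d/* \
        "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* 2>/dev/null
    return 0   # no hits is not an error
}

# Owner-executable files under /usr/bin and /usr/sbin modified in the last DAYS
# days, newest first: the 'ls -tl /usr/bin' view from the thread, filtered by age.
recent_bin_changes() {
    root="${1:-/}"; days="${2:-7}"
    find "$root/usr/bin" "$root/usr/sbin" -maxdepth 1 -type f -perm -100 \
        -mtime "-$days" -exec ls -lt {} + 2>/dev/null
    return 0
}

scan_host() {
    root="${1:-/}"
    echo "== init/cron scripts executing from a scratch directory =="
    launchers=$(find_tmp_launchers "$root")
    printf '%s\n' "$launchers"
    echo "== rc?.d links to those scripts =="
    # shellcheck disable=SC2086  # word-splitting the basenames is intended
    find_rc_links "$root" $(printf '%s\n' "$launchers" | sed 's#.*/##')
    echo "== cron entries referencing a scratch directory =="
    find_tmp_cron_lines "$root"
    echo "== executables in /usr/bin and /usr/sbin modified in the last 7 days =="
    recent_bin_changes "$root" 7
}

# Constructed demo tree mirroring the names reported in the thread; the file
# contents are made up, only the names and layout follow the posts.
make_demo_tree() {
    t="$1"
    mkdir -p "$t/etc/init.d" "$t/etc/rc.d/rc3.d" "$t/etc/cron.hourly" \
             "$t/usr/bin" "$t/var/spool/cron"
    printf '#!/bin/sh\n/tmp/update\n' > "$t/etc/init.d/update"
    printf '#!/bin/sh\nexec /usr/sbin/sshd\n' > "$t/etc/init.d/sshd"
    ln -s ../../init.d/update "$t/etc/rc.d/rc3.d/S90update"
    ln -s ../../init.d/sshd "$t/etc/rc.d/rc3.d/S55sshd"
    printf '#!/bin/sh\ncp /tmp/dropper /usr/bin/dropper\n' > "$t/etc/cron.hourly/gcc.sh"
    printf '*/3 * * * * root /etc/cron.hourly/gcc.sh\n' > "$t/etc/crontab"
    printf '* * * * * /dev/shm/.x\n' > "$t/var/spool/cron/root"
    printf '#!/bin/sh\n' > "$t/usr/bin/lmhgzcgcgk"; chmod 755 "$t/usr/bin/lmhgzcgcgk"
}

# Usage: sh scan_persistence.sh /          (live host)
#        sh scan_persistence.sh /mnt/disk  (offline image)
#        sh scan_persistence.sh --demo     (scan the constructed tree)
if [ "$1" = "--demo" ]; then
    demo=$(mktemp -d); make_demo_tree "$demo"; scan_host "$demo"; rm -rf "$demo"
elif [ $# -gt 0 ]; then
    scan_host "$1"
fi
```

Run it against an offline mount rather than the live system where you can: a rootkit that hooks readdir or stat on the running host can hide exactly the files this looks for, and copying the image first also preserves the mtimes that the /usr/bin check relies on. The scratch-directory regex is deliberately narrow; a dropper staged under a user's home or /var/lib would not be caught by it, so treat a clean result as "this particular pattern is absent", not as proof the host is clean.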