Got 10 VestaCP servers exploited

[sandy]

Hey here are affected files in that time range see

don't aim roundcube as the exploit i don't have roundcube on my servers even phpmyadmin, i disabled them and deleted it still got hacked.

[Prime]

Hey here are affected files in that time range see

Can you check what version of Roundcube that is on the system?

[ivcha92]

I've got a bunch strange named files here created on April 3rd and 4th

[MAN5]

Also I have good news: I binary compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these:

Code: Select all

/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update

But in any case, if your server was infected, you will need to reinstall it.

Are you suspecting on that file S90update - is a culprit.?
What is the contents of that S90update file?

[StudioMaX]

Can you check what version of Roundcube that is on the system?

On my installation I had the latest version - 1.3.5

Are you suspecting on that file S90update - is a culprit.?
What is the contents of that S90update file?

Code: Select all

/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update

- are just symlinks to "/etc/rc.d/init.d/update"

Its content:

Code: Select all

#!/bin/sh
# chkconfig: 12345 90 90
# description: update
### BEGIN INIT INFO
# Provides:		update
# Required-Start:	
# Required-Stop:	
# Default-Start:	1 2 3 4 5
# Default-Stop:		
# Short-Description:	update
### END INIT INFO
case $1 in
start)
	/tmp/update
	;;
stop)
	;;
*)
	/tmp/update
	;;
esac

[lukapaunovic]

1.35 version

[StudioMaX]

don't aim roundcube as the exploit i don't have roundcube on my servers even phpmyadmin, i disabled them and deleted it still got hacked.

Do you mean you manually deleted already installed applications? Because Roundcube is installed automatically if you install the exim and the mysql, it can not be turned off when setting up the vesta.
Look here: https://github.com/serghey-rodin/vesta/ ... l.sh#L1201

[Prime]

Can you check what version of Roundcube that is on the system?

On my installation I had the latest version - 1.3.

1.35 version

Then I think we can eliminate the theory that Roundcube is the fault here.

[crackerizer]

One of my VPS at OVH got exploit this morning. I did reinstall the os and restored all accounts from my remote backup. I'm now monitoring any change in /etc with inotify. From the information I read here, it seems like all created executables have to be done with root access. The exploit has to be more than just bugs in Roundcube which is run under www-data user. My speculation.

[lukapaunovic]

I'm cheering it's not roundcube cuz another server didn't got hacked again with disabled Vesta. I'm still keeping this hacked server mounted in rescue until sergehey is back. I truly hope he will be back my client is insisting on puting sites back up