Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts
  • Page 17 of 55
lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sun Apr 08, 2018 1:03 pm

Okay, but log in to it from another server in screen and tail the log.

Ok?

crackerizer
Posts: 11
Joined: Sun Apr 08, 2018 12:08 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by crackerizer » Sun Apr 08, 2018 1:14 pm

Up and running. Fingers crossed!

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: Got 10 VestaCP servers exploited

Post by Falzo » Sun Apr 08, 2018 1:16 pm

skamasle wrote: ↑
Sun Apr 08, 2018 12:22 pm
StudioMaX wrote: ↑
Sun Apr 08, 2018 11:54 am
A bit more info:
My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00.

I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time, on 04.04.2018 16:24:56.

In the SQL dump of the "session" table from the "roundcube" database I found a new session at the same time:

Code:

INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');

119.82.29.17 looks like the attacker's or bot's IP.

What is interesting is that the same IP address appeared in another session from 2018-03-24 23:02:01:

Code:

INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');

All other tables in the "roundcube" database were empty (since I do not use Roundcube).

I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.
Can confirm access from that IP on the same day the gcc.sh file appeared, with a HEAD request to /webmail/.
While writing my post above, I missed that. So I quickly grepped for that IP and can confirm that it appears in my logfiles too, with only a single HEAD request to the /webmail URL, just once, no further occurrence after that.
Also can confirm that the timestamps match the creation of the rc files and the /etc/init.d/update script which points to /tmp/update ...

I am still unsure how exactly this relates. A HEAD request should not be malicious at all. But maybe something from the resulting data was needed for the break-in attempt? Without log information for the vesta-nginx one can only guess :(
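The `vars` column in StudioMaX's dump is Roundcube's session store: base64 over PHP's `php` session serializer (`name|<serialized value>` pairs). The decoder below is an added example, not code from the thread or from Roundcube; it parses the first session row quoted above and applies a rule I assume from Roundcube's behaviour (pre-login sessions carry `temp=true` and no `user_id`) to tell whether the session ever got past the login form.

```python
import base64

# Roundcube's `session.vars` column holds base64 of PHP's "php" session
# serializer format:  name|<serialized value>name|<serialized value>...
# SESSION_VARS is the first session row StudioMaX quoted in the thread above.
SESSION_VARS = (
    "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjty"
    "ZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs="
)

def _read_scalar(data: bytes, pos: int):
    """Parse one PHP-serialized scalar at data[pos]; return (value, next_pos)."""
    kind = data[pos:pos + 1]
    if kind == b"N":                                   # N;
        return None, pos + 2
    if kind in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        if kind == b"b":
            value = raw == "1"
        elif kind == b"i":
            value = int(raw)
        else:
            value = float(raw)
        return value, end + 1
    if kind == b"s":                                   # s:<bytelen>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])              # length is in bytes
        start = colon + 2                              # skip  :"
        value = data[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2               # skip  ";
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")

def parse_roundcube_session(b64vars: str) -> dict:
    """Decode a Roundcube `vars` blob into {session_key: value}."""
    data = base64.b64decode(b64vars)
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)                    # key ends at the first '|'
        key = data[pos:bar].decode()
        session[key], pos = _read_scalar(data, bar + 1)
    return session

def session_is_authenticated(session: dict) -> bool:
    """Rule assumed here: Roundcube marks sessions created before login with
    temp=true and only stores user_id after a successful login, so a session
    holding just task=login and a CSRF request_token never authenticated."""
    return session.get("user_id") is not None and not session.get("temp", False)
```

For the row above this yields `task=login` plus a request token and nothing else, i.e. exactly what a single HEAD or GET of /webmail/ creates, which is consistent with the single request Falzo and skamasle saw in their logs.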

sandy
Posts: 90
Joined: Sat Apr 07, 2018 7:06 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by sandy » Sun Apr 08, 2018 1:24 pm

Falzo wrote: ↑
Sun Apr 08, 2018 1:16 pm
[quotes the post above in full]
Since you're assuming that it is from Roundcube, can you paste the output of this command:

Code:

stat /usr/share/roundcubemail/*

or

Code:

stat /path/to/your/roundcube/*

crackerizer
Posts: 11
Joined: Sun Apr 08, 2018 12:08 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by crackerizer » Sun Apr 08, 2018 1:30 pm

Just a few seconds after starting Vesta, here is what I got from the log:
x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /list/user/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:02 -0400] "GET /css/jquery-custom-dialogs.css?1446554103 HTTP/1.1" 200 5833 "https://xxxxxx:8083/login/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) G$
y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:09 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:11 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:12 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:14 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
My IP address is x.x.x.x.
It seems like this guy is still running the exploit script.
Here is what changed in /etc:
The following change occurred in the file /etc : 08/04/18 09:15 - CREATE /etc/bind/sedMBXndN
The file is deleted afterwards, though.

There has to be something with the /api/ folder.
Last edited by crackerizer on Sun Apr 08, 2018 2:27 pm, edited 1 time in total.
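The pattern in crackerizer's excerpt that is worth alerting on is a burst of `POST /api/` from a second address, with a scripted user agent, seconds after the panel came up. The script below is an added example, not from the thread or from VestaCP: it parses combined-format access-log lines like the ones above and reports sources whose POST rate to /api/ exceeds a threshold. The sample lines are constructed with RFC 5737 addresses in the same layout as the excerpt, and the log format of vesta-nginx is assumed to match it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of crackerizer's excerpt: 203.0.113.10 stands
# in for the admin's browser (x.x.x.x), 198.51.100.7 for the scripted POSTs.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
198.51.100.7 - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
198.51.100.7 - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
198.51.100.7 - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
198.51.100.7 - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
203.0.113.10 - - [08/Apr/2018:09:16:30 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line: str):
    """Return a dict for one combined-format access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_api_bursts(log_text: str, threshold: int = 3, window_s: int = 60) -> dict:
    """Map source IP -> {"count", "agents"} for sources that POST to /api/ at
    least `threshold` times inside any `window_s`-second window. The user agent
    is kept for triage only; it is attacker-controlled, so the rate triggers."""
    posts, agents = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/api/"):
            posts[rec["ip"]].append(rec["ts"])
            agents[rec["ip"]].add(rec["ua"])
    hits = {}
    for ip, stamps in posts.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):      # sliding window over sorted times
            n = sum(1 for t in stamps[i:] if (t - t0).total_seconds() <= window_s)
            if n >= threshold:
                hits[ip] = {"count": max(n, hits.get(ip, {}).get("count", 0)),
                            "agents": sorted(agents[ip])}
    return hits
```

Feed it the real vesta-nginx access log (once request logging is enabled, as the thread asks for) to get the offending source and agent strings in one pass.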

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Got 10 VestaCP servers exploited

Post by pipoy » Sun Apr 08, 2018 1:36 pm

Just got an email from Vultr that I have hit a bandwidth threshold. Then I saw 3 of my instances have skyrocketing bandwidth usage; 1 has exceeded the allocated value.

2 hours later, without any clue what's happening, I looked into the Vesta forum and saw this thread.
Done looking at this thread page by page.

Good news: not just me.

So I am now patiently waiting for a patch.

What have you guys done so far? I don't see anything about deleting a malicious file or virus yet.
Last edited by pipoy on Sun Apr 08, 2018 1:42 pm, edited 2 times in total.

StudioMaX
Posts: 33
Joined: Fri Aug 05, 2016 12:17 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by StudioMaX » Sun Apr 08, 2018 1:39 pm

*deleted*
Last edited by StudioMaX on Sun Apr 08, 2018 2:33 pm, edited 1 time in total.

crackerizer
Posts: 11
Joined: Sun Apr 08, 2018 12:08 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by crackerizer » Sun Apr 08, 2018 1:42 pm

@StudioMaX

That's what I'm looking for, the how-to. lol

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sun Apr 08, 2018 1:44 pm

I can't believe you had it, dude, but you didn't enable POST logging. Please hurry up.
And when you do, let's abuse that IP.

ivcha92
Posts: 26
Joined: Thu Nov 17, 2016 2:25 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by ivcha92 » Sun Apr 08, 2018 1:50 pm

I've noticed some brute-force attacks from those Chinese IPs prior to the server being exploited:

2018-04-04 10:15:29 v-add-firewall-chain 'FTP'
2018-04-04 10:15:29 v-add-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 10:25:30 v-delete-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 17:14:20 v-add-firewall-chain 'FTP'
2018-04-04 17:14:20 v-add-firewall-ban '118.250.115.164' 'FTP'
2018-04-04 17:24:20 v-delete-firewall-ban '118.250.115.164' 'FTP'
2018-04-06 13:22:13 v-add-firewall-chain 'FTP'
2018-04-06 13:22:13 v-add-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 13:32:14 v-delete-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 14:39:44 v-add-firewall-chain 'FTP'
2018-04-06 14:39:44 v-add-firewall-ban '60.25.63.148' 'FTP'
2018-04-06 14:49:45 v-delete-firewall-ban '60.25.63.148' 'FTP'
2018-04-07 00:20:01 v-update-user-stats
2018-04-07 00:44:49 v-add-firewall-chain 'FTP'
2018-04-07 00:44:49 v-add-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 00:54:49 v-delete-firewall-ban '139.170.219.219' 'FTP
2018-04-07 03:40:11 v-add-firewall-chain 'FTP'
2018-04-07 03:40:11 v-add-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 03:50:12 v-delete-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 08:38:56 v-add-firewall-chain 'FTP'
2018-04-07 08:38:56 v-add-firewall-ban '39.71.34.68' 'FTP'
2018-04-07 08:48:56 v-delete-firewall-ban '39.71.34.68' 'FTP

If there is no need to access your sites from China, it might be a good idea to block the complete IP range in the firewall.

  • All times are UTC