Vesta Control Panel - Forum

Community Forum


All VestaCP installations being attacked [Topic is solved]

General questions about VestaCP
231 posts
  • Page 22 of 24
kandalf
Posts: 87
Joined: Tue May 13, 2014 11:53 pm

Re: All VestaCP installations being attacked

Post by kandalf » Fri Oct 19, 2018 11:58 am

imperio wrote (Fri Oct 19, 2018 11:54 am):
> Good. You have removed all virus files from your server.

Nice, thank you for your help

peterb
Posts: 20
Joined: Fri May 15, 2015 11:26 am

Re: All VestaCP installations being attacked

Post by peterb » Fri Oct 19, 2018 12:05 pm

/sbin/chkconfig --list
returns
dhcprenew 0:off 1:on 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off

I presume I "AM" infected then?

I have updated to 23.
What else should I do?

What does the email from you mean, to contact you at info@? Is that genuine?

I have the
dhcprenew.disabled
in usr/bin
is disabled enough, or should I delete it?

I have others? Where should I look?

Any help much appreciated!

I also deleted
dhcprenew
in etc/init.d
and now I get
/sbin/chkconfig --list
returns
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off

does that mean I am clean now?
Last edited by peterb on Fri Oct 19, 2018 12:21 pm, edited 1 time in total.

artuof
Posts: 15
Joined: Fri Nov 10, 2017 5:42 am

Re: All VestaCP installations being attacked

Post by artuof » Fri Oct 19, 2018 12:05 pm

imperio wrote (Fri Oct 19, 2018 11:54 am):
> Good. You have removed all virus files from your server.

How can I test it on Ubuntu?

root@miserver:~# service --status-all
[ + ] acpid
[ + ] apache-htcacheclean
[ + ] apache2
[ + ] apcupsd
[ + ] apparmor
[ + ] apport
[ + ] atd
[ + ] bind9
[ - ] bootmisc.sh
[ - ] checkfs.sh
[ - ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ + ] clamav-daemon
[ - ] clamav-freshclam
[ + ] console-setup
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] dovecot
[ + ] exim4
[ + ] fail2ban
[ + ] grub-common
[ - ] hostname.sh
[ - ] hwclock.sh
[ + ] irqbalance
[ + ] iscsid
[ + ] keyboard-setup
[ - ] killprocs
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ + ] mdadm
[ - ] mdadm-waitidle
[ - ] mountall-bootclean.sh
[ - ] mountall.sh
[ - ] mountdevsubfs.sh
[ - ] mountkernfs.sh
[ - ] mountnfs-bootclean.sh
[ - ] mountnfs.sh
[ + ] mysql
[ + ] networking
[ + ] ondemand
[ + ] open-iscsi
[ - ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ + ] quota
[ - ] quotarpc
[ + ] rc.local
[ + ] resolvconf
[ - ] rsync
[ + ] rsyslog
[ - ] screen-cleanup
[ - ] sendsigs
[ + ] spamassassin
[ + ] ssh
[ + ] udev
[ + ] ufw
[ - ] umountfs
[ - ] umountnfs.sh
[ - ] umountroot
[ + ] unattended-upgrades
[ - ] ups-monitor
[ + ] urandom
[ - ] uuidd
[ + ] vesta
[ - ] vsftpd
[ - ] x11-common
Last edited by artuof on Fri Oct 19, 2018 12:08 pm, edited 1 time in total.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 12:08 pm

Also root and admin passwords should be changed. It's important.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 12:19 pm

artuof, dhcprenew is not loaded at autorun on your server

joni
Posts: 60
Joined: Sat Aug 27, 2016 9:22 pm

Os: Ubuntu 18x
Web: nginx + php-fpm
Re: All VestaCP installations being attacked

Post by joni » Fri Oct 19, 2018 2:10 pm

@Imperio,
Is this result ok?

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@t-knight ~]#


imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 2:28 pm

Here is what needs to be done:
1. Find and remove the dhcprenew binary from the system

Code:

find /etc -name "*dhcprenew*"
find /usr/bin -name "*dhcprenew*"
2. Stop the running process named kworker that was launched between 24-28 Sept

Code:

ps auxf
3. Run the rkhunter script to make sure there are no other affected binary files

Code:

apt-get install rkhunter
yum install rkhunter
# http://rkhunter.sourceforge.net/
# -c runs the checks, --sk skips the "press enter" prompts between test groups
rkhunter -c --sk
4. Change current password for admin and root user

Or you can spin up another server and migrate your users using following doc
http://vestacp.com/docs/#how-to-migrate ... her-server

For more information about this trojan please read
https://www.welivesecurity.com/2018/10/ ... installed/

5. That's all

artuof
Posts: 15
Joined: Fri Nov 10, 2017 5:42 am

Re: All VestaCP installations being attacked

Post by artuof » Fri Oct 19, 2018 3:16 pm

At present, I have these processes:

Code:

root@miserver:~# ps auxf | grep kworker
root         5  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/0:0H]
root        15  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/1:0H]
root        20  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/2:0H]
root        25  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/3:0H]
root       202  0.0  0.0      0     0 ?        S<   mar25   1:32  \_ [kworker/1:1H]
root       203  0.0  0.0      0     0 ?        S<   mar25 198:40  \_ [kworker/3:1H]
root       204  0.0  0.0      0     0 ?        S<   mar25   1:35  \_ [kworker/2:1H]
root       329  0.0  0.0      0     0 ?        S<   mar25   2:07  \_ [kworker/0:1H]
root      3088  0.0  0.0      0     0 ?        S    10:39   0:00  \_ [kworker/2:2]
root     19698  0.0  0.0      0     0 ?        S    13:39   0:00  \_ [kworker/1:2]
root     23333  0.0  0.0      0     0 ?        S    14:09   0:00  \_ [kworker/2:0]
root     29348  0.0  0.0      0     0 ?        S    15:39   0:00  \_ [kworker/3:2]
root     30584  0.0  0.0      0     0 ?        S    15:59   0:00  \_ [kworker/3:1]
root     31604  0.0  0.0      0     0 ?        S    16:09   0:00  \_ [kworker/0:0]
root     32628  0.0  0.0      0     0 ?        S    16:23   0:00  \_ [kworker/1:0]
root      1229  0.0  0.0      0     0 ?        S    16:39   0:00  \_ [kworker/0:1]
root      2032  0.0  0.0      0     0 ?        S    16:51   0:00  \_ [kworker/u8:0]
root      2466  0.0  0.0      0     0 ?        S    16:59   0:00  \_ [kworker/u8:2]
root      2963  0.0  0.0      0     0 ?        S    17:05   0:00  \_ [kworker/u8:1]
root      3032  0.0  0.0  16760  1024 pts/1    S+   17:08   0:00                      \_ grep kworker

I can't kill them with:
kill -9 5 (for example, to kill the first process)

Would I have to kill all of them on the list?
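An added check for steps 1 and 2 of imperio's list and for the kworker question above; this is example code, not from the forum thread or from VestaCP. Genuine kworker entries are kernel threads (children of kthreadd, PID 2, with an empty /proc/<pid>/cmdline), which is why kill -9 does nothing to them and why they are not what step 2 refers to; the script reports only kworker-named processes that lack those traits. PROC is an assumed override variable so the functions can also be run against a copied /proc tree.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP): tell real kworker kernel
# threads apart from a user-space binary that merely calls itself "kworker".
# Real kernel threads are children of kthreadd (PID 2) and have an empty
# /proc/<pid>/cmdline; a masquerading binary has neither trait.
# PROC is an assumed override so the functions can run against a copied tree.
PROC=${PROC:-/proc}

# is_kernel_thread PID -> exit 0 for a kernel thread, 1 for anything else
is_kernel_thread() {
    pid=$1
    [ -r "$PROC/$pid/status" ] || return 1
    [ "$pid" = 2 ] && return 0                      # kthreadd itself
    ppid=$(awk '/^PPid:/ {print $2}' "$PROC/$pid/status")
    [ "$ppid" = 2 ] || return 1                     # not spawned by kthreadd
    [ ! -s "$PROC/$pid/cmdline" ]                   # kernel threads have no argv
}

# list_fake_kworkers -> one line "PID EXE" per kworker-named process that is
# not a kernel thread; EXE is '?' when /proc/<pid>/exe cannot be resolved
list_fake_kworkers() {
    for d in "$PROC"/[0-9]*; do
        pid=${d#"$PROC"/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        case "$comm" in *kworker*) ;; *) continue ;; esac
        is_kernel_thread "$pid" && continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
        echo "$pid $exe"
    done
}

# find_dhcprenew -> leftover files from step 1 (the thread's two paths,
# plus /usr/sbin)
find_dhcprenew() {
    find /etc /usr/bin /usr/sbin -name '*dhcprenew*' 2>/dev/null
}
```

On a live host, `ps -o lstart= -p PID` on each PID that list_fake_kworkers reports gives the launch time to compare against the 24-28 Sept window from step 2.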

albertus
Posts: 12
Joined: Sat Apr 07, 2018 2:45 pm

Os: CentOS 6x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by albertus » Fri Oct 19, 2018 4:48 pm

imperio wrote (Fri Oct 19, 2018 9:49 am):
> Falzo, stop the insults. We have all said in this thread.
> More information you can find here
> https://www.welivesecurity.com/2018/10/ ... installed/
>
> Next time I'll give you a warning.

Excuse me, I don't think there were any insults from Falzo and I agree with him. It's a shame how you dealt with this problem. Nobody should keep trusting any of you as you're not capable of communicating properly. Keeping silent and hiding yourself doesn't help. I truly suggest you decide if you really want to continue maintaining Vesta, as you don't seem capable of such a task.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 5:11 pm

albertus, please stop the offtopic.
If you really want to scold the development team, please contact us via PM.