All VestaCP installations being attacked Topic is solved

[harry]

Falzo, stop the insults. We have all said in this thread.
More information you can find here
https://www.welivesecurity.com/2018/10/ ... installed/

In the next time I'll give you a warning.

Excuse me, I don't think there were any insults from Falzo and I agree with him. It's a shame how you dealt with this problem. Nobody should keep trusting any of you as you're not capable of communicating properly. Keeping silence and hiding yourself doesn't help. I truly suggest you to decide if you really want to continue mantaining Vesta, as you don't seem capable for such a task.

I too do not see an insult here. While being a developer myself I do understand that sometimes communication during stressful situations may be hard to maintain, but it is really important to keep people trusting you and your project.That's being said, VestaCP is amazing as a whole but communication with its users should really be improved.

[hacktivista]

Just noticed I've been attacked. Have not found the files listed as affected, nor rkhunter found any malware (though some warnings)...

The attacked modified my sudoers configuration and changed admin password, not allowing the vestacp to be updated, this alerted me (700+ emails saying that the user needs a password to execute some files).

Already updated my system and changed passwords, but I don't know what else to check

[artuof]

My procedure with OS Ubuntu 16.04 LTS.

The first thing I've done has been to change admin and root passwords.

Later, I have seen that my server has /usr/bin/dhcprenew.disabled and /etc/init.d/dhcprenew.disabled files. (why extension .disabled? no idea).
I have deleted both.

Too I have symbolics links:

lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc1.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc2.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc3.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc4.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc5.d/S01dhcprenew -> ../init.d/dhcprenew

I have delete all of them.

Then, I have installed rkhunter:
- sudo apt-get install rkhunter

I run it so:
- rkhunter -c

Check if would there are warnings.
In my case it only warns me that root has ssh access, when it not possible really.

[imperio]

Later, I have seen that my server has /usr/bin/dhcprenew.disabled and /etc/init.d/dhcprenew.disabled files. (why extension .disabled? no idea).

Because dhcprenew it's a virus and VestaCP renamed this file after upgrade to 0.9.8-23

viewtopic.php?f=25&p=73942#p73942

Security check for/usr/bin/dhcprenew binary. If found checker notifies server administrator

[KEZERN]

I have just executed
sudo find /etc/ -name "*dhcprenew*"
And no file are listed.

Does it means I have not been atacked?

[imperio]

I have just executed
sudo find /etc/ -name "*dhcprenew*"
And no file are listed.

Does it means I have not been atacked?

Do you have this files ?
/usr/bin/dhcprenew or /usr/bin/dhcprenew.disabled

[KEZERN]

I have just executed
sudo find /etc/ -name "*dhcprenew*"
And no file are listed.

Does it means I have not been atacked?

Do you have this files ?
/usr/bin/dhcprenew or /usr/bin/dhcprenew.disabled

No, I don't have any of them

[imperio]

With your server all fine.

[KEZERN]

With your server all fine.

Thank you very much!

[elpak]

more attention should be paid to security.