Vesta Control Panel - Forum


Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts
  • Page 34 of 55
MAN5
Posts: 86
Joined: Sun Jan 31, 2016 4:14 am

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by MAN5 » Mon Apr 09, 2018 1:05 pm

wait until they fixed their repo. it's down because the virus was spread from over there
False alarm. I have been using VestaCP for more than 4 years. I got the latest update via Vesta's auto-update. Till now, I have never seen any hacks on my server. I keep checking/inspecting the files inside my server whenever people point to some suspects like 'gcc.sh', 'rc.xx', but I can't find any yet. Checking the '/var/log/xxx' files on an everyday basis is my routine practice. I have hardened my f2ban, iptables, exim config etc. for reducing spam. But I know I'm not 100% safe. No one can say that..
I don't dare to blame the VestaCP sources.

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 1:05 pm

Falzo wrote (Mon Apr 09, 2018 12:46 pm):
kobo1d wrote (Mon Apr 09, 2018 12:39 pm):
Falzo wrote (Mon Apr 09, 2018 12:37 pm):
How certain of that are you? While it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

So far you are the only one to be hacked while claiming to have had that port closed/whitelisted. No offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
You don't need to believe me. Read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046

You will see that I am right when VestaCP posts public news about what was happening with their repo.
We'll see about that. I have a server (Debian 9) freshly installed with Vesta on April 2nd, port 8083 opened, which wasn't hit nor affected at all. I haven't updated yet; feel free to give pointers on what I should look for and what you think the attack vector would be.

If there is something inside the sources which got spread through the repo, it still would need to be activated somehow... may it be by a timer or an external call.
With the port blocked/whitelisted an external trigger is unlikely, so you'd bet on internal crons being manipulated or something like that?

As said, I am willing to dig deeper, as I have quite some installations of Vesta and only two were affected; just give some more input on what you think would be worth looking out for.
I dug pretty deep the last 48 hours. The pain in my hands can prove that. The big factor about it is that everything it does/did leaves no traces whatsoever
(if you want to find out where it's originally coming from). The rest is a standard Linux/Xor.DDoS Trojan.

First I thought it was a backdoor at my server provider, like a hacked internal technical VNC or similar.
The company even went so far as to check their install images for whether they ship this trojan by default.

I bet you a dollar it's coming from the Vesta sources and is installed as a free feature for welcoming new Vesta users (ok, that was sarcasm).
Last edited by kobo1d on Mon Apr 09, 2018 1:48 pm, edited 4 times in total.

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 1:06 pm

MAN5 wrote (Mon Apr 09, 2018 1:05 pm):
wait until they fixed their repo. it's down because the virus was spread from over there
False alarm. I have been using VestaCP for more than 4 years. I got the latest update via Vesta's auto-update. Till now, I have never seen any hacks on my server. I keep checking/inspecting the files inside my server whenever people point to some suspects like 'gcc.sh', 'rc.xx', but I can't find any yet. Checking the '/var/log/xxx' files on an everyday basis is my routine practice. I have hardened my f2ban, iptables, exim config etc. for reducing spam. But I know I'm not 100% safe. No one can say that..
I don't dare to blame the VestaCP sources.
Well, just the fact that you didn't get hacked by now doesn't mean you are protected/safe by default. That's all I can tell you for sure.
Last edited by kobo1d on Mon Apr 09, 2018 1:09 pm, edited 4 times in total.

really
Posts: 21
Joined: Mon Mar 05, 2018 3:44 am

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by really » Mon Apr 09, 2018 1:07 pm

Falzo wrote (Mon Apr 09, 2018 12:46 pm):
kobo1d wrote (Mon Apr 09, 2018 12:39 pm):
Falzo wrote (Mon Apr 09, 2018 12:37 pm):
How certain of that are you? While it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

So far you are the only one to be hacked while claiming to have had that port closed/whitelisted. No offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
You don't need to believe me. Read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046

You will see that I am right when VestaCP posts public news about what was happening with their repo.
We'll see about that. I have a server (Debian 9) freshly installed with Vesta on April 2nd, port 8083 opened, which wasn't hit nor affected at all. I haven't updated yet; feel free to give pointers on what I should look for and what you think the attack vector would be.

If there is something inside the sources which got spread through the repo, it still would need to be activated somehow... may it be by a timer or an external call.
With the port blocked/whitelisted an external trigger is unlikely, so you'd bet on internal crons being manipulated or something like that?

As said, I am willing to dig deeper, as I have quite some installations of Vesta and only two were affected; just give some more input on what you think would be worth looking out for.
You need to read back some number of pages. There's a link to details about the trojan and how it replicates and the possible file names.

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 1:20 pm

You can also check for infection by running

    netstat -natp

and checking for a high port number on your server going to some IP at port 25 (smtp). The entry looks like this:

    your.server.com:39472->209.141.61.140:smtp (25)

The command it sends when it's idle is

    sleep 1

The 2nd IP is real by the way. I think it's the master or relay of this botnet or something.

Oh, and that's no guessing, that backdoor is real. It was reported by the process of my virus body as an active connection.

This is pretty useful if you want to clean your system: https://superuser.com/questions/863997/ ... -webserver
If you want to google it: Linux/Xor.DDoS Trojan

And if any of you want to have the virus files (bodies and cron files), let me know. I saved them for research.
Last edited by kobo1d on Mon Apr 09, 2018 1:57 pm, edited 1 time in total.
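As an added example (not from this thread or from the VestaCP project), here is a small Python script that applies kobo1d's check to `netstat -natp` output: it flags connections from an ephemeral local port to a remote port 25 that are not owned by the mail transfer agent. The sample netstat rows, the `exim`/`exim4` program names as the expected MTA and the 32768 ephemeral-port boundary are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample of `netstat -natp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN      812/sshd
tcp        0      0 10.0.0.5:48122     198.51.100.7:25      ESTABLISHED 1021/exim4
tcp        0      0 10.0.0.5:39472     203.0.113.40:25      ESTABLISHED 4213/gcc.sh
tcp        0      0 10.0.0.5:39480     203.0.113.40:25      SYN_SENT    4213/gcc.sh
tcp        0      0 10.0.0.5:22        192.0.2.10:53011     ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:41010     198.51.100.9:25      ESTABLISHED -
"""

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state pid program")

# One row of `netstat -natp` (TCP only, numeric addresses, PID/program column).
ROW_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<lip>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<rip>\S+):(?P<rport>\d+|\*)\s+(?P<state>\S+)\s+(?P<pidprog>\S+)\s*$"
)

def parse_netstat(text):
    """Turn netstat text into Conn tuples; header and unparsable rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, _, prog = m.group("pidprog").partition("/")  # "-" when the PID is hidden
        conns.append(Conn(m.group("lip"), m.group("lport"), m.group("rip"),
                          m.group("rport"), m.group("state"), pid, prog))
    return conns

EXPECTED_MTA = {"exim", "exim4"}  # assumption: exim is the host's only legitimate SMTP client
EPHEMERAL_MIN = 32768              # start of the default Linux ip_local_port_range

def suspicious_smtp(conns):
    """Connections from an ephemeral local port to remote port 25 whose owning program is
    not the MTA (or is unknown): the pattern kobo1d describes for the Xor.DDoS bot."""
    return [c for c in conns
            if c.remote_port == "25"
            and c.local_port != "*" and int(c.local_port) >= EPHEMERAL_MIN
            and c.program not in EXPECTED_MTA]
```

On a live host, feed the real output in with `netstat -natp | python3 script.py` after replacing the sample with `sys.stdin.read()`; a row whose program column is `-` means netstat could not see the owning process and deserves a look with root privileges.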

rmjserver
Posts: 15
Joined: Mon Feb 26, 2018 10:16 am

Os: Ubuntu 13x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by rmjserver » Mon Apr 09, 2018 1:54 pm

I think my server is also affected. When I run this command, netstat -natp, it shows multiple Chinese IP addresses. I can provide you root access to my server for investigation; if you need it, then please reply to me.

isac
Posts: 2
Joined: Fri Feb 16, 2018 2:05 pm

Os: Debian 8x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by isac » Mon Apr 09, 2018 1:56 pm

We need a Debian 9 update, trying to update from 0.9.8 but without luck.

MAN5
Posts: 86
Joined: Sun Jan 31, 2016 4:14 am

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by MAN5 » Mon Apr 09, 2018 2:04 pm

rmjserver wrote (Mon Apr 09, 2018 1:54 pm):
I think my server is also affected. When I run this command, netstat -natp, it shows multiple Chinese IP addresses. I can provide you root access to my server for investigation; if you need it, then please reply to me.
If you seem affected on port 25, why don't you do email rate_limit? So this shit won't consider you anymore..

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Got 10 VestaCP servers exploited

Post by pipoy » Mon Apr 09, 2018 2:09 pm

Isn't it by default that when your firewall is enabled, everything is dropped?

And by default, only the accepted ones are in the FIREWALL tab.

If you already changed your admin port, automatically your 8083 is dropped.

I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked.

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Mon Apr 09, 2018 2:13 pm

pipoy wrote (Mon Apr 09, 2018 2:09 pm):
Isn't it by default that when your firewall is enabled, everything is dropped?

And by default, only the accepted ones are in the FIREWALL tab.

If you already changed your admin port, automatically your 8083 is dropped.

I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked.
Did you install VestaCP recently?
We are trying to know if their repo was exploited.