Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
False alarm. I'm using VestaCP for more than 4 years. I got the latest update via auto-update of Vesta. Till now, I never saw any hacks on my server. I keep checking/inspecting the files inside my server whenever people point to some suspects like 'gcc.sh', 'rc.xx' - but can't find any yet. Checking the '/var/log/xxx' files on a daily basis is my routine practice. I have hardened my f2ban, iptables, exim config etc. for reducing spam. But I know I'm not 100% safe. No one can say that.. wait until they fixed their rep. It's down because the virus was spread from over there.
I don't dare to blame VestaCP sources.
Re: Got 10 VestaCP servers exploited
i dug pretty deep the last 48 hours. the pain in my hands can prove that. the big factor about it is that everything it does/did leaves no traces whatsoever.
Falzo wrote: ↑Mon Apr 09, 2018 12:46 pm
will see about that. I have a server (debian 9) freshly installed with vesta on april 2nd, port 8083 opened, which wasn't hit nor affected at all. I haven't updated yet, feel free to give pointers for what i should look at and what you think the attack vector would be.
kobo1d wrote: ↑Mon Apr 09, 2018 12:39 pm
you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046
Falzo wrote: ↑Mon Apr 09, 2018 12:37 pm
how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?
so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
you will see that i am right when vestacp posts public news about what was happening with their rep.
if there is something inside the sources which got spread through the repo it still would need to be activated somehow... may it be by a timer or external call.
with the port blocked/whitelisted an external one is unlikely, so you'd bet on internal crons being manipulated or something like that?
as said I am willing to dig deeper, as I have quite some installations of vesta, only two were affected, just give some more input on what you think would be worth looking out for.
(if you want to find out where it's originally coming from) the rest is a standard Linux/Xor.DDoS Trojan
first i thought it's a backdoor at my server provider, like a hacked internal technical vnc or similar.
the company even got that far that they checked their install images to see if they ship this trojan by default.
i bet you a dollar it's coming from the vesta sources and is installed as a free feature for welcoming new vesta users (ok that was sarcasm)
Last edited by kobo1d on Mon Apr 09, 2018 1:48 pm, edited 4 times in total.
Re: Got 10 VestaCP servers exploited
well, just the fact you didn't get hacked by now doesn't mean you are protected/safe by default. that's all i can tell you for sure.
MAN5 wrote: ↑Mon Apr 09, 2018 1:05 pm
Last edited by kobo1d on Mon Apr 09, 2018 1:09 pm, edited 4 times in total.
Re: Got 10 VestaCP servers exploited
You need to read back some number of pages. There's a link to details about the trojan and how it replicates and the possible file names.
Falzo wrote: ↑Mon Apr 09, 2018 12:46 pm
Re: Got 10 VestaCP servers exploited
you can also check for infection by doing a
    netstat -natp
and check for a high port number on your server going to some ip at port 25 (smtp)
entry looks like this:
    your.server.com:39472->209.141.61.140:smtp (25)
the command it sends when it's idle is
    sleep 1
the 2nd ip is real by the way. i think it's the master or relay of this botnet or something.
oh and that's no guessing, that backdoor is real. it was reported by the process of my virus body as an active connection.
this is pretty useful if you want to clean your system: https://superuser.com/questions/863997/ ... -webserver
if you want to google it: Linux/Xor.DDoS Trojan
and if any of you want to have the virus files (bodies and cronfiles), let me know. i saved them for research.
Last edited by kobo1d on Mon Apr 09, 2018 1:57 pm, edited 1 time in total.
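The netstat check from the post above, turned into a small script (an added example, not code from the thread or from VestaCP): it parses `netstat -natp` output and flags outbound port-25 sockets from ephemeral local ports. Because the host's own MTA makes exactly the same kind of connection when delivering mail, the owning process is what separates normal mail from a bot using the box as a relay; the sample output and the assumption that exim is the MTA are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Programs expected to open outbound port-25 sockets. Assumption: exim is the
# MTA, as on a stock VestaCP install; adjust the set for postfix etc.
KNOWN_MTA_PROGRAMS = {"exim", "exim4"}
# Outbound states worth a look: an open session or a connection attempt.
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}
# One `netstat -natp` data line: proto, queues, local, foreign, state, PID/program.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<owner>\S.*?)\s*$"
)


def _port(addr: str) -> str:
    """Port part of 'host:port'; rpartition also copes with IPv6 'a::b:port'."""
    return addr.rpartition(":")[2]


def suspicious_smtp_connections(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Outbound port-25 sockets from ephemeral local ports not owned by the MTA."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m or m.group("state") not in OUTBOUND_STATES:
            continue
        lport, rport = _port(m.group("local")), _port(m.group("remote"))
        if rport != "25" or not lport.isdigit() or int(lport) < 1024:
            continue
        program = m.group("owner").partition("/")[2]
        if program in KNOWN_MTA_PROGRAMS:
            continue  # the box's own mail server delivering mail is normal
        # owner '-' means netstat could not see the process: inspect that too
        hits.append({"local": m.group("local"), "remote": m.group("remote"),
                     "state": m.group("state"), "owner": m.group("owner")})
    return hits


# Constructed sample output (TEST-NET addresses), not a capture from the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:45120          203.0.113.25:25         ESTABLISHED 1533/exim4
tcp        0      0 10.0.0.5:39472          203.0.113.40:25         ESTABLISHED 4121/gcc.sh
tcp        0      0 10.0.0.5:39473          203.0.113.41:25         ESTABLISHED -
tcp        0      0 10.0.0.5:39480          203.0.113.50:25         SYN_SENT    4121/gcc.sh
"""
```

On a live host, run `netstat -natp` as root before feeding its lines in; otherwise the owner column shows `-` for processes belonging to other users and every outbound SMTP socket gets flagged.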
Re: Got 10 VestaCP servers exploited
I think my server is also affected. When I run this command netstat -natp it shows multiple Chinese IP addresses. I can provide root access to my server to you for investigation; if you need it then please reply to me.
Re: Got 10 VestaCP servers exploited
We need Debian 9 update, trying to update from 0.9.8 but without luck
Re: Got 10 VestaCP servers exploited
If you seem affected on port 25, why don't you do an email rate_limit, so this shit won't consider you anymore..
Re: Got 10 VestaCP servers exploited
Isn't it by default that when your firewall is enabled, everything is dropped?
And by default, only the accepted ones are in the FIREWALL tab.
If you already changed your admin port, automatically your 8083 is dropped.
I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked.
Re: Got 10 VestaCP servers exploited
Did you install VestaCP recently?
pipoy wrote: ↑Mon Apr 09, 2018 2:09 pm
We are trying to know if their repo was exploited.