Vesta Control Panel - Forum


Got 10 VestaCP servers exploited

General questions about VestaCP
Locked
549 posts
  • Page 5 of 55
StudioMaX
Posts: 33
Joined: Fri Aug 05, 2016 12:17 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by StudioMaX » Sat Apr 07, 2018 8:40 pm

Moderators: please post instructions on how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after being hacked can temporarily change their web server configs and try to catch the requests from the exploit.

sandy
Posts: 90
Joined: Sat Apr 07, 2018 7:06 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by sandy » Sat Apr 07, 2018 8:41 pm

StudioMaX wrote: ↑
Sat Apr 07, 2018 8:36 pm
Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them are located in /usr/local/vesta/data/sessions.
As I understand the web interface internals, PHP will check that we have a "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php); otherwise it will redirect to the login page.
What I mean is: I looked through all the session files in Notepad and searched them for the variable "user", and it exists only in the sessions created by me (my IP address is in the "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.
As far as I checked, it's Vesta PHP, and the exploit is present in Vesta core files which are used to perform root tasks.
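StudioMaX's check above (look through every session file for a "user" variable and compare "user_combined_ip" with the address you log in from) can be scripted instead of done in Notepad. The script below is an added example written for this thread, not code from VestaCP or from any poster. It assumes the session files use PHP's default "php" serialize handler (entries of the form name|serialized-value written back to back), that the keys are called user and user_combined_ip as described in the post, and that the directory is /usr/local/vesta/data/sessions; the three sample sessions embedded at the bottom are constructed.

```python
"""List Vesta PHP session files that carry a logged-in "user".

Added example, not VestaCP code. Assumes PHP's default "php" session
serializer: `name|<serialize() output>` entries concatenated with no
separator (each value is self-delimiting), and the key names `user` and
`user_combined_ip` from the thread. SAMPLE_SESSIONS is constructed data.
"""
import os
import sys


def _parse_value(buf: bytes, pos: int):
    """Decode one PHP serialize() value at buf[pos]; return (value, next_pos).

    Handles N (null), b (bool), i (int), d (float), s (string) and
    a (array, returned as a dict). Objects (O) are not handled and raise.
    """
    kind = buf[pos:pos + 1]
    if kind == b"N":                              # N;
        return None, pos + 2
    if kind in (b"b", b"i", b"d"):                # b:1;  i:42;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        if kind == b"i":
            return int(raw), end + 1
        if kind == b"d":
            return float(raw), end + 1
        return raw == b"1", end + 1
    if kind == b"s":                              # s:5:"admin";  (length in bytes)
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                         # skip :"
        value = buf[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2          # skip ";
    if kind == b"a":                              # a:2:{<key><value><key><value>}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                             # skip :{
        out = {}
        for _ in range(count):
            key, p = _parse_value(buf, p)
            out[key], p = _parse_value(buf, p)
        return out, p + 1                         # skip }
    raise ValueError(f"unsupported serialize type {kind!r} at offset {pos}")


def parse_session(buf: bytes) -> dict:
    """Turn one raw session file into a dict of session variables."""
    variables, pos = {}, 0
    while pos < len(buf):
        bar = buf.index(b"|", pos)
        name = buf[pos:bar].decode("utf-8", "replace")
        variables[name], pos = _parse_value(buf, bar + 1)
    return variables


def scan_sessions(sessions: dict, known_ips=()) -> list:
    """Return a record for each session that has `user` set (or fails to parse).

    `sessions` maps file name -> raw bytes. `unknown_ip` is True when the
    session's user_combined_ip is not one of the addresses you logged in from.
    """
    hits = []
    for name in sorted(sessions):
        try:
            data = parse_session(sessions[name])
        except ValueError as exc:
            hits.append({"file": name, "user": None, "ip": None,
                         "error": str(exc), "unknown_ip": False})
            continue
        if "user" not in data:
            continue
        ip = data.get("user_combined_ip")
        hits.append({"file": name, "user": data["user"], "ip": ip,
                     "error": None, "unknown_ip": ip not in known_ips})
    return hits


def load_sessions(directory: str) -> dict:
    """Read every sess_* file from a PHP session directory."""
    out = {}
    for name in os.listdir(directory):
        if name.startswith("sess_"):
            with open(os.path.join(directory, name), "rb") as fh:
                out[name] = fh.read()
    return out


# Constructed sample session files (documentation IP ranges, not real data).
SAMPLE_SESSIONS = {
    "sess_a1b2": b'user|s:5:"admin";user_combined_ip|s:11:"203.0.113.7";language|s:2:"en";',
    "sess_c3d4": b'language|s:2:"en";prefs|a:1:{s:5:"theme";s:7:"default";}',
    "sess_e5f6": b'user|s:4:"user";user_combined_ip|s:12:"198.51.100.9";',
}

if __name__ == "__main__":
    # Usage: python vesta_sessions.py [/usr/local/vesta/data/sessions] [known_ip ...]
    sessions = load_sessions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SESSIONS
    for hit in scan_sessions(sessions, known_ips=sys.argv[2:]):
        flag = "UNKNOWN-IP" if hit["unknown_ip"] else "known"
        print(f"{hit['file']}: user={hit['user']} ip={hit['ip']} [{flag}] {hit['error'] or ''}")
```

Run it with the sessions directory and the addresses you log in from as arguments. A session that has user set from an address you do not recognise is the one to look at; a file that does not parse at all (reported with an error) is also worth opening by hand. Note that a session file only proves a login through the panel, so an empty result here is consistent with StudioMaX's conclusion that the entry point may not be the authenticated web interface at all.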

Prime
Posts: 20
Joined: Sat Apr 07, 2018 8:15 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by Prime » Sat Apr 07, 2018 8:45 pm

StudioMaX wrote: ↑
Sat Apr 07, 2018 8:40 pm
Moderators: please post instructions how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their configs of the web server and try to catch the requests from the exploit.
It should be as easy as editing the nginx configuration for Vesta:

Code:

access_log /usr/local/vesta/log/nginx_access.log main;  # "main" is the log_format this nginx.conf already defines

You can find the configuration in "/usr/local/vesta/nginx/conf/nginx.conf", and you need to restart the Vesta service after editing the file.

Edit: I stand corrected, just edit the file and point access_log at a file. Right now it's redirected to /dev/null, as follows, in the file: "access_log /dev/null main;"
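Once access_log points at a file instead of /dev/null, the next question is what to do with the lines. The script below is an added example, not code from VestaCP or from the poster. It assumes the lines are in nginx's predefined combined format (if the log_format called main in /usr/local/vesta/nginx/conf/nginx.conf lays the fields out differently, adjust LINE_RE to match); the six log lines embedded in it are constructed, using documentation address ranges. It counts requests per client and per path and pulls out every request that did not come from an address you trust, separately flagging POSTs and request lines nginx itself could not parse.

```python
"""Triage Vesta panel access-log lines once logging is no longer /dev/null.

Added example, not VestaCP code. LINE_RE expects nginx's predefined
"combined" format; adjust it if the "main" format in Vesta's nginx.conf
differs. SAMPLE_LOG is constructed (documentation IPs, invented agents).
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # nginx logs "-" (or a truncated string) when it could not read a request
    # line; keep such records but mark them, since hand-written exploit
    # clients and scanners often produce them.
    if len(parts) == 3:
        rec["method"], rec["path"], rec["proto"] = parts
    else:
        rec["method"] = rec["path"] = rec["proto"] = None
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, trusted_ips):
    """Summarise who talked to the panel and pull out everything not from trusted_ips."""
    by_ip, by_path, untrusted, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            unparsed += 1
            continue
        by_ip[rec["ip"]] += 1
        by_path[rec["path"] or "<malformed>"] += 1
        if rec["ip"] not in trusted_ips:
            untrusted.append(rec)
    return {
        "by_ip": by_ip,
        "by_path": by_path,
        "untrusted": untrusted,
        "untrusted_posts": [r for r in untrusted if r["method"] == "POST"],
        "malformed": [r for r in untrusted if r["method"] is None],
        "unparsed": unparsed,
    }


def report(summary) -> str:
    """Render a triage summary as text."""
    out = ["requests per client:"]
    out += [f"  {ip:<16} {n}" for ip, n in summary["by_ip"].most_common()]
    out.append("requests per path:")
    out += [f"  {n:>5}  {p}" for p, n in summary["by_path"].most_common()]
    out.append(f"untrusted requests: {len(summary['untrusted'])} "
               f"(POST: {len(summary['untrusted_posts'])}, "
               f"malformed: {len(summary['malformed'])}, "
               f"unparsed lines: {summary['unparsed']})")
    for r in summary["untrusted"]:
        out.append(f"  {r['ip']} [{r['time']}] {r['request']!r} -> {r['status']} ua={r['ua']!r}")
    return "\n".join(out)


# Constructed sample lines (documentation IPs, invented timestamps and agents).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2018:20:40:01 +0000] "GET /login/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Apr/2018:20:40:05 +0000] "POST /login/ HTTP/1.1" 302 0 "https://panel.example/login/" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Apr/2018:21:02:11 +0000] "GET / HTTP/1.1" 302 0 "-" "python-requests/2.18.4"',
    '198.51.100.9 - - [07/Apr/2018:21:02:12 +0000] "POST /login/ HTTP/1.1" 200 2310 "-" "python-requests/2.18.4"',
    '198.51.100.9 - - [07/Apr/2018:21:02:13 +0000] "-" 400 0 "-" "-"',
    "this line is not an access-log record",
]

if __name__ == "__main__":
    # Usage: python panel_log_triage.py [access.log] [trusted_ip ...]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(triage(fh, set(sys.argv[2:]))))
    else:
        print(report(triage(SAMPLE_LOG, {"203.0.113.7"})))
```

Start by treating only your own addresses as trusted; everything else that reached the panel after the compromise window is the candidate list, and a POST from an automated user agent, or a request nginx could not even parse, goes to the top of it. Because the thread does not yet know which request carries the exploit, the script deliberately does not match on any path or payload, it only narrows down which lines a human should read.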

LAlf
Posts: 19
Joined: Sat Feb 04, 2017 11:02 pm

Re: Got 10 VestaCP servers exploited

Post by LAlf » Sat Apr 07, 2018 8:50 pm

I have 3 servers with VestaCP; on all of them the outgoing traffic (tx) is no more than 100 KB, but on one server the Vesta login/password is now incorrect (nobody changed it) and inode usage is at 100%. It's strange.

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Got 10 VestaCP servers exploited

Post by usr999 » Sat Apr 07, 2018 8:57 pm

Can't delete the virus body; after deleting it, it is always restored at /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)

Prime
Posts: 20
Joined: Sat Apr 07, 2018 8:15 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by Prime » Sat Apr 07, 2018 9:00 pm

usr999 wrote: ↑
Sat Apr 07, 2018 8:57 pm
Can't delete the virus body; after deleting it, it is always restored at /usr/lib/libudev.so
Can you run "ps aux" and share it using something like Pastebin? There may be some other script or application that spawns a new one when it's removed.

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Got 10 VestaCP servers exploited

Post by usr999 » Sat Apr 07, 2018 9:06 pm

Prime wrote: ↑
Sat Apr 07, 2018 9:00 pm
Can you run "ps aux" and share it using something like Pastebin? There may be some other script or application that spawns a new one when it's removed.
http://dpaste.com/3DZBD8F

sandy
Posts: 90
Joined: Sat Apr 07, 2018 7:06 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by sandy » Sat Apr 07, 2018 9:43 pm

Prime wrote: ↑
Sat Apr 07, 2018 9:00 pm
Can you run "ps aux" and share it using something like Pastebin? There may be some other script or application that spawns a new one when it's removed.
You need to reinstall the server OS. Even if this exploit is fixed by the Vesta team, your server will still get infected.

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sat Apr 07, 2018 9:46 pm

We can't install Vesta again until we know for a fact that this has been patched.
So far we don't know where the breach is.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: Got 10 VestaCP servers exploited

Post by imperio » Sat Apr 07, 2018 9:56 pm

Who can send access to a server where the files with the virus still exist?
[email protected]


Powered by phpBB® Forum Software © phpBB Limited