Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts
  • Page 6 of 55
dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Sat Apr 07, 2018 10:33 pm

StudioMaX wrote: ↑
Sat Apr 07, 2018 8:40 pm
Moderators: please post instructions on how to enable logging in all the web interfaces of Vesta (in nginx or Apache), so that those who find this thread after the hacking can temporarily change their web server configs and try to catch the requests from the exploit.
https://pastebin.com/sj8uWAr4

but I don't suggest running the vesta service at all right now.

n0x
Posts: 16
Joined: Sat Apr 07, 2018 10:30 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by n0x » Sat Apr 07, 2018 10:36 pm

Just to add another hacked installation: I got notified by DigitalOcean today of an outbound DDoS from two VMs at 14:42, with about 1 Gbps outbound on both machines.

They've cut all network access to the VMs and won't restore it, so I can't provide access for any investigation; I'm in the process of restoring to new VMs from backups at the moment.

Installation was Ubuntu 16.04 with Vesta 0.9.8-19. Both VMs had apache, nginx, bind, exim/dovecot, mysql, iptables + fail2ban and vsftpd installed.

I've got some limited, very slow, console access to the VMs until they get rebooted / destroyed.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Sat Apr 07, 2018 10:44 pm

usr999 wrote: ↑
Sat Apr 07, 2018 8:57 pm
Can't delete the virus body; after deleting it, /usr/lib/libudev.so is always restored.
Try this manual - https://admin-ahead.com/forum/server-se ... ts-trojan/

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: Got 10 VestaCP servers exploited

Post by skurudo » Sat Apr 07, 2018 10:46 pm

n0x wrote: ↑
Sat Apr 07, 2018 10:36 pm
They've cut all network access to the VMs and won't restore it, so I can't provide access for any investigation; I'm in the process of restoring to new VMs from backups at the moment.
Did they disable console access too?

n0x
Posts: 16
Joined: Sat Apr 07, 2018 10:30 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by n0x » Sat Apr 07, 2018 10:52 pm

skurudo wrote: ↑
Sat Apr 07, 2018 10:46 pm
Did they disable console access too?
Nope - I can get on via the console, but it is very slow, and for some reason the | (pipe) character comes out as > no matter what I do, so I'm limited in the commands I can run too.

I have the same /lib/libudev.so.6 in my crontab:

Code:

for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: Got 10 VestaCP servers exploited

Post by skurudo » Sat Apr 07, 2018 11:19 pm

n0x wrote: ↑
Sat Apr 07, 2018 10:52 pm
skurudo wrote: ↑
Sat Apr 07, 2018 10:46 pm
Did they disable console access too?
Nope - I can get on via the console, but it is very slow, and for some reason the | (pipe) character comes out as > no matter what I do, so I'm limited in the commands I can run too.
Can you please provide access via [email protected]?

If not, run these commands and show us the output in a spoiler:

Code:

stat /etc/cron.hourly/gcc.sh

Code:

ls -la /usr/local/vesta/data/sessions/

n0x
Posts: 16
Joined: Sat Apr 07, 2018 10:30 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by n0x » Sat Apr 07, 2018 11:45 pm

skurudo wrote: ↑
Sat Apr 07, 2018 11:19 pm
n0x wrote: ↑
Sat Apr 07, 2018 10:52 pm
skurudo wrote: ↑
Sat Apr 07, 2018 10:46 pm
Did they disable console access too?
Nope - I can get on via the console, but it is very slow, and for some reason the | (pipe) character comes out as > no matter what I do, so I'm limited in the commands I can run too.
Can you please provide access via [email protected]?

If not, run these commands and show us the output in a spoiler:

Code:

stat /etc/cron.hourly/gcc.sh

Code:

ls -la /usr/local/vesta/data/sessions/
I've run the commands; I have to screenshot as I can't copy / paste from the console (I also only get half a screen, and as I can't use the | character I can't paginate the ls output, so I dumped it to a text file and screen-grabbed it from nano).

Code:

stat /etc/cron.hourly/gcc.sh
Spoiler: [screenshot of the stat output]

Code:

ls -la /usr/local/vesta/data/sessions/
Spoiler: [two screenshots of the ls output]
I'll see if I can get the VM into a team account that I can share, but DigitalOcean are going to destroy it soon and spin up a new/clean VM.

skivte
Posts: 2
Joined: Fri Apr 11, 2014 8:11 am

Re: Got 10 VestaCP servers exploited

Post by skivte » Sat Apr 07, 2018 11:49 pm

skurudo wrote: ↑
Sat Apr 07, 2018 11:19 pm
Can you please provide access via [email protected]?

If not use commands and spoiler and show us:
I'm on DigitalOcean as well and I can't give access to or copy text from their web console but here are screenshots of each command:

Code:

stat /etc/cron.hourly/gcc.sh
https://i.imgur.com/VkoD4UZ.png

Code:

ls -la /usr/local/vesta/data/sessions/
https://i.imgur.com/JZHOmpU.png

n0x
Posts: 16
Joined: Sat Apr 07, 2018 10:30 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by n0x » Sat Apr 07, 2018 11:57 pm

n0x wrote: ↑
Sat Apr 07, 2018 11:45 pm
I'll see if I can get the VM into a team account that I can share, but DigitalOcean are going to destroy it soon and spin up a new/clean VM.
I can't find a way to move individual VMs / droplets into a team account so that I can share them with other users.

Let me know if you need any other commands run on the VM.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Sun Apr 08, 2018 12:51 am

GID of gcc.sh is always 1001 or 1002 - just noticed that from the screenshot that the user provided.
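The thread asks affected admins to stat /etc/cron.hourly/gcc.sh, list the Vesta sessions directory, and look at the crontab that copies and runs /lib/libudev.so.6. The script below is an added, read-only triage helper written for this page (it is not from the thread or from the Vesta project) that checks those same indicators, plus /etc/cron.d and /etc/crontab as assumed extra cron locations. It takes an optional root directory so it can be pointed at a mounted disk image or a copied tree rather than the live system; the gid read uses GNU stat with a BSD fallback.

```shell
#!/bin/sh
# Read-only triage for the indicators named in this thread: the hourly gcc.sh
# cron script, the libudev.so binary that re-creates itself, crontab lines that
# copy or execute it, and the Vesta session directory skurudo asked for.
# ROOT lets it run against a mounted image or copied tree instead of "/".

report_indicators() {
    root="${1:-/}"
    f="$root/etc/cron.hourly/gcc.sh"
    if [ -e "$f" ]; then
        # the thread reports this file with group id 1001 or 1002
        gid=$(stat -c '%g' "$f" 2>/dev/null || stat -f '%g' "$f" 2>/dev/null || echo '?')
        echo "INDICATOR: $f exists (gid=$gid)"
    fi
    # the dropped binary and the .so.6 copy the crontab makes of it
    for p in lib/libudev.so lib/libudev.so.6 usr/lib/libudev.so usr/lib/libudev.so.6; do
        if [ -f "$root/$p" ]; then echo "INDICATOR: $root/$p present"; fi
    done
    # crontab entries that reference the binary or walk /proc/net/dev
    # (/etc/cron.d and /etc/crontab are assumed extra locations, not from the thread)
    for c in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* \
             "$root"/etc/cron.d/* "$root/etc/crontab"; do
        [ -f "$c" ] || continue
        if grep -Eq 'libudev\.so|/proc/net/dev' "$c"; then
            echo "INDICATOR: $c references libudev.so or /proc/net/dev"
        fi
    done
    # session files are reported for review, not counted as indicators
    s="$root/usr/local/vesta/data/sessions"
    if [ -d "$s" ]; then echo "INFO: $(ls -A "$s" | wc -l | tr -d ' ') session file(s) in $s"; fi
    return 0
}

# Number of INDICATOR lines, for scripting or a quick yes/no.
count_indicators() {
    report_indicators "$1" | grep -c '^INDICATOR:' || true
}

# Usage: report_indicators /mnt/suspect-disk   (no argument scans "/")
```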
