Got 10 VestaCP servers exploited

[highlander]

Who want provide access to hacked server?
Please, send access via [email protected]

Sent you an email..

[imperio]

Thank you

[sandy]

A few more logs provided by the hosting support at the time when the server was active

Code: Select all

[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
update 985 root 69r FIFO 0,8 0t0 188493315 pipe
update 985 root 70w FIFO 0,8 0t0 188493315 pipe
update 985 root 71r FIFO 0,8 0t0 188493316 pipe
update 985 root 72w FIFO 0,8 0t0 188493316 pipe
update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom

I had the same processes as AKr0nizz. Also, the working directory of the virus was /usr/share/roundcubemail. This is somehow related to Roundcube.

I have now looked the Roundcube repository on the GitHub and found this recent security issue. But I don't know how this can be related to our servers.

looks siimilar with mine servers :

Code: Select all

374491     nginx            nginx: worker process
374492     nginx            nginx: worker process
374493     nginx            nginx: worker process[size=200][/size]
374494     nginx            nginx: worker process
374495     nginx            nginx: cache manager process
411496     named            /usr/sbin/named -u named -c /etc/named.conf
489055     httpd            /usr/sbin/httpd -DFOREGROUND
504853     httpd            /usr/sbin/httpd -DFOREGROUND
1009543    config           dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355    update           cat resolv.conf
1033960    qlzdmvoutu       cat resolv.conf
1033961    qlzdmvoutu       uptime
1033968    qlzdmvoutu       top
1033970    qlzdmvoutu       gnome-terminal
1033973    qlzdmvoutu       pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[AKr0nizz]

@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards

Yeah, but ftp only mode is also suitable for getting all necessary backups.

[sandy]

@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards

Yeah, but ftp only mode is also suitable for getting all necessary backups.

you can't retrieve mysql dump from ftp if user doesn't have backup.

[talha]

@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards

Yeah, but ftp only mode is also suitable for getting all necessary backups.

you can't retrieve mysql dump from ftp if user doesn't have backup.

If your database server is up, you can use heidisql to backup sql files.

[AKr0nizz]

@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards

Yeah, but ftp only mode is also suitable for getting all necessary backups.

you can't retrieve mysql dump from ftp if user doesn't have backup.

Yeah, it is quite complex.
But if you have FTP access as root to the server, your MySQL DBs are stored here:
/var/lib/mysql/

[sandy]

did you checked its only read only mode

[sandy]

Yeah, but ftp only mode is also suitable for getting all necessary backups.

you can't retrieve mysql dump from ftp if user doesn't have backup.

If your database server is up, you can use heidisql to backup sql files.

how you connect it via ftp lol

[sandy]

i didn't understand if vestacp team already gotten SOME BUNCH OF HACKED SERVER FOR TESTING why they are still resting ?