Vesta Control Panel - Forum

Malicious script found on one node

General questions about VestaCP
2 posts • Page 1 of 1
mike08
Posts: 160
Joined: Sat Jun 20, 2015 7:12 am

Os: Debian 6x
Web: apache + nginx
Malicious script found on one node

Post by mike08 » Fri Jan 20, 2017 9:18 am

Hello there,

So, I have terminated a user today due to the fact that he/she ran a malicious php/trojan script on one of my VestaCP nodes; this said user was able to create a symbolic link under his public_html with the following syntax:

Code:

    /home/stzztk/web/st4zz.tk/public_html/dm/

<-- Be aware of such unregistered domain

Code:

    ls -la /home/stzztk/web/st4zz.tk/public_html/dm/
    total 12
    drwxr-xr-x  2 stzztk   stzztk 4096 Feb 19  2016 .
    drwxr-xr-x 10 stzztk   stzztk   4096 Feb 19  2016 ..
    -rw-r--r--  1 stzztk   stzztk  228 Feb 19  2016 .htaccess
    lrwxrwxrwx  1 stzztk   stzztk    1 Sep  4 18:30 dm.txt -> /
He was able to see the folder structure on that node (but not able to view the content of each config file or db file).

The scripts I found while going through the apache logs were: http://pastebin.com/wJNXHprE and http://pastebin.com/raw/5S87iwwV; however, I wasn't able to reproduce it on my own to understand how this works.

Have any of you experienced this before?
As far as I was able to investigate/determine, he/she was only able to view the root directory structure but not each file's content. Would there be a high security risk that I'm missing here?

Any advice would be greatly appreciated!
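A quick check an admin can run for the pattern described in this post, as an added example that is not part of the thread or of VestaCP: it walks a site's public_html and reports every symlink whose resolved target lies outside that directory (the `dm.txt -> /` link above is exactly that case). The /home/<user>/web/<domain>/public_html layout is taken from the post; the script assumes GNU `readlink -f` is available, and the sample site it builds in a temp directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP): find symlinks under a web root
# that resolve outside it, e.g. the "dm.txt -> /" link from the post above.
# Assumes GNU readlink -f and the VestaCP layout /home/<user>/web/<domain>/public_html.

# escaping_symlinks DIR: print one line per symlink below DIR whose resolved
# target is not DIR itself or something beneath it.
escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l -print | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$root"|"$root"/*) ;;   # stays inside the web root: nothing to report
            *) printf '%s -> %s (resolves to %s)\n' \
                   "$link" "$(readlink "$link")" "$target" ;;
        esac
    done
}

# make_sample_site: build a constructed public_html in a temp dir with one
# harmless relative link and one link to /, and print the temp dir path.
make_sample_site() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/public_html/dm"
    echo '<?php' > "$t/public_html/index.php"
    ln -s ../index.php "$t/public_html/dm/ok.php"   # resolves inside the web root
    ln -s / "$t/public_html/dm/dm.txt"              # the pattern from the post
    printf '%s\n' "$t"
}

# Stand-alone run: scan the constructed site, then clean up.
# On a real node: for d in /home/*/web/*/public_html; do escaping_symlinks "$d"; done
site=$(make_sample_site)
escaping_symlinks "$site/public_html"
rm -rf "$site"
```

Only the link to / is printed; the relative link that stays under public_html is ignored. A link to / or to another user's home is the finding to act on, because it is the open_basedir setting, not the filesystem permissions, that decides how far a PHP script can follow it.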

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: Malicious script found on one node

Post by mehargags » Fri Jan 20, 2017 4:34 pm

Pretty common to have a php-shell trojan script these days if you run an outdated WordPress or use shady, unverified plugins. These scripts are backdoor agents and open a remote host, forming a bridge for the attacker, and then shell commands are passed through it.

Maldet your whole server and also make sure to check other websites of the same VestaCP user; the shell access "crawls" through the file system and replicates itself with various names: backup.php/article.php/email.php or similar. Please double check your basedir setting. Newer VestaCP restricts every site to its own public_html; the older sites configured have access to the "user" dir.

You can also upload the site's zip (without images) to virustotal.com and scan it for any malicious inclusions.
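The basedir point in this reply, as an added example that is not taken from the thread or from VestaCP's own scripts: it reads an Apache vhost file, remembers each DocumentRoot, and reports any `php_admin_value open_basedir` entry that grants the site more than its own document root plus /tmp. The directive name is the standard mod_php one; whether your VestaCP templates use it (rather than a php-fpm pool setting, which this does not parse) and whether they add a per-user tmp directory are assumptions to check against your own config. The two-site vhost file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP): flag Apache vhosts whose
# open_basedir grants a site more than its own DocumentRoot plus /tmp.
# Assumes mod_php style "php_admin_value open_basedir ..." lines; the php-fpm
# pool form php_admin_value[open_basedir] is not handled here.

# check_basedir CONF: print "BROAD: <docroot> grants <entry>" for every
# open_basedir entry that is not the preceding DocumentRoot, a path under it, or /tmp.
check_basedir() {
    docroot=""
    while IFS= read -r line; do
        case "$line" in
            *DocumentRoot*)
                docroot=$(printf '%s\n' "$line" | sed -n 's/.*DocumentRoot[[:space:]]*//p' | tr -d '"') ;;
            *open_basedir*)
                value=$(printf '%s\n' "$line" | sed -n 's/.*open_basedir[[:space:]]*//p' | tr -d '"')
                # open_basedir is a colon-separated list of directories
                printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
                    case "$entry" in
                        "$docroot"|"$docroot"/*|/tmp|/tmp/) ;;   # confined to the site
                        *) printf 'BROAD: %s grants %s\n' "$docroot" "$entry" ;;
                    esac
                done ;;
        esac
    done < "$1"
}

# make_sample_conf: write a constructed two-site vhost file and print its path.
# Site a.example is confined to its public_html; site b.example is granted all of /home/bob.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<VirtualHost *:8080>
    DocumentRoot /home/alice/web/a.example/public_html
    php_admin_value open_basedir "/home/alice/web/a.example/public_html:/tmp"
</VirtualHost>
<VirtualHost *:8080>
    DocumentRoot /home/bob/web/b.example/public_html
    php_admin_value open_basedir "/home/bob:/tmp"
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: check the constructed file, then clean up.
# On a real node: for c in /home/*/conf/web/*apache2*.conf; do check_basedir "$c"; done
conf=$(make_sample_conf)
check_basedir "$conf"
rm -f "$conf"
```

The second site is the "older sites have access to the user dir" case from the reply: a symlink to / inside its public_html would let a script read anything under /home/bob, which is why the entry is reported. If your templates legitimately add a per-user tmp path, extend the `case` pattern with it rather than loosening the check.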
