We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
Okay, but log in from another server to it in screen and tail the log. Ok?
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
Up and running. Fingers crossed!
Re: Got 10 VestaCP servers exploited
> skamasle wrote: ↑Sun Apr 08, 2018 12:22 pm
> > StudioMaX wrote: ↑Sun Apr 08, 2018 11:54 am
> > A bit more info:
> > My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00
> > I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time, on 04.04.2018 16:24:56
> > In the SQL dump of the "session" table from the "roundcube" database I found a new session at the same time. 119.82.29.17 looks like the attacker's or a bot's IP:
> >
> > INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
> >
> > But interesting is that the same IP address figured in another session from 2018-03-24 23:02:01:
> >
> > INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
> >
> > All other tables in the "roundcube" database were empty (since I do not use Roundcube).
> > I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.
> Can confirm access from that IP the same day the gcc.sh file appeared, with a HEAD request to /webmail/
While writing my post above, I missed that. So I quickly grepped for that IP and can confirm that it appears in my logfiles too, with only a single HEAD request to the /webmail URL, just once, no further occurrence after that.
Also can confirm that the timestamps match the creation of the rc files and the /etc/init.d/update script which points to /tmp/update ...
I am still unsure how exactly this relates. A HEAD request should not be malicious at all. But maybe something from the resulting data was needed for the break-in attempt? Without log information for vesta-nginx one can only guess :(
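Decoding the `vars` column StudioMaX dumped above, as an added example that is not part of the original post or of Roundcube's code: Roundcube stores PHP's session_encode() output base64-encoded in its `session` table, so the two rows can be parsed to see exactly what state those sessions held. The only input is the two INSERT statements posted in the thread; the `is_authenticated` helper is this example's own and rests on Roundcube setting `user_id` in the session only after a successful login.

```python
import base64
import re

# Constructed sample: the two rows StudioMaX dumped from roundcube's `session`
# table, copied verbatim from the thread (sess_id, changed, ip, vars).
SESSION_DUMP = """
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
"""

ROW_RE = re.compile(r"VALUES \('([^']*)', '([^']*)', '([^']*)', '([^']*)'\)")


def _parse_value(blob: bytes, pos: int):
    """Parse one PHP serialize() value starting at blob[pos]; return (value, next_pos)."""
    kind = blob[pos:pos + 1]
    if kind == b"N":                        # N;
        return None, pos + 2
    if kind in (b"b", b"i"):                # b:1;   i:42;
        end = blob.index(b";", pos)
        raw = blob[pos + 2:end]
        return ((raw == b"1") if kind == b"b" else int(raw)), end + 1
    if kind == b"s":                        # s:<len>:"<bytes>";
        colon = blob.index(b":", pos + 2)
        length = int(blob[pos + 2:colon])
        start = colon + 2                   # skip ':"'
        value = blob[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2    # skip '";'
    raise ValueError(f"unsupported serialized type {kind!r} at offset {pos}")


def parse_php_session(blob: bytes) -> dict:
    """Decode PHP's default session serializer: key|<serialize()>key|<serialize()>..."""
    out, pos = {}, 0
    while pos < len(blob):
        bar = blob.index(b"|", pos)
        key = blob[pos:bar].decode()
        out[key], pos = _parse_value(blob, bar + 1)
    return out


def load_sessions(dump: str) -> list:
    """Turn the INSERT statements of a `session` table dump into decoded rows."""
    rows = []
    for sess_id, changed, ip, vars_b64 in ROW_RE.findall(dump):
        rows.append({
            "sess_id": sess_id,
            "changed": changed,
            "ip": ip,
            "vars": parse_php_session(base64.b64decode(vars_b64)),
        })
    return rows


def is_authenticated(row: dict) -> bool:
    """Roundcube sets user_id (and username) in the session only after a
    successful login; a row holding just task=login and a request_token means
    the login form was served to that client, not that it got in."""
    return "user_id" in row["vars"]


def sessions_from(rows: list, ip: str) -> list:
    return [r for r in rows if r["ip"] == ip]


if __name__ == "__main__":
    for r in load_sessions(SESSION_DUMP):
        state = "authenticated" if is_authenticated(r) else "login page only"
        print(r["changed"], r["ip"], r["vars"]["task"], r["vars"]["request_token"], state)
```

Both rows decode to `temp=true, language=en_US, task=login` plus a fresh `request_token`, i.e. the same client fetched the Roundcube login page on 24 March and again on 4 April and never authenticated through it; that is consistent with the single HEAD /webmail request others saw and says nothing about where the actual break-in happened.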
Re: Got 10 VestaCP servers exploited
> Falzo wrote: ↑Sun Apr 08, 2018 1:16 pm
> While writing my post above, I missed that. So I quickly grepped for that IP and can confirm that it appears in my logfiles too, with only a single HEAD request to the /webmail URL, just once, no further occurrence after that.
> [...]
Since you're assuming that it is from Roundcube, can you paste the output of this command:

stat /usr/share/roundcubemail/*

stat /path/to/your/roundcube/*
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
Just a few seconds after starting Vesta, here is what I got from the log:

My IP address is x.x.x.x

x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /list/user/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:02 -0400] "GET /css/jquery-custom-dialogs.css?1446554103 HTTP/1.1" 200 5833 "https://xxxxxx:8083/login/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) G$
y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:09 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:11 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:12 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:14 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"

It seems like this guy is still running the exploit script.

Here is what changed in /etc:

> The following change occurred in the file /etc : 08/04/18 09:15 - CREATE /etc/bind/sedMBXndN

The file is deleted afterward though.

There has to be something with the /api/ folder.
Last edited by crackerizer on Sun Apr 08, 2018 2:27 pm, edited 1 time in total.
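Turning crackerizer's log excerpt into a repeatable check, as an added example that is not part of the original post or of Vesta: parse nginx combined-format access-log lines and flag any client that fires a burst of POST requests at /api/ within a short window, reporting the user agents it used. The sample lines are constructed from the ones posted above (the poster's masked addresses x.x.x.x and y.y.y.y kept, the truncated CSS line dropped); the 30-second window and the threshold of five are arbitrary choices for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the vesta-nginx access-log lines posted in
# the thread. x.x.x.x is the admin's browser, y.y.y.y the curl client.
SAMPLE_LOG = """\
x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:09 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:11 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:12 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:14 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
"""

# nginx "combined" format: ip - user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def api_bursts(entries: list, path: str = "/api/",
               window: timedelta = timedelta(seconds=30), threshold: int = 5) -> dict:
    """Return {ip: (max_hits_in_window, [user agents])} for clients that POST to
    `path` at least `threshold` times inside any interval of length `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, lo = 0, 0
        for hi in range(len(evs)):          # sliding window over sorted timestamps
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[ip] = (best, sorted({e["ua"] for e in evs}))
    return hits


if __name__ == "__main__":
    for ip, (count, agents) in api_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {count} POST /api/ in 30s, user agents {agents}")
```

Run it against the real log with `parse_log(open("/var/log/vesta/nginx-access.log").read())` or whatever path your install writes to; the admin's browser traffic (GET / and /login/) never trips the check, while the curl client does after its fifth POST.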
Re: Got 10 VestaCP servers exploited
Just got an email from Vultr that I have hit a bandwidth threshold. Then I saw 3 of my instances have skyrocketing bandwidth usage. 1 has exceeded the allocated value.
2 hours later, without any clue what was happening, I looked into the Vesta forum and saw this thread.
Done looking at this thread page by page.
Good news: not just me.
So I am now patiently waiting for a patch.
What have you guys done so far? I don't see anything about deleting a malicious file or virus yet.
Last edited by pipoy on Sun Apr 08, 2018 1:42 pm, edited 2 times in total.
Re: Got 10 VestaCP servers exploited
*deleted*
Last edited by StudioMaX on Sun Apr 08, 2018 2:33 pm, edited 1 time in total.
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
@StudioMaX
That's what I'm looking for, the how-to. lol
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
I can't believe you had it, dude, but you didn't enable POST logging. Please hurry up.
And when you do, let's abuse that IP.
Re: Got 10 VestaCP servers exploited
I've noticed some brute-force attacks from those Chinese IPs prior to the server being exploited:

2018-04-04 10:15:29 v-add-firewall-chain 'FTP'
2018-04-04 10:15:29 v-add-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 10:25:30 v-delete-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 17:14:20 v-add-firewall-chain 'FTP'
2018-04-04 17:14:20 v-add-firewall-ban '118.250.115.164' 'FTP'
2018-04-04 17:24:20 v-delete-firewall-ban '118.250.115.164' 'FTP'
2018-04-06 13:22:13 v-add-firewall-chain 'FTP'
2018-04-06 13:22:13 v-add-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 13:32:14 v-delete-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 14:39:44 v-add-firewall-chain 'FTP'
2018-04-06 14:39:44 v-add-firewall-ban '60.25.63.148' 'FTP'
2018-04-06 14:49:45 v-delete-firewall-ban '60.25.63.148' 'FTP'
2018-04-07 00:20:01 v-update-user-stats
2018-04-07 00:44:49 v-add-firewall-chain 'FTP'
2018-04-07 00:44:49 v-add-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 00:54:49 v-delete-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 03:40:11 v-add-firewall-chain 'FTP'
2018-04-07 03:40:11 v-add-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 03:50:12 v-delete-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 08:38:56 v-add-firewall-chain 'FTP'
2018-04-07 08:38:56 v-add-firewall-ban '39.71.34.68' 'FTP'
2018-04-07 08:48:56 v-delete-firewall-ban '39.71.34.68' 'FTP'

If there is no need to access your sites from China, it might be a good idea to block the complete IP range in the firewall.
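The ban history above can be checked mechanically; what follows is an added example, not part of the original post or of Vesta's own tooling. It pairs each v-add-firewall-ban entry with the matching v-delete-firewall-ban to show how long each source was actually kept out, lists the sources whose ban was lifted again quickly, and emits plain iptables DROP rules (not Vesta's firewall commands) for sources you decide to block for good. The log lines are the ones posted above; the 15-minute cut-off is an arbitrary assumption of this example.

```python
import re
from datetime import datetime

# Constructed sample: the Vesta system log excerpt posted in the thread.
BAN_LOG = """\
2018-04-04 10:15:29 v-add-firewall-chain 'FTP'
2018-04-04 10:15:29 v-add-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 10:25:30 v-delete-firewall-ban '119.39.93.206' 'FTP'
2018-04-04 17:14:20 v-add-firewall-chain 'FTP'
2018-04-04 17:14:20 v-add-firewall-ban '118.250.115.164' 'FTP'
2018-04-04 17:24:20 v-delete-firewall-ban '118.250.115.164' 'FTP'
2018-04-06 13:22:13 v-add-firewall-chain 'FTP'
2018-04-06 13:22:13 v-add-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 13:32:14 v-delete-firewall-ban '59.20.229.188' 'FTP'
2018-04-06 14:39:44 v-add-firewall-chain 'FTP'
2018-04-06 14:39:44 v-add-firewall-ban '60.25.63.148' 'FTP'
2018-04-06 14:49:45 v-delete-firewall-ban '60.25.63.148' 'FTP'
2018-04-07 00:20:01 v-update-user-stats
2018-04-07 00:44:49 v-add-firewall-chain 'FTP'
2018-04-07 00:44:49 v-add-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 00:54:49 v-delete-firewall-ban '139.170.219.219' 'FTP'
2018-04-07 03:40:11 v-add-firewall-chain 'FTP'
2018-04-07 03:40:11 v-add-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 03:50:12 v-delete-firewall-ban '113.1.82.107' 'FTP'
2018-04-07 08:38:56 v-add-firewall-chain 'FTP'
2018-04-07 08:38:56 v-add-firewall-ban '39.71.34.68' 'FTP'
2018-04-07 08:48:56 v-delete-firewall-ban '39.71.34.68' 'FTP'
"""

# Only the ban/unban lines matter; v-add-firewall-chain and other commands are ignored.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (v-add-firewall-ban|v-delete-firewall-ban) '([^']+)' '([^']+)'"
)


def ban_windows(log: str) -> list:
    """Return [(ip, chain, start, seconds_banned)] with seconds_banned None for
    bans that were never lifted within the log."""
    open_bans, windows = {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        action, ip, chain = m.group(2), m.group(3), m.group(4)
        if action == "v-add-firewall-ban":
            open_bans[(ip, chain)] = ts
        else:
            start = open_bans.pop((ip, chain), None)
            if start is not None:
                windows.append((ip, chain, start, (ts - start).total_seconds()))
    for (ip, chain), start in open_bans.items():
        windows.append((ip, chain, start, None))
    return windows


def short_lived_bans(windows: list, max_seconds: int = 900) -> list:
    """Sources whose ban was lifted within max_seconds: the automatic ban only
    paused them, so they are the candidates for a permanent block."""
    return sorted({ip for ip, _, _, secs in windows if secs is not None and secs <= max_seconds})


def block_rules(ips: list) -> list:
    """Plain iptables rules for a permanent drop (assumed format, not Vesta's v-add-firewall-rule)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    windows = ban_windows(BAN_LOG)
    for ip, chain, start, secs in windows:
        print(f"{start} {chain:4} {ip:16} banned for {secs}s")
    print("\n".join(block_rules(short_lived_bans(windows))))
```

Every one of the seven bans here lasted about 600 seconds before Vesta lifted it again, so the automatic ban only interrupted the brute-forcing; whether you drop the individual sources or, as suggested above, whole ranges, do it with a rule that does not expire.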