We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
I have version 0.9.8 Release:17 running on Ubuntu 16.04.02 LTS. I am trying to update Vesta with v-update-sys-vesta-all.
But it's saying the update failed. My Linux version shows 244 packages can be updated; 115 updates are security updates. I haven't done anything for months now.
Do I need to update my Ubuntu version first?
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
Only my dev VPS was infected, and after cleaning it up and updating Vesta, today I got this entry in nginx-error.log:
Is this related?
Code:
2018/04/09 03:55:52 [error] 1124#0: *8 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "64.137.***.***:8083"
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
efinstorm wrote: ↑Tue Apr 10, 2018 6:17 pm
Found this in my nginx-error.log
Code:
2018/04/09 03:52:05 [error] 8641#0: *32 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "myip:8083"

Wow, this is exactly the same I got. Same IP, and only 3 minutes apart.
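The two log lines in this thread are the same probe from the same client, three minutes apart. As an added example (not code from the thread, its posters, or VestaCP), here is a small Python scanner that parses nginx error-log lines in exactly that layout, pulls out the requested path and client, and groups hits per IP with the time span between first and last sighting. The log excerpt embedded in it is constructed: it repeats the two lines quoted above (with the documentation address 198.51.100.10 standing in for the masked host) and adds one benign 404 to show it is not flagged. The list of probe paths is an assumption; extend it from your own logs.

```python
"""Flag nginx error-log probes of VestaCP's /_asterisk/ path and group them per client."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real capture): the two lines quoted in the thread,
# with 198.51.100.10 standing in for the masked host, plus one benign 404.
SAMPLE_LOG = """\
2018/04/09 03:52:05 [error] 8641#0: *32 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "myip:8083"
2018/04/09 03:55:52 [error] 1124#0: *8 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "198.51.100.10:8083"
2018/04/09 04:10:00 [error] 1124#0: *9 "/usr/local/vesta/web/favicon.ico" is not found (2: No such file or directory), client: 203.0.113.7, server: _, request: "GET /favicon.ico HTTP/1.1", host: "198.51.100.10:8083"
"""

# nginx error-log layout as shown in the thread:
# <date time> [level] <pid>#<tid>: *<conn> <message>, client: <ip>, server: <name>, request: "<req>", host: "<host>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: \*\d+ (?P<msg>.*?), client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]*), request: "(?P<request>[^"]*)", '
    r'host: "(?P<host>[^"]*)"$'
)

# Paths the scanner in the thread requested; assumed list, extend from your own logs.
PROBE_PATHS = ("/_asterisk/",)


def parse_line(line):
    """Return the fields of one error-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    parts = rec["request"].split()          # e.g. "GET /_asterisk/ HTTP/1.1"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else rec["request"]
    return rec


def find_probes(log_text, probe_paths=PROBE_PATHS):
    """Parsed records whose request path starts with one of the probe paths."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(probe_paths):
            hits.append(rec)
    return hits


def summarize(records):
    """Per client IP: hit count, first/last timestamp and seconds between them."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["client"]].append(rec["ts"])
    summary = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        summary[ip] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "span_seconds": int((stamps[-1] - stamps[0]).total_seconds()),
        }
    return summary


if __name__ == "__main__":
    # Real use (log path assumed, check your install):
    # summarize(find_probes(open("/var/log/nginx/error.log").read()))
    for ip, s in summarize(find_probes(SAMPLE_LOG)).items():
        print(f"{ip}: {s['count']} probe(s) between {s['first']} and {s['last']} "
              f"({s['span_seconds']}s apart)")
```

The scanner keys on the request path rather than on the "is not found" message, so it keeps working if the probed file is later created or the line comes from a different handler; the per-IP span makes a single client sweeping several hosts within minutes stand out, which is what the two posters saw.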
Re: Got 10 VestaCP servers exploited
I have updated my Vesta to 0.9.8-20 and changed the port to 2083, but I still can't enter my Vesta web interface and my webmail doesn't work.
What should I do?
Re: Got 10 VestaCP servers exploited
I have done everything, but nothing has changed; the Vesta web interface doesn't work.
Re: Got 10 VestaCP servers exploited
Yeah, just checked again!
Any ideas?
Re: Got 10 VestaCP servers exploited
So the droplet was disconnected by Digital Ocean at 3:53pm today (10/04/2018); it was pushing 1 Gbps outbound at the time, but it looks like outbound traffic had been spiking for a number of hours prior to that.
Backups on the VM run at 5 and 6am so I'm pretty sure it wasn't outbound backup traffic.
My port was also set to an alternative to 8083.
[Sorry for screenshots - I'm limited to HTML console]
Vesta is running on 0.9.8-20:
I don't have the same script running under the crontab as was seen on the 10th.
Just noticed, I do have some weird commands being run as 'root' when I do
Code:
ps -fU admin
with things like 'ifconfig eth0', 'su', 'pwd', 'cat resolv.conf', etc., along with the standard Vesta admin processes (NGINX, etc.). I'm not sure what that is, but I don't see it on any other VM running Vesta and I don't recall seeing it on the 10th with the original issue on 0.9.8-19.
I am about to boot the VM into recovery mode so I can mount the drive and get some files, so I'll only have access to log files then.
It's definitely something suspicious, but I don't think it is related to the same issues as on the 10th; happy to look at anything else that's needed.
Last edited by n0x on Tue Apr 10, 2018 7:29 pm, edited 2 times in total.
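For the `ps -fU admin` observation above, here is an added example that is not from the thread, its posters, or VestaCP: a Python triage script that parses `ps -f` output and flags the reconnaissance commands the thread names (ifconfig, su, pwd, cat resolv.conf), reporting the effective UID of each hit and its parent command chain, and looking through `sh -c '...'` wrappers. The `ps` listing embedded in it is constructed for the example (the PIDs, the `sh` parent and the nginx worker are invented), and the watch-lists are assumptions to extend for your own environment.

```python
"""Triage `ps -f` output for shell reconnaissance commands like those seen in the thread."""
import re
import shlex

# Constructed sample of `ps -fU admin` output (not a real capture): PIDs, the
# `sh` parent and the nginx worker are invented for illustration.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
admin     1200     1  0 03:50 ?        00:00:00 sh
admin     4321  1200  0 03:55 ?        00:00:00 sh -c ifconfig eth0
admin     4322  4321  0 03:55 ?        00:00:00 ifconfig eth0
root      4340  1200  0 03:55 ?        00:00:00 su
admin     4350  1200  0 03:55 ?        00:00:00 cat /etc/resolv.conf
admin     2100     1  0 03:40 ?        00:00:00 nginx: worker process
"""

# Assumed watch-lists built from the commands named in the thread; extend as needed.
RECON_CMDS = {"ifconfig", "su", "pwd", "id", "whoami", "uname"}
RECON_FILES = ("resolv.conf", "/etc/passwd", "/etc/shadow")

# `ps -f` columns: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
PS_RE = re.compile(
    r'^(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$'
)


def parse_ps(text):
    """Map pid -> {uid, ppid, cmd} from `ps -f` style output (header line skipped)."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("UID"):
            continue
        m = PS_RE.match(line.strip())
        if m:
            d = m.groupdict()
            procs[int(d["pid"])] = {"uid": d["uid"], "ppid": int(d["ppid"]), "cmd": d["cmd"]}
    return procs


def is_recon(cmd):
    """True if the command line is a recon command, also looking through `sh -c '...'`."""
    try:
        argv = shlex.split(cmd)
    except ValueError:           # unbalanced quotes: fall back to a plain split
        argv = cmd.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in ("sh", "bash", "dash") and len(argv) >= 3 and argv[1] == "-c":
        return is_recon(argv[2])
    if prog == "cat":
        return any(f in arg for arg in argv[1:] for f in RECON_FILES)
    return prog in RECON_CMDS


def ancestry(procs, pid):
    """PIDs from pid upward until the parent is not in the listing."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def flag_recon(ps_text):
    """Return the recon processes, each with its effective UID and parent command chain."""
    procs = parse_ps(ps_text)
    hits = []
    for pid in sorted(procs):
        p = procs[pid]
        if is_recon(p["cmd"]):
            parents = [procs[a]["cmd"] for a in ancestry(procs, pid)[1:]]
            hits.append({"pid": pid, "uid": p["uid"], "cmd": p["cmd"], "parents": parents})
    return hits


if __name__ == "__main__":
    # Real use: feed it the text of `ps -fU admin` (or `ps -ef` for the whole box).
    for h in flag_recon(SAMPLE_PS):
        print(f"pid {h['pid']} as {h['uid']}: {h['cmd']!r}  <- {' <- '.join(h['parents']) or '(top)'}")
```

Note that `ps -fU admin` selects by real UID but the UID column shows the effective user, which is why a setuid `su` spawned by the panel account shows up as root; the script therefore does not filter on the UID column and instead reports it alongside each hit, so the parent chain tells you what launched the command.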
Re: Got 10 VestaCP servers exploited
n0x wrote:
Just noticed, I do have some weird commands being run as 'root' when I do
Code:
ps -fU admin
with things like 'ifconfig eth0', 'su', 'pwd', 'cat resolv.conf', etc., along with the standard Vesta admin processes (NGINX, etc.). I'm not sure what that is, but I don't see it on any other VM running Vesta and I don't recall seeing it on the 10th with the original issue on 0.9.8-19.

That's exactly how the virus operates. This happened to me pre-update; this is how I found out about the infection. So yes, it's the same!
Re: Got 10 VestaCP servers exploited
kobo1d wrote: ↑Tue Apr 10, 2018 7:22 pm
That's exactly how the virus operates. This happened to me pre-update; this is how I found out about the infection.
n0x wrote:
Just noticed, I do have some weird commands being run as 'root' when I do
Code:
ps -fU admin
with things like 'ifconfig eth0', 'su', 'pwd', 'cat resolv.conf', etc., along with the standard Vesta admin processes (NGINX, etc.). I'm not sure what that is, but I don't see it on any other VM running Vesta and I don't recall seeing it on the 10th with the original issue on 0.9.8-19.
So yes, it's the same!

Okay, I didn't see that on the VMs on Saturday, but with this one, having been watching it before rebooting, it was running through a number of the same commands in a loop.
Crontab:
Vesta Sessions:
I have noticed that on my VM that was spun up this morning and had Vesta installed about 9am BST I have all 0.9.8-20 packages from today (10th):
Code:
root@nyc1:~# v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 amd64 yes 2018-04-10
vesta-php 0.9.8 20 amd64 yes 2018-04-10
vesta-nginx 0.9.8 20 amd64 yes 2018-04-10
root@nyc1:~#
Re: Got 10 VestaCP servers exploited
To AshleyIn1080p: thanks, dear, I have checked again via your link and the Vesta web interface is working now. Thanks very much again.
Another small question: what should I do with the mail server? It seems to me it still doesn't work.