We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Edit this file: /usr/local/vesta/web/api/index.php
Add this at line 3:
file_put_contents('/tmp/postlog.txt', print_r($_POST, true));
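One caveat on the one-liner above: file_put_contents() without FILE_APPEND truncates the file on every request, so only the most recent POST survives, and /tmp is readable by every local user. The following is an added forensic-capture example written for this thread, not code from the original post or from VestaCP. It assumes the same include point (the top of /usr/local/vesta/web/api/index.php), a log path of my choosing, and PHP 5.6 or later.

```php
<?php
// Added forensic-capture example, not VestaCP code. Meant to sit at the top
// of /usr/local/vesta/web/api/index.php, where the thread suggests logging.
// The log path is an assumption: use a directory the web-server user can
// write to but ordinary users cannot read, not world-readable /tmp.
define('API_POST_LOG', '/var/log/vesta/api-post.log');

// Build one JSON line describing the request: time, source, and the raw
// POST body (kept unredacted on purpose, it is the evidence being collected).
function format_api_request_record(array $post, array $server, $now)
{
    $field = function ($key) use ($server) {
        return isset($server[$key]) ? $server[$key] : '-';
    };
    $record = array(
        'ts'     => gmdate('c', $now),
        'ip'     => $field('REMOTE_ADDR'),
        'method' => $field('REQUEST_METHOD'),
        'uri'    => $field('REQUEST_URI'),
        'ua'     => $field('HTTP_USER_AGENT'),
        'post'   => $post,
    );
    $json = json_encode($record, JSON_UNESCAPED_SLASHES);
    if ($json === false) {
        // Binary or invalid UTF-8 in the body: fall back to a base64 dump
        // rather than losing the request entirely.
        $json = json_encode(array(
            'ts'  => gmdate('c', $now),
            'raw' => base64_encode(print_r($record, true)),
        ));
    }
    return $json . "\n";
}

// Append (never overwrite) under an exclusive lock, and keep the file private.
function log_api_request($path, array $post, array $server)
{
    $line = format_api_request_record($post, $server, time());
    $written = file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
    if ($written === false) {
        return false;
    }
    @chmod($path, 0600); // the first write creates the file; lock it down
    return true;
}

// Capture every API request before any of it is processed.
log_api_request(API_POST_LOG, $_POST, $_SERVER);
```

The two details that matter are FILE_APPEND, so that a burst of attacker requests is kept in full, and the 0600 mode on a directory outside /tmp. The directory must already exist and be writable by the php-fpm user (www-data on Ubuntu); one JSON object per line keeps the result easy to grep once the next hit arrives.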
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
@SS88, Thanks for your suggestion.
Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.
Is there any safer channel we can discuss?
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
Remove the virus he injected and he'll try again. At least we know the vuln is in the API now.
Re: Got 10 VestaCP servers exploited
By looking at the file he's restricted to /usr/local/vesta/bin/
Can you send a list of the files you have in that directory, to see if the exploit is in the current code or perhaps he added his own file with unrestricted access?
Have you added any third party scripts such as App Installers? Usually these also add their own file to /usr/local/vesta/bin/
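Following up on the request to list the files in /usr/local/vesta/bin, here is an added integrity-check script (my example for this thread, not VestaCP code and not something the poster provided). It goes beyond a plain listing: it records a SHA-256 hash and the permission bits of every file and reports additions, removals and changes against a saved manifest, so an extra script dropped into the directory or a modified existing one shows up by name. The manifest path and the command-line interface are my own choices.

```php
<?php
// Added example, not VestaCP code: compare /usr/local/vesta/bin against a
// saved manifest to spot files that were added, removed or modified.
// Usage:  php vesta-bin-check.php save  /root/vesta-bin.manifest.json
//         php vesta-bin-check.php check /root/vesta-bin.manifest.json
define('VESTA_BIN', '/usr/local/vesta/bin');

// Map of "name" => [sha256, mode, mtime] for every regular file in $dir.
function manifest_for_dir($dir)
{
    $out = array();
    $names = scandir($dir);
    if ($names === false) {
        return $out;
    }
    foreach ($names as $name) {
        $path = $dir . '/' . $name;
        if ($name === '.' || $name === '..' || !is_file($path)) {
            continue;
        }
        $st = stat($path);
        $out[$name] = array(
            'sha256' => hash_file('sha256', $path),
            'mode'   => sprintf('%04o', $st['mode'] & 07777),
            'mtime'  => $st['mtime'],
        );
    }
    ksort($out);
    return $out;
}

// Compare two manifests on content and permissions (mtime is recorded for
// the report but not trusted, since it is trivially reset).
function diff_manifests(array $baseline, array $current)
{
    $diff = array('added' => array(), 'removed' => array(), 'changed' => array());
    foreach ($current as $name => $info) {
        if (!isset($baseline[$name])) {
            $diff['added'][] = $name;
        } elseif ($baseline[$name]['sha256'] !== $info['sha256']
               || $baseline[$name]['mode'] !== $info['mode']) {
            $diff['changed'][] = $name;
        }
    }
    foreach ($baseline as $name => $info) {
        if (!isset($current[$name])) {
            $diff['removed'][] = $name;
        }
    }
    return $diff;
}

$action = isset($argv[1]) ? $argv[1] : 'check';
$file   = isset($argv[2]) ? $argv[2] : '/root/vesta-bin.manifest.json';

if ($action === 'save') {
    file_put_contents($file, json_encode(manifest_for_dir(VESTA_BIN)), LOCK_EX);
    chmod($file, 0600);
    echo "saved manifest to $file\n";
    exit(0);
}

$baseline = json_decode(file_get_contents($file), true);
if (!is_array($baseline)) {
    fwrite(STDERR, "cannot read manifest $file\n");
    exit(2);
}
$diff = diff_manifests($baseline, manifest_for_dir(VESTA_BIN));
foreach ($diff as $kind => $names) {
    foreach ($names as $name) {
        echo "$kind: $name\n";
    }
}
$clean = empty($diff['added']) && empty($diff['removed']) && empty($diff['changed']);
exit($clean ? 0 : 1);
```

The baseline only means something if it comes from a host you trust: take it on a fresh install of the same Vesta version (or from the upstream source tree) rather than on a box that has already been hit, and keep the manifest somewhere the web-server user cannot write. The non-zero exit code makes it easy to run from cron and alert on any difference.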
Re: Got 10 VestaCP servers exploited
I'm setting up a Honeypot server on a VPS right now and we'll see how it goes. I'm not very hopeful as my other installation of Vesta is running behind the same network and wasn't attacked.
Re: Got 10 VestaCP servers exploited
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
Just checked the Vesta API. Haven't tested yet but there might be a way to inject a shell command in the "password" parameter of the POST request since it is not escaped with escapeshellarg(). Will try to test it out on my other server to see if this may be an issue.
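The snippet quoted above already keeps the password itself off the command line (it goes into a temp file created by tempnam()), but the command string is still assembled by concatenation and only the IP is wrapped in escapeshellarg(). Below is an added hardening example, my own code rather than VestaCP's or the poster's: it refuses any username outside an explicit allow-list before the shell is involved, escapes every argument, and returns a failure code instead of running a half-built command. The username pattern and the VESTA_CMD value are assumptions; the script name v-check-user-password is the one shown on the page.

```php
<?php
// Added hardening example, not VestaCP code. Reworks the password-check call
// quoted above so that no request-controlled byte reaches the shell unchecked.
// VESTA_CMD is assumed to be the sudo prefix Vesta uses; adjust if it differs.
if (!defined('VESTA_CMD')) {
    define('VESTA_CMD', '/usr/bin/sudo /usr/local/vesta/bin/');
}

// Usernames only ever need [a-z0-9_.-]; anything else is refused outright,
// so validation does not depend on escaping alone. (Assumed rule.)
function is_safe_username($user)
{
    return is_string($user) && preg_match('/^[a-z0-9][a-z0-9_.-]{0,31}$/', $user) === 1;
}

// Build the command line with every argument escaped, the user included.
// Returns null (no command at all) instead of a half-escaped string on bad input.
function build_check_password_cmd($user, $passwordFile, $ip)
{
    if (!is_safe_username($user)) {
        return null;
    }
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return VESTA_CMD . 'v-check-user-password '
        . escapeshellarg($user) . ' '
        . escapeshellarg($passwordFile) . ' '
        . escapeshellarg($ip);
}

// Write the password to a private temp file (tempnam creates it mode 0600)
// and run the check. Returns the script's exit code; non-zero means "deny".
function check_user_password($user, $password, $ip, &$output)
{
    $output = array();
    if (!is_string($password)) {
        return 1;
    }
    $file = tempnam('/tmp', 'vst');
    if ($file === false) {
        return 1;
    }
    $code = 1;
    if (file_put_contents($file, $password . "\n", LOCK_EX) !== false) {
        $cmd = build_check_password_cmd($user, $file, $ip);
        if ($cmd !== null) {
            exec($cmd, $output, $code);
        }
    }
    unlink($file);
    return $code;
}
```

In the API handler this replaces the inline block with a single call, for example `$auth_code = check_user_password($v_user, $_POST['password'], $_SERVER['REMOTE_ADDR'], $output);`. The allow-list on the username is the part that matters most: the thread later points to a gist questioning how robust escapeshellarg() is, and an explicit pattern check means the escaping is a second layer rather than the only one.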
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
VestaTeam, please remove this entry, so hopefully the hacker does not get to know about it.
crackerizer wrote: ↑Sun Apr 08, 2018 2:03 pm
@SS88, Thanks for your suggestion.
Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.
Is there any safer channel we can discuss?
Re: Got 10 VestaCP servers exploited
Quite right I think, +1, plus a reference on the use of the 'buggy' escapeshellarg: https://gist.github.com/Zenexer/40d02da ... a11af9ab36
ivcha92 wrote: ↑Sun Apr 08, 2018 2:09 pm
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
Just checked the Vesta API. Haven't tested yet but there might be a way to inject a shell command in the "password" parameter of the POST request since it is not escaped with escapeshellarg(). Will try to test it out on my other server to see if this may be an issue.
Re: Got 10 VestaCP servers exploited
All security information you can send via [email protected]