We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
https://pastebin.com/sj8uWAr4
StudioMaX wrote: ↑Sat Apr 07, 2018 8:40 pm
Moderators: please post instructions on how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after being hacked could temporarily change their web server configs and try to catch the requests from the exploit.
But I don't suggest running the vesta service at all right now.
Re: Got 10 VestaCP servers exploited
Just to add another hacked installation - got notified by DigitalOcean today of an outbound DDoS from two VMs at 14:42, with about 1 Gbps outbound on both machines.
They've cut all network access to the VMs and won't restore so I can't provide access for any investigations, in the process of restoring to new VMs from backups at the moment.
Installation was Ubuntu 16.04 with Vesta 0.9.8-19. Both VMs had apache, nginx, bind, exim/dovecot, mysql, iptables + fail2ban and vsftpd installed.
I've got some limited, very slow, console access to the VMs until they get rebooted / destroyed.
Re: Got 10 VestaCP servers exploited
Nope - I can get on via the console, but it is very slow, and for some reason the | pipe comes out as > no matter what I do, so I'm limited in the commands I can run too.
I have the same /lib/libudev.so.6 in my crontab:
Code:
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
Re: Got 10 VestaCP servers exploited
Can you please provide access via [email protected]?
If not, use the commands and spoiler tags and show us:
Code:
stat /etc/cron.hourly/gcc.sh
Code:
ls -la /usr/local/vesta/data/sessions/
Re: Got 10 VestaCP servers exploited
I've run the commands, have to screenshot as I can't copy / paste from the console (also only get half a screen, and as I can't use the | command I can't paginate the ls output, so dumped it to a text file and screen grabbed from nano).
skurudo wrote: ↑Sat Apr 07, 2018 11:19 pm
Can you please provide access via [email protected]?
If not, use the commands and spoiler tags and show us:
Code:
stat /etc/cron.hourly/gcc.sh
Code:
ls -la /usr/local/vesta/data/sessions/
Re: Got 10 VestaCP servers exploited
I'm on DigitalOcean as well and I can't give access to or copy text from their web console, but here are screenshots of each command:
skurudo wrote: ↑Sat Apr 07, 2018 11:19 pm
Can you please provide access via [email protected]?
If not, use the commands and spoiler tags and show us:
Code:
stat /etc/cron.hourly/gcc.sh
Code:
ls -la /usr/local/vesta/data/sessions/
Re: Got 10 VestaCP servers exploited
I can't find a way to move individual VMs / droplets into a team account so that I can share them with other users.
Let me know if you need any other commands run on the VM.
Re: Got 10 VestaCP servers exploited
GID of gcc.sh is always 1001 or 1002 - just noticed that from the screenshot that user provided.
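As an added triage helper (not code from this thread or from the Vesta project), the following script checks a host, or a copied filesystem tree, for the indicators the thread walks through: the /etc/cron.hourly/gcc.sh file and its uid/gid, crontab entries that invoke /lib/libudev.so.6, the dropped library copies in /lib, and recently modified files in the Vesta sessions directory. The copied-tree layout (same paths under a root prefix) and the use of GNU stat/find are assumptions.

```shell
#!/bin/sh
# Added triage helper, not code from this thread or from Vesta. It checks the host
# (or a copied filesystem tree passed as $1, an assumed layout) for the indicators
# discussed above and prints one "FOUND:" line per hit plus "INFO:" context lines.

vesta_triage() {
    root="${1:-}"   # empty means the live host; otherwise a copied tree like /mnt/disk

    # 1. The hourly dropper named in the thread; report owner and group so the
    #    1001/1002 GID observation can be compared across hosts.
    f="$root/etc/cron.hourly/gcc.sh"
    if [ -e "$f" ]; then
        echo "FOUND: $f (uid $(stat -c %u "$f") gid $(stat -c %g "$f"))"
    fi

    # 2. Any system or per-user crontab that invokes the copied library.
    for c in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$c" ] || continue
        if grep -q 'libudev\.so\.6' "$c"; then
            echo "FOUND: crontab $c references libudev.so.6"
        fi
    done

    # 3. The dropped binary and its renamed copy. The real libudev lives under
    #    /lib/<multiarch>/libudev.so.1, so either of these directly in /lib is suspect.
    for l in "$root"/lib/libudev.so "$root"/lib/libudev.so.6; do
        if [ -f "$l" ]; then
            echo "FOUND: $l present (size $(stat -c %s "$l") bytes)"
        fi
    done

    # 4. Vesta session files touched in the last day, since the thread asks to
    #    inspect the sessions directory for the attacker's login.
    s="$root/usr/local/vesta/data/sessions"
    if [ -d "$s" ]; then
        find "$s" -type f -mmin -1440 -exec echo "INFO: recent session file {}" \;
    fi
}

# Example run against the live host (needs read access to the cron spools):
# vesta_triage
```

Run it with a root prefix (for example a mounted disk image of the affected VM) to inspect a snapshot offline rather than the live, possibly still-compromised host.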