Page 2 of 55
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 5:27 pm
by StudioMaX
StudioMaX wrote (Sat Apr 07, 2018 5:03 pm):
Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00
More modified files at the same time:
Code:
/var/lib/mysql/roundcube/session.ibd
/etc/rc.d/rc3.d/S90update -> /etc/init.d/update
/etc/rc.d/rc2.d/S90update -> /etc/init.d/update
/etc/rc.d/rc1.d/S90update -> /etc/init.d/update
/etc/rc.d/init.d/update
/etc/rc.d/rc4.d/S90update -> /etc/init.d/update
/etc/rc.d/rc5.d/S90update -> /etc/init.d/update
/etc/rc.d/init.d/update:
Code:
#!/bin/sh
# chkconfig: 12345 90 90
# description: update
### BEGIN INIT INFO
# Provides: update
# Required-Start:
# Required-Stop:
# Default-Start: 1 2 3 4 5
# Default-Stop:
# Short-Description: update
### END INIT INFO
case $1 in
start)
/tmp/update
;;
stop)
;;
*)
/tmp/update
;;
esac
But I don't have this "/tmp/update" file (maybe it was removed by ClamAV some time ago).
Probably this can be related to Roundcube.
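The init script quoted above is a classic SysV persistence pattern: a service registered in every runlevel whose only job is to launch a binary out of /tmp. The following triage helper is an added example and not code from the thread or from VestaCP; it parses an rc*.d listing in the `link -> target` form shown in the post and the bodies of init scripts, and flags any script whose actions execute a path under a world-writable directory. The listing and script bodies are constructed from the post (plus a benign sshd stub for contrast); the function names are this example's own.

```python
"""
Triage of SysV init persistence: which init scripts execute binaries from
world-writable directories, and at which runlevels are they started.
Added example; inputs are constructed from the forum post above.
"""
import re
from dataclasses import dataclass, field

# A packaged service never keeps its daemon here; a dropper very often does.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed rc*.d listing (symlink -> target), mirroring the post plus one benign link.
RC_LISTING = """\
/etc/rc.d/rc3.d/S90update -> /etc/init.d/update
/etc/rc.d/rc2.d/S90update -> /etc/init.d/update
/etc/rc.d/rc1.d/S90update -> /etc/init.d/update
/etc/rc.d/rc4.d/S90update -> /etc/init.d/update
/etc/rc.d/rc5.d/S90update -> /etc/init.d/update
/etc/rc.d/rc3.d/S55sshd -> ../init.d/sshd
"""

# Constructed script bodies: the quoted malicious one and a benign stub.
INIT_SCRIPTS = {
    "/etc/init.d/update": """#!/bin/sh
# chkconfig: 12345 90 90
case $1 in
start)
/tmp/update
;;
stop)
;;
*)
/tmp/update
;;
esac
""",
    "/etc/init.d/sshd": """#!/bin/sh
case "$1" in
start)
/usr/sbin/sshd
;;
esac
""",
}


@dataclass
class Finding:
    script: str
    suspicious_paths: list
    runlevels: list = field(default_factory=list)


def parse_rc_listing(listing: str) -> dict:
    """Map each init-script target to the sorted runlevels that start it."""
    links = {}
    for line in listing.splitlines():
        m = re.match(r"^(/etc/rc\.d/rc(\d)\.d/S\d+\S*) -> (\S+)$", line.strip())
        if not m:
            continue
        _link, level, target = m.groups()
        # Normalize the two spellings of the init.d directory and relative links.
        target = re.sub(r"^\.\./init\.d/", "/etc/init.d/", target)
        target = target.replace("/etc/rc.d/init.d/", "/etc/init.d/")
        links.setdefault(target, set()).add(int(level))
    return {k: sorted(v) for k, v in links.items()}


def suspicious_exec_paths(script_body: str) -> list:
    """Absolute paths referenced by the script (comments ignored) that live in a world-writable dir."""
    found = []
    for raw in script_body.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and the shebang
        for token in re.findall(r"(?<![\w/])(/\S+)", line):
            if token.startswith(WORLD_WRITABLE_DIRS) and token not in found:
                found.append(token)
    return found


def triage(rc_listing: str, scripts: dict) -> list:
    """Return one Finding per init script that executes from a world-writable directory."""
    runlevels = parse_rc_listing(rc_listing)
    findings = []
    for path, body in scripts.items():
        bad = suspicious_exec_paths(body)
        if bad:
            findings.append(Finding(path, bad, runlevels.get(path, [])))
    return findings


if __name__ == "__main__":
    for f in triage(RC_LISTING, INIT_SCRIPTS):
        print(f"{f.script}: executes {f.suspicious_paths} at runlevels {f.runlevels}")
```

On a live host the same two functions can be fed `ls -l /etc/rc.d/rc*.d/` output and the contents of each file in /etc/init.d; a hit at all five runlevels with a /tmp target is exactly the shape of the script quoted above.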
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 5:36 pm
by lukapaunovic
Guys I found those
rwxr-xr-x 1 root root 323 Apr 7 12:49 /etc/init.d/lmhgzcgcgk
[root@ca-server mysql]# ls -lah /usr/bin/lmhgzcgcgk
-rwxr-xr-x 1 root root 611K Apr 7 12:01 /usr/bin/lmhgzcgcgk
[root@ca-server mysql]#
probably viruses :(
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 5:56 pm
by lukapaunovic
I took backup from my servers and reinstalled them all.
I won't set them up again until this is fixed.
did anyone discover anything
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:18 pm
by imperio
albertus, lukapaunovic, StudioMaX, dmitry-itldc, send us more technical information:
- OS
- VestaCP version
- Web stack
- Was bash access for admin enabled?
- access logs
- ps
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:23 pm
by lukapaunovic
OS is latest CentOS
latest VestaCP updated from GitHub
servers recently installed
bash wasn't enabled for admin user
all passwords were complex
I can't provide anything more; I reinstalled until this is figured out to avoid permanent termination of my VPS services
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:24 pm
by lukapaunovic
This happened to a server installed a few days ago which was only handling one domain's MAIL
and nothing else, no site or anything.
Everything was updated to latest.
So there's a security breach clearly.
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:24 pm
by dpeca
@imperio
Maybe we should enable access log for vesta-nginx, is there any reason why it's disabled?
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:27 pm
by skivte
Happened to me too this morning. Identical files (like gcc.sh) that everyone else reported here. On Ubuntu 16.04, so it's not just CentOS Vesta.
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:32 pm
by lukapaunovic
I'm on mobile and I'm HURTING.
If I were on PC I would have figured this out a long time ago.
Guys do something..
This is my first day of vacation and problems.
And I am unable to investigate anything.
I'm literally doing speech to text right now.
I
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 6:33 pm
by imperio
Show me the result of these commands
Code:
ls -tl /usr/bin | less
cat /etc/cron.hourly/gcc.sh
cat /etc/crontab
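The `ls -tl /usr/bin` request above is asking for a modification-time timeline, the same technique StudioMaX used to find the rc*.d links "modified at the same time" as gcc.sh. The script below is an added example, not from the thread or from VestaCP: starting from one known indicator file, it walks the chosen roots and lists every regular file whose mtime falls within a window around that indicator, oldest first. The directory tree (an old packaged binary, the /usr/bin/lmhgzcgcgk name from the thread, a gcc.sh indicator and an init script written shortly after) is constructed in a temporary directory with forged mtimes so the example runs offline; the function names are this example's own.

```python
"""
Modification-time window triage around a known indicator file.
Added example; the filesystem tree is constructed, not captured from a host.
"""
import os
import tempfile
import time


def files_modified_near(roots, reference_path, window_seconds=900):
    """[(mtime, path)] for regular files under roots (symlinks are not followed)
    whose mtime is within window_seconds of the reference file, oldest first.
    The reference file itself is excluded by inode, not by string compare."""
    ref_st = os.lstat(reference_path)
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                st = os.lstat(p)
                if (st.st_ino, st.st_dev) == (ref_st.st_ino, ref_st.st_dev):
                    continue
                if abs(st.st_mtime - ref_st.st_mtime) <= window_seconds:
                    hits.append((st.st_mtime, p))
    return sorted(hits)


def build_sample_tree(base):
    """Construct a fake root: one long-untouched binary plus files touched in the
    same 15-minute window as the cron indicator. Returns the indicator's path."""
    now = time.time()
    layout = {
        "usr/bin/ls": now - 90 * 86400,      # packaged binary, untouched for months
        "usr/bin/lmhgzcgcgk": now - 600,     # dropped 10 min before the indicator
        "etc/cron.hourly/gcc.sh": now,       # the indicator we pivot from
        "etc/init.d/update": now + 120,      # persistence written 2 min later
    }
    for rel, mtime in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.utime(path, (mtime, mtime))
    return os.path.join(base, "etc/cron.hourly/gcc.sh")


def triage_tree(base, window_seconds=900):
    """Build the sample tree under base and return relative paths modified near the indicator."""
    indicator = build_sample_tree(base)
    roots = [os.path.join(base, "usr/bin"), os.path.join(base, "etc")]
    return [os.path.relpath(p, base)
            for _, p in files_modified_near(roots, indicator, window_seconds)]


def run_demo(window_seconds=900):
    """Run the whole triage in a throwaway directory and return the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(tmp, window_seconds)


if __name__ == "__main__":
    for rel in run_demo():
        print(rel)
```

Against a real host you would pass `["/usr/bin", "/etc", "/var/spool/cron"]` as roots and the actual gcc.sh path as the indicator; remember that mtime is attacker-controllable (`touch -r`), so a clean timeline is evidence of nothing, while a cluster like the one above is a strong lead.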