
Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:06 pm
by nextgi
We are currently investigating this exploit.

Our preliminary thoughts are a relation to webmail, specifically roundcube. We will post more.

Disclaimer, our preliminary thoughts are based on log entries and file timestamps. This information is currently speculation.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:08 pm
by vesta92
I have followed the Linode guideline, downloaded and installed clamav and scanned with it,
and they have removed all restrictions from my network.
Now everything is running smoothly.
Should I do anything else?

----------- SCAN SUMMARY -----------
Known viruses: 6463560
Engine version: 0.100.0-beta
Scanned directories: 9674
Scanned files: 221910
Infected files: 2
Data scanned: 2996.56 MB
Data read: 3152.92 MB (ratio 0.95:1)
Time: 1739.739 sec (28 m 59 s)

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:18 pm
by nextgi
Alright,

Another update. This issue seems to be with roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.

For those of you who have compromised systems, we would love an opportunity to take a look at the logs and check for similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:23 pm
by sandy
Bullshit, they are not accepting that they have vulnerabilities.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:24 pm
by sandy
Post publicly when you have resolved the security issue,
in order for us to resolve it on our server.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:25 pm
by StudioMaX
nextgi wrote:
Sun Apr 08, 2018 6:18 pm
Alright,

Another update. This issue seems to be with roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.

For those of you who have compromised systems, we would love an opportunity to take a look at the logs and check for similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.
The developers said that they have already found the vulnerability and are already preparing an update. Apparently it is not related to Roundcube. At first we also thought that it was a Roundcube issue, since the virus was launched from Roundcube's working directory.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:28 pm
by sandy
You mean they found the roadmap of the hack; we will see then.
I disabled and deleted roundcube and phpmyadmin (I usually do after installation) from my servers, as I like to work with the CLI and use an email client app for sending email. Still, the server is hacked; those are bullshit reasons they are giving.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:30 pm
by imperio
The developers said that they already found the vulnerability
We can't confirm that problem with the Vesta API, but we will update the password checking.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:31 pm
by nextgi
sandy wrote:
Sun Apr 08, 2018 6:23 pm
Bullshit, they are not accepting that they have vulnerabilities.
Sandy,

I am sorry you feel that way. We are in no way associated with VestaCP. We use VestaCP as many others do. However, we are also interested in resolving this, as VestaCP, in our eyes, is a wonderful control panel. Everything has vulnerabilities; it's simply due to the fact that we are humans. I am not in any way denying that VestaCP may have a vulnerability; I am simply providing what the evidence is showing. If you are not happy with that, then I am sorry you feel that way.

We are currently investigating libudev.so, as it is the primary source for the DDoS attacks. Our working theory is that it is a modified version that was injected through roundcube. BUT.... We are not sure yet, as it is a WORKING THEORY!
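
A triage helper for the two indicators named in this post and in StudioMaX's reply above (a libudev.so binary serving as the DDoS component, launched from Roundcube's working directory). This is an added example, not code from this thread or from the VestaCP project. The Roundcube, web-root and /tmp paths in the usage comment are assumptions; adjust them to your own layout.

```shell
#!/bin/sh
# Added triage helper, not code from this thread or from the VestaCP project.
# The only indicators it uses are the ones the thread names: a libudev.so
# binary used for the DDoS, launched from Roundcube's working directory.
# The directories you pass in are assumptions for your own layout.

# Print every regular file named libudev.so below the given directories.
# A legitimate libudev lives under the system library path (/lib, /usr/lib),
# so a copy under a web root or /tmp is worth comparing against log
# timestamps. Returns 1 if no directory was given.
find_suspect_libudev() {
    [ "$#" -gt 0 ] || return 1
    find "$@" -type f -name 'libudev.so' -print 2>/dev/null
}

# Print "pid exe cwd=dir" for running processes whose executable or working
# directory is below one of the given directories, plus any process whose
# binary was unlinked after it started (readlink then shows " (deleted)").
# Reads /proc, so Linux only; run as root to see every process.
procs_under() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null)
        hit=0
        case "$exe" in *' (deleted)') hit=1 ;; esac
        for root in "$@"; do
            case "$exe" in "$root"/*) hit=1 ;; esac
            case "$cwd" in "$root"/*) hit=1 ;; esac
        done
        [ "$hit" -eq 1 ] && echo "${p#/proc/} $exe cwd=$cwd"
    done
    return 0
}

# Usage (paths are assumptions; point them at your Roundcube install,
# web roots and any world-writable directory such as /tmp):
#   find_suspect_libudev /usr/share/roundcubemail /var/www /tmp
#   procs_under /usr/share/roundcubemail /var/www /tmp
```

Compare the mtime of any hit (`ls -l --time-style=full-iso` on GNU systems) against the webmail and panel logs from the same window; that is the same timestamp correlation the investigation above relies on, and a process whose `exe` reads `(deleted)` should be captured from `/proc/<pid>/exe` before it is killed.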

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:35 pm
by nextgi
StudioMaX wrote:
Sun Apr 08, 2018 6:25 pm
The developers said that they have already found the vulnerability and are already preparing an update. Apparently it is not related to Roundcube. At first we also thought that it was a Roundcube issue, since the virus was launched from Roundcube's working directory.

Understood,

However, according to log entries, our network IDS and IPS logs, and a few other tidbits, this is the current working theory on our end. We certainly need more servers that have been affected to test with and investigate. Volunteers?