Page 23 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:35 pm
by sandy
You said wonderful words, but then how did I get hacked? I don't have Roundcube. If they are not sure, please don't provide the answers yet, as we're frustrated and don't tolerate 101 different answers. Things can be controlled when you've a proper source.

I have been hacked many times in the past, as those could be easily mitigated; this time you know how serious it is.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:36 pm
by StudioMaX
crackerizer wrote:
Sun Apr 08, 2018 2:38 pm
I'm glad to hear. Can't wait to see the commit.
What's with your honeypot? Did you configure the logging of POST requests?

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:37 pm
by Falzo
nextgi wrote:
Sun Apr 08, 2018 6:18 pm
Alright,

Another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.

For those of you that have compromised systems: we would love an opportunity to take a look at the logs and check similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.
And who are you? Freshly registered with only the three postings above, asking for access to user systems?

@people: don't give random strangers access to your systems, even broken ones!!

No offense meant, but have you even read the thread? Just because you could not see the API of Vesta being accessed (because all Vesta access logging goes to /dev/null per default) does not mean there was none.
On a honeypot with activated access logging, API calls have been logged, so that is most likely the real entry point.

As written earlier, I also have seen some suspicious files/timestamps related to a single visible access of the /webmail/ URL. Yet without the chance to check matching log entries for the API, there is nothing to analyze anyway.
I am quite certain that Roundcube is not the cause; more likely the attack tried to interfere with it (through the API), maybe to get access or phish credentials or whatever - but that would only have happened _after_ the initial infection of the system.

BTW: was anyone able to fetch the POST data that's being submitted to the API with activated logging? I set up a honeypot myself, but who knows how fast it'll get tried again, if ever...

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:37 pm
by nextgi
https://www.virustotal.com/#/file/48343 ... /detection

This is for libudev.so, the infected version.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:38 pm
by Prime
nextgi wrote:
Sun Apr 08, 2018 6:35 pm
Understood,

However, according to log entries, our network IDS and IPS logs, and a few other tidbits, this is the current working theory on our end. We certainly need more servers that have been affected to test with and investigate. Volunteers??????
Your theory really doesn't make much sense at this point: if Roundcube is at fault here, why are only installations with Vesta actively running on the system affected by this? All of us that have disabled Vesta services are yet to be affected, and none of the other control panels like Plesk, cPanel, DirectAdmin are affected by this. Worth mentioning as well is that some hacks place files on the machine to actively mislead people, and it seems like you did fall for the bait.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:39 pm
by StudioMaX
nextgi wrote:
Sun Apr 08, 2018 6:35 pm
However, according to log entries, our network IDS and IPS logs, and a few other tidbits, this is the current working theory on our end. We certainly need more servers that have been affected to test with and investigate. Volunteers??????
Unfortunately, we cannot provide our servers simply because they have either been blocked by the hosting support, or we have already reinstalled the operating system, or turned off the vesta service to prevent infection of the server.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:42 pm
by sandy
Falzo wrote:
Sun Apr 08, 2018 6:37 pm
nextgi wrote:
Sun Apr 08, 2018 6:18 pm
Alright,

Another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.

For those of you that have compromised systems: we would love an opportunity to take a look at the logs and check similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.
And who are you? Freshly registered with only the three postings above, asking for access to user systems?

@people: don't give random strangers access to your systems, even broken ones!!

No offense meant, but have you even read the thread? Just because you could not see the API of Vesta being accessed (because all Vesta access logging goes to /dev/null per default) does not mean there was none.
On a honeypot with activated access logging, API calls have been logged, so that is most likely the real entry point.

As written earlier, I also have seen some suspicious files/timestamps related to a single visible access of the /webmail/ URL. Yet without the chance to check matching log entries for the API, there is nothing to analyze anyway.
I am quite certain that Roundcube is not the cause; more likely the attack tried to interfere with it (through the API), maybe to get access or phish credentials or whatever - but that would only have happened _after_ the initial infection of the system.

BTW: was anyone able to fetch the POST data that's being submitted to the API with activated logging? I set up a honeypot myself, but who knows how fast it'll get tried again, if ever...
agree with you

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:43 pm
by sandy
StudioMaX wrote:
Sun Apr 08, 2018 6:39 pm
nextgi wrote:
Sun Apr 08, 2018 6:35 pm
However, according to log entries, our network IDS and IPS logs, and a few other tidbits, this is the current working theory on our end. We certainly need more servers that have been affected to test with and investigate. Volunteers??????
Unfortunately, we cannot provide our servers simply because they have either been blocked by the hosting support, or we have already reinstalled the operating system, or turned off the vesta service to prevent infection of the server.
exactly, agree

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:44 pm
by nextgi
Falzo wrote:
Sun Apr 08, 2018 6:37 pm
nextgi wrote:
Sun Apr 08, 2018 6:18 pm
Alright,

Another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.

For those of you that have compromised systems: we would love an opportunity to take a look at the logs and check similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.
And who are you? Freshly registered with only the three postings above, asking for access to user systems?

@people: don't give random strangers access to your systems, even broken ones!!

No offense meant, but have you even read the thread? Just because you could not see the API of Vesta being accessed (because all Vesta access logging goes to /dev/null per default) does not mean there was none.
On a honeypot with activated access logging, API calls have been logged, so that is most likely the real entry point.

As written earlier, I also have seen some suspicious files/timestamps related to a single visible access of the /webmail/ URL. Yet without the chance to check matching log entries for the API, there is nothing to analyze anyway.
I am quite certain that Roundcube is not the cause; more likely the attack tried to interfere with it (through the API), maybe to get access or phish credentials or whatever - but that would only have happened _after_ the initial infection of the system.

BTW: was anyone able to fetch the POST data that's being submitted to the API with activated logging? I set up a honeypot myself, but who knows how fast it'll get tried again, if ever...
And your statement is very accurate. My wording was poor. More or less, we need logs. As many as possible, that is. You are also correct in relation to Roundcube. We are just now investigating this. We do not run off of forum threads as our base of action. When investigating a threat, I like to reveal as much information as possible as it is flowing. We have positively identified the file that acts as the culprit in the DDoS attacks. We are now working to identify the method of injection. We will consider the API front. As users are reporting that even Roundcube was removed or disabled, this would negate our working theory.

As I have stated many times already, this is a working theory. I would like to work with a few others that are currently checking this out.

WE DO NOT NEED ACCESS TO YOUR SYSTEMS!!!!!! We just want logs and as much information as possible.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 6:46 pm
by vesta_mtl
Thank you StudioMaX for sharing this helpful info.
StudioMaX wrote:
Sun Apr 08, 2018 12:06 pm
Also I have good news: I binary-compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these:

Code:

/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update
But in any case, if your server was infected, you will need to reinstall it.
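The backup comparison StudioMaX describes in the quote above (fingerprinting every file in a pre-infection and a post-infection backup and listing what was created or changed) is the check a defender wants to be able to reproduce. The script below is an added example written for this thread; it is not code from the thread or from the VestaCP project. It walks two unpacked backup trees, reports created, deleted and modified paths, treats symlinks as entries so dropped runlevel links are not skipped, and flags which of the paths listed in the quote exist in the later backup. The two sample trees, their file contents and the `build_sample_trees` helper are constructed for the example (the "malware" files are inert placeholders); only the indicator path list comes from the quoted post.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File paths that the quoted post reports as created by the malware (relative to /).
INDICATOR_PATHS = [
    "etc/cron.hourly/gcc.sh",
    "etc/rc.d/init.d/update",
    "etc/rc.d/rc1.d/S90update",
    "etc/rc.d/rc2.d/S90update",
    "etc/rc.d/rc3.d/S90update",
    "etc/rc.d/rc4.d/S90update",
    "etc/rc.d/rc5.d/S90update",
    "usr/lib/libudev.so",
    "tmp/update",
]


def file_digest(path: Path) -> str:
    """SHA-256 of a regular file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each path under root (relative, POSIX style) to a fingerprint.

    Regular files get their SHA-256; symlinks get their target string, so a dropped
    init-script symlink shows up as a new entry instead of being silently skipped.
    Plain directories carry no content of their own and are not listed.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                result[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                result[rel] = file_digest(p)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as created, deleted or modified between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def compare_backups(before_root: str, after_root: str) -> dict:
    """Diff two unpacked backup trees and list which known indicator paths exist in the later one."""
    after = snapshot(Path(after_root))
    report = diff_snapshots(snapshot(Path(before_root)), after)
    report["indicators"] = [p for p in INDICATOR_PATHS if p in after]
    return report


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_trees() -> tuple:
    """Constructed sample data: two small trees mimicking a pre- and a post-infection backup."""
    base = Path(tempfile.mkdtemp(prefix="vesta-backup-diff-"))
    before, after = base / "backup-03-04-2018", base / "backup-07-04-2018"
    # Unchanged "system" files present in both backups.
    for root in (before, after):
        _write(root / "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root / "usr/bin/ls", b"\x7fELF placeholder for a real binary\n")
    # A log that legitimately grew between the backups: reported as modified, not as an indicator.
    _write(before / "var/log/messages", b"Apr  3 boot\n")
    _write(after / "var/log/messages", b"Apr  3 boot\nApr  7 cron\n")
    # Files the quoted post lists as dropped by the malware, present only in the later backup.
    _write(after / "etc/cron.hourly/gcc.sh", b"#!/bin/sh\n# inert placeholder, not the real dropper\n")
    _write(after / "etc/rc.d/init.d/update", b"#!/bin/sh\n# inert placeholder init script\n")
    _write(after / "usr/lib/libudev.so", b"placeholder shared object\n")
    _write(after / "tmp/update", b"placeholder binary\n")
    # Runlevel entry as a symlink to the init script, the usual SysV layout (one runlevel shown).
    (after / "etc/rc.d/rc3.d").mkdir(parents=True, exist_ok=True)
    os.symlink("../init.d/update", after / "etc/rc.d/rc3.d/S90update")
    return str(before), str(after)


if __name__ == "__main__":
    before_root, after_root = build_sample_trees()
    for kind, paths in compare_backups(before_root, after_root).items():
        print(f"{kind}: {paths}")
```

On a real server the two roots would be the extracted backup archives; comparing content hashes rather than timestamps matters because a dropper can set arbitrary mtimes, and carrying symlinks as entries matters because the S90update runlevel links in the quoted list are exactly the kind of persistence a file-only walk would miss.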