Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 6:47 pm
We don't have any logs from during the attack; after the attack we have some hacked OS files with root permission and with outbound DDoS.
Community Forum
https://forum.vestacp.com/
nextgi wrote: ↑Sun Apr 08, 2018 6:37 pm
https://www.virustotal.com/#/file/48343 ... /detection
This is for libudev.so, the infected version.

We all know this and discussed it on the first pages of this topic. Also, many of us have given access to infected servers to the developers, and they know it all. The only thing we can do now is wait until someone provides the web server's logs from the Vesta service, with logging of POST requests enabled. But since logging has been disabled entirely by default, we can only wait until the bots exploit the honeypots (as we still don't know whether the developers have actually found the cause of the hack).

StudioMaX wrote: ↑Sun Apr 08, 2018 6:47 pm
nextgi wrote: ↑Sun Apr 08, 2018 6:37 pm
https://www.virustotal.com/#/file/48343 ... /detection
This is for libudev.so, the infected version.
We all know this and discussed it on the first pages of this topic. Also, many of us have given access to infected servers to the developers, and they know it all. The only thing we can do now is wait until someone provides the web server's logs from the Vesta service, with logging of POST requests enabled. But since logging has been disabled entirely, we can only wait until the bots exploit the honeypots (as we still don't know whether the developers have actually found the cause of the hack).

patience at bottleneck lol
that's what we all are here for, you're obviously just some hours behind ;-)

StudioMaX wrote: ↑Sun Apr 08, 2018 6:47 pm
nextgi wrote: ↑Sun Apr 08, 2018 6:37 pm
https://www.virustotal.com/#/file/48343 ... /detection
This is for libudev.so, the infected version.
We all know this and discussed it on the first pages of this topic. Also, many of us have given access to infected servers to the developers, and they know it all. The only thing we can do now is wait until someone provides the web server's logs from the Vesta service, with logging of POST requests enabled. But since logging has been disabled entirely by default, we can only wait until the bots exploit the honeypots (as we still don't know whether the developers have actually found the cause of the hack).
Falzo wrote: ↑Sun Apr 08, 2018 6:57 pm
that's what we all are here for, you're obviously just some hours behind ;-)

Falzo, no worries; I perfectly understand that you won't run off guesses from an internet board...
Sadly there are no logs to share - unless you get lucky and find someone who changed the logging config for the vesta-nginx before all of this started :/
Of course I am willing to share whatever I find if I can manage to log further information to help narrow down the problem.
What are you doing to your installs? All of my API access is logged to /usr/local/vesta/log/system.log.

mxroute wrote: ↑Sun Apr 08, 2018 6:59 pm
What are you doing to your installs? All of my API access is logged to /usr/local/vesta/log/system.log.
Also, auth for the API is logged to /usr/local/vesta/log/auth.log.
If the logging mechanism functions and this is the exploit point, you'll get more logging than you would in the standard Nginx logs. Theoretically, at least. It's not going to log the contents of a POST request by any application's default.

So, if it is calling regular vesta commands, that might be the case; afaik those are the ones that log their actions to system.log themselves.
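As an added illustration of the POST-request logging the thread is waiting on (this is not a poster's config and not VestaCP's shipped vesta-nginx config), here is an nginx log_format that records request bodies on the panel vhost. It assumes the vhost hands requests to a backend (fastcgi_pass or proxy_pass), which nginx requires before $request_body is populated; the port, socket and log paths are placeholders.

```nginx
# Added example, not from the VestaCP project: log POST bodies so that
# requests reaching the panel can be reviewed after an incident.
# Assumptions: the vhost passes requests to a backend (required for
# $request_body to be set); port, socket and log paths are placeholders.
http {
    # escape=json needs nginx >= 1.11.8 and keeps each body on one line.
    log_format vesta_post escape=json
        '$remote_addr [$time_local] "$request" $status '
        'ua="$http_user_agent" body="$request_body"';

    server {
        listen 8083 ssl;   # placeholder listener for the panel vhost

        # Bodies larger than this buffer are spooled to a temp file and
        # $request_body is then empty, so size it for the largest request
        # you expect to capture.
        client_body_buffer_size 64k;

        location / {
            # $request_body is only available in locations that pass the
            # request on via fastcgi_pass / proxy_pass / uwsgi_pass / scgi_pass.
            fastcgi_pass unix:/var/run/php-fpm-placeholder.sock;   # placeholder
            include fastcgi_params;
            access_log /var/log/vesta-post-placeholder.log vesta_post;  # placeholder
        }
    }
}
```

The resulting file contains whatever users submit to the panel, including login credentials, so keep it root-only and remove it once the investigation is over.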