Page 27 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:02 pm
by lukapaunovic
It's on GitHub

https://github.com/serghey-rodin/vesta/ ... e359cda7dd

It will be on main servers soon
To update now from GitHub:
# Install git first (yum install git / apt-get install git).
cd "$(mktemp -d)"
# git:// is an unauthenticated transport; https://github.com/serghey-rodin/vesta.git fetches the same repository over TLS.
git clone git://github.com/serghey-rodin/vesta.git
# Overwrite the installed tree with the fresh checkout, answering "y" to every prompt.
yes | /usr/bin/cp -rf vesta/* /usr/local/vesta
service vesta restart

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:04 pm
by SS88
lukapaunovic wrote:
Sun Apr 08, 2018 10:02 pm
It's on GitHub

https://github.com/serghey-rodin/vesta/ ... e359cda7dd

It will be on main servers soon
To update now from GitHub:
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
yes | /usr/bin/cp -rf vesta/* /usr/local/vesta
Install git before this.
Has it been tested as requested by Serghey (I don't have time until tomorrow)? I have implemented the previous patch across servers to secure the password input.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:05 pm
by imperio
Need some tests

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:10 pm
by lukapaunovic
The previous patch is practically useless:
a hacker can simply insert another pair of quotes and voilà.
This way, with the input hashed before it is passed anywhere, is safest.
You can test it on your test servers if you have any. You can try logging in with multiple users using multiple hashing types. The code looks fine to me.
But I'm not at a PC to test it, as I'm doing everything from mobile; this all started when I arrived at my vacation.
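Added illustration of the point made above, not code from VestaCP or from the poster: a quoted shell argument is not a safe boundary for untrusted input, because a quote character inside the input closes the literal and the remainder is parsed as shell code, whereas hashing the secret first means only hex characters ever reach a command line. The "checking" commands, the `check_stub` function and the sample credentials below are constructed stand-ins for whatever a real login handler would call.

```shell
#!/bin/sh
# Added illustration, not VestaCP's code: why quoting alone does not make a
# shell-backed password check safe, and why hashing the input first does.

# Constructed sample credentials (not real accounts).
SAMPLE_USER="alice"
# A password crafted to close the quoted argument early and append a command.
# The appended command is harmless here; the point is that it runs at all.
SAMPLE_EVIL='x"; echo INJECTED; echo "'

# Vulnerable pattern: the caller builds a command STRING with the raw
# password wrapped in double quotes and hands it to a shell to re-parse.
# A quote inside the password terminates the literal, so the rest of the
# input is executed as shell code. Returns the command's combined output.
unsafe_check() {
    user="$1"
    password="$2"
    sh -c "echo \"checking $user\" \"$password\"" 2>&1
}

# Hash a secret to a lowercase hex digest (sha256sum, or openssl as fallback).
hash_secret() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/.*= //'
    fi
}

# Stand-in (constructed) for the script that would compare against a stored hash.
check_stub() {
    printf 'checking %s %s\n' "$1" "$2"
}

# Hardened pattern: hash the secret before it touches any command line and
# pass it as its own argv element, with no shell re-parsing. The digest is
# restricted to [0-9a-f], so there is nothing left for an attacker to inject.
safe_check() {
    user="$1"
    digest=$(hash_secret "$2")
    check_stub "$user" "$digest"
}

# Helper for the demonstration: succeeds if the output shows injected execution.
was_injected() {
    case "$1" in
        *INJECTED*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "--- unsafe: the crafted password runs its own command ---"
unsafe_check "$SAMPLE_USER" "$SAMPLE_EVIL"
echo "--- safe: only a hex digest reaches the checker ---"
safe_check "$SAMPLE_USER" "$SAMPLE_EVIL"
```

The hashing step is what removes the attacker's control over the bytes the shell sees; passing the digest as a separate argument rather than interpolating it into a string is the second, independent layer.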

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:18 pm
by codycook
I updated bin, func, src, and web from master. What is the way to test if it works or not?

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:23 pm
by lukapaunovic
If login & API work fine, it should be OK.

Another pair of eyes will check soon. But everything seems fine.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:26 pm
by skid
The fix has been released just now!
As usual, there are 3 ways to update your server:

1. Via web interface
- Login as admin
- Go to the updates tab
- Click the update button under the vesta package

2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade

3. Via GitHub
- SSH as root
- Install git (yum install git / apt-get install git)
- Then run the following commands

Code:

cd "$(mktemp -d)"
# git:// is an unauthenticated transport; https://github.com/serghey-rodin/vesta.git fetches the same repository over TLS.
git clone git://github.com/serghey-rodin/vesta.git
# Overwrite the installed tree with the fresh checkout.
/bin/cp -rf vesta/* /usr/local/vesta/

Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!

Please upgrade your servers as soon as possible.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:37 pm
by pipoy
skid wrote:
Sun Apr 08, 2018 10:26 pm
The fix has been released just now!
As usual, there are 3 ways to update your server:

1. Via web interface
- Login as admin
- Go to the updates tab
- Click the update button under the vesta package

2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade

3. Via GitHub
- SSH as root
- Install git (yum install git / apt-get install git)
- Then run the following commands

Code:

cd "$(mktemp -d)"
# git:// is an unauthenticated transport; https://github.com/serghey-rodin/vesta.git fetches the same repository over TLS.
git clone git://github.com/serghey-rodin/vesta.git
# Overwrite the installed tree with the fresh checkout.
/bin/cp -rf vesta/* /usr/local/vesta/

Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!

Please upgrade your servers as soon as possible.


Thanks

So just upgrade vesta?

No need to delete some files or viruses?

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:41 pm
by imperio
All virus processes should be killed and the files with the virus should be deleted.
https://superuser.com/questions/877896/ ... 24#1004724

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:48 pm
by pipoy
imperio wrote:
Sun Apr 08, 2018 10:41 pm
All virus processes should be killed and the files with the virus should be deleted.
https://superuser.com/questions/877896/ ... 24#1004724
Seems that mine did not.

I had a high-CPU process, which I just killed, and it leads to this directory right here:

Code:

find / -name '*wnrkywzlgd*'
/run/systemd/generator.late/runlevel5.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/runlevel4.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/runlevel3.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/runlevel2.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/rescue.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/wnrkywzlgd.service
/usr/bin/wnrkywzlgd
/sys/fs/cgroup/systemd/system.slice/wnrkywzlgd.service
/etc/rc.d/init.d/wnrkywzlgd
/etc/rc.d/rc1.d/S90wnrkywzlgd
/etc/rc.d/rc2.d/S90wnrkywzlgd
/etc/rc.d/rc4.d/S90wnrkywzlgd
/etc/rc.d/rc6.d/K90wnrkywzlgd
/etc/rc.d/rc5.d/S90wnrkywzlgd
/etc/rc.d/rc3.d/S90wnrkywzlgd
/etc/rc.d/rc0.d/K90wnrkywzlgd

And there are 2 more

Code:

lrwxrwxrwx 1 root root 20 Apr  9 06:43 K90nzwjjbnipz -> ../init.d/nzwjjbnipz
lrwxrwxrwx 1 root root 20 Apr  9 06:43 K90sgyronbqvp -> ../init.d/sgyronbqvp
lrwxrwxrwx 1 root root 20 Apr  8 20:01 K90wnrkywzlgd -> ../init.d/wnrkywzlgd
I am happy to delete these files if it is confirmed that they are not from Vesta.
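Added triage helper for the advice given above (kill the processes, delete the files) applied to the kind of findings listed in this post; it is an added example, not part of the thread or of VestaCP. It searches the locations where persistence showed up here (the init script, the rc*.d symlinks, the binary under /usr/bin, and the generated systemd units), records owner, mtime and hash of each artifact before anything is touched, and only kills and deletes when explicitly told to. The directory list and the test tree built from the post's own names are assumptions for illustration. Two caveats a practitioner wants here: the units under /run/systemd/generator.late are produced by systemd-sysv-generator from the /etc/rc.d/init.d script, so the script is the thing to remove and a `systemctl daemon-reload` makes the generated units disappear; and the /sys/fs/cgroup entry is a kernel view of the service's processes, not a file to delete, and goes away once those processes are gone.

```shell
#!/bin/sh
# Added triage helper, not part of the original post or of VestaCP.
# Given a suspicious service name, enumerate the places where persistence
# was found above, record what is there, then (optionally) stop and remove
# it. ROOT defaults to / but can point at a mounted copy or a test tree.

# Directories to search, relative to ROOT: the post's findings plus the
# usual sysv/systemd locations (assumed list, extend as needed).
PERSIST_DIRS="etc/rc.d etc/init.d etc/systemd/system run/systemd/generator.late run/systemd/generator usr/bin usr/sbin usr/local/bin"

# Print every path under the watched directories whose basename contains NAME.
list_artifacts() {
    name="$1"; root="${2:-/}"
    for d in $PERSIST_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -name "*${name}*" 2>/dev/null
    done | sort -u
}

# Number of artifacts found (handy for checking before/after cleanup).
count_artifacts() {
    list_artifacts "$1" "$2" | awk 'END { print NR }'
}

# Preserve evidence before touching anything: owner, mtime, size, and a
# hash of each regular file (symlinks are shown with their target).
record_artifacts() {
    name="$1"; root="${2:-/}"
    list_artifacts "$name" "$root" | while IFS= read -r p; do
        ls -ld "$p"
        if [ -f "$p" ] && [ ! -L "$p" ]; then
            sha256sum "$p"
        fi
    done
}

# Stop running copies by process name, then show anything still matching
# so the operator sees re-spawned or renamed children.
kill_processes() {
    pkill -x "$1" 2>/dev/null || true
    pgrep -l "$1" || true
}

# Remove the artifacts. The generator.late units are rebuilt from the
# init.d script on every daemon-reload, so deleting the script (and the
# rc*.d symlinks) is what actually removes the service; the reload then
# drops the generated units. The cgroup entry under /sys is not a file to
# delete and vanishes with the service's processes.
remove_artifacts() {
    name="$1"; root="${2:-/}"
    list_artifacts "$name" "$root" | while IFS= read -r p; do
        rm -f "$p"
    done
    if [ "$root" = "/" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl daemon-reload
    fi
}

# Full sequence. Pass "yes" as the third argument to actually kill and delete;
# anything else is a dry run that only records.
triage() {
    name="$1"; root="${2:-/}"; confirm="${3:-no}"
    echo "== artifacts for '$name' under $root =="
    record_artifacts "$name" "$root"
    if [ "$confirm" != "yes" ]; then
        echo "(dry run; pass yes as the third argument to clean up)"
        return 0
    fi
    if [ "$root" = "/" ]; then
        kill_processes "$name"
    fi
    remove_artifacts "$name" "$root"
    echo "remaining: $(count_artifacts "$name" "$root")"
}

# Usage: sh triage.sh wnrkywzlgd [/] [yes]
if [ -n "${1:-}" ]; then
    triage "$@"
fi
```

Run it once as a dry run first and keep the recorded hashes; after the service is gone, repeat the dry run for the other two names from the listing above, and expect the /run/systemd and cgroup entries to be absent only after the reload and process kill respectively.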