Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 10:50 pm
by lukapaunovic
After this, the best thing to do is to get backups, reinstall the server and restore it.
It's hassle-free and you'll keep your peace of mind.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 10:54 pm
by ivcha92
Just did an update using the CLI; please note that /usr/local/vesta/nginx/nginx.conf was not updated.
The access log should be manually enabled after the update for easier debugging in future.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 11:10 pm
by pipoy
Everything is still the same with my server.
I already deleted /lib/libudev.so and gcc.sh; it just keeps coming back,
and so do these random letters in /etc/init.d.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 11:13 pm
by imperio
I already deleted /lib/libudev.so and gcc.sh it just keeps coming back
Try to search for and kill the active virus process (processes).
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 11:29 pm
by pipoy
imperio wrote: Sun Apr 08, 2018 11:13 pm
I already deleted /lib/libudev.so and gcc.sh it just keeps coming back
Try to search for and kill the active virus process (processes).
Thanks.
I chmod 0000'd the libudev.so first before removing it, like your link said.
Removing it head-on will just instantly generate a new one.
Looks like my server is stable now. I'll give an update to this thread.
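An added read-only check (not something any poster in this thread provided) for the three things pipoy and imperio describe: a dropped /lib/libudev.so, a gcc.sh file anywhere on the root filesystem, and init.d entries that were not there on a clean install. It assumes you keep a baseline file listing the init.d names of a known-good install of the same distribution; it changes nothing on disk, so it is safe to run before deciding whether to clean or rebuild.

```shell
#!/bin/sh
# Added example, not from the thread: report the indicators posters describe.
# Assumption: BASELINE is a file with one /etc/init.d entry name per line,
# captured from a known-good install of the same distribution.

# Print every entry of init.d directory $1 whose name is not in baseline
# file $2, one path per line. Randomly named droppers show up here.
scan_initd() {
    dir="$1"; baseline="$2"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        grep -qx -- "$name" "$baseline" || printf '%s\n' "$f"
    done
}

# Under root $1 (normally /) look for the two files named in the thread:
# libudev.so placed directly in /lib (the real library lives in an
# architecture subdirectory with a .so.N suffix) and any file called gcc.sh.
scan_indicators() {
    root="${1%/}"                       # "/" becomes "", so paths stay clean
    [ -e "$root/lib/libudev.so" ] && printf 'dropped library: %s\n' "$root/lib/libudev.so"
    find "${root:-/}" -xdev -type f -name gcc.sh 2>/dev/null
}

# Usage: sh check_vesta_host.sh / /root/initd-baseline.txt
if [ "$#" -eq 2 ]; then
    scan_initd "${1%/}/etc/init.d" "$2"
    scan_indicators "$1"
fi
```

Anything it prints is a finding to investigate (compare against your package manager's file lists), not proof of infection on its own.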
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 11:31 pm
by Razza
Version 0.9.8-20 does not seem to be released for Debian 9.
apt-get -qq update && apt-cache show vesta | grep "Version"
Version: 0.9.8-19
Re: Got 10 VestaCP servers exploited
Posted: Mon Apr 09, 2018 12:09 am
by crackerizer
Updated to v20 but still monitoring.
As for the POST log, it seems like the hacker removed my IP from his pool. No trace of access from him since.
Re: Got 10 VestaCP servers exploited
Posted: Mon Apr 09, 2018 12:35 am
by pipoy
I am also monitoring. 1 hr after, so far so good.
I'm not sure if I was out of his pool, but the viruses are definitely not replicating themselves anymore.
How did someone know who uses VestaCP anyway?
Re: Got 10 VestaCP servers exploited
Posted: Mon Apr 09, 2018 12:57 am
by dpeca
For those people who want to help us with honeypots:
In /usr/local/vesta/web/api/index.php,
after the first line, please add this line:
file_put_contents('/tmp/postlog.txt', 'API: '.$_SERVER["REMOTE_ADDR"] . ' = ' . print_r($_POST, true), FILE_APPEND);
In /usr/local/vesta/web/login/index.php,
after the first line, please add this line:
file_put_contents('/tmp/postlog.txt', 'LOGIN: '.$_SERVER["REMOTE_ADDR"] . ' = ' . print_r($_POST, true), FILE_APPEND);
Then, via SSH, do
from your computer (or from another server), and when you see strange codes, send them to us at
[email protected]
DO NOT do this on production servers (because the file will contain all passwords and will be readable by any user on the server).
Re: Got 10 VestaCP servers exploited
Posted: Mon Apr 09, 2018 1:38 am
by Mag37
Hi everyone, I just want to ask a few simple questions:
- Were any of the VestaCP installs on HTTPS?
- Is it a good idea to change the VestaCP port 8083? (= stealth mode)
My installation is, and it did not get hacked (I have turned it off as I write).
I am on Ubuntu 16.04 - Apache Nginx.
The entire install is on https (letsencrypt).
One note on my install is that Roundcube does not function at this time:
database connection error... Will fix that later.
I have turned off my server at this time. Will upgrade ASAP.
Thanks and good luck guys.
PS: my Host emailed me about this issue.