Page 28 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:50 pm
by lukapaunovic
After this the best thing to do is to get backups and reinstall server and restore it
It's hassle free and you'll keep peace of mind

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:54 pm
by ivcha92
Just did an update using CLI please note that /usr/local/vesta/nginx/nginx.conf was not updated

Access log should be manualy enabled after update for easier debugging in future

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:10 pm
by pipoy
everything is still the same with my server.

I already deleted /lib/libudev.so and gcc.sh it just keeps coming back

and these random letters in /etc/init.d

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:13 pm
by imperio
I already deleted /lib/libudev.so and gcc.sh it just keeps coming back
try to search and kill active virus process (procesess)

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:29 pm
by pipoy
imperio wrote:
Sun Apr 08, 2018 11:13 pm
I already deleted /lib/libudev.so and gcc.sh it just keeps coming back
try to search and kill active virus process (procesess)
Thanks.

I chmod 0000 first the libudev.so before removing it like what your link said.

Removing it head on will just instantly generate a new one.

Looks like that my server is stable now. Ill give update to this thread.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:31 pm
by Razza
Version 0.9.8-20 Dose not seem to be released for Debain 9.

Code: Select all

apt-get -qq update &&apt-cache show vesta|grep "Version"
Version: 0.9.8-19

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 12:09 am
by crackerizer
Updated to V20 but still monitoring.

for the POST log, it seems like the hacker removed my IP from his pool. No trace of access from him since.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 12:35 am
by pipoy
I am also monitoring. 1 hr after, so far so good.

Im not sure if I was out of his pool, but definitely the viruses are not replicating itself anymore.

How did someone knew the people who uses vestacp anyway?

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 12:57 am
by dpeca
For those people that want to help us with honeypots.

In /usr/local/vesta/web/api/index.php
after first line, please add this line:

Code: Select all

file_put_contents('/tmp/postlog.txt', 'API: '.$_SERVER["REMOTE_ADDR"] . ' = ' .  print_r($_POST, true), FILE_APPEND);
In /usr/local/vesta/web/login/index.php
after first line, please add this line:

Code: Select all

file_put_contents('/tmp/postlog.txt', 'LOGIN: '.$_SERVER["REMOTE_ADDR"] . ' = ' .  print_r($_POST, true), FILE_APPEND);
Then, via SSH, do

Code: Select all

tailf /tmp/postlog.txt
from your computer (or from other server), and when you see strange codes send us to [email protected]

DO NOT this on production servers (because file will contains all passwords and file will be readable for any user on server)

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:38 am
by Mag37
I everyone I just want to ask few simple questions :
  • Were any of the VestCP install on HTTPS ?
  • Is it a good idea to change VestaCP port 8083 ? (= stealth mode)
My instalation is and did not get hacked (I have turned it off as I write)
I am on Ubuntu 16.04 - Apache Nginx
the entire install is on https (letsencrypt)
One note with my install is that Roundcube does not function at this time
database connection error... Will fix that later

I have turn off my server at this time. Will upgrade ASAP

Thanks and good Luck guys

PS: my Host emailed me about this issue.