Page 34 of 55

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:05 pm
by MAN5
wait until they fixed their rep. it's down because the virus was spread from over there
False Alarm. I'm using VestaCP for more than 4 years. I got the latest update via auto-update of vesta. Till now, I never saw any hacks on my server. I keep checking/inspecting the files inside my server whenever people point out some suspects like 'gcc.sh', 'rc.xx' - but can't find any yet. Checking '/var/log/xxx' files on an everyday basis is my routine practice. I have hardened my f2ban, iptables, exim config etc. for reducing spam. But I know I'm not 100% safe. No one can say that..
I don't dare to blame VestaCP sources.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:05 pm
by kobo1d
Falzo wrote:
Mon Apr 09, 2018 12:46 pm
kobo1d wrote:
Mon Apr 09, 2018 12:39 pm
Falzo wrote:
Mon Apr 09, 2018 12:37 pm


how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046

you will see that i am right when vestacp posts public news about what was happening with their rep.
will see about that. I have a server (debian 9) freshly installed with vesta on april 2nd, port 8083 opened, which wasn't hit nor affected at all. I haven't updated yet, feel free to give pointers for what I should look at and what you think the attack vector would be.

if there is something inside the sources which got spread through the repo it still would need to be activated somehow... may it be by a timer or external call.
with the port blocked/whitelisted an external call is unlikely, so you'd bet on internal crons being manipulated or something like that?

as said I am willing to dig deeper, as I have quite a few installations of vesta, only two were affected, just give some more input on what you think would be worth looking out for.
i dug pretty deep the last 48 hours. the pain in my hands can prove that. the big factor about it is that everything it does/did leaves no traces whatsoever.
(if you want to find out where it's originally coming from) the rest is a standard Linux/Xor.DDoS Trojan

first i thought it's a backdoor at my server provider, like a hacked internal technical VNC or similar.
the company even went so far that they checked their install images to see if they ship this trojan by default.

i bet you a dollar it's coming from the vesta sources and is installed as a free feature for welcoming new vesta users (ok that was sarcasm)
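Falzo's quoted question (did the 8083 whitelist actually land in iptables?) can be answered mechanically rather than by trusting the panel. The following is an added example, not code from the thread or from VestaCP: it parses `iptables -S INPUT` output and classifies a port as open, whitelisted or closed. The two rulesets are constructed samples, and the script assumes the relevant rules live directly in the INPUT chain of the filter table (if the panel uses its own chain, dump that chain instead).

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` (not from any host in the thread):
# chain policy is DROP, but the 8083 ACCEPT rule carries no source restriction.
RULES_OPEN='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT'

# Same ruleset with the panel port whitelisted to a single admin address
# (203.0.113.10 is a documentation address, constructed for this sample).
RULES_WHITELISTED='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8083 -j ACCEPT'

# port_exposure RULES PORT
# Prints "open", "whitelisted" or "closed" for PORT, judged from the INPUT
# chain rules passed as $1. On a live host: port_exposure "$(iptables -S INPUT)" 8083
# Heuristic only: it does not evaluate rule order or other tables/chains.
port_exposure() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-P INPUT/ { policy = $3 }
        /^-A INPUT/ && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ {
            if ($0 ~ /(^| )-s /) { restricted++ } else { unrestricted++ }
        }
        END {
            if (unrestricted > 0)      print "open"         # ACCEPT from anywhere
            else if (restricted > 0)   print "whitelisted"  # only -s sources
            else if (policy == "DROP") print "closed"       # falls to the policy
            else                       print "open"         # ACCEPT policy, no rule
        }'
}
```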

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:06 pm
by kobo1d
MAN5 wrote:
Mon Apr 09, 2018 1:05 pm
wait until they fixed their rep. it's down because the virus was spread from over there
False Alarm. I'm using VestaCP for more than 4 years. I got the latest update via auto-update of vesta. Till now, I never saw any hacks on my server. I keep checking/inspecting the files inside my server whenever people point out some suspects like 'gcc.sh', 'rc.xx' - but can't find any yet. Checking '/var/log/xxx' files on an everyday basis is my routine practice. I have hardened my f2ban, iptables, exim config etc. for reducing spam. But I know I'm not 100% safe. No one can say that..
I don't dare to blame VestaCP sources.
well just the fact you didn't get hacked by now doesn't mean you are protected/safe by default. that's all i can tell you for sure.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:07 pm
by really
Falzo wrote:
Mon Apr 09, 2018 12:46 pm
kobo1d wrote:
Mon Apr 09, 2018 12:39 pm
Falzo wrote:
Mon Apr 09, 2018 12:37 pm


how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046

you will see that i am right when vestacp posts public news about what was happening with their rep.
will see about that. I have a server (debian 9) freshly installed with vesta on april 2nd, port 8083 opened, which wasn't hit nor affected at all. I haven't updated yet, feel free to give pointers for what I should look at and what you think the attack vector would be.

if there is something inside the sources which got spread through the repo it still would need to be activated somehow... may it be by a timer or external call.
with the port blocked/whitelisted an external call is unlikely, so you'd bet on internal crons being manipulated or something like that?

as said I am willing to dig deeper, as I have quite a few installations of vesta, only two were affected, just give some more input on what you think would be worth looking out for.
You need to read back some number of pages. There's a link to details about the trojan and how it replicates and the possible file names.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:20 pm
by kobo1d
you can also check for infection by doing a

    netstat -natp

and check for a high port number on your server going to some ip at port 25 (smtp)
entry looks like this:

    your.server.com:39472->209.141.61.140:smtp (25)

the command it sends when it's idle is

    sleep 1

the 2nd ip is real by the way. i think it's the master or relay of this botnet or something.

oh and that's no guessing, that backdoor is real. it was reported by the process of my virus body as an active connection.

this is pretty useful if u want to clean your system: https://superuser.com/questions/863997/ ... -webserver
if you want to google it: Linux/Xor.DDoS Trojan

and if any of you want to have the virus files (bodies and cronfiles), let me know. i saved them for research.
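kobo1d's netstat check can be run as a repeatable triage step instead of eyeballing the table. This is an added example, not code from the thread or from VestaCP: it parses `netstat -natp` output and lists established connections to a remote port 25 that are not owned by the expected mail daemon (exim, as on the thread's servers). The sample output is constructed with documentation addresses; the process name gcc.sh is one of the suspect names mentioned earlier in the thread, used here only as a stand-in.

```shell
#!/bin/sh
# Constructed `netstat -natp` sample (not captured from any host in the thread):
# an inbound SMTP session handled by exim, an outbound delivery by exim, and an
# outbound port-25 connection owned by a process that is not the MTA.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:25           198.51.100.7:51234      ESTABLISHED 1501/exim4
tcp        0      0 192.0.2.10:43210        198.51.100.20:25        ESTABLISHED 1501/exim4
tcp        0      0 192.0.2.10:39472        198.51.100.9:25         ESTABLISHED 4213/gcc.sh'

# smtp_clients NETSTAT_OUTPUT MTA_PREFIX
# Prints "PID/program foreign-address" for every ESTABLISHED TCP connection whose
# remote port is 25 and whose program name does not start with MTA_PREFIX
# ("exim" also matches exim4). Run as root, otherwise -p hides other users' PIDs:
#   smtp_clients "$(netstat -natp 2>/dev/null)" exim
smtp_clients() {
    printf '%s\n' "$1" | awk -v mta="$2" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($5, f, ":")            # foreign address; last field is the port
            if (f[n] != "25") next
            split($7, p, "/")                # PID/Program name
            if (index(p[2], mta) == 1) next  # owned by the expected MTA, skip
            print $7, $5
        }'
}
```

Anything this prints deserves a look at the owning PID (its binary path, cron entries and start time), since a legitimate mail server should only talk to remote port 25 through its MTA.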

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:54 pm
by rmjserver
I think my server is also affected. When I run this command netstat -natp it shows multiple Chinese IP addresses. I can provide you root access to my server for investigation, if you need it then please reply to me.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:56 pm
by isac
We need a Debian 9 update, trying to update from 0.9.8 but without luck

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 2:04 pm
by MAN5
I think my server is also affected. When I run this command netstat -natp it shows multiple Chinese IP addresses. I can provide you root access to my server for investigation, if you need it then please reply to me.
If you seem affected on port 25, why don't you do email rate_limit? so this shit won't consider you anymore..

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 2:09 pm
by pipoy
Isn't it by default that when your firewall is enabled, everything is dropped?

And by default, only the accepted ones are in the FIREWALL tab.

If you already changed your admin port, automatically your 8083 is dropped

I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 2:13 pm
by RevengeFNF
pipoy wrote:
Mon Apr 09, 2018 2:09 pm
Isn't it by default that when your firewall is enabled, everything is dropped?

And by default, only the accepted ones are in the FIREWALL tab.

If you already changed your admin port, automatically your 8083 is dropped

I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked
Did you install VestaCP recently?
We are trying to know if their repo was exploited.