Re: Got 10 VestaCP servers exploited
Posted: Mon Apr 09, 2018 5:22 pm
Community Forum
https://forum.vestacp.com/
I reinstalled Vesta 10 minutes after the server was hacked and stopped the service, and I didn't get hacked again.

darkworks wrote: ↑Mon Apr 09, 2018 5:16 pm
Yeah, possibly Roundcube can be the issue. My server got hit from China from a lot of IP addresses, but it's safe, because I have changed the URLs of phpMyAdmin and Roundcube, so maybe that's why I am safe.

lukapaunovic wrote: ↑Mon Apr 09, 2018 4:38 pm
Stop speculating about Roundcube being the issue.
That can't be true. If it were, many panels using it would be exploited too.
Besides, all installations which were hacked were running the latest Roundcube version.
Those people stating things like "I had blah blah number of installations blah blah without and blah blah with Roundcube" are also talking nonsense,
because the hacker is going through IP ranges, probably subnets, and not all servers are on the same subnet, nor does each subnet have the same number of IPs, even within the same provider. The hacker is probably scanning smaller ranges.
Also, whoever claims that a variable passed, without even single quotes, directly at the end of a bash statement is not a security issue is out of his mind.
Try making such a statement on unix.stackexchange.com and see what happens.
As far as I can tell, Vesta tries to update itself automatically.
Code:
# crontab -l -u admin
MAILTO=email@hidden
CONTENT_TYPE="text/plain; charset=utf-8"
15 02 * * * sudo /usr/local/vesta/bin/v-update-sys-queue disk
10 00 * * * sudo /usr/local/vesta/bin/v-update-sys-queue traffic
30 03 * * * sudo /usr/local/vesta/bin/v-update-sys-queue webstats
*/5 * * * * sudo /usr/local/vesta/bin/v-update-sys-queue backup
10 05 * * * sudo /usr/local/vesta/bin/v-backup-users
20 00 * * * sudo /usr/local/vesta/bin/v-update-user-stats
*/5 * * * * sudo /usr/local/vesta/bin/v-update-sys-rrd
10 3 * * * sudo /usr/local/vesta/bin/v-update-sys-vesta-all
Code:
# Starting update loop
for package in vesta vesta-nginx vesta-php vesta-ioncube vesta-softaculous; do
$BIN/v-update-sys-vesta "$package"
done
It is safe now, but was it safe several days ago?

lukapaunovic wrote: ↑Mon Apr 09, 2018 5:22 pm
As for the speculation in regards to the REPO, Vesta staff has CHECKED the repo and the repo is SAFE.
Code:
aureport -x
Code:
ausearch -m USER_CMD -i | grep -v -- '----'
wildwolf wrote: ↑Mon Apr 09, 2018 5:31 pm
It is safe now, but was it safe several days ago?
lukapaunovic wrote: ↑Mon Apr 09, 2018 5:22 pm
As for the speculation in regards to the REPO, Vesta staff has CHECKED the repo and the repo is SAFE.

Got hacked on DO, then migrated to another provider; the new clean VDS with a fresh Vesta install just got 100% CPU load with 5k IOPS disk and 400 Mbit net, so I can't even log in via SSH. Rebooted... Now trying to detect what was wrong. P.S. SSH only with keys, no root login.
https://stackoverflow.com/questions/304 ... through-ng

lukapaunovic wrote: ↑Mon Apr 09, 2018 6:09 pm
Also, the Password variable in the API was written to /tmp.
And the virus does appear to be in temp; it was resting for over a month until it activated:
systemd-private-bab3623b0b0a419abb1d8894d719d904-httpd.service-aceQDx
systemd-private-bab3623b0b0a419abb1d8894d719d904-named.service-H1orys
Inside each was a tmp folder with the "update" executable virus in it.
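A defensive check for the location described in this post, added here as an example that is not from the thread or from VestaCP: it walks systemd PrivateTmp directories (systemd-private-<id>-<unit>.service-<random>/tmp) and reports owner-executable files found there, with a constructed sample tree so it can be run offline. The function names, the placeholder id and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list executables hiding in systemd
# PrivateTmp directories, the location described in the post above
# (systemd-private-<id>-<unit>.service-<random>/tmp). Assumes POSIX sh and a
# find(1) that supports -path and -perm -100 (GNU and BSD both do).

# Print "<unit> <path>" for every regular, owner-executable file found below
# a systemd-private-*/tmp directory under ROOT (default /tmp).
find_private_tmp_execs() {
    root="${1:-/tmp}"; root="${root%/}"   # tolerate a trailing slash
    # -perm -100: owner execute bit set; -type f: regular files only.
    # One path per line; paths containing newlines would need -print0.
    find "$root" -path "$root/systemd-private-*/tmp/*" -type f -perm -100 2>/dev/null |
    while IFS= read -r path; do
        rest="${path#*/systemd-private-}"   # "<id>-httpd.service-XXXX/tmp/update"
        unit="${rest%%/*}"                  # "<id>-httpd.service-XXXX"
        unit="${unit#*-}"                   # drop the 32-hex id
        unit="${unit%-*}"                   # drop the random suffix -> "httpd.service"
        printf '%s %s\n' "$unit" "$path"
    done
}

# Number of hits, so a cron job or monitoring check can alert on non-zero.
count_private_tmp_execs() {
    find_private_tmp_execs "$1" | wc -l | tr -d ' '
}

# Build a constructed directory tree that mimics the thread's finding so the
# check can be exercised offline; prints the root it created.
make_sample_tree() {
    root="$(mktemp -d)"
    id="00000000000000000000000000000000"   # constructed placeholder id
    svc="$root/systemd-private-$id-httpd.service-AAAAAA/tmp"
    dns="$root/systemd-private-$id-named.service-BBBBBB/tmp"
    mkdir -p "$svc" "$dns"
    printf '#!/bin/sh\n' > "$svc/update"
    chmod 700 "$svc/update"                 # executable: should be reported
    : > "$dns/sess_abc"                     # non-executable: should be ignored
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo_root="$(make_sample_tree)"
    find_private_tmp_execs "$demo_root"
    rm -rf "$demo_root"
fi
```

Run with --demo to see the check report the constructed "update" binary; point find_private_tmp_execs at a real /tmp to audit a host.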