Vesta Control Panel - Forum

vishne0 wrote: ↑

Mon Apr 09, 2018 3:51 pm

There are few things I want to know if someone can please reply
1) The hacked server were running ssh on port 22 ?
2) Allow root to login were on?

darkworks wrote: ↑

Mon Apr 09, 2018 5:16 pm

lukapaunovic wrote: ↑

Mon Apr 09, 2018 4:38 pm

Stop speculating about Roundcube being the issue.
That can't be true. If it was, many panels using it would be exploited too.
Besides, all installations which were hacked were running latest roundcube version.
Those people stating like: I had blah blah number of installations blah blah without and blah blah with Roundcube is also nonsense.
because the hacker is going through IP range, probably subnets, and not all servers are on the same subnet nor each subnet has the same amount of IPs. even within the same provider. Hacker is probably scanning smaller ranges.

Also, whoever claims that passed variable, without even single quotes, directly on the end of a bash syntax is not an security issue is out of his mind.
Try to get such statement on unix.stackexchange.com and see what happens

ya possible roundcube can be issue , my server hit from china a lot of ip address , but its safe , because i have changed urls of phpmyadmin and roundcube , so maybe that's why am safe

n0x wrote: ↑

Mon Apr 09, 2018 2:43 pm

I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

# crontab -l -u admin
MAILTO=email@hidden
CONTENT_TYPE="text/plain; charset=utf-8"
15 02 * * * sudo /usr/local/vesta/bin/v-update-sys-queue disk
10 00 * * * sudo /usr/local/vesta/bin/v-update-sys-queue traffic
30 03 * * * sudo /usr/local/vesta/bin/v-update-sys-queue webstats
*/5 * * * * sudo /usr/local/vesta/bin/v-update-sys-queue backup
10 05 * * * sudo /usr/local/vesta/bin/v-backup-users
20 00 * * * sudo /usr/local/vesta/bin/v-update-user-stats
*/5 * * * * sudo /usr/local/vesta/bin/v-update-sys-rrd
10 3 * * * sudo /usr/local/vesta/bin/v-update-sys-vesta-all

# Starting update loop
for package in vesta vesta-nginx vesta-php vesta-ioncube vesta-softaculous; do
    $BIN/v-update-sys-vesta "$package"
done

lukapaunovic wrote: ↑

Mon Apr 09, 2018 5:22 pm

AS of speculation in regards to REPO, vesta staff has CHECKED the repo and repo is SAFE.

aureport -x

ausearch  -m USER_CMD -i | grep -v -- '----'

wildwolf wrote: ↑

Mon Apr 09, 2018 5:31 pm

lukapaunovic wrote: ↑

Mon Apr 09, 2018 5:22 pm

AS of speculation in regards to REPO, vesta staff has CHECKED the repo and repo is SAFE.

It is safe now, but was it safe several days ago?

kandalf wrote: ↑

Mon Apr 09, 2018 5:19 pm

But after the update to 0.9.8-20 anyone have been hacked? Or this update is solving the problem?

lukapaunovic wrote: ↑

Mon Apr 09, 2018 6:09 pm

also, the Password variable in API was written to /tmp
and virus does appear to be in temp, it was resting for over a month until it activated

systemd-private-bab3623b0b0a419abb1d8894d719d904-httpd.service-aceQDx
systemd-private-bab3623b0b0a419abb1d8894d719d904-named.service-H1orys

inside each was tmp folder with update executable virus in it