
Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 6:46 pm
by Razza
When is version 0.9.8-20 going to be uploaded to the Debian 9 repo? Every other version of Debian and Ubuntu got the 0.9.8-20 version of Vesta.
Got the version for each from the repo using

Code:

for i in wheezy jessie stretch quantal raring saucy utopic vivid wily trusty; do echo "$i:" $(curl -s http://apt.vestacp.com/$i/dists/$i/vesta/binary-amd64/Packages|grep -A1 "Source: vesta"|tail -n 1|awk '{print $2}') ; done|sort -t: -k2

Code:

stretch: 0.9.8-19
jessie: 0.9.8-20
quantal: 0.9.8-20
raring: 0.9.8-20
saucy: 0.9.8-20
trusty: 0.9.8-20
utopic: 0.9.8-20
vivid: 0.9.8-20
wheezy: 0.9.8-20
wily: 0.9.8-20

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 6:52 pm
by Gluek
kobo1d wrote:
Mon Apr 09, 2018 6:44 pm
Even after you clean the trojan, your system is still infected from what I see.
systemd (process 1) still creates suspicious files under /tmp while all other directories are still clean.
But this is speculating now.
It's on a new clean server, now it's inside /tmp:

Code:

ls -l /tmp
total 12
drwx------ 3 root root 4096 Apr  9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-dovecot.service-4eioQZ
drwx------ 3 root root 4096 Apr  9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-systemd-timesyncd.service-n4CfUC
-rw------- 1 root root 1961 Apr  9 21:27 tmp.bv84E5EAhS
outgoing traffic started at 20:40

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 7:06 pm
by lukapaunovic
Gluek wrote:
Mon Apr 09, 2018 6:52 pm
kobo1d wrote:
Mon Apr 09, 2018 6:44 pm
Even after you clean the trojan, your system is still infected from what I see.
systemd (process 1) still creates suspicious files under /tmp while all other directories are still clean.
But this is speculating now.
It's on a new clean server, now it's inside /tmp:

Code:

ls -l /tmp
total 12
drwx------ 3 root root 4096 Apr  9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-dovecot.service-4eioQZ
drwx------ 3 root root 4096 Apr  9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-systemd-timesyncd.service-n4CfUC
-rw------- 1 root root 1961 Apr  9 21:27 tmp.bv84E5EAhS
outgoing traffic started at 20:40
Hey, I just checked: I have those too on a freshly installed Vesta whose port wasn't exposed to the public for even a minute.
Good news is this is not an infection if the UPDATE file is not present within the tmp folder.

Code:

ls systemd*/tmp
systemd-private-634d8e53eac54fd7911188ef97351c9b-chronyd.service-Cal8wF/tmp:

systemd-private-634d8e53eac54fd7911188ef97351c9b-dovecot.service-ROfyMr/tmp:

systemd-private-634d8e53eac54fd7911188ef97351c9b-exim.service-xIxlsJ/tmp:

systemd-private-634d8e53eac54fd7911188ef97351c9b-httpd.service-E6OwxB/tmp:

systemd-private-634d8e53eac54fd7911188ef97351c9b-named.service-fBgXxQ/tmp:

systemd-private-634d8e53eac54fd7911188ef97351c9b-nginx.service-4i1JXa/tmp:

As you can see they are all empty; on the previously hacked server the UPDATE file was present.
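An added check, not code from the thread, that scripts the test described in this post: the systemd-private-*/tmp directories are ordinary PrivateTmp behaviour, and the indicator is an UPDATE file inside one of them. Function names and the sample directory tree are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread). The systemd-private-*/tmp directories
# are ordinary PrivateTmp= behaviour; the indicator reported in the thread is an
# UPDATE file inside one of them. Function names are this example's own.

# Print every PrivateTmp dir under $1 (default /tmp) and flag those that carry
# an UPDATE file. Returns 0 when all are clean, 1 when at least one is flagged.
check_private_tmp() {
    base="${1:-/tmp}"
    hits=0
    for d in "$base"/systemd-private-*/tmp; do
        [ -d "$d" ] || continue              # glob matched nothing
        if [ -e "$d/UPDATE" ]; then
            # ls -ld keeps owner and mtime, which feed the incident timeline
            echo "SUSPICIOUS: $(ls -ld "$d/UPDATE")"
            hits=$((hits + 1))
        else
            echo "clean: $d"
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample tree mirroring the listing above: three PrivateTmp dirs,
# two empty and one carrying UPDATE. Prints the root so callers can clean up.
make_sample_tmp() {
    root="$(mktemp -d)"
    for unit in dovecot exim httpd; do
        mkdir -p "$root/systemd-private-0000-$unit.service-XXXX/tmp"
    done
    : > "$root/systemd-private-0000-httpd.service-XXXX/tmp/UPDATE"
    printf '%s\n' "$root"
}

# Live use: check_private_tmp /tmp   (exit status 1 means investigate)
```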

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 7:09 pm
by really
Gluek wrote:
Mon Apr 09, 2018 6:36 pm
kandalf wrote:
Mon Apr 09, 2018 5:19 pm
But after the update to 0.9.8-20, has anyone been hacked? Or is this update solving the problem?
Got hacked on DO, then migrated to another provider; a new clean VDS with a fresh Vesta install just got 100% CPU load with 5k iops disk and 400 mbit net, so I can't even log in via ssh. Rebooted... Now trying to detect what was wrong. P.S. ssh only with keys, no root login.
This helped me clean up the trojan and backup my stuff from an infected VPS:

Code:

#boot the VPS, log in ASAP and then:

#check your max # of connections for future reference:
sysctl net.netfilter.nf_conntrack_max

#limit max # of connections to something super low
sysctl net.netfilter.nf_conntrack_max=1200

#save your current iptables rules
iptables-save > rules.ip4
#load up a blank set of rules which will only allow traffic from your IP
iptables-restore emergency.ip4
emergency.ip4 file:

Code:

#emergency stuff
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-A INPUT -s YOUR_IP_NOT_SERVER'S -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d YOUR_IP_NOT_SERVER'S -j ACCEPT

#optionally allow domain resolution, or change the IPs to ones from /etc/resolv.conf or repo IPs or whatever it is you want to do while in emergency mode, but the above will allow rsync and will avoid getting your VPS suspended as a DDOS source
-A INPUT -s 84.200.69.80 -j ACCEPT
-A INPUT -s 84.200.70.40 -j ACCEPT
-A OUTPUT -d 84.200.69.80 -j ACCEPT
-A OUTPUT -d 84.200.70.40 -j ACCEPT
COMMIT
Now you're free to remove those cron jobs, fake systemctl units, then the bad executable, and you'll see the trojan's random process names die out. This doesn't mean you're safe, it just means you've prevented any outgoing DDOS. Save your shit, reinstall the VPS. The rest has already been said 10s of times in this thread :)

The reason I didn't address IPv6 is that this DDOS seems to only use IPv4. You can simply set the default policy of ip6tables to DROP as well if you want.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 7:44 pm
by soguor
wildwolf wrote:
Mon Apr 09, 2018 5:22 pm
vishne0 wrote:
Mon Apr 09, 2018 3:51 pm
There are a few things I want to know, if someone can please reply:
1) Were the hacked servers running ssh on port 22?
2) Was root login allowed?
No to both :-)
Me too. No to both.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 8:07 pm
by BartMan__X
I didn't have any problems until I ran the update this morning. A few minutes ago I got an email from my VPS host (OVH) that my VPS has been suspended.

From: OVH Support
Dear Customer,

Abnormal activity has been detected on your VPS.

As this constitutes a breach of contract, your virtual server
has been blocked.

You will find the logs brought up by our system below, which led to this alert.

Code:

- START OF ADDITIONAL INFORMATION -

Attack detail : 10Kpps/71Mbps
dateTime                   srcIp:srcPort           dstIp:dstPort           protocol flags     packets      bytes reason               
2018.04.09 19:34:51 CEST   MY_VPS_IP:1813     59.56.66.67:8811        TCP      SYN          2048    1828864 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:43509    59.56.66.67:8811        TCP      SYN          2048    1820672 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:57337    59.56.66.67:8811        TCP      SYN          2048    1894400 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:57087    59.56.66.67:8811        TCP      SYN          2048    1839104 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:51152    59.56.66.67:8811        TCP      SYN          2048    1824768 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:28409    59.56.66.67:8811        TCP      SYN          2048    1900544 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:60568    59.56.66.67:8811        TCP      SYN          2048    1892352 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:38289    59.56.66.67:8811        TCP      SYN          2048    1902592 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:25782    59.56.66.67:8811        TCP      SYN          2048    1867776 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:28951    59.56.66.67:8811        TCP      SYN          2048    1873920 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:5011     59.56.66.67:8811        TCP      SYN          2048    1865728 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:2420     59.56.66.67:8811        TCP      SYN          2048    1828864 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:19935    59.56.66.67:8811        TCP      SYN          2048    1910784 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:56914    59.56.66.67:8811        TCP      SYN          2048    1892352 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:55014    59.56.66.67:8811        TCP      SYN          2048    1884160 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:17569    59.56.66.67:8811        TCP      SYN          2048    1896448 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:64671    59.56.66.67:8811        TCP      SYN          2048    1892352 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:17837    59.56.66.67:8811        TCP      SYN          2048    1837056 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:60514    59.56.66.67:8811        TCP      SYN          2048    1875968 ATTACK:TCP_SYN       
2018.04.09 19:34:51 CEST   MY_VPS_IP:9150     59.56.66.67:8811        TCP      SYN          2048    1845248 ATTACK:TCP_SYN       



-  END OF ADDITIONAL INFORMATION  -
OVH Customer Support.

OVH Support
Call us at: 1-855-OVH-LINE (684-5463)
24/7/365
[ref=1.661c9fff]
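An added example, not from the thread or from OVH, that condenses a report in the layout quoted above into one line per destination, so the flood target and its volume are obvious at a glance. The column layout is assumed from that table, and the sample lines (documentation-range addresses, made-up counts) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OVH: condense an abuse report in
# the layout quoted above into one line per destination.
# Assumed column layout (from the quoted table): date time tz src:port dst:port
# proto flags packets bytes reason. Function names are this example's own.

# Reads report text on stdin; prints "dst:port flows packets bytes" per target.
summarize_abuse_report() {
    awk '
        # data rows only: a yyyy.mm.dd date in column 1 and an ATTACK: reason
        $1 ~ /^[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ && $10 ~ /^ATTACK:/ {
            dst = $5
            flows[dst]++          # one row per source port, so rows = flows
            packets[dst] += $8
            bytes[dst] += $9
        }
        END {
            for (d in flows)
                printf "%s %d %d %d\n", d, flows[d], packets[d], bytes[d]
        }'
}

# Constructed sample in the OVH layout; addresses are RFC 5737 documentation
# ranges and the packet/byte counts are made up.
sample_report() {
    cat <<'EOF'
- START OF ADDITIONAL INFORMATION -

Attack detail : 10Kpps/71Mbps
dateTime                   srcIp:srcPort           dstIp:dstPort           protocol flags     packets      bytes reason
2018.04.09 19:34:51 CEST   MY_VPS_IP:1813     198.51.100.7:8811       TCP      SYN          2048    1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST   MY_VPS_IP:43509    198.51.100.7:8811       TCP      SYN          2048    1820672 ATTACK:TCP_SYN
2018.04.09 19:34:52 CEST   MY_VPS_IP:57337    203.0.113.9:80          TCP      SYN          1024     917504 ATTACK:TCP_SYN

-  END OF ADDITIONAL INFORMATION  -
EOF
}

# Usage: sample_report | summarize_abuse_report | sort -k3 -n -r
```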

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 8:09 pm
by snakom23
Razza wrote:
Mon Apr 09, 2018 6:46 pm
When is version 0.9.8-20 going to be uploaded to the Debian 9 repo? Every other version of Debian and Ubuntu got the 0.9.8-20 version of Vesta.
Got the version for each from the repo using

Code:

for i in wheezy jessie stretch quantal raring saucy utopic vivid wily trusty; do echo "$i:" $(curl -s http://apt.vestacp.com/$i/dists/$i/vesta/binary-amd64/Packages|grep -A1 "Source: vesta"|tail -n 1|awk '{print $2}') ; done|sort -t: -k2

Code:

stretch: 0.9.8-19
jessie: 0.9.8-20
quantal: 0.9.8-20
raring: 0.9.8-20
saucy: 0.9.8-20
trusty: 0.9.8-20
utopic: 0.9.8-20
vivid: 0.9.8-20
wheezy: 0.9.8-20
wily: 0.9.8-20
Why can't Debian 0.9 see the update?

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 8:18 pm
by isac
snakom23 wrote:
Mon Apr 09, 2018 2:14 pm
isac wrote:
Mon Apr 09, 2018 1:56 pm
We need the Debian 9 update; trying to update from 0.9.8 but without luck.
The same for me.
It's on! Updated right now in Debian 9

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 8:32 pm
by Galaxian
It appears that DigitalOcean did a blanket outgoing traffic block on servers using VestaCP (at least in my NYC-3 sector), even if they weren't compromised. Thankfully, I wasn't compromised, but my applications were broken by the outgoing traffic block (things like reCAPTCHA, and some others). This has brought about my dissatisfaction with DigitalOcean, as well as VestaCP. Why should an unaffected server have restrictions enforced upon it? And I understand that this is open source and security vulnerabilities will always come about, but damn....

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 8:35 pm
by Trentor
Galaxian wrote:
Mon Apr 09, 2018 8:32 pm
And I understand that this is open source and security vulnerabilities will always come about, but damn...
Doesn't proprietary software have security problems?