Vesta Control Panel - Forum

StudioMaX wrote: ↑

Sat Apr 07, 2018 8:36 pm

Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them located in /usr/local/vesta/data/sessions
As I understand the web interface internals, PHP will check that we have "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php), otherwise it will redirect to the Login page.
What I mean - I looked through all the session files in notepad, and search them for variable "user", and it exist only in the sessions created by me (my IP address exists in "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.

StudioMaX wrote: ↑

Sat Apr 07, 2018 8:40 pm

Moderators: please post instructions how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their configs of the web server and try to catch the requests from the exploit.

access_log /usr/local/vesta/log/nginx_access.log compression;

usr999 wrote: ↑

Sat Apr 07, 2018 8:57 pm

Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)

Prime wrote: ↑

Sat Apr 07, 2018 9:00 pm

usr999 wrote: ↑

Sat Apr 07, 2018 8:57 pm

Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)

Can you do a "ps aux" and share it using like Pastebin? There may be some other script or application that spawn a new one if it's removed.

Prime wrote: ↑

Sat Apr 07, 2018 9:00 pm

usr999 wrote: ↑

Sat Apr 07, 2018 8:57 pm

Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)

Can you do a "ps aux" and share it using like Pastebin? There may be some other script or application that spawn a new one if it's removed.