Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Moderators: please post instructions on how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their web server configs and try to catch the requests from the exploit.
Re: Got 10 VestaCP servers exploited
As far as I checked, it's the Vesta PHP, and the exploit is present in Vesta core files which are used to perform root tasks.

StudioMaX wrote: ↑ Sat Apr 07, 2018 8:36 pm
Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them are located in /usr/local/vesta/data/sessions
As I understand the web interface internals, PHP will check that we have a "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php), otherwise it will redirect to the login page.
What I mean: I looked through all the session files in Notepad and searched them for the variable "user", and it exists only in the sessions created by me (my IP address is in the "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.
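The session check StudioMaX describes (only session files carrying a "user" key count as logged-in sessions, and each records the login IP in "user_combined_ip") can be scripted instead of reading the files by hand. The script below is an added example, not code from the thread or from the Vesta project. It assumes PHP's default session serialization (key|s:LEN:"value";), the two session keys named above, and the sessions directory named above; sample session files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Vesta project): enumerate the PHP
# session files that the Vesta web UI would treat as logged in, i.e. the
# ones carrying a "user" key, and show the IP stored in user_combined_ip.
# Assumptions: PHP's default session serializer (key|s:LEN:"value";), the
# session keys named in the thread, and the sessions directory below.
SESSIONS_DIR="${SESSIONS_DIR:-/usr/local/vesta/data/sessions}"

# extract_key FILE KEY: print the string value stored under KEY, nothing if
# the key is absent. Records are split on ';', which is enough for user
# names and IP addresses (a value containing ';' would be cut short).
extract_key() {
    tr ';' '\n' < "$1" | sed -n "s/^$2|s:[0-9]*:\"\(.*\)\"$/\1/p"
}

# list_authenticated_sessions DIR: one line per session that has a user key:
# file name, user, and the IP recorded at login (or "unknown").
list_authenticated_sessions() {
    for f in "$1"/sess_*; do
        [ -f "$f" ] || continue
        user=$(extract_key "$f" user)
        [ -n "$user" ] || continue            # anonymous session, skip it
        ip=$(extract_key "$f" user_combined_ip)
        printf '%s\tuser=%s\tip=%s\n' "$(basename "$f")" "$user" "${ip:-unknown}"
    done
}

# count_authenticated_sessions DIR: number of logged-in sessions found.
count_authenticated_sessions() {
    list_authenticated_sessions "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--scan" ]; then
    # Compare the listed IPs against the addresses you logged in from;
    # a session with a user key from any other IP is one you did not create.
    list_authenticated_sessions "$SESSIONS_DIR"
    echo "authenticated sessions: $(count_authenticated_sessions "$SESSIONS_DIR")"
fi
```

Run it as root with `--scan` on the affected host. A result of only your own sessions supports the conclusion in the post: whatever was used did not log in through the web UI, so the next place to look is scripts reachable without a session.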
Re: Got 10 VestaCP servers exploited
StudioMaX wrote: ↑ Sat Apr 07, 2018 8:40 pm
Moderators: please post instructions on how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their web server configs and try to catch the requests from the exploit.

It should be as easy as editing the nginx configuration for Vesta:

Code:
access_log /usr/local/vesta/log/nginx_access.log main;

Edit: I stand corrected, just edit the file and append access_log to a file. Right now it's redirected as follows in the file: "access_log /dev/null main;"
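The edit in the post is the key point: the panel's nginx already has an access_log directive, but it discards everything to /dev/null, so nothing about the exploit requests is kept. The script below is an added example (not from the thread or the Vesta project) that finds such directives in a config and writes a corrected copy that logs to the file suggested above, keeping the existing log_format name. The config path /usr/local/vesta/nginx/conf/nginx.conf is an assumption about where the panel's nginx config lives; the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Vesta project): locate access_log
# directives that throw the panel's requests away (access_log /dev/null ...)
# and write a corrected copy that logs to a real file, keeping whatever
# log_format name the directive already uses. The config path below is the
# assumed location of the panel's own nginx config; check it on your host.
VESTA_NGINX_CONF="${VESTA_NGINX_CONF:-/usr/local/vesta/nginx/conf/nginx.conf}"
PANEL_ACCESS_LOG="/usr/local/vesta/log/nginx_access.log"

# find_discarded_access_log CONF: print (with line numbers) every access_log
# directive pointing at /dev/null; exit status 1 when there is none.
find_discarded_access_log() {
    grep -n 'access_log[[:space:]]*/dev/null' "$1"
}

# rewrite_access_log CONF OUT: copy CONF to OUT with /dev/null replaced by
# PANEL_ACCESS_LOG in those directives. Everything else is left untouched,
# so the format name (e.g. "main") and the rest of the config survive.
rewrite_access_log() {
    sed "s|\(access_log[[:space:]]*\)/dev/null|\1$PANEL_ACCESS_LOG|" "$1" > "$2"
}

if [ "${1:-}" = "--fix" ]; then
    if find_discarded_access_log "$VESTA_NGINX_CONF"; then
        # Keep a backup, then rewrite the live config from it.
        cp "$VESTA_NGINX_CONF" "$VESTA_NGINX_CONF.bak"
        rewrite_access_log "$VESTA_NGINX_CONF.bak" "$VESTA_NGINX_CONF"
        echo "access log now written to $PANEL_ACCESS_LOG; reload the panel's nginx to apply"
    else
        echo "no access_log /dev/null directive in $VESTA_NGINX_CONF"
    fi
fi
```

After the rewrite, reload the panel's nginx (on Vesta this is the service that serves port 8083; the exact restart command is not shown in the thread) and watch the new log for requests to panel paths that you did not make yourself.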
Re: Got 10 VestaCP servers exploited
I have 3 servers with VestaCP; on all servers the output traffic (tx) is not more than 100 KB, but on one server the login/password for Vesta is now incorrect (nobody changed it) + inode usage is 100%. It's strange.
Re: Got 10 VestaCP servers exploited
Can't delete the virus body; after deleting it, it's always restored: /usr/lib/libudev.so
[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)
Re: Got 10 VestaCP servers exploited
Can you do a "ps aux" and share it using something like Pastebin? There may be some other script or application that spawns a new one if it's removed.

usr999 wrote: ↑ Sat Apr 07, 2018 8:57 pm
Can't delete the virus body; after deleting it, it's always restored: /usr/lib/libudev.so
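Prime's reasoning is the standard one for a file that reappears after removal: something else on the host, a cron entry, an init script or a running watchdog process, recreates it, and that is what has to be found before cleaning or, as later posts advise, before deciding to reinstall. The script below is an added example (not from the thread) of that search. It takes the filesystem root as a parameter so it can be run against a mounted copy of the disk; the list of persistence locations is an assumed typical set for CentOS/Debian hosts, and the cron script in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): when a deleted file keeps reappearing,
# find what puts it back. This searches the usual persistence locations
# under ROOT for references to the file's name and lists running processes
# whose command line mentions it. ROOT is a parameter so the search can be
# run against a copied or mounted filesystem (and tested on a constructed
# tree); on a live host use "/".
TARGET="${TARGET:-/usr/lib/libudev.so}"

# Persistence locations to inspect, relative to ROOT. Assumed typical set
# for a CentOS or Debian host; extend it for your distribution.
PERSISTENCE_PATHS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/rc.local etc/rc.d/rc.local etc/init.d var/spool/cron"

# find_references ROOT TARGET: print each file under the persistence
# locations whose contents mention TARGET's base name.
find_references() {
    root="$1"
    name=$(basename "$2")
    for p in $PERSISTENCE_PATHS; do
        [ -e "$root/$p" ] || continue
        grep -rlF -- "$name" "$root/$p" 2>/dev/null || true
    done
}

# processes_mentioning TARGET: PIDs of running processes whose command line
# contains TARGET's base name (a candidate for the watchdog that restores it).
processes_mentioning() {
    name=$(basename "$1")
    ps -eo pid=,args= 2>/dev/null | grep -F -- "$name" | grep -v 'grep' | awk '{print $1}'
}

if [ "${1:-}" = "--scan" ]; then
    echo "files referencing $TARGET:"
    find_references / "$TARGET"
    echo "processes mentioning $TARGET:"
    processes_mentioning "$TARGET"
fi
```

Files this reports, and the PIDs it lists, are what to examine before deleting the library again; a process that does not mention the path on its command line but holds it open would need `lsof` or `/proc/*/maps` as a further check, which this example does not do.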
Re: Got 10 VestaCP servers exploited
http://dpaste.com/3DZBD8F

Prime wrote: ↑ Sat Apr 07, 2018 9:00 pm
Can you do a "ps aux" and share it using something like Pastebin? There may be some other script or application that spawns a new one if it's removed.
usr999 wrote: ↑ Sat Apr 07, 2018 8:57 pm
Can't delete the virus body; after deleting it, it's always restored: /usr/lib/libudev.so
Re: Got 10 VestaCP servers exploited
You need to reinstall the server OS. Even if this exploit is fixed by the Vesta team, your server will still get infected.

Prime wrote: ↑ Sat Apr 07, 2018 9:00 pm
Can you do a "ps aux" and share it using something like Pastebin? There may be some other script or application that spawns a new one if it's removed.
usr999 wrote: ↑ Sat Apr 07, 2018 8:57 pm
Can't delete the virus body; after deleting it, it's always restored: /usr/lib/libudev.so
Re: Got 10 VestaCP servers exploited
We can't install Vesta again until we know for a fact that this has been patched.
So far we don't know where the breach is.
Re: Got 10 VestaCP servers exploited
Who can send access to a server where files with the virus still exist?
[email protected]