Page 5 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:40 pm
by StudioMaX
Moderators: please post instructions how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their configs of the web server and try to catch the requests from the exploit.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:41 pm
by sandy
StudioMaX wrote:
Sat Apr 07, 2018 8:36 pm
Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them located in /usr/local/vesta/data/sessions
As I understand the web interface internals, PHP will check that we have "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php), otherwise it will redirect to the Login page.
What I mean - I looked through all the session files in notepad, and search them for variable "user", and it exist only in the sessions created by me (my IP address exists in "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.
as far as i checked its vesta php and exploit present in vesta core files which are used to perform root tasks.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:45 pm
by Prime
StudioMaX wrote:
Sat Apr 07, 2018 8:40 pm
Moderators: please post instructions how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their configs of the web server and try to catch the requests from the exploit.
It should be as easy as editing the nginx configuration for Vesta:

Code: Select all

access_log /usr/local/vesta/log/nginx_access.log compression;
You can find the configuration in "/usr/local/vesta/nginx/conf/nginx.conf" and you need to restart Vesta service after editing the file.

Edit: I stand corrected, just edit the file and append access_log to a file. Right now it's redirected as following in the file "access_log /dev/null main;"

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:50 pm
by LAlf
I have 3 servers with vestacp, in all servers output trafic (tx) not more 100 kb, but in one server login/password in vesta now incorrect (nobody change it) + inodes use 100%. Its strange.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:57 pm
by usr999
Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 9:00 pm
by Prime
usr999 wrote:
Sat Apr 07, 2018 8:57 pm
Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)
Can you do a "ps aux" and share it using like Pastebin? There may be some other script or application that spawn a new one if it's removed.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 9:06 pm
by usr999
Prime wrote:
Sat Apr 07, 2018 9:00 pm
usr999 wrote:
Sat Apr 07, 2018 8:57 pm
Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)
Can you do a "ps aux" and share it using like Pastebin? There may be some other script or application that spawn a new one if it's removed.
http://dpaste.com/3DZBD8F

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 9:43 pm
by sandy
Prime wrote:
Sat Apr 07, 2018 9:00 pm
usr999 wrote:
Sat Apr 07, 2018 8:57 pm
Can't delete virus body, after delete it always restored /usr/lib/libudev.so

[root@waterleafshop aparser]# clamscan -ri --remove=yes /usr
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 6425142
Engine version: 0.99.4
Scanned directories: 6737
Scanned files: 44599
Infected files: 1
Data scanned: 2094.92 MB
Data read: 1385.61 MB (ratio 1.51:1)
Time: 359.764 sec (5 m 59 s)
Can you do a "ps aux" and share it using like Pastebin? There may be some other script or application that spawn a new one if it's removed.
You need to reinstall server os. Even this exploit is fixed by vesta team your server will still get infected

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 9:46 pm
by lukapaunovic
we cant install vesta gain until we know for a fact that this has been patched.
so far we don't know where is the breach.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 9:56 pm
by imperio
Who can send access to server where a files with virus still exists ?
info@vestacp.com