
Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 6:18 pm
by numberek
I have version 0.9.8 Release:17 running on Ubuntu 16.04.02 LTS. I am trying to update Vesta with v-update-sys-vesta-all.
But it's saying the update failed. My Linux version shows 244 packages can be updated; 115 updates are security updates. Haven't done anything for months now.

Do I need to update my Ubuntu version first?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 6:18 pm
by RevengeFNF
Only my dev VPS was infected, and after cleaning it up and updating Vesta, today I got this entry in the nginx-error.log:

2018/04/09 03:55:52 [error] 1124#0: *8 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "64.137.***.***:8083"
Is this related?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 6:26 pm
by RevengeFNF
efinstorm wrote:
Tue Apr 10, 2018 6:17 pm
Found this in my nginx-error.log

2018/04/09 03:52:05 [error] 8641#0: *32 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "myip:8083"
Wow, this is exactly the same one I got. Same IP, and only 3 minutes later.
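The two log lines quoted above share a client IP and a request path, which is what makes them worth correlating across hosts. As an added example (not from this thread or from VestaCP), here is a small Python parser for nginx error_log lines of this shape that collects requests for the probed path per client IP. The log layout, the path /_asterisk/ and the two client IPs come from the posts; the third sample line, the set name PROBE_PATHS and the helper names are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Layout of a default nginx error_log entry that carries request context:
# <date> <time> [<level>] <pid>#<tid>: *<cid> <message>, client: <ip>,
#   server: <name>, request: "<req>", host: "<host>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<cid>\d+) (?P<msg>.*?)'
    r', client: (?P<client>[^,]+)'
    r', server: (?P<server>[^,]*)'
    r', request: "(?P<request>[^"]*)"'
    r'(?:, host: "(?P<host>[^"]*)")?$'
)

# Paths reported in the thread as being requested on the panel port shortly
# before compromise. Extend this set from your own logs.
PROBE_PATHS = {"/_asterisk/"}

# Constructed sample: the first two lines are the ones posted in the thread,
# the third is a made-up benign 404 so the filter has something to ignore.
SAMPLE_LOG = [
    '2018/04/09 03:52:05 [error] 8641#0: *32 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "myip:8083"',
    '2018/04/09 03:55:52 [error] 1124#0: *8 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "64.137.***.***:8083"',
    '2018/04/10 09:12:44 [error] 1124#0: *9 open() "/usr/local/vesta/web/favicon.ico" failed (2: No such file or directory), client: 10.0.0.5, server: _, request: "GET /favicon.ico HTTP/1.1", host: "203.0.113.7:8083"',
]


@dataclass
class ErrorEntry:
    ts: str
    level: str
    msg: str
    client: str
    method: str
    path: str
    host: Optional[str]


def parse_line(line: str) -> Optional[ErrorEntry]:
    """Parse one error_log line; return None for lines without request context."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # request is "<METHOD> <path> <proto>"; malformed requests may have fewer parts
    parts = m.group("request").split(" ")
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return ErrorEntry(m.group("ts"), m.group("level"), m.group("msg"),
                      m.group("client"), method, path, m.group("host"))


def find_probes(lines, probe_paths=PROBE_PATHS):
    """Map client IP -> timestamps of requests whose path is in probe_paths."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Compare the path without any query string so "/_asterisk/?x=1" still matches.
        path = entry.path.split("?", 1)[0]
        if path in probe_paths:
            hits[entry.client].append(entry.ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, times in find_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(times)} probe(s), first {times[0]}, last {times[-1]}")
```

Run against a real file with `find_probes(open("/var/log/nginx/error.log"))`; the output gives one entry per source address, so the same IP showing up on several servers within minutes, as in the two posts above, is visible at a glance. Lines without request context (startup notices, signal messages) are skipped rather than treated as errors.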

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 6:42 pm
by romWeb
I have updated my Vesta to 09.08-20 and changed the port to 2083, but I still can't get into my Vesta web interface and my webmail doesn't work.
What should I do?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:03 pm
by romWeb
Have done everything, but nothing changed; the Vesta web interface doesn't work.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:11 pm
by romWeb
Yeah, just checked again!
Any ideas?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:17 pm
by n0x
So the droplet was disconnected by Digital Ocean at 3:53pm today (10/04/2018); it was pushing 1 Gbps outbound at the time, but it looks like traffic had been spiking outbound for a number of hours prior to that.

Backups on the VM run at 5 and 6am so I'm pretty sure it wasn't outbound backup traffic.

My port was also set to an alternative to 8083.

[Sorry for screenshots - I'm limited to HTML console]

Vesta is running on 0.9.8-20:

[screenshot]

I don't have the same script running under the crontab as was seen on the 10th.

Just noticed, I do have some weird commands being run as 'root' when I do

ps -fU admin

with things like 'ifconfig eth0', 'su', 'pwd', 'cat resolv.conf', etc. along with the standard Vesta admin processes (NGINX, etc.). I'm not sure what that is, but I don't see it on any other VM running Vesta, and I don't recall seeing it on the 10th with the original issue on 0.9.8-19.

I am about to boot the VM into recovery mode so I can mount the drive and get some files so I'll only have access to log files then.

It's definitely something suspicious, but I don't think it is related to the same issues as on the 10th; happy to look at anything else that's needed.
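The check described above, comparing what `ps -fU admin` shows against what a clean panel host should be running, is easy to turn into a repeatable baseline test. As an added example (not from this thread or from VestaCP), here is a Python script that parses `ps -f` output, flags processes whose program is not in an expected-command list, and groups the flagged ones by parent PID. The `ps -f` column layout is standard procps; the EXPECTED_COMMANDS set is an assumption to be replaced with a list taken from a clean install, and SAMPLE_PS is constructed output whose short-lived commands mirror the ones named in the post.

```python
from collections import defaultdict
from os.path import basename

# Column header printed by `ps -f` (procps on Linux). CMD is last and may contain spaces.
PS_COLUMNS = ("UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD")

# Assumption: the programs a Vesta panel user is expected to own. Build the real
# list from a clean install of the same version; treat this one as a placeholder.
EXPECTED_COMMANDS = {"nginx", "php-fpm"}

# Constructed sample of `ps -fU admin` output. The panel processes are what a
# clean host shows; the four one-shot commands mirror those named in the thread.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
admin      901     1  0 Apr09 ?        00:00:00 nginx: master process /usr/local/vesta/nginx/sbin/vesta-nginx
admin      902   901  0 Apr09 ?        00:00:03 nginx: worker process
admin      910     1  0 Apr09 ?        00:00:01 php-fpm: master process (/usr/local/vesta/php/etc/php-fpm.conf)
admin     4412  4400  0 19:01 ?        00:00:00 ifconfig eth0
admin     4415  4400  0 19:01 ?        00:00:00 cat /etc/resolv.conf
admin     4418  4400  0 19:01 ?        00:00:00 su
admin     4420  4400  0 19:01 ?        00:00:00 pwd
"""


def parse_ps_f(text: str) -> list:
    """Turn `ps -f` output into a list of dicts keyed by PS_COLUMNS."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split() != list(PS_COLUMNS):
        raise ValueError("expected a `ps -f` header: " + " ".join(PS_COLUMNS))
    rows = []
    for ln in lines[1:]:
        fields = ln.split(None, len(PS_COLUMNS) - 1)  # keep spaces inside CMD intact
        if len(fields) == len(PS_COLUMNS):
            rows.append(dict(zip(PS_COLUMNS, fields)))
    return rows


def command_name(cmd: str) -> str:
    """Reduce a CMD field to its program name: strip the path and 'nginx:'-style titles."""
    tokens = cmd.split()
    if not tokens:
        return ""
    return basename(tokens[0].rstrip(":"))


def unexpected_processes(rows, expected=EXPECTED_COMMANDS) -> dict:
    """Return rows whose program is not in the baseline, grouped by parent PID.

    Grouping by PPID matters: several odd one-shot commands sharing one parent
    point at a single spawning process to examine, rather than unrelated events.
    """
    by_parent = defaultdict(list)
    for row in rows:
        if command_name(row["CMD"]) not in expected:
            by_parent[row["PPID"]].append(row)
    return dict(by_parent)


def report(text: str, expected=EXPECTED_COMMANDS) -> list:
    """One line per finding, suitable for a ticket or an alert body."""
    out = []
    for ppid, rows in sorted(unexpected_processes(parse_ps_f(text), expected).items()):
        out.append(f"parent {ppid}: {len(rows)} unexpected child process(es)")
        for r in rows:
            out.append(f"  pid {r['PID']} started {r['STIME']} cmd {r['CMD']!r}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PS)))
```

On a live host, feed it `subprocess.run(["ps", "-fU", "admin"], capture_output=True, text=True).stdout` and run it from cron, diffing the report against the previous run; the parent PID it reports is the process whose binary, open files and start time are worth recording before the VM is rebooted, since a reboot loses that state.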

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:22 pm
by kobo1d
Just noticed, I do have some weird commands being run as 'root' when I do

ps -fU admin

with things like 'ifconfig eth0', 'su', 'pwd', 'cat resolv.conf', etc. along with the standard Vesta admin processes (NGINX, etc.). I'm not sure what that is, but I don't see it on any other VM running Vesta, and I don't recall seeing it on the 10th with the original issue on 0.9.8-19.
That's exactly how the virus operates. This happened to me pre-update; this is how I found out about the infection.
So yes, it's the same!

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:28 pm
by n0x
kobo1d wrote:
Tue Apr 10, 2018 7:22 pm
Just noticed, I do have some weird commands being run as 'root' when I do

ps -fU admin

with things like 'ifconfig eth0', 'su', 'pwd', 'cat resolv.conf', etc. along with the standard Vesta admin processes (NGINX, etc.). I'm not sure what that is, but I don't see it on any other VM running Vesta, and I don't recall seeing it on the 10th with the original issue on 0.9.8-19.
That's exactly how the virus operates. This happened to me pre-update; this is how I found out about the infection.
So yes, it's the same!
Okay, I didn't see that on the VMs on Saturday, but with this one, having been watching it before rebooting, it was running through a number of the same commands on a loop.

Crontab: [screenshot]
Vesta Sessions: [screenshot]
I have noticed that on my VM that was spun up this morning, and had Vesta installed about 9am BST, I have all 0.9.8-20 packages from today (10th):

root@nyc1:~# v-list-sys-vesta-updates
PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  20   amd64  yes   2018-04-10
vesta-php    0.9.8  20   amd64  yes   2018-04-10
vesta-nginx  0.9.8  20   amd64  yes   2018-04-10
root@nyc1:~#
The compromised VM had the 'vesta' and 'vesta-nginx' packages from the 9th.

[screenshot]

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:32 pm
by romWeb
To AshleyIn1080p: thanks, dear, I have checked again via your link and the Vesta web interface is working now. Thanks very much again.
Another small question: what should I do with the mail server? It seems to me it still doesn't work.