Page 6 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 10:33 pm
by dpeca
StudioMaX wrote:
Sat Apr 07, 2018 8:40 pm
Moderators: please post instructions how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their configs of the web server and try to catch the requests from the exploit.
https://pastebin.com/sj8uWAr4

But I don't suggest running the vesta service at all right now.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 10:36 pm
by n0x
Just to add another hacked installation: I got notified by DigitalOcean today of an outbound DDoS from two VMs at 14:42, with about 1 Gbps outbound on both machines.

They've cut all network access to the VMs and won't restore it, so I can't provide access for any investigations; I'm in the process of restoring to new VMs from backups at the moment.

Installation was Ubuntu 16.04 with Vesta 0.9.8-19. Both VMs had apache, nginx, bind, exim/dovecot, mysql, iptables + fail2ban and vsftpd installed.

I've got some limited, very slow, console access to the VMs until they get rebooted / destroyed.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 10:44 pm
by dpeca
usr999 wrote:
Sat Apr 07, 2018 8:57 pm
Can't delete virus body, after delete it always restored /usr/lib/libudev.so
Try this guide - https://admin-ahead.com/forum/server-se ... ts-trojan/

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 10:46 pm
by skurudo
n0x wrote:
Sat Apr 07, 2018 10:36 pm
They've cut all network access to the VMs and won't restore it, so I can't provide access for any investigations; I'm in the process of restoring to new VMs from backups at the moment.
Did they disable console access too?

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 10:52 pm
by n0x
skurudo wrote:
Sat Apr 07, 2018 10:46 pm
Did they disable console access too?
Nope - I can get on via the console, but it is very slow, and for some reason the | pipe character comes out as > no matter what I do, so I'm limited in the commands I can run too.

I have the same /lib/libudev.so.6 in my crontab:

Code:

# Cron job dropped by the malware (as posted): brings every interface listed in /proc/net/dev up
# in the background, re-creates /lib/libudev.so.6 from the copy kept at /lib/libudev.so, then runs it.
# The cp is why deleting one copy of the file on its own does not stick.
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 11:19 pm
by skurudo
n0x wrote:
Sat Apr 07, 2018 10:52 pm
skurudo wrote:
Sat Apr 07, 2018 10:46 pm
Did they disable console access too?
Nope - I can get on via the console, but it is very slow, and for some reason the | pipe character comes out as > no matter what I do, so I'm limited in the commands I can run too.
Can you please provide access via info@vestacp.com?

If not, run these commands and show us the output in a spoiler:

Code:

stat /etc/cron.hourly/gcc.sh

Code:

ls -la /usr/local/vesta/data/sessions/

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 11:45 pm
by n0x
skurudo wrote:
Sat Apr 07, 2018 11:19 pm
n0x wrote:
Sat Apr 07, 2018 10:52 pm
skurudo wrote:
Sat Apr 07, 2018 10:46 pm
Did they disable console access too?
Nope - I can get on via the console, but it is very slow, and for some reason the | pipe character comes out as > no matter what I do, so I'm limited in the commands I can run too.
Can you please provide access via info@vestacp.com?

If not, run these commands and show us the output in a spoiler:

Code:

stat /etc/cron.hourly/gcc.sh

Code:

ls -la /usr/local/vesta/data/sessions/
I've run the commands; I had to screenshot since I can't copy/paste from the console (I also only get half a screen, and as I can't use | I can't paginate the ls output, so I dumped it to a text file and screen-grabbed it from nano).

Code:

stat /etc/cron.hourly/gcc.sh
[screenshot of the output, in a spoiler]

Code:

ls -la /usr/local/vesta/data/sessions/
[two screenshots of the output, in a spoiler]
I'll see if I can get the VM into a team account that I can share, but DigitalOcean are going to destroy it soon and spin up a new/clean VM.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 11:49 pm
by skivte
skurudo wrote:
Sat Apr 07, 2018 11:19 pm
Can you please provide access via info@vestacp.com?

If not, run these commands and show us the output in a spoiler:
I'm on DigitalOcean as well, and I can't give access to or copy text from their web console, but here are screenshots of each command:

Code:

stat /etc/cron.hourly/gcc.sh
https://i.imgur.com/VkoD4UZ.png

Code:

ls -la /usr/local/vesta/data/sessions/
https://i.imgur.com/JZHOmpU.png

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 11:57 pm
by n0x
n0x wrote:
Sat Apr 07, 2018 11:45 pm
I'll see if I can get the VM into a team account that I can share, but DigitalOcean are going to destroy it soon and spin up a new/clean VM.
I can't find a way to move individual VMs / droplets into a team account so that I can share them with other users.

Let me know if you need any other commands run on the VM.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:51 am
by dpeca
The GID of gcc.sh is always 1001 or 1002; I just noticed that from the screenshots users provided.
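The checks asked for in this thread (stat of /etc/cron.hourly/gcc.sh, the listing of the Vesta sessions directory, the libudev.so cron job n0x posted, and the gcc.sh GID dpeca noticed) can be run in one pass. The script below is an added example, not code from the thread or from the VestaCP project. It assumes the file and cron spool paths named in the thread (plus the RHEL-style /var/spool/cron layout and /etc/crontab as extra places to look), takes an optional root prefix so the same checks can be run against a mounted disk image or a copied tree, and deliberately uses no "|", since the rescue console n0x describes turns a pipe into ">".

```shell
#!/bin/sh
# Added triage helper (not from the thread or from VestaCP).
# Reports the indicators named in the thread and counts them in IOC_HITS;
# returns 0 when nothing was found, 1 otherwise.
# Paths are assumed to match a live install under the given root prefix.

IOC_HITS=0

vesta_triage() {
    root="${1:-}"
    IOC_HITS=0

    # Dropped files: numeric owner/group so the gid can be compared with the
    # 1001/1002 dpeca observed, plus size and mtime for a timeline.
    for f in /etc/cron.hourly/gcc.sh /lib/libudev.so /lib/libudev.so.6 /usr/lib/libudev.so; do
        if [ -e "$root$f" ]; then
            IOC_HITS=$((IOC_HITS + 1))
            stat -c 'HIT %n uid=%u gid=%g size=%s mtime=%y' "$root$f"
        fi
    done

    # Crontabs (Debian and RHEL spool layouts, plus /etc/crontab) that
    # reference the dropper, as in the crontab n0x posted.
    for c in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* "$root"/etc/crontab; do
        [ -f "$c" ] || continue
        if grep -q 'libudev\.so' "$c"; then
            IOC_HITS=$((IOC_HITS + 1))
            echo "HIT crontab $c references libudev.so:"
            grep -n 'libudev\.so' "$c"
        fi
    done

    # Session files show which panel users were logged in, and when.
    sess="$root/usr/local/vesta/data/sessions"
    if [ -d "$sess" ]; then
        echo "Vesta sessions in $sess:"
        ls -la "$sess"
    fi

    echo "IOC hits: $IOC_HITS"
    [ "$IOC_HITS" -eq 0 ]
}

# Live host:      vesta_triage
# Mounted image:  vesta_triage /mnt/evidence
```

Run it before the provider destroys the VM; the stat lines give you the mtimes needed to line the drop up against the web server access logs, and a non-zero exit status makes it usable from a fleet-wide SSH loop.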