Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 14, 2018 12:25 am
by dpeca
nextgi wrote: ↑Fri Apr 13, 2018 8:44 pm
Well,
I'm glad we are making a full circle on our original working theory lol.
We have documented proof that the correlation between the URL http://<your ip>/webmail was the vector entry point on the systems we have been examining. It may not be Roundcube specific; we have yet to determine this. It may be a combined vector attack in which it leverages Vesta and Roundcube. However, in some situations Roundcube and access to the webmail path were removed/disabled. So, this would lean towards possibly Apache? nginx? We are still investigating ourselves. For those who had access to port 8083 changed and, in some cases, completely blocked, this has led us to believe it was not, at least solely, reliant on VestaCP's API.
What about the percentages of distributions used on the infected servers?
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 14, 2018 12:47 am
by RevengeFNF
Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.
I'll send off more once they fix those.
This is Patrick from Rack911 Labs, a Software Security Auditing company.
Procedure to remove exploited
Posted: Sat Apr 14, 2018 3:13 am
by remontti
Locate the file / process
ersjbxirbj 5461 root 3u IPv4 107136 0t0 TCP host.dom.br:35112->192.126.118.127:smtp
Scan with
/usr/bin/ersjbxirbj: Unix.Trojan.DDoS_XOR-1 FOUND
Change the FILE variable to the file/process name, then copy and paste the whole block and run it at once.
#!/bin/sh
# Fixed PATH so the commands below resolve to the system binaries
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Name of the malicious binary/process found above
FILE=ersjbxirbj

# The malware respawns itself, so kill every process whose name is exactly
# ten lowercase letters before and after each removal step.
# Note: any legitimate process with such a name is killed as well.
killmal() {
    pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
}

# Neutralise the library it reinstalls itself from before touching the rest
chmod 0 /lib/libudev.so
echo '0' > /lib/libudev.so

# Cron persistence
killmal
rm -f /etc/cron.hourly/gcc.sh

# SysV init script and its runlevel links
killmal
rm -f /etc/init.d/$FILE
killmal
for lvl in 1 2 3 4 5; do
    rm -f /etc/rc$lvl.d/S90$FILE
done

# systemd units generated from the init script
for wants in graphical.target.wants multi-user.target.wants rescue.target.wants; do
    killmal
    rm -f /run/systemd/generator.late/$wants/$FILE.service
done
killmal
rm -f /run/systemd/generator.late/$FILE.service

# Finally the binary itself, then the library, then reboot clean
killmal
echo '0' > /usr/bin/$FILE
rm -f /usr/bin/$FILE
rm -f /lib/libudev.so
reboot
Hope this helps!
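As an added, read-only companion to the procedure above (example code, not from remontti's post): the first function applies the same ten-lowercase-letter name heuristic the kill pipeline uses to pstree -ap output, the second lists which of the persistence paths the procedure removes are actually present under a given root. The pstree excerpt is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of remontti's post: read-only triage for the
# infection described above. Nothing here kills or deletes; it only reports.
# Indicator paths are those the cleanup procedure removes; the pstree excerpt
# further down is constructed, not captured from an infected host.
# Print "pid name" for every pstree -ap entry whose process name is exactly
# ten lowercase letters, the naming scheme the cleanup script keys on.
# Reads pstree -ap output on stdin; the first sed drops the tree drawing.
suspicious_pids() {
    sed -E 's/^[ |`+-]*//' |
        grep -E '^[a-z]{10},[0-9]+' |
        sed -E 's/^([a-z]{10}),([0-9]+).*/\2 \1/'
}

# Print each persistence path from the cleanup procedure that exists under
# ROOT ($1, / for the live system, a mount point for an offline image) for
# the suspicious binary NAME ($2).
persistence_hits() {
    root="${1%/}"; name="$2"
    for p in /lib/libudev.so /etc/cron.hourly/gcc.sh \
             "/usr/bin/$name" "/etc/init.d/$name" \
             "/etc/rc1.d/S90$name" "/etc/rc2.d/S90$name" "/etc/rc3.d/S90$name" \
             "/etc/rc4.d/S90$name" "/etc/rc5.d/S90$name" \
             "/run/systemd/generator.late/$name.service" \
             "/run/systemd/generator.late/multi-user.target.wants/$name.service" \
             "/run/systemd/generator.late/graphical.target.wants/$name.service" \
             "/run/systemd/generator.late/rescue.target.wants/$name.service"; do
        [ -e "$root$p" ] && echo "$root$p"
    done
    return 0
}

# Constructed pstree -ap excerpt. containerd is a legitimate ten-letter daemon:
# the name pattern is only a lead; confirm the binary path, its open sockets
# and the scanner verdict (as in the post) before killing anything.
SAMPLE_PSTREE='systemd,1 --system
  |-sshd,900 -D
  |   `-sshd,1501
  |-containerd,1200
  |-ersjbxirbj,5461
  |   `-{ersjbxirbj},5462
  `-cron,800 -f'
# Stand-alone run: candidates from the sample, then live-filesystem indicators.
main() {
    printf '%s\n' "$SAMPLE_PSTREE" | suspicious_pids | while read -r pid name; do
        echo "candidate pid=$pid name=$name"
        persistence_hits / "$name"
    done
}
main
```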
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 14, 2018 9:01 am
by kobo1d
RevengeFNF wrote: ↑Sat Apr 14, 2018 12:47 am
Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.
I'll send off more once they fix those.
This is Patrick from Rack911 Labs, a Software Security Auditing company.
Good work! Is he doing that for free?
Must be some nice guy :)
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 15, 2018 4:15 pm
by nextgi
kobo1d wrote: ↑Sat Apr 14, 2018 9:01 am
RevengeFNF wrote: ↑Sat Apr 14, 2018 12:47 am
Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.
I'll send off more once they fix those.
This is Patrick from Rack911 Labs, a Software Security Auditing company.
Good work! Is he doing that for free?
Must be some nice guy :)
This is pretty cool. Now, I do have one question. Are these exploits focused on the control panel? I would imagine so. Which would mean we still need to dig and find the root cause. Nonetheless, it is still pretty awesome that we have an additional set of eyes submitting vulnerabilities.
As for the survey... We are reviewing the responses and will provide feedback to the group soon. Thank you for your submissions.
Re: Got 10 VestaCP servers exploited
Posted: Tue Apr 17, 2018 6:37 pm
by dpeca
I, personally, have one question for all administrators whose server got hacked.
Did you disable dangerous PHP functions (like shell_exec(), system() and exec()) with "disable_functions" in php.ini?
Re: Got 10 VestaCP servers exploited
Posted: Tue Apr 17, 2018 8:47 pm
by mehargags
dpeca wrote: ↑Tue Apr 17, 2018 6:37 pm
I, personally, have one question for all administrators whose server got hacked.
Did you disable dangerous PHP functions (like shell() and exec()) with "disable_functions" in php.ini?
Well, I did not disable them... BUT I also have a counter question: Vesta's internal PHP is different from the system-wide PHP, right? So if someone got an entry point in VestaCP, what difference would it make if we have the exec() or shell() functions disabled on the web/CLI PHP?
Re: Got 10 VestaCP servers exploited
Posted: Tue Apr 17, 2018 8:59 pm
by dpeca
There is no difference, and Vesta's PHP cannot even disable those functions, because the VestaCP web interface would not work then.
My starting point is that maybe the hacker first compromised a site that is hosted on that server.
With the exec() and shell_exec() PHP functions enabled, maybe it's possible to get a higher user level (admin or root) and then compromise the whole server...
I will suggest to Serghey that we disable dangerous functions in php.ini by default (during Vesta installation).
Having PHP functions like exec() and shell_exec() enabled is the same as giving SSH to PHP scripts.
And the PHP level is easy to hack if you host outdated WordPress, Joomla and their plugins.
Yes, it will run the script under the user level, but, as I said, maybe it's possible somehow to get a higher user level.
I never liked the idea that PHP is allowed to execute shell commands...
Re: Got 10 VestaCP servers exploited
Posted: Tue Apr 17, 2018 10:45 pm
by RevengeFNF
I always disable exec, system, popen, proc_open and shell_exec.
Re: Got 10 VestaCP servers exploited
Posted: Tue Apr 17, 2018 10:52 pm
by dpeca
Here is my list of disabled functions in php.ini:
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen
My server never got rooted from the PHP level with this.
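An added example (not from any post in this thread) that audits a php.ini against the shell-spawning functions RevengeFNF and dpeca list above, so the check can be run on every php.ini a box carries (as dpeca notes, the panel's own PHP cannot take this list, so it is the web/CLI php.ini files that can be hardened this way). The ini fragments are constructed after the two posted lists, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini for the shell-spawning
# functions named in this discussion. Function names and the sample ini
# fragments are taken from, or constructed after, the posts above.
# Functions the thread treats as "giving SSH to PHP scripts".
SHELL_FUNCS="exec system passthru shell_exec proc_open popen"
# Print the effective disable_functions list of an ini file, one name per
# line. Skips commented-out lines; if the directive appears more than once
# the last one wins, as PHP applies it. Reads $1, or stdin when no argument.
disabled_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "${1:-/dev/stdin}" |
        tail -n 1 | sed -E 's/^[^=]*=//; s/[[:space:]]//g; s/"//g' |
        tr ',' '\n' | sed '/^$/d'
}

# Print each function in SHELL_FUNCS the ini does NOT disable.
# Exit status 0 when every one is covered, 1 otherwise.
missing_shell_funcs() {
    disabled=$(disabled_functions "$1")
    status=0
    for f in $SHELL_FUNCS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$f"; then
            echo "$f"; status=1
        fi
    done
    return $status
}

# Constructed php.ini fragments mirroring the two lists posted in the thread.
# The dpeca list is abridged: only two of its pcntl_* entries are kept.
INI_REVENGEFNF='; constructed sample, list from the RevengeFNF post
disable_functions = exec, system, popen, proc_open, shell_exec'
INI_DPECA='; constructed sample, abridged list from the dpeca post
;disable_functions = exec
disable_functions = pcntl_fork,pcntl_exec,exec,system,passthru,shell_exec,proc_open,popen'

# Stand-alone run: audit both samples, then php.ini files in common locations.
main() {
    for sample in "$INI_REVENGEFNF" "$INI_DPECA"; do
        echo "--- sample"
        printf '%s\n' "$sample" | missing_shell_funcs || echo "(not fully covered)"
    done
    for ini in /etc/php.ini /etc/php/*/*/php.ini; do
        [ -f "$ini" ] || continue
        echo "--- $ini"
        missing_shell_funcs "$ini" || echo "(not fully covered)"
    done
}
main
```

Run against each sample, the RevengeFNF list reports passthru as still enabled while the dpeca list reports nothing.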