Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:45 am
by albertus
Did anyone find how this rootkit made its way into the server?

My affected servers aren't online so I still couldn't log in to investigate the log files.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 5:09 am
by sandy
Same here, 2 servers are suspended because of DDoS. Can't send to the Vesta team as the servers are in suspend mode.

Thank god I've backups configured on a remote server, else you know.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 7:05 am
by skid
Here is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. CentOS, Debian, Ubuntu: all distros are affected, it's platform independent
4. We didn't find any traces in vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

What you can do:
The best way to stay safe is to temporarily disable the vesta web service:

service vesta stop

systemctl disable vesta
or limit access to port 8083 using a firewall.

What we are doing:
A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get the full picture of the hack.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 7:38 am
by louis
Hi Everyone,

I also have one of my new servers by OVH which is suspended. I had two-factor auth for every SSH user.

I already stopped vesta on my other servers. Maybe you should add two-factor auth for vesta.

Thanks for your help :)

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 7:42 am
by sandy
skid wrote:
Sun Apr 08, 2018 7:05 am
Here is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. CentOS, Debian, Ubuntu: all distros are affected, it's platform independent
4. We didn't find any traces in vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

What you can do:
The best way to stay safe is to temporarily disable the vesta web service:

service vesta stop

systemctl disable vesta
or limit access to port 8083 using a firewall.

What we are doing:
A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get the full picture of the hack.

So what do you suggest, re-installation of the hacked server?
This is the only way to have a clean OS. Or if you launch a security patch, are these hacks removed from the server? I don't think so.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 7:45 am
by louis
Sandy, in my case I reinstalled my server, changed the vesta port and stopped the vesta service until any other information.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 7:47 am
by sandy
Yes, I know that is the only option, need to confirm from the Vesta team. These are the main consequences with open-source projects, they always get hacked. If you're going to publicize the source code, also ensure security, since the panel is responsible for controlling the server.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 7:55 am
by talha
Obviously we need to reinstall the OS, but first we need to wait until VestaCP releases a patch file. -_-

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 8:16 am
by sandy
talha wrote:
Sun Apr 08, 2018 7:55 am
Obviously we need to reinstall the OS, but first we need to wait until VestaCP releases a patch file. -_-

Think of those who have 100s of GBs of files stored on the server (powered with vesta) and need to reinstall the OS :P God bless them.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 8:21 am
by vesta-user
I think stopping vesta is too much of an over-reaction!
Just harden the firewall rules (iptables/security group/router/other), Netflix and chill.

The reason being vesta's services, i.e. HTTP, postfix, etc., are more or less not written by Vesta, and are running all around the web. The 0-day (if any) might be in a vesta-related application running on ports like 8083.

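Added example, not code from any poster in this thread or from the VestaCP project: a POSIX sh triage helper that ties together skid's indicator list and vesta-user's firewall suggestion. It checks a host (or a mounted image of a suspended server, by passing its mount point as the root) for the two files skid named, /etc/cron.hourly/gcc.sh and /usr/lib/libudev.so, and prints the iptables rules that keep vesta running while restricting port 8083 to one admin network. The function names, the ADMIN_CIDR placeholder and the mounted-image usage are my assumptions; the paths and the port come from the thread.

```shell
#!/bin/sh
# Added example (not from the VestaCP team or this thread's posters).
# Read-only triage for the indicators listed in the thread, plus the
# "limit port 8083 with a firewall" mitigation. Paths and port are from
# the thread; ADMIN_CIDR is an assumed placeholder the operator fills in.

# Indicator files named by skid. Space separated so a plain for-loop works.
VESTA_IOCS="/etc/cron.hourly/gcc.sh /usr/lib/libudev.so"
VESTA_PORT=8083

# count_vesta_iocs [ROOT]
# Prints how many of the indicator files exist under ROOT (default /).
# Pass the mount point of an offline disk image to triage a suspended host.
count_vesta_iocs() {
    root="${1:-/}"
    n=0
    for ioc in $VESTA_IOCS; do
        [ -e "${root%/}$ioc" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# check_vesta_iocs [ROOT]
# Prints each indicator found together with its ls -l line. The file type
# and mtime matter: a freshly written regular file is the suspicious case,
# whereas a symlink installed by a distro package is not, in itself.
check_vesta_iocs() {
    root="${1:-/}"
    for ioc in $VESTA_IOCS; do
        path="${root%/}$ioc"
        if [ -e "$path" ]; then
            printf 'INDICATOR: %s\n' "$path"
            ls -l "$path" 2>/dev/null
        fi
    done
    # Also list the hourly cron drop-in directory; the thread's first
    # indicator lives there, so any unfamiliar entry deserves a look.
    printf 'cron.hourly entries:\n'
    ls -l "${root%/}/etc/cron.hourly" 2>/dev/null
}

# vesta_firewall_rules ADMIN_CIDR
# Prints (does not run) iptables commands that allow the vesta port only
# from ADMIN_CIDR. The DROP is inserted first so that the ACCEPT inserted
# afterwards lands above it; both sit ahead of any existing accept-all rule.
vesta_firewall_rules() {
    admin_cidr="${1:?usage: vesta_firewall_rules ADMIN_CIDR}"
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$VESTA_PORT"
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' \
        "$VESTA_PORT" "$admin_cidr"
}

# Stand-alone use:  sh triage.sh /            (live host)
#                   sh triage.sh /mnt/image   (mounted disk of a suspended box)
if [ $# -gt 0 ]; then
    check_vesta_iocs "$1"
    printf 'indicators present: %s\n' "$(count_vesta_iocs "$1")"
    printf '\nsuggested firewall rules (replace ADMIN_CIDR):\n'
    vesta_firewall_rules "ADMIN_CIDR"
fi
```

A nonzero indicator count on a host is a reason to preserve the disk and follow the reinstall advice given in the thread rather than to clean files by hand; the firewall rules are the alternative vesta-user proposes for hosts that show no indicators but still expose 8083.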