Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:45 am
by albertus
Did anyone find how this rootkit made its way into the server?
My affected servers aren't online so I still couldn't log in to investigate the log files.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 5:09 am
by sandy
Same here, 2 servers are suspended because of DDoS. Can't send to the Vesta team as the servers are in suspended mode.
Thank God I've backups configured on a remote server, else you know.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 7:05 am
by skid
Here is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh.
2. It was an automated hack.
3. CentOS, Debian, Ubuntu: all distros are affected; it's platform independent.
4. We didn't find any traces in Vesta and system logs yet.
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
What you can do:
The best way to stay safe is to temporarily disable the Vesta web service
or limit access to port 8083 using a firewall.
What we are doing:
A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get a full picture of the hack.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 7:38 am
by louis
Hi Everyone,
I also have one of my new servers at OVH which is suspended. I had two-factor auth for every SSH user.
I already stopped Vesta on my other servers. Maybe you should add two-factor auth for Vesta.
Thanks for your help :)
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 7:42 am
by sandy
skid wrote: Sun Apr 08, 2018 7:05 am
Here is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh.
2. It was an automated hack.
3. CentOS, Debian, Ubuntu: all distros are affected; it's platform independent.
4. We didn't find any traces in Vesta and system logs yet.
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
What you can do:
The best way to stay safe is to temporarily disable the Vesta web service
or limit access to port 8083 using a firewall.
What we are doing:
A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get a full picture of the hack.
So what do you suggest, re-installation of the hacked server?
This is the only way to have a clean OS. Or if you release a security patch, are these hacks removed from the server? I don't think so.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 7:45 am
by louis
Sandy, in my case I reinstalled my server, changed the Vesta port and stopped the Vesta service until any other information.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 7:47 am
by sandy
Yes, I know that is the only option; need to confirm with the Vesta team. These are the main consequences with open-source projects: they always get hacked. If you're going to publish the source code, also ensure security, since the panel is responsible for controlling the server.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 7:55 am
by talha
Obviously need to reinstall the OS, but first we need to wait until VestaCP releases a patch file. -_-
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 8:16 am
by sandy
talha wrote: Sun Apr 08, 2018 7:55 am
Obviously need to reinstall the OS, but first we need to wait until VestaCP releases a patch file. -_-
Think of those who have 100s of GBs of files stored on the server (powered with Vesta) and need to reinstall the OS :P God bless them.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 8:21 am
by vesta-user
I think stopping Vesta is too much of an over-reaction!
Just harden the firewall rules (iptables/security group/router/other), Netflix and chill.
The reason being Vesta's services, i.e. HTTP, Postfix, etc., are more or less not written by Vesta, and are running around the web. The 0-day (if any) might be in a Vesta-related application running on ports like 8083.
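The two defensive steps raised in this thread, skid's "check for /etc/cron.hourly/gcc.sh and /usr/lib/libudev.so, and limit port 8083 with a firewall" and vesta-user's "harden the iptables rules instead of stopping Vesta", as one added shell example. This is not code from the thread or from the VestaCP project: it only tests whether the two file paths named above exist (on the live host or on a mounted disk from a suspended server) and prints, rather than applies, iptables rules that allow the panel port from a single admin address. The admin address 203.0.113.10/32 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the VestaCP project: count the two
# indicators skid named and emit iptables rules for the panel port.
# Usage (after sourcing this file):
#   ioc_count /                            # live host
#   ioc_count /mnt/suspended-disk          # mounted disk of a suspended server
#   vesta_port_rules 203.0.113.10/32 | sh  # apply the rules (admin IP is constructed)

# Print the number of thread indicators present under ROOT (default: /).
# Each hit goes to stderr so the count on stdout stays machine-readable.
# Caveat: on some 32-bit distros a development symlink /usr/lib/libudev.so is
# legitimate, so confirm a hit with the package manager (rpm -qf / dpkg -S)
# before treating it as the DDoS payload from the thread.
ioc_count() {
    root="${1:-}"
    [ "$root" = "/" ] && root=""
    n=0
    for p in /etc/cron.hourly/gcc.sh /usr/lib/libudev.so; do
        if [ -e "$root$p" ]; then
            echo "IOC present: $root$p" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Emit iptables rules that allow the panel port (default 8083) only from ADMIN
# (a CIDR) and drop everything else. They are printed, not applied, so they can
# be reviewed first; ACCEPT is inserted at the top so it precedes the DROP.
vesta_port_rules() {
    admin="$1"
    port="${2:-8083}"
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}
```

A non-zero count from ioc_count means the host matches the thread's indicators and, as several posters conclude, should be reinstalled from a known-good image and restored from backups rather than cleaned in place; the firewall rules reduce exposure of the panel on hosts that are still clean.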