Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 10:02 am
imperio wrote: ↑Sun Apr 08, 2018 9:30 am
    Who wants to provide access to a hacked server?
    Please send access via [email protected]

Sent you an email.
Community Forum
https://forum.vestacp.com/
StudioMaX wrote: ↑Sun Apr 08, 2018 9:55 am
    A few more logs provided by the hosting support at the time when the server was active. I had the same processes as AKr0nizz. Also, the working directory of the virus was /usr/share/roundcubemail. This is somehow related to Roundcube.
    Code: Select all
[root@mail /]# lsof -p 985
COMMAND PID USER FD  TYPE DEVICE     SIZE/OFF NODE       NAME
update  985 root cwd DIR  182,178001 4096     786628     /usr/share/roundcubemail
update  985 root rtd DIR  182,178001 4096     2          /
update  985 root txt REG  182,178001 625611   659895     /tmp/update
update  985 root 0u  CHR  1,3        0t0      3390808082 /dev/null
update  985 root 1u  CHR  1,3        0t0      3390808082 /dev/null
update  985 root 2u  CHR  1,3        0t0      3390808082 /dev/null
update  985 root 3u  IPv4 1473993150 0t0      UDP *:42651
update  985 root 4u  IPv4 1473990633 0t0      UDP *:36423
update  985 root 69r FIFO 0,8        0t0      188493315  pipe
update  985 root 70w FIFO 0,8        0t0      188493315  pipe
update  985 root 71r FIFO 0,8        0t0      188493316  pipe
update  985 root 72w FIFO 0,8        0t0      188493316  pipe
update  985 root 77r CHR  1,9        0t0      3390808086 /dev/urandom
    I have now looked at the Roundcube repository on GitHub and found this recent security issue. But I don't know how this can be related to our servers.

Looks similar to my servers:
Code: Select all
374491 nginx nginx: worker process
374492 nginx nginx: worker process
374493 nginx nginx: worker process
374494 nginx nginx: worker process
374495 nginx nginx: cache manager process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
504853 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
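A triage script built around the two listings in this post, as an added example (not code from the thread, from VestaCP or from Roundcube). It parses an `lsof -p` dump like the one StudioMaX quoted and a pid/comm/args process listing like the one above, and flags what a responder looks for first: an executable living in /tmp, a root process whose working directory is a web-application tree, all three standard descriptors on /dev/null, only ephemeral UDP sockets, and processes whose kernel-side name (comm) disagrees with their command line, which is what `update` running `cat resolv.conf` and `qlzdmvoutu` running `gnome-terminal` look like. The sample text is constructed from the posted output; reading the ps listing's columns as pid/comm/args, the temp and web-app directory lists, and the ephemeral-port threshold are all assumptions.

```python
"""Triage of a suspicious process from `lsof -p PID` and `ps -eo pid,comm,args`
output, modelled on the listings posted in this thread. Added example; not
code from the thread, VestaCP or Roundcube. Sample text is constructed from
the posted output; the directory lists are assumptions, not a vetted IOC set."""
import os

# Assumption: directories no legitimate daemon should execute from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: web-application roots where a root process's cwd deserves a look.
WEBAPP_DIRS = ("/usr/share/roundcubemail/", "/var/www/", "/home/")
EPHEMERAL_PORT = 32768  # Linux default start of ip_local_port_range

# Constructed from the lsof listing quoted in the thread.
SAMPLE_LSOF = """\
COMMAND PID USER FD  TYPE DEVICE     SIZE/OFF NODE       NAME
update  985 root cwd DIR  182,178001 4096     786628     /usr/share/roundcubemail
update  985 root rtd DIR  182,178001 4096     2          /
update  985 root txt REG  182,178001 625611   659895     /tmp/update
update  985 root 0u  CHR  1,3        0t0      3390808082 /dev/null
update  985 root 1u  CHR  1,3        0t0      3390808082 /dev/null
update  985 root 2u  CHR  1,3        0t0      3390808082 /dev/null
update  985 root 3u  IPv4 1473993150 0t0      UDP *:42651
update  985 root 4u  IPv4 1473990633 0t0      UDP *:36423
update  985 root 77r CHR  1,9        0t0      3390808086 /dev/urandom
"""

# Constructed from the process listing in the post, read as pid/comm/args
# (an assumption: the post shows no column header).
SAMPLE_PS = """\
374491 nginx nginx: worker process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd
"""

LSOF_KEYS = ("command", "pid", "user", "fd", "type", "device", "size", "node", "name")


def parse_lsof(text):
    """Rows of `lsof -p` output as dicts. Assumes every column is populated,
    as in the sample; `lsof -F` is the robust form for scripting."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, len(LSOF_KEYS) - 1)
        if len(parts) == len(LSOF_KEYS):
            rows.append(dict(zip(LSOF_KEYS, parts)))
    return rows


def triage_lsof(text):
    """Pull out exe, cwd, owner and UDP sockets and apply a few heuristics."""
    rows = parse_lsof(text)
    by_fd = {r["fd"]: r for r in rows}
    exe = by_fd.get("txt", {}).get("name", "")
    cwd = by_fd.get("cwd", {}).get("name", "")
    user = rows[0]["user"] if rows else ""
    udp_ports = sorted(int(r["name"].rsplit(":", 1)[1]) for r in rows
                       if r["node"] == "UDP" and r["name"].rsplit(":", 1)[1].isdigit())
    findings = []
    if exe.startswith(TEMP_DIRS):
        findings.append(f"executable {exe} runs from a temp directory")
    if exe.endswith("(deleted)"):
        findings.append(f"executable {exe} was unlinked after start")
    if user == "root" and (cwd + "/").startswith(WEBAPP_DIRS):
        findings.append(f"root process with cwd inside a web app tree: {cwd}")
    if all(by_fd.get(fd, {}).get("name") == "/dev/null" for fd in ("0u", "1u", "2u")):
        findings.append("stdin/stdout/stderr all on /dev/null: daemonised, no terminal")
    if udp_ports and all(p >= EPHEMERAL_PORT for p in udp_ports):
        findings.append(f"only ephemeral UDP sockets {udp_ports}: beaconing/flooding, not a service")
    return {"exe": exe, "cwd": cwd, "user": user, "udp_ports": udp_ports, "findings": findings}


def comm_argv_mismatch(ps_text):
    """Processes whose kernel-side name (comm) does not match argv[0].
    Both can be changed (argv by overwriting it, comm via prctl), but
    legitimate programs rarely make them disagree; here comm `update`
    matches the binary /tmp/update while argv claims `cat resolv.conf`."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        argv0 = os.path.basename(args.split()[0]).rstrip(":")  # "nginx:" -> nginx
        if argv0[:15] != comm:                                  # comm is capped at 15 chars
            hits.append((int(pid), comm, args))
    return hits


if __name__ == "__main__":
    for f in triage_lsof(SAMPLE_LSOF)["findings"]:
        print("lsof:", f)
    for pid, comm, args in comm_argv_mismatch(SAMPLE_PS):
        print(f"ps: pid {pid} comm={comm!r} but argv={args!r}")
```

On a live box the same data comes from /proc directly (`/proc/PID/exe`, `/proc/PID/cwd`, `/proc/PID/comm`, `/proc/PID/cmdline`), which is worth preferring when the attacker may have replaced `ps` or `lsof`; the heuristics above apply unchanged.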
lukapaunovic wrote: ↑Sun Apr 08, 2018 9:50 am
    @AKr0nizz
    That's exactly the problem why it hasn't been figured out yet. Providers give some creepy read-only FTP mode which is useless, and they won't let the server run for 10 min because they are cowards.

Yeah, but FTP-only mode is also suitable for getting all necessary backups.
AKr0nizz wrote: ↑Sun Apr 08, 2018 10:07 am
    Yeah, but FTP-only mode is also suitable for getting all necessary backups.

You can't retrieve a MySQL dump from FTP if the user doesn't have a backup.
sandy wrote: ↑Sun Apr 08, 2018 10:08 am
    You can't retrieve a MySQL dump from FTP if the user doesn't have a backup.

If your database server is up, you can use HeidiSQL to back up the SQL files.
sandy wrote: ↑Sun Apr 08, 2018 10:08 am
    You can't retrieve a MySQL dump from FTP if the user doesn't have a backup.

Yeah, it is quite complex.