Page 9 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:02 am
by highlander
imperio wrote:
Sun Apr 08, 2018 9:30 am
Who want provide access to hacked server?
Please, send access via info@vestacp.com
Sent you an email..

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:03 am
by imperio
Thank you

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:04 am
by sandy
StudioMaX wrote:
Sun Apr 08, 2018 9:55 am
A few more logs provided by the hosting support at the time when the server was active

Code: Select all

[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
update 985 root 69r FIFO 0,8 0t0 188493315 pipe
update 985 root 70w FIFO 0,8 0t0 188493315 pipe
update 985 root 71r FIFO 0,8 0t0 188493316 pipe
update 985 root 72w FIFO 0,8 0t0 188493316 pipe
update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom
I had the same processes as AKr0nizz. Also, the working directory of the virus was /usr/share/roundcubemail. This is somehow related to Roundcube.

I have now looked the Roundcube repository on the GitHub and found this recent security issue. But I don't know how this can be related to our servers.
looks siimilar with mine servers :

Code: Select all

374491     nginx            nginx: worker process
374492     nginx            nginx: worker process
374493     nginx            nginx: worker process[size=200][/size]
374494     nginx            nginx: worker process
374495     nginx            nginx: cache manager process
411496     named            /usr/sbin/named -u named -c /etc/named.conf
489055     httpd            /usr/sbin/httpd -DFOREGROUND
504853     httpd            /usr/sbin/httpd -DFOREGROUND
1009543    config           dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355    update           cat resolv.conf
1033960    qlzdmvoutu       cat resolv.conf
1033961    qlzdmvoutu       uptime
1033968    qlzdmvoutu       top
1033970    qlzdmvoutu       gnome-terminal
1033973    qlzdmvoutu       pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:07 am
by AKr0nizz
lukapaunovic wrote:
Sun Apr 08, 2018 9:50 am
@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards
Yeah, but ftp only mode is also suitable for getting all necessary backups.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:08 am
by sandy
AKr0nizz wrote:
Sun Apr 08, 2018 10:07 am
lukapaunovic wrote:
Sun Apr 08, 2018 9:50 am
@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards
Yeah, but ftp only mode is also suitable for getting all necessary backups.
you can't retrieve mysql dump from ftp if user doesn't have backup.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:12 am
by talha
sandy wrote:
Sun Apr 08, 2018 10:08 am
AKr0nizz wrote:
Sun Apr 08, 2018 10:07 am
lukapaunovic wrote:
Sun Apr 08, 2018 9:50 am
@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards
Yeah, but ftp only mode is also suitable for getting all necessary backups.
you can't retrieve mysql dump from ftp if user doesn't have backup.
If your database server is up, you can use heidisql to backup sql files.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:13 am
by AKr0nizz
sandy wrote:
Sun Apr 08, 2018 10:08 am
AKr0nizz wrote:
Sun Apr 08, 2018 10:07 am
lukapaunovic wrote:
Sun Apr 08, 2018 9:50 am
@AKr0nizz
Thats exactly the problem why it hasn't been figured out yet. Providers give some creepy read only ftp mode which is useless and they won't let server run for 10 min cuz they are cowards
Yeah, but ftp only mode is also suitable for getting all necessary backups.
you can't retrieve mysql dump from ftp if user doesn't have backup.
Yeah, it is quite complex.
But if you have FTP access as root to the server, your MySQL DBs are stored here:
/var/lib/mysql/

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:15 am
by sandy
did you checked its only read only mode

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:19 am
by sandy
talha wrote:
Sun Apr 08, 2018 10:12 am
sandy wrote:
Sun Apr 08, 2018 10:08 am
AKr0nizz wrote:
Sun Apr 08, 2018 10:07 am


Yeah, but ftp only mode is also suitable for getting all necessary backups.
you can't retrieve mysql dump from ftp if user doesn't have backup.
If your database server is up, you can use heidisql to backup sql files.
how you connect it via ftp lol

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 10:20 am
by sandy
i didn't understand if vestacp team already gotten SOME BUNCH OF HACKED SERVER FOR TESTING why they are still resting ?