Two servers are hacked today via Vestacp

[sandy]

Today afternoon just finished my launch and got email from server provider that your server is sending outbound ddos attack.
upon investigation I found some suspicious processes are running in the server and network usage is full (checked via glances).

Upon more investigation I finally found this suspicious processes are running :

Code: Select all

374491     nginx            nginx: worker process
374492     nginx            nginx: worker process
374493     nginx            nginx: worker process[size=200][/size]
374494     nginx            nginx: worker process
374495     nginx            nginx: cache manager process
411496     named            /usr/sbin/named -u named -c /etc/named.conf
489055     httpd            /usr/sbin/httpd -DFOREGROUND
504853     httpd            /usr/sbin/httpd -DFOREGROUND
1009543    config           dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355    update           cat resolv.conf
1033960    qlzdmvoutu       cat resolv.conf
1033961    qlzdmvoutu       uptime
1033968    qlzdmvoutu       top
1033970    qlzdmvoutu       gnome-terminal
1033973    qlzdmvoutu       pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I've 7 servers and two of them was running vestacp (centos 7- openvz)
and those two are hacked today others are working just as new.

Seems vestacp is hit by exploit, check your Vesta CP server running on centos 7 immediately.

[lukapaunovic]

viewtopic.php?f=10&t=16556

[sandy]

who are not hacked for now stop vesta service :

Code: Select all

service vesta stop

[vesta-user]

I think stopping vesta is too much over-reaction!
Just harden the firewall rules (iptables/security group/router/other), netflix and chill.

[sandy]

not everyone will have this sophisticated firewall like yours

[Prime]

not everyone will have this sophisticated firewall like yours

Wrong, even IPTables can do this if you look into it.

[sandy]

not everyone will have this sophisticated firewall like yours

Wrong, even IPTables can do this if you look into it.

server already suspended

[really]

This happened on Debian 8.1 as well, so I doubt it's OS dependent.

I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.

In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta server are vulnerable right now.

[baoang]

This happened on Debian 8.1 as well, so I doubt it's OS dependent.

I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.

In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta server are vulnerable right now.

See the top alert? The team has released a security fix, build 20.

[sandy]

This happened on Debian 8.1 as well, so I doubt it's OS dependent.

I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.

In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta server are vulnerable right now.

after installation stop vesta service or change the port to else