Two servers are hacked today via Vestacp

Posted: Sat Apr 07, 2018 8:00 pm
by sandy
This afternoon, just after finishing my launch, I got an email from my server provider saying that my server is sending an outbound DDoS attack.
Upon investigation I found that some suspicious processes were running on the server and network usage was maxed out (checked via glances).

Upon further investigation I finally found these suspicious processes running:

374491     nginx            nginx: worker process
374492     nginx            nginx: worker process
374493     nginx            nginx: worker process
374494     nginx            nginx: worker process
374495     nginx            nginx: cache manager process
411496     named            /usr/sbin/named -u named -c /etc/named.conf
489055     httpd            /usr/sbin/httpd -DFOREGROUND
504853     httpd            /usr/sbin/httpd -DFOREGROUND
1009543    config           dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355    update           cat resolv.conf
1033960    qlzdmvoutu       cat resolv.conf
1033961    qlzdmvoutu       uptime
1033968    qlzdmvoutu       top
1033970    qlzdmvoutu       gnome-terminal
1033973    qlzdmvoutu       pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I have 7 servers and two of them were running VestaCP (CentOS 7, OpenVZ);
those two were hacked today, the others are working fine.

It seems VestaCP has been hit by an exploit; check your Vesta CP server running on CentOS 7 immediately.
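The listing above is easiest to triage by process owner: every account that is not one of the expected service users is a lead to verify. The following script is an added example, not part of the post or of VestaCP; the allowlist of service accounts is an assumption to adjust per server, and the sample listing is constructed to mirror the format of the one above.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes whose owner is not an
# expected service account, given a "pid user command" listing such as the
# output of: ps -eo pid,user,args --no-headers

# Assumed set of legitimate service accounts on a VestaCP host; adjust per server.
EXPECTED_USERS="root nginx named httpd dovecot dovenull postfix mysql admin"

# Constructed sample modelled on the listing in the post (not real capture data).
SAMPLE_PS='374491 nginx nginx: worker process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu gnome-terminal'

# flag_unexpected_owners: read a listing on stdin, print one SUSPECT line per
# process whose user (second field) is not in EXPECTED_USERS.
flag_unexpected_owners() {
    awk -v allow="$EXPECTED_USERS" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # $1 = pid, $2 = user, rest = command line
        NF >= 3 && !($2 in ok) {
            cmd = substr($0, index($0, $3))
            print "SUSPECT pid=" $1 " user=" $2 " cmd=" cmd
        }
    '
}

# Demonstration on the constructed sample. On a live host use:
#   ps -eo pid,user,args --no-headers | flag_unexpected_owners
printf '%s\n' "$SAMPLE_PS" | flag_unexpected_owners
```

A flagged line is a prompt to verify, not a verdict: a legitimate helper running under an unfamiliar account (the dovecot entry in the sample) will be listed alongside the genuinely odd ones, so check each flagged PID's executable path and parent before killing anything, and copy the output somewhere off-box first since it is evidence.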

Re: Two servers are hacked today via Vestacp

Posted: Sat Apr 07, 2018 8:04 pm
by lukapaunovic

Re: Two servers are hacked today via Vestacp

Posted: Sat Apr 07, 2018 8:15 pm
by sandy
Those who are not hacked yet, stop the vesta service for now:

service vesta stop

Re: Two servers are hacked today via Vestacp

Posted: Sun Apr 08, 2018 8:20 am
by vesta-user
I think stopping vesta is an over-reaction!
Just harden the firewall rules (iptables/security group/router/other), Netflix and chill.


Re: Two servers are hacked today via Vestacp

Posted: Sun Apr 08, 2018 10:06 am
by sandy
Not everyone will have a sophisticated firewall like yours.

Re: Two servers are hacked today via Vestacp

Posted: Sun Apr 08, 2018 10:43 am
by Prime
sandy wrote:
Sun Apr 08, 2018 10:06 am
Not everyone will have a sophisticated firewall like yours.
Wrong, even IPTables can do this if you look into it.

Re: Two servers are hacked today via Vestacp

Posted: Sun Apr 08, 2018 3:20 pm
by sandy
Prime wrote:
Sun Apr 08, 2018 10:43 am
sandy wrote:
Sun Apr 08, 2018 10:06 am
Not everyone will have a sophisticated firewall like yours.
Wrong, even IPTables can do this if you look into it.
The server is already suspended.

Re: Two servers are hacked today via Vestacp

Posted: Mon Apr 09, 2018 4:39 am
by really
This happened on Debian 8.1 as well, so I doubt it's OS-dependent.

I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended, and backed up my shit.

In the meantime I was trying to reinstall the server so I could get on with my life, but it seems vesta's developer removed the vesta packages from the repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
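The containment steps in the post above (default-DROP iptables, a single allowed admin IP, a lowered conntrack ceiling) fit in one small script. What follows is an added example, not code from the thread or from VestaCP; the admin address 203.0.113.10, the SSH port and the conntrack limit are assumed placeholders, and the script goes one step beyond the post by also default-denying new outbound connections, which is what actually stops the flood the provider complained about. It prints the commands by default and only applies them when IPT and SYSCTL are pointed at the real binaries.

```shell
#!/bin/sh
# Added example (not from the thread): emergency lockdown of a compromised host.
# Dry-run by default (commands are echoed); to apply for real run with
#   IPT=iptables SYSCTL=sysctl sh lockdown.sh <admin_ip> <ssh_port> <conntrack_max>

# lockdown ADMIN_IP [SSH_PORT] [CONNTRACK_MAX]
lockdown() {
    admin_ip="$1"
    ssh_port="${2:-22}"
    ct_max="${3:-8192}"

    # Start from a clean slate and default-deny every direction.
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # Loopback and flows that were already accepted keep working.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the admin host may open new SSH sessions (the "only my IP" rule).
    "$IPT" -A INPUT -p tcp -s "$admin_ip" --dport "$ssh_port" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Beyond the post: new outbound connections are allowed only back to the
    # admin host (e.g. to push backups); everything else the flood tries is dropped.
    "$IPT" -A OUTPUT -d "$admin_ip" -m conntrack --ctstate NEW -j ACCEPT

    # Cap the connection-tracking table so tracked flows cannot balloon.
    "$SYSCTL" -w "net.netfilter.nf_conntrack_max=$ct_max"
}

# Safe defaults: echo instead of the real tools unless overridden.
IPT="${IPT:-echo}"
SYSCTL="${SYSCTL:-echo}"

# Demonstration run with placeholder values (203.0.113.10 is a documentation address).
lockdown "${1:-203.0.113.10}" "${2:-22}" "${3:-8192}"
```

Apply it from a console or out-of-band access if at all possible: with OUTPUT defaulting to DROP, DNS lookups and package downloads stop working until you add explicit rules for them, which is intended during containment but will surprise anyone who expects `yum` or `apt` to keep working.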

Re: Two servers are hacked today via Vestacp

Posted: Mon Apr 09, 2018 4:46 am
by baoang
really wrote:
Mon Apr 09, 2018 4:39 am
This happened on Debian 8.1 as well, so I doubt it's OS-dependent.

I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended, and backed up my shit.

In the meantime I was trying to reinstall the server so I could get on with my life, but it seems vesta's developer removed the vesta packages from the repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
See the top alert? The team has released a security fix, build 20.

Re: Two servers are hacked today via Vestacp

Posted: Mon Apr 09, 2018 4:55 am
by sandy
really wrote:
Mon Apr 09, 2018 4:39 am
This happened on Debian 8.1 as well, so I doubt it's OS-dependent.

I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended, and backed up my shit.

In the meantime I was trying to reinstall the server so I could get on with my life, but it seems vesta's developer removed the vesta packages from the repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
After installation, stop the vesta service or change the port to something else.