Two servers are hacked today via Vestacp
Posted: Sat Apr 07, 2018 8:00 pm
This afternoon I had just finished my launch when I got an email from the server provider that my server was sending an outbound DDoS attack.
Upon investigation I found some suspicious processes running in the server, and network usage was full (checked via glances).
I have 7 servers and two of them were running VestaCP (CentOS 7, OpenVZ),
and those two were hacked today; the others are working just as new.
It seems VestaCP has been hit by an exploit; check your Vesta CP server running on CentOS 7 immediately.
Upon more investigation I finally found these suspicious processes running:
374491 nginx nginx: worker process
374492 nginx nginx: worker process
374493 nginx nginx: worker process
374494 nginx nginx: worker process
374495 nginx nginx: cache manager process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
504853 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
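Added example, not code from the original post or from the VestaCP project: a small triage script that automates the kind of look the poster took at the process list. The sample listing is constructed in the PID / USER / COMMAND layout shown above; EXPECTED_USERS, TRANSIENT_CMDS and DESKTOP_CMDS are assumptions that you need to tune to your own box (for instance "update" may or may not be a legitimate account on your host). It flags three things: processes owned by an account that is not a known service account (with a crude random-username heuristic on top), commands such as cat or pwd that normally exit in milliseconds yet sit in the process table, and desktop programs on a headless server.

```python
"""Triage a 'PID USER COMMAND' process listing for the anomalies seen in the post."""
import re
import subprocess
import sys
from collections import namedtuple

# Constructed sample listing (same layout as the post's glances output).
SAMPLE_PS = """\
374491 nginx nginx: worker process
374495 nginx nginx: cache manager process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd
"""

# Assumption: accounts expected to own long-running processes on a VestaCP/CentOS box.
EXPECTED_USERS = {"root", "nginx", "named", "httpd", "mysql", "dovecot", "dovenull",
                  "config", "vmail", "postfix", "clamav", "admin"}

# Commands that finish almost instantly; a "parked" one is a classic masquerade sign.
TRANSIENT_CMDS = {"cat", "pwd", "uptime", "ls", "id", "whoami", "echo"}

# Desktop programs that have no business on a headless server.
DESKTOP_CMDS = {"gnome-terminal", "xterm", "konsole"}

# Four or more consonants in a row, as in "qlzdmvoutu"; crude but cheap.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}")

Proc = namedtuple("Proc", "pid user cmd")


def parse_listing(text):
    """Parse 'PID USER COMMAND...' lines; skip headers and malformed lines."""
    procs = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs.append(Proc(int(parts[0]), parts[1], parts[2]))
    return procs


def looks_random(name):
    """Heuristic for machine-generated usernames: long, all lowercase letters, consonant run."""
    return len(name) >= 8 and name.isalpha() and name.islower() and bool(CONSONANT_RUN.search(name))


def triage(procs):
    """Return [(Proc, [reasons])] for every process that trips at least one heuristic."""
    findings = []
    for p in procs:
        reasons = []
        if p.user not in EXPECTED_USERS:
            reasons.append("owner not an expected service account")
            if looks_random(p.user):
                reasons.append("random-looking username")
        argv0 = p.cmd.split()[0].rsplit("/", 1)[-1]   # basename of the command
        if argv0 in TRANSIENT_CMDS:
            reasons.append("short-lived command parked in process table")
        if argv0 in DESKTOP_CMDS:
            reasons.append("desktop program on a headless host")
        if reasons:
            findings.append((p, reasons))
    return findings


def suspicious_pids(text):
    """Convenience wrapper: sorted PIDs flagged in a listing."""
    return sorted(p.pid for p, _ in triage(parse_listing(text)))


if __name__ == "__main__":
    if "--live" in sys.argv:   # read the real process table (procps-ng syntax)
        text = subprocess.run(["ps", "-eo", "pid,user,args", "--no-headers"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_PS
    for proc, reasons in triage(parse_listing(text)):
        print(f"{proc.pid:>8} {proc.user:<12} {proc.cmd:<40} <- {'; '.join(reasons)}")
```

Run it with --live on the box itself to go over the real process table; on the sample it flags only the six processes the poster bracketed with exclamation marks and leaves the nginx, named, httpd and dovecot entries alone. Treat a hit as a reason to look at /proc/PID/exe and /proc/PID/cwd for that process, not as proof of compromise on its own.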