We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
All VestaCP installations being attacked (Topic is solved)
Re: All VestaCP installations being attacked
imperio wrote: ↑Fri Oct 19, 2018 10:12 am
> kandalf wrote: ↑Fri Oct 19, 2018 10:08 am
> > imperio wrote: ↑Fri Oct 19, 2018 9:49 am
> > > Falzo, stop the insults. We have all said in this thread.
> > > More information you can find here
> > > https://www.welivesecurity.com/2018/10/ ... installed/
> > > Next time I'll give you a warning.
> > Thanks for the link. In one of my servers I have the file /etc/init.d/dhcprenew and not /usr/bin/dhcprenew. I also have multiple symlinks that can be found using:
> > Code:
> >     ls /etc/rc[1-5].d/
> >     ls /etc/rc.d/rc[1-5].d/
> > I think I should reinstall the server.
> You can clear your server
> https://www.welivesecurity.com/2018/10/ ... installed/
> Section:
> First stage
> Persistence mechanism and link to Xor.DDoS
I already removed /etc/init.d/dhcprenew, /usr/bin/dhcprenew and all the symlinks, and I have changed the root and admin passwords.
Are there more things to do? Maybe someone can create a step-by-step tutorial on how to clean an infected server.
BTW in this server I have received an email from Vesta telling me that I was infected.
Re: All VestaCP installations being attacked
kandalf, what OS is on your server, the one which was infected?
Re: All VestaCP installations being attacked
Show me the results of this command:
Code:
    /sbin/chkconfig --list
Re: All VestaCP installations being attacked
I have OS Ubuntu 16.04 LTS.
The first thing I've done has been to change the admin and root passwords.
Later, I have seen that my server has /usr/bin/dhcprenew.disabled and /etc/init.d/dhcprenew.disabled files (why .disabled? no idea).
I have deleted both.
Also I have symbolic links:
Code:
    lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc1.d/S01dhcprenew -> ../init.d/dhcprenew
    lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc2.d/S01dhcprenew -> ../init.d/dhcprenew
    lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc3.d/S01dhcprenew -> ../init.d/dhcprenew
    lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc4.d/S01dhcprenew -> ../init.d/dhcprenew
    lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc5.d/S01dhcprenew -> ../init.d/dhcprenew
I have deleted all of them.
Also I have several jobs (ps -A) named [kworker/1:1].
I have killed them.
How do I have to proceed?
The reinstallation at this time is not possible.
My server works fine apparently.
Thanks!
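As an added example (my own script, not code from this thread or from the Vesta project), a POSIX shell checker for the persistence artifacts reported in the two posts above: the dropped dhcprenew binary and init script (including the .disabled variants), the S01dhcprenew runlevel symlinks in both Debian and RHEL layouts, and userland processes posing as kernel kworker threads. The root-prefix argument and the function names are my own so the checks can be dry-run against a test tree; pass "/" or nothing to scan a live host.

```shell
#!/bin/sh
# Added example, not from the thread. Both functions take an optional root
# prefix (constructed test trees use it; omit for the live system).

# Print one line per dhcprenew artifact under "$1"; exit 0 only if clean.
dhcprenew_scan() {
    root="${1:-}"; root="${root%/}"; found=0
    for f in "$root/usr/bin/dhcprenew" "$root/usr/bin/dhcprenew.disabled" \
             "$root/etc/init.d/dhcprenew" "$root/etc/init.d/dhcprenew.disabled"; do
        # -L also catches a dangling symlink that -e alone would miss
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "file: $f"; found=$((found + 1))
        fi
    done
    # Debian/Ubuntu (/etc/rcN.d) and RHEL/CentOS (/etc/rc.d/rcN.d) layouts
    for d in "$root"/etc/rc[0-6].d "$root"/etc/rc.d/rc[0-6].d; do
        [ -d "$d" ] || continue
        for l in "$d"/[SK]??dhcprenew*; do
            [ -e "$l" ] || [ -L "$l" ] || continue
            echo "rc link: $l -> $(readlink "$l")"; found=$((found + 1))
        done
    done
    [ "$found" -eq 0 ]
}

# Genuine kworker threads are children of kthreadd (PID 2) and have no
# executable image, so /proc/PID/exe is not a readable link. A "kworker"
# that breaks either rule is a userland process borrowing the name.
fake_kworker_scan() {
    proc="${1:-}/proc"; found=0
    for p in "$proc"/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue   # may have exited
        case "$comm" in kworker*) ;; *) continue ;; esac
        ppid=$(awk '{print $4}' "$p/stat" 2>/dev/null)
        exe=$(readlink "$p/exe" 2>/dev/null)
        if [ "$ppid" != "2" ] || [ -n "$exe" ]; then
            echo "fake kworker: pid ${p##*/} ppid ${ppid:-?} exe ${exe:-<none>}"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Usage: sh check_dhcprenew.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then
    dhcprenew_scan "${2:-}"; fake_kworker_scan "${2:-}"
fi
```

Run it as root so /proc/PID/exe of other users' processes is readable; without root the kworker check still works on the parent-PID rule alone.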
Re: All VestaCP installations being attacked
imperio wrote: ↑Fri Oct 19, 2018 9:49 am
> Falzo, stop the insults. We have all said in this thread.
> More information you can find here
> https://www.welivesecurity.com/2018/10/ ... installed/
> Next time I'll give you a warning.
how did I insult anyone? you can warn me all over the place if you think that's a proper reaction here... go ahead and delete my posts if you think they are hurting you in some way.
see that's exactly the point... responses and communications. why do you need to react like that to me? I found something, posted it here and you could react on it. Now you are angry with me?
Or did you know already what happened even before I posted about that? pick one...
in the end I don't care about your reaction _to me_ at all, but maybe others will. I am sure quite some people look at this thread and the reactions of Vesta Team very closely.
and to be fully clear: I am not looking for any fight, I am looking for open and transparent communication on the matter. in the end this hasn't even been a real failure/exploit in the code of vesta itself, but a problem in the infrastructure/deployment.
for the link you posted, you are right, maybe you want to read it again:
> VestaCP maintainers stated they were compromised. How the malicious code ended up in their Git tree is still unclear. Perhaps the perpetrator modified the installation scripts on the server and this version was used to create the next version of the file in Git, but only for the Ubuntu target. This would mean they have been compromised since at least May 2018.
so they also say that the timeline is unclear and that there is information missing. hence why I ask to finally address this in full instead of waiting for users to find more pieces...
However, I am going back to my cave then. If anyone has more questions, or wants to discuss without being warned or threatened, you can find me on lowendtalk or hostballs ;-) ;-) ;-)
Re: All VestaCP installations being attacked
The concentrated explosion is mainly caused by two large mainframe suppliers, who feel that their DNS servers have been hijacked. The vestacp.com domain name's IP has been changed.
hoster: hetzner OVH
Re: All VestaCP installations being attacked
hmm, I don't think this is realistic - it does not make any sense. The changed installer script was for example also uploaded to github.com; additionally I think the DNS systems of such big players are monitored carefully.
Re: All VestaCP installations being attacked
imperio wrote: ↑Fri Oct 19, 2018 11:02 am
> Show me results of this command
> Code:
>     /sbin/chkconfig --list
This is the result:
Code:
    [root@mail ~]# /sbin/chkconfig --list
    Note: This output shows SysV services only and does not include native
    systemd services. SysV configuration data might be overridden by native
    systemd configuration.
    If you want to list systemd services use 'systemctl list-unit-files'.
    To see services enabled on particular target use
    'systemctl list-dependencies [target]'.
    mysql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
    network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Re: All VestaCP installations being attacked
Good. You have removed all virus files from your server.