
Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 12:40 pm
by Stesh
someuser wrote:
Thu Oct 18, 2018 10:45 am

Code:

[root@vpszcka ~]# yum update vesta
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.hosting90.cz
 * epel: mirror.spreitzer.ch
 * extras: mirror.hosting90.cz
 * remi: remi.schlundtech.de
 * remi-php55: remi.schlundtech.de
 * remi-php56: remi.schlundtech.de
 * remi-safe: remi.schlundtech.de
 * remi-test: remi.schlundtech.de
 * updates: mirror.hosting90.cz
No packages marked for update
Is it okay?
No, the repository information has not been updated.

Code:

# yum clean all
# rm -rf /var/cache/yum
# yum update vesta\*
Example

Code:

[root@vm2 ~]# yum info vesta
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.ovh.net
 * epel: mirror.freethought-internet.co.uk
 * extras: centos.mirrors.ovh.net
 * remi: rpms.remirepo.net
 * remi-php56: rpms.remirepo.net
 * remi-safe: rpms.remirepo.net
 * remi-test: rpms.remirepo.net
 * updates: centos.mirrors.ovh.net
Installed Packages
Name        : vesta
Arch        : x86_64
Version     : 0.9.8
Release     : 22
Size        : 13 M
Repo        : installed
From repo   : vesta
Summary     : Vesta Control Panel
URL         : http://vestacp.com/
License     : GPL
Description : This package contains the packages for Vesta Control Panel api.

[root@vm2 ~]# yum info vesta
Loaded plugins: fastestmirror
base                                                     | 3.6 kB     00:00
epel/x86_64/metalink                                     |  26 kB     00:00
epel                                                     | 3.2 kB     00:00
extras                                                   | 3.4 kB     00:00
mariadb                                                  | 2.9 kB     00:00
nginx                                                    | 2.9 kB     00:00
remi                                                     | 2.9 kB     00:00
remi-debuginfo                                           | 2.9 kB     00:00
remi-php55-debuginfo                                     | 2.9 kB     00:00
remi-php56                                               | 2.9 kB     00:00
remi-php56-debuginfo                                     | 2.9 kB     00:00
remi-safe                                                | 2.9 kB     00:00
remi-test                                                | 2.9 kB     00:00
remi-test-debuginfo                                      | 2.9 kB     00:00
updates                                                  | 3.4 kB     00:00
vesta                                                    | 2.9 kB     00:00
(1/18): epel/x86_64/group_gz                               |  88 kB   00:00
(2/18): epel/x86_64/updateinfo                             | 933 kB   00:00
(3/18): base/7/x86_64/group_gz                             | 166 kB   00:00
(4/18): nginx/x86_64/primary_db                            |  35 kB   00:00
(5/18): epel/x86_64/primary                                | 3.6 MB   00:00
(6/18): extras/7/x86_64/primary_db                         | 204 kB   00:00
(7/18): remi-php55-debuginfo/x86_64/primary_db             |  53 kB   00:00
(8/18): remi-debuginfo/x86_64/primary_db                   | 444 kB   00:00
(9/18): remi-php56-debuginfo/x86_64/primary_db             |  53 kB   00:00
(10/18): remi/primary_db                                   | 2.2 MB   00:00
(11/18): remi-php56/primary_db                             | 233 kB   00:00
(12/18): remi-test/primary_db                              | 580 kB   00:00
(13/18): remi-test-debuginfo/x86_64/primary_db             | 115 kB   00:00
(14/18): mariadb/primary_db                                |  65 kB   00:00
(15/18): remi-safe/primary_db                              | 1.3 MB   00:00
(16/18): updates/7/x86_64/primary_db                       | 6.0 MB   00:00
(17/18): vesta/x86_64/primary_db                           |  83 kB   00:00
(18/18): base/7/x86_64/primary_db                          | 5.9 MB   00:01
Determining fastest mirrors
 * base: centos.mirrors.ovh.net
 * epel: epel.mirror.wearetriple.com
 * extras: centos.mirrors.ovh.net
 * remi: remi.mirror.ate.info
 * remi-php56: remi.mirror.ate.info
 * remi-safe: remi.mirror.ate.info
 * remi-test: remi.mirror.ate.info
 * updates: centos.mirrors.ovh.net
epel                                                                12741/12741
Installed Packages
Name        : vesta
Arch        : x86_64
Version     : 0.9.8
Release     : 22
Size        : 13 M
Repo        : installed
From repo   : vesta
Summary     : Vesta Control Panel
URL         : http://vestacp.com/
License     : GPL
Description : This package contains the packages for Vesta Control Panel api.

Available Packages
Name        : vesta
Arch        : x86_64
Version     : 0.9.8
Release     : 23
Size        : 2.6 M
Repo        : vesta/x86_64
Summary     : Vesta Control Panel
URL         : http://vestacp.com/
License     : GPL
Description : This package contains the packages for Vesta Control Panel api.

[root@vm2 ~]# yum update vesta\*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.ovh.net
 * epel: epel.mirror.wearetriple.com
 * extras: centos.mirrors.ovh.net
 * remi: remi.mirror.ate.info
 * remi-php56: remi.mirror.ate.info
 * remi-safe: remi.mirror.ate.info
 * remi-test: remi.mirror.ate.info
 * updates: centos.mirrors.ovh.net
Resolving Dependencies
--> Running transaction check
---> Package vesta.x86_64 0:0.9.8-22 will be updated
---> Package vesta.x86_64 0:0.9.8-23 will be an update
---> Package vesta-nginx.x86_64 0:0.9.8-22 will be updated
---> Package vesta-nginx.x86_64 0:0.9.8-23 will be an update
---> Package vesta-php.x86_64 0:0.9.8-22 will be updated
---> Package vesta-php.x86_64 0:0.9.8-23 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
 Package                         Arch                       Version                         Repository                 Size
============================================================================================================================
Updating:
 vesta                           x86_64                     0.9.8-23                        vesta                     2.6 M
 vesta-nginx                     x86_64                     0.9.8-23                        vesta                     297 k
 vesta-php                       x86_64                     0.9.8-23                        vesta                      12 M

Transaction Summary
============================================================================================================================
Upgrade  3 Packages

Total download size: 15 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): vesta-nginx-0.9.8-23.x86_64.rpm                                                               | 297 kB  00:00:00
(2/3): vesta-0.9.8-23.x86_64.rpm                                                                     | 2.6 MB  00:00:01
(3/3): vesta-php-0.9.8-23.x86_64.rpm                                                                 |  12 MB  00:00:01
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       6.6 MB/s |  15 MB  00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : vesta-php-0.9.8-23.x86_64                                                                                1/6
  Updating   : vesta-0.9.8-23.x86_64                                                                                    2/6
  Updating   : vesta-nginx-0.9.8-23.x86_64                                                                              3/6
  Cleanup    : vesta-0.9.8-22.x86_64                                                                                    4/6
  Cleanup    : vesta-php-0.9.8-22.x86_64                                                                                5/6
  Cleanup    : vesta-nginx-0.9.8-22.x86_64                                                                              6/6
  Verifying  : vesta-0.9.8-23.x86_64                                                                                    1/6
  Verifying  : vesta-nginx-0.9.8-23.x86_64                                                                              2/6
  Verifying  : vesta-php-0.9.8-23.x86_64                                                                                3/6
  Verifying  : vesta-0.9.8-22.x86_64                                                                                    4/6
  Verifying  : vesta-nginx-0.9.8-22.x86_64                                                                              5/6
  Verifying  : vesta-php-0.9.8-22.x86_64                                                                                6/6

Updated:
  vesta.x86_64 0:0.9.8-23              vesta-nginx.x86_64 0:0.9.8-23              vesta-php.x86_64 0:0.9.8-23

Complete!
[root@vm2 ~]#

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 1:49 pm
by xjlin0
Do you publish MD5 hashes of the installer files for each version somewhere, or in the release notes?

Let's say, if MD5 hashes of the installer files are uploaded to GitHub, everyone can help track whether the installer files got changed unintentionally.
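As an added example (not VestaCP project code and not xjlin0's), the following POSIX shell check verifies a downloaded installer against a published hash manifest before it is executed. It uses SHA-256 rather than MD5, because MD5 collisions are cheap to produce and a manifest is only as strong as its digest. The manifest layout it assumes is the one `sha256sum` itself writes (`<hex-digest>  <filename>`); the installer file, the manifest and the tampering step are all constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the VestaCP project: verify an installer against a
# published hash manifest before running it. Assumes the manifest uses the
# "<sha256>  <filename>" layout that `sha256sum` writes.
set -u

# verify_installer <installer-file> <manifest-file>
# Returns 0 on a match, 1 on a digest mismatch, 2 if the file is not listed.
verify_installer() {
    vi_file=$1
    vi_manifest=$2
    vi_name=$(basename "$vi_file")
    # Pick the digest whose filename field equals ours (strip the leading '*'
    # that sha256sum emits in binary mode).
    vi_expected=$(awk -v f="$vi_name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$vi_manifest")
    if [ -z "$vi_expected" ]; then
        echo "MISSING: $vi_name is not listed in $vi_manifest" >&2
        return 2
    fi
    vi_actual=$(sha256sum "$vi_file" | awk '{ print $1 }')
    if [ "$vi_actual" = "$vi_expected" ]; then
        echo "OK: $vi_name matches the manifest"
        return 0
    fi
    echo "MISMATCH: $vi_name sha256=$vi_actual expected=$vi_expected" >&2
    return 1
}

# build_fixture <dir>
# Writes a constructed, harmless installer and the manifest a maintainer
# would publish alongside it (a stand-in for a file kept on GitHub).
build_fixture() {
    bf_dir=$1
    printf '#!/bin/sh\necho "constructed installer: does nothing"\n' > "$bf_dir/vst-install.sh"
    ( cd "$bf_dir" && sha256sum vst-install.sh > SHA256SUMS )
}

# demo: the pristine file must verify, a modified copy must not.
# Returns 0 only if both outcomes are as expected.
demo() {
    d_tmp=$(mktemp -d)
    build_fixture "$d_tmp"
    d_ok=1
    verify_installer "$d_tmp/vst-install.sh" "$d_tmp/SHA256SUMS" || d_ok=0
    # Simulate the file changing after the manifest was published.
    echo 'echo "one appended line"' >> "$d_tmp/vst-install.sh"
    if verify_installer "$d_tmp/vst-install.sh" "$d_tmp/SHA256SUMS" 2>/dev/null; then d_ok=0; fi
    rm -rf "$d_tmp"
    [ "$d_ok" -eq 1 ]
}

demo
```

The point of the second run in `demo` is the one xjlin0 is making: once the manifest is published out of band, any later change to the installer, whether a maintainer's unannounced edit or a compromised download server, shows up as a mismatch before the file is ever executed.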

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 2:05 pm
by ScIT
skid wrote:
Wed Oct 17, 2018 10:18 pm
Thank you for suggestions. Remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.
Debian installer still uses wget and c.vestacp.com for the configuration files.

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 3:48 pm
by ScIT
ScIT wrote:
Thu Oct 18, 2018 2:05 pm
skid wrote:
Wed Oct 17, 2018 10:18 pm
Thank you for suggestions. Remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.
Debian installer still uses wget and c.vestacp.com for the configuration files.
fixed, thanks! https://github.com/serghey-rodin/vesta/ ... 1b8682bca9

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 5:40 pm
by Spheerys
The other operating systems' installation scripts are still calling c.vestacp.com

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 5:47 am
by pipoy
As always, thank you for the hard work.

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 9:33 am
by Falzo
skid wrote:
Wed Oct 17, 2018 8:25 pm
Please check if your server IP here
>>>>> http://vestacp.com/test/?ip=127.0.0.1 <<<<<
sorry to be the bummer here again, but this shows 'not infected' for a server IP of mine where the malicious installer (debian) was used on 13th August. The server was not hacked at all, because I changed the random password after install, as already pointed out, but shouldn't it be on your list or database then?

care to clarify what your old notify script did and how the strings got stored? As you obviously still have (a part of) that data, a bit more insight would be much appreciated.

I also would like to know if there are more details on the timeframe. I doubt the aforementioned May/June to be correct; at least that's not fitting for what I see on debian boxes. From the looks of it, on the latter the script was tampered with at the end of July/beginning of August and was probably cleaned at some point in September when you finally noticed that something happened.
May is just the timestamp of the installer file, but that's the same for the infected as for the original one - and doesn't give the installation date _at all_

open request to you, Serghey: simply stop playing hide and seek and report a proper timeline of what happened when already. People are getting annoyed with vesta not because of the incidents, but because of the lack of response and information.
finally man up and defend your project the right way: by communicating quickly and asking for help if needed.

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 9:49 am
by imperio
Falzo, stop the insults. We have said it all in this thread.
You can find more information here
https://www.welivesecurity.com/2018/10/ ... installed/

Next time I'll give you a warning.

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 10:08 am
by kandalf
imperio wrote:
Fri Oct 19, 2018 9:49 am
Falzo, stop the insults. We have said it all in this thread.
You can find more information here
https://www.welivesecurity.com/2018/10/ ... installed/

Next time I'll give you a warning.
Thanks for the link. On one of my servers I have the file /etc/init.d/dhcprenew and not /usr/bin/dhcprenew; I also have multiple symlinks that can be found using:
ls /etc/rc[1-5].d/
ls /etc/rc.d/rc[1-5].d/

I think I should reinstall the server.
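The `ls` commands above only list the runlevel directories. As an added example (not kandalf's commands and not VestaCP code), here is a POSIX shell scanner that checks a system tree for the indicators named in this thread: the `/etc/init.d/dhcprenew` and `/usr/bin/dhcprenew` files and any `rc*.d` symlink whose target names `dhcprenew`. It widens the check from `rc[1-5].d` to every runlevel directory `rc[0-6].d` (a generalization, not something the thread states), takes a root prefix so it can be run against a mounted image or the constructed test tree below, and exits non-zero when anything is found, which makes it usable from cron or a fleet-wide check. The "infected" tree it builds is constructed for the demo and contains only an empty placeholder file.

```shell
#!/bin/sh
# Added example, not part of VestaCP: look for the dhcprenew persistence
# indicators discussed in the thread. <root> defaults to "/" for a live host;
# pass a directory to scan a mounted image or a test tree instead.
set -u

# scan_dhcprenew_persistence [root]
# Prints one line per indicator and a final "<n> indicator(s) found" line.
# Returns 0 when nothing was found, 1 otherwise.
scan_dhcprenew_persistence() {
    sp_root=${1:-/}
    sp_root=${sp_root%/}          # "/" becomes "", so "$sp_root/etc" stays "/etc"
    sp_hits=0
    for sp_f in "$sp_root/etc/init.d/dhcprenew" "$sp_root/usr/bin/dhcprenew"; do
        if [ -e "$sp_f" ] || [ -L "$sp_f" ]; then
            echo "FOUND file: $sp_f"
            sp_hits=$((sp_hits + 1))
        fi
    done
    # Runlevel entries (S##/K## symlinks) whose target names dhcprenew.
    for sp_link in "$sp_root"/etc/rc[0-6].d/* "$sp_root"/etc/rc.d/rc[0-6].d/*; do
        [ -L "$sp_link" ] || continue
        sp_target=$(readlink "$sp_link")
        case "$sp_target" in
            *dhcprenew*)
                echo "FOUND symlink: $sp_link -> $sp_target"
                sp_hits=$((sp_hits + 1))
                ;;
        esac
    done
    echo "$sp_hits indicator(s) found"
    [ "$sp_hits" -eq 0 ]
}

# count_indicators [root]: just the number, for scripting.
count_indicators() {
    scan_dhcprenew_persistence "${1:-/}" | tail -n 1 | cut -d' ' -f1
}

# build_fixture <dir> <infected|clean>
# Constructs a minimal /etc tree. "infected" adds the init script and two
# runlevel symlinks; both variants get a benign sshd link that must not match.
build_fixture() {
    bf_dir=$1
    mkdir -p "$bf_dir/etc/init.d" "$bf_dir/etc/rc3.d" "$bf_dir/etc/rc.d/rc5.d"
    ln -s ../init.d/sshd "$bf_dir/etc/rc3.d/S01sshd"
    if [ "$2" = infected ]; then
        : > "$bf_dir/etc/init.d/dhcprenew"       # empty placeholder, not malware
        ln -s ../init.d/dhcprenew "$bf_dir/etc/rc3.d/S99dhcprenew"
        ln -s /etc/init.d/dhcprenew "$bf_dir/etc/rc.d/rc5.d/S99dhcprenew"
    fi
}

demo() {
    d_tmp=$(mktemp -d)
    build_fixture "$d_tmp/infected" infected
    build_fixture "$d_tmp/clean" clean
    scan_dhcprenew_persistence "$d_tmp/infected"   # 3 indicator(s) found
    scan_dhcprenew_persistence "$d_tmp/clean"      # 0 indicator(s) found
    rm -rf "$d_tmp"
}

demo
```

On a live host run `scan_dhcprenew_persistence /` (or with no argument). A hit is a reason to treat the box as compromised rather than to delete the files and move on, which is the conclusion kandalf reaches above; the scanner only tells you whether the indicators this thread names are present.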

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 10:12 am
by imperio
kandalf wrote:
Fri Oct 19, 2018 10:08 am
imperio wrote:
Fri Oct 19, 2018 9:49 am
Falzo, stop the insults. We have said it all in this thread.
You can find more information here
https://www.welivesecurity.com/2018/10/ ... installed/

Next time I'll give you a warning.
Thanks for the link. On one of my servers I have the file /etc/init.d/dhcprenew and not /usr/bin/dhcprenew; I also have multiple symlinks that can be found using:
ls /etc/rc[1-5].d/
ls /etc/rc.d/rc[1-5].d/

I think I should reinstall the server.
You can clear your server:
https://www.welivesecurity.com/2018/10/ ... installed/
Sections:
First stage
Persistence mechanism and link to Xor.DDoS