Page 4 of 24

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 4:55 pm
by Razza
My dev server got compromised, as the password for the admin user got changed; luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.

Here's the attempted command run via ssh from IP 45.76.146.8: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure

Here's the VirusTotal report of the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.
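The command Razza quotes has a recognisable shape: make a dropped file in /var/tmp executable, run it as root, then delete the authentication logs. As an added example (not from the original post and not part of VestaCP), the Python below scans syslog-style sudo records of the kind Debian writes to /var/log/auth.log and flags each of those three actions. The sudo record format is real; the sample log lines, the host name `dev` and the rule names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One sudo record as Debian writes it to /var/log/auth.log (real format).
# "TTY=unknown" is what sudo logs when the command did not come from a
# terminal, as with a one-shot ssh command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable drop locations
LOG_DIR = "/var/log/"


@dataclass
class Finding:
    ts: str
    user: str
    rule: str   # constructed rule names, not from any product
    cmd: str


def _grants_exec(mode: str) -> bool:
    """True if a chmod mode argument sets an execute bit (numeric or symbolic)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(d) & 1 for d in mode[-3:])
    return "x" in mode


def classify(cmd: str) -> Optional[str]:
    """Return a rule name if the sudo COMMAND matches one of the three steps, else None."""
    argv = cmd.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    if prog == "chmod" and len(args) >= 2 and _grants_exec(args[0]) \
            and any(a.startswith(SCRATCH_DIRS) for a in args[1:]):
        return "chmod_exec_in_scratch_dir"
    if argv[0].startswith(SCRATCH_DIRS):
        return "exec_from_scratch_dir"
    if prog in ("rm", "unlink", "shred", "truncate") and any(a.startswith(LOG_DIR) for a in args):
        return "log_removal"
    return None


def scan(lines) -> List[Finding]:
    """Run classify() over sudo records; lines that are not sudo records are skipped."""
    findings = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue
        rule = classify(m["cmd"])
        if rule:
            findings.append(Finding(m["ts"], m["user"], rule, m["cmd"]))
    return findings


# Constructed sample: the three steps from the post as sudo would have logged
# them, preceded by two benign records that must not fire.
SAMPLE_LOG = """\
Sep 25 09:02:41 dev sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep 25 09:03:10 dev sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/chmod 0644 /var/tmp/notes.txt
Sep 25 16:50:12 dev sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/bin/chmod 0777 /var/tmp/creator-x86_64-1
Sep 25 16:50:12 dev sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/var/tmp/creator-x86_64-1
Sep 25 16:50:13 dev sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log /var/log/secure
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.rule}: {f.cmd}")
```

Because the last step of the sequence removes /var/log/auth.log, a check that only reads the local file will find nothing after the fact; the records have to be forwarded to a remote syslog or journal collector as they are written. sudo also logs the command, not the password piped into it, so these lines show what ran but not how the attacker came by the credential.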

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 6:06 pm
by albertus
Razza wrote:
Tue Sep 25, 2018 4:55 pm
My dev server got compromised, as the password for the admin user got changed; luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.

Here's the attempted command run via ssh from IP 45.76.146.8: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure

Here's the VirusTotal report of the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.
You mean that the "change password" feature of VestaCP is infected? Or you used passwd from the shell?
That is very valuable information! Can someone else confirm?

Thank you!

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 6:25 pm
by Razza
albertus wrote:
Tue Sep 25, 2018 6:06 pm
Razza wrote:
Tue Sep 25, 2018 4:55 pm
My dev server got compromised, as the password for the admin user got changed; luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.

Here's the attempted command run via ssh from IP 45.76.146.8: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure

Here's the VirusTotal report of the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.
You mean that the "change password" feature of VestaCP is infected? Or you used passwd from the shell?
That is very valuable information! Can someone else confirm?

Thank you!
The password for the Vesta admin user was a strong password, over 20 characters. All I can tell, based on "chage -l admin", is that the password for the admin user was changed sometime today; I'm not sure how it was changed, as I can't find anything in the logs for it, so I don't know where the vulnerability is.

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 6:30 pm
by dpeca
Can you remember WHEN those hacked servers were installed?
And what distribution do you use?

We must first find some vector of attack...

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 6:34 pm
by Razza
My development server (Debian 9) was installed on the 23rd.

All my other servers are fine; they were installed over a year ago, and the web UI is locked down to just my IP.

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 6:43 pm
by trom
dpeca wrote:
Tue Sep 25, 2018 6:30 pm
Can you remember WHEN those hacked servers were installed?
And what distribution do you use?

We must first find some vector of attack...
My hacked servers were installed from 19/05/18 up to the last few days.

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 7:05 pm
by Maverick87Shaka
My server is also gone today! It was shut down by my provider for being a source of attacks as well!
Vesta is a really powerful tool, but what happened today is a really big issue; I don't know if I'll reinstall Vesta. I'll look into how to create some renewal script and stop there.

My server was a Debian 9, created on June 2, 2018. Now it's a couple of corrupted files :D

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 7:37 pm
by digitalocean-jd
lukapaunovic wrote:
Tue Sep 25, 2018 3:07 pm
OVH....
They are always being targeted, along with Digital Ocean.
Some people who use Hetzner aren't having issues because bots aren't scanning those IP ranges.
They are just 'lucky'. That doesn't mean the issue/vulnerability is not present.
Watching the thread closely to see if/how we can help. Not a lot to go on here right now, and nothing to report from this side of the fence. If this is an active and widespread vulnerability of the software, I suspect that attacks against it are nowhere near the scale of the previous one. For now, at least. Last time reports were coming in a mile a minute on the forum here.

Jarland

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 8:01 pm
by dpeca
Just to save some time for others.

I downloaded everything from http://c.vestacp.com/debian/9/
Then I cloned the official git repo and took the same folders, in order to compare them with diff.
Files are not altered on the server... I mean, they are identical (except the drupal and http2 templates, which are altered (improved) on GitHub).

DEB files from the official repo (for example http://apt.vestacp.com/stretch/pool/ves ... _amd64.deb ) are also the same as they were on the day they were released (I downloaded all .deb files after the last v22 version was released, so I compared them with freshly downloaded deb files).
Compared with md5sum.

So I can discard the possibility that the official server was compromised.
At least for the files that are NOW on the server.
(I'm not in the Vesta core team, so I don't have information about the server status; I see the same stuff that you can see/check.)
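dpeca's check (download the files published on the mirror, compare them with a clone of the git repository, and compare the .deb files with previously downloaded copies by checksum) can be scripted. The Python below is an added example, not dpeca's script and not part of VestaCP: it hashes every regular file in two directory trees with SHA-256, reports what exists on only one side and what differs, and checks a tree against a sha256sum-style manifest. The `mirror`/`git` fixture trees and the template file names are constructed for the demo; `build_demo` exists only so the script runs offline, and a real run would point `compare_trees` at the downloaded mirror directory and the git checkout.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large .deb files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def tree_digests(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    out: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def compare_trees(a: Path, b: Path) -> Tuple[List[str], List[str], List[str]]:
    """Return (only in a, only in b, present in both but different), each sorted."""
    da, db = tree_digests(a), tree_digests(b)
    only_a = sorted(set(da) - set(db))
    only_b = sorted(set(db) - set(da))
    changed = sorted(k for k in set(da) & set(db) if da[k] != db[k])
    return only_a, only_b, changed


def check_manifest(root: Path, manifest: str) -> List[Tuple[str, str]]:
    """Verify files against 'digest  relative/path' lines, as sha256sum -c would.

    Returns (path, "missing" | "mismatch") for every entry that fails.
    """
    problems: List[Tuple[str, str]] = []
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        rel = rel.lstrip("*")            # sha256sum prefixes binary-mode names with '*'
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != digest:
            problems.append((rel, "mismatch"))
    return problems


def build_demo() -> Tuple[Path, Path]:
    """Constructed fixture: a 'mirror' tree and a 'git' tree that differ in one template."""
    base = Path(tempfile.mkdtemp(prefix="vst-demo-"))
    mirror, git = base / "mirror", base / "git"
    for root in (mirror, git):
        (root / "templates").mkdir(parents=True)
        (root / "vst-install.sh").write_text("#!/bin/bash\necho install\n")
        (root / "templates" / "default.tpl").write_text("server default\n")
    (mirror / "templates" / "drupal.tpl").write_text("server drupal v1\n")
    (git / "templates" / "drupal.tpl").write_text("server drupal v2 improved\n")
    (git / "templates" / "http2.tpl").write_text("server http2\n")
    return mirror, git


if __name__ == "__main__":
    m, g = build_demo()
    only_m, only_g, changed = compare_trees(m, g)
    print("only in mirror:", only_m)
    print("only in git:   ", only_g)
    print("changed:       ", changed)
```

SHA-256 is used rather than MD5 because chosen-prefix MD5 collisions are practical, so two files with equal md5sum are not guaranteed identical; for a one-off comparison of files you already believe come from the same publisher this matters little, but a manifest kept for later verification should use a collision-resistant hash. As dpeca says, the comparison only speaks for the files that are on the mirror now; a copy fetched and hashed before the incident is the stronger reference.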

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 8:33 pm
by realjumy
dpeca wrote:
Tue Sep 25, 2018 8:01 pm
Just to save some time for others.

I downloaded everything from http://c.vestacp.com/debian/9/
Then I cloned the official git repo and took the same folders, in order to compare them with diff.
Files are not altered on the server... I mean, they are identical (except the drupal and http2 templates, which are altered (improved) on GitHub).

DEB files from the official repo (for example http://apt.vestacp.com/stretch/pool/ves ... _amd64.deb ) are also the same as they were on the day they were released (I downloaded all .deb files after the last v22 version was released, so I compared them with freshly downloaded deb files).
Compared with md5sum.

So I can discard the possibility that the official server was compromised.
At least for the files that are NOW on the server.
(I'm not in the Vesta core team, so I don't have information about the server status; I see the same stuff that you can see/check.)
I've been having a lot of SSH penetration attempts since this morning, coming from everywhere. Some examples:

Time:     Tue Sep 25 20:13:07 2018 +0200
IP:       198.23.150.106 (US/United States/198-23-150-106-host.colocrossing.com)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Sep 25 19:35:09 mail sshd[16352]: Invalid user fernanda from 198.23.150.106 port 58124
Sep 25 19:35:11 mail sshd[16352]: Failed password for invalid user fernanda from 198.23.150.106 port 58124 ssh2
Sep 25 19:54:14 mail sshd[19262]: Invalid user user2 from 198.23.150.106 port 45166
Sep 25 19:54:16 mail sshd[19262]: Failed password for invalid user user2 from 198.23.150.106 port 45166 ssh2
Sep 25 20:13:02 mail sshd[22172]: Invalid user test from 198.23.150.106 port 60404

--

Time:     Tue Sep 25 20:36:02 2018 +0200
IP:       58.137.172.213 (TH/Thailand/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Sep 25 20:00:01 mail sshd[20147]: Invalid user testing from 58.137.172.213 port 46720
Sep 25 20:00:02 mail sshd[20147]: Failed password for invalid user testing from 58.137.172.213 port 46720 ssh2
Sep 25 20:08:39 mail sshd[21492]: Invalid user ts3 from 58.137.172.213 port 53870
Sep 25 20:08:41 mail sshd[21492]: Failed password for invalid user ts3 from 58.137.172.213 port 53870 ssh2
Sep 25 20:35:59 mail sshd[25777]: Invalid user lzhang from 58.137.172.213 port 49742

--

Time:     Tue Sep 25 21:22:03 2018 +0200
IP:       58.218.92.30 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Sep 25 21:21:51 mail sshd[30646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.92.30  user=root
Sep 25 21:21:53 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:21:57 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:21:59 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:22:02 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2

--

Time:     Tue Sep 25 22:24:56 2018 +0200
IP:       37.59.9.162 (FR/France/ns3262490.ip-37-59-9.eu)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Sep 25 21:49:50 mail sshd[3964]: Invalid user thomas from 37.59.9.162 port 39994
Sep 25 21:49:52 mail sshd[3964]: Failed password for invalid user thomas from 37.59.9.162 port 39994 ssh2
Sep 25 22:07:23 mail sshd[4158]: Invalid user ttest from 37.59.9.162 port 55282
Sep 25 22:07:24 mail sshd[4158]: Failed password for invalid user ttest from 37.59.9.162 port 55282 ssh2
Sep 25 22:24:54 mail sshd[4324]: Invalid user jenkins from 37.59.9.162 port 42320

--

Time:     Tue Sep 25 22:29:36 2018 +0200
IP:       93.95.103.141 (RU/Russia/mailsrv.profnode.ru)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Sep 25 21:51:28 mail sshd[3988]: Invalid user fox from 93.95.103.141 port 50562
Sep 25 21:51:30 mail sshd[3988]: Failed password for invalid user fox from 93.95.103.141 port 50562 ssh2
Sep 25 22:10:33 mail sshd[4198]: Invalid user dany from 93.95.103.141 port 56566
Sep 25 22:10:35 mail sshd[4198]: Failed password for invalid user dany from 93.95.103.141 port 56566 ssh2
Sep 25 22:29:31 mail sshd[4403]: Invalid user contas from 93.95.103.141 port 33088
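The notifications above come from a simple failure counter: five sshd failures from one address within 3600 seconds earn a permanent block. As an added example (not realjumy's configuration and not CSF/LFD code), the Python below implements that sliding-window rule over sshd lines taken from the post, counting `Invalid user`, `Failed password` and `pam_unix` failure records per source IP and recording which user names were tried. The year 2018 is assumed because syslog timestamps carry none, and the `Accepted publickey` line with the documentation address 203.0.113.7 is constructed to show that a successful login is ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

YEAR = 2018  # assumed: syslog timestamps carry no year

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
# The three sshd failure record shapes that appear in the post above.
FAILURE_PATTERNS = [
    re.compile(TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(TS + r" \S+ sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>[\d.]+)\s+user=(?P<user>\S+)"),
]


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, source ip, user name tried) for a failure record, None for anything else."""
    for pat in FAILURE_PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["ip"], m["user"]
    return None


def detect_bruteforce(lines, threshold: int = 5, interval: int = 3600) -> Dict[str, Tuple[datetime, List[str]]]:
    """Block an IP once `threshold` failures fall inside any `interval`-second window.

    Returns {ip: (time the threshold was crossed, user names tried, in order)}.
    """
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, List[str]] = defaultdict(list)
    blocked: Dict[str, Tuple[datetime, List[str]]] = {}
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        ts, ip, user = ev
        if ip in blocked:
            continue                      # already decided; a firewall would now drop the packets
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > interval:
            q.popleft()                   # slide the window forward
        if user not in users[ip]:
            users[ip].append(user)
        if len(q) >= threshold:
            blocked[ip] = (ts, list(users[ip]))
    return blocked


# Sample: lines from the post above for three source addresses, plus one
# constructed successful login that must not count.
SAMPLE_LOG = """\
Sep 25 19:35:09 mail sshd[16352]: Invalid user fernanda from 198.23.150.106 port 58124
Sep 25 19:35:11 mail sshd[16352]: Failed password for invalid user fernanda from 198.23.150.106 port 58124 ssh2
Sep 25 19:54:14 mail sshd[19262]: Invalid user user2 from 198.23.150.106 port 45166
Sep 25 19:54:16 mail sshd[19262]: Failed password for invalid user user2 from 198.23.150.106 port 45166 ssh2
Sep 25 20:13:02 mail sshd[22172]: Invalid user test from 198.23.150.106 port 60404
Sep 25 20:30:00 mail sshd[22900]: Accepted publickey for admin from 203.0.113.7 port 50000 ssh2
Sep 25 21:21:51 mail sshd[30646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.92.30  user=root
Sep 25 21:21:53 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:21:57 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:21:59 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:22:02 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:49:50 mail sshd[3964]: Invalid user thomas from 37.59.9.162 port 39994
Sep 25 21:49:52 mail sshd[3964]: Failed password for invalid user thomas from 37.59.9.162 port 39994 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (when, tried) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} blocked at {when:%H:%M:%S}; users tried: {', '.join(tried)}")
```

The user-name list is worth keeping next to the block decision: a run of `fernanda`, `user2`, `test` is a dictionary sweep, while five guesses against `root` on a single connection is repeated guessing at one fixed account. Neither pattern would have revealed the admin-password change Razza describes, which needed only one successful login, so an alert on the first successful login from a previously unseen address is the natural complement to this counter.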