Page 7 of 24

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 12:42 pm
by lukapaunovic
A reverse shell is activated when access is GAINED, when a vulnerability is EXPLOITED.
E.g. you manage to upload a shell script to a vulnerable upload form, then you run it via exec and voila, you have SSH running under the script's user.
I do not think that he meant there's a shell virus in all Vesta.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 12:57 pm
by slaapkopamy
I'm running in an LXC on Proxmox and I managed to set up a traffic firewall or something to filter my incoming and outgoing traffic to only the ports used by services like mail and web.
I have changed my root password too, so I hope it's fixed for now.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 1:10 pm
by dpeca
lukapaunovic wrote:
Wed Sep 26, 2018 12:42 pm
I do not think that he meant there's a shell virus in all Vesta.
Yes, he said that he thinks something built into Vesta is calling the hacker.
That's why I said it's not true.
Because it's obvious that only OVH is affected... which means that the hacker first scans servers... and then does some injections...

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 3:15 pm
by dpeca
Razza wrote:
Tue Sep 25, 2018 4:55 pm
Here's the attempted command run via SSH from IP 45.76.146.8
I have access to one of the compromised servers.
I just found the same IP in audit.log.

Code:

# grep -rn './' -e '45.76.146.8'
./var/log/audit/audit.log.1:27387:type=CRYPTO_SESSION msg=audit(1537789804.846:367228): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server [email protected] ksize=512 mac=<implicit> [email protected] spid=26337 suid=74 rport=44576 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27388:type=CRYPTO_SESSION msg=audit(1537789804.846:367229): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client [email protected] ksize=512 mac=<implicit> [email protected] spid=26337 suid=74 rport=44576 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27389:type=USER_AUTH msg=audit(1537789807.125:367230): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27390:type=USER_ACCT msg=audit(1537789807.125:367231): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27391:type=CRYPTO_KEY_USER msg=audit(1537789807.125:367232): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=26337 suid=74 rport=44576 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27392:type=USER_AUTH msg=audit(1537789807.127:367233): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=success acct="admin" exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27393:type=CRED_ACQ msg=audit(1537789807.127:367234): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27395:type=USER_START msg=audit(1537789807.166:367236): pid=26336 uid=0 auid=1003 ses=25753 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27399:type=CRED_ACQ msg=audit(1537789807.168:367240): pid=26338 uid=0 auid=1003 ses=25753 msg='op=PAM:setcred grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27400:type=USER_LOGIN msg=audit(1537789807.905:367241): pid=26336 uid=0 auid=1003 ses=25753 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27401:type=USER_START msg=audit(1537789807.905:367242): pid=26336 uid=0 auid=1003 ses=25753 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27404:type=CRYPTO_KEY_USER msg=audit(1537789809.403:367245): pid=26336 uid=0 auid=1003 ses=25753 msg='op=destroy kind=session fp=? direction=both spid=26338 suid=1003 rport=44576 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27405:type=USER_END msg=audit(1537789809.405:367246): pid=26336 uid=0 auid=1003 ses=25753 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27406:type=CRED_DISP msg=audit(1537789809.406:367247): pid=26336 uid=0 auid=1003 ses=25753 msg='op=PAM:setcred grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27407:type=USER_END msg=audit(1537789809.406:367248): pid=26336 uid=0 auid=1003 ses=25753 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27408:type=USER_LOGOUT msg=audit(1537789809.406:367249): pid=26336 uid=0 auid=1003 ses=25753 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27415:type=CRYPTO_SESSION msg=audit(1537789809.916:367256): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server [email protected] ksize=512 mac=<implicit> [email protected] spid=26346 suid=74 rport=44650 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27416:type=CRYPTO_SESSION msg=audit(1537789809.916:367257): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client [email protected] ksize=512 mac=<implicit> [email protected] spid=26346 suid=74 rport=44650 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27417:type=USER_AUTH msg=audit(1537789811.837:367258): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27418:type=USER_ACCT msg=audit(1537789811.837:367259): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27419:type=CRYPTO_KEY_USER msg=audit(1537789811.838:367260): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=26346 suid=74 rport=44650 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27420:type=USER_AUTH msg=audit(1537789811.840:367261): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=success acct="admin" exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27421:type=CRED_ACQ msg=audit(1537789811.840:367262): pid=26345 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27423:type=USER_START msg=audit(1537789811.859:367264): pid=26345 uid=0 auid=1003 ses=25754 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27427:type=CRED_ACQ msg=audit(1537789811.860:367268): pid=26347 uid=0 auid=1003 ses=25754 msg='op=PAM:setcred grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27428:type=USER_LOGIN msg=audit(1537789812.617:367269): pid=26345 uid=0 auid=1003 ses=25754 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27429:type=USER_START msg=audit(1537789812.617:367270): pid=26345 uid=0 auid=1003 ses=25754 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27449:type=CRYPTO_KEY_USER msg=audit(1537789812.919:367290): pid=26345 uid=0 auid=1003 ses=25754 msg='op=destroy kind=session fp=? direction=both spid=26347 suid=1003 rport=44650 laddr=[IP-OF-HACKED-SERVER] lport=22  exe="/usr/sbin/sshd" hostname=? addr=45.76.146.8 terminal=? res=success'
./var/log/audit/audit.log.1:27450:type=USER_END msg=audit(1537789812.921:367291): pid=26345 uid=0 auid=1003 ses=25754 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27451:type=CRED_DISP msg=audit(1537789812.921:367292): pid=26345 uid=0 auid=1003 ses=25754 msg='op=PAM:setcred grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27452:type=USER_END msg=audit(1537789812.921:367293): pid=26345 uid=0 auid=1003 ses=25754 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
./var/log/audit/audit.log.1:27453:type=USER_LOGOUT msg=audit(1537789812.921:367294): pid=26345 uid=0 auid=1003 ses=25754 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=45.76.146.8 addr=45.76.146.8 terminal=ssh res=success'
He definitely came in through SSH, and logged in as 'admin'.
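The grep output above is easier to read once the records are grouped into sessions. The following parser is an added example, not code from the thread or from Vesta: it reconstructs sshd logins from auditd lines (with or without the `path:lineno:` prefix that `grep -rn` adds), links the pre-authentication USER_AUTH records to the later session records through the sshd child's pid, and reports how each session authenticated. A USER_AUTH record with `op=PAM:authentication grantors=pam_unix` means the PAM password stack accepted a password; key logins do not pass through pam_unix's authentication step, and the sample assumes they are recorded as `op=pubkey`, as the audit-patched OpenSSH on RHEL/CentOS does. The sample lines are constructed, modelled on the ones quoted above, with addresses from the documentation ranges.

```python
import re
from datetime import datetime, timezone

# One auditd record: optional "path:lineno:" prefix left by grep -rn, then the
# type= and msg=audit(<epoch.ms>:<serial>) header, then key=value pairs.
_HEADER = re.compile(
    r"^(?:\S+?:\d+:)?type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; values are bare, "double-quoted" or 'single-quoted'.
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Parse one audit line into a flat dict; fields nested in msg='...' are hoisted."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, val in _KV.findall(m.group("rest")):
        val = val.strip("'\"")
        if key == "msg":
            # the PAM details (op=, acct=, grantors=, addr=, res=) live inside msg='...'
            for k2, v2 in _KV.findall(val):
                rec[k2] = v2.strip("'\"")
        else:
            rec[key] = val
    return rec


def summarize_ssh_sessions(lines, addr=None):
    """Rebuild sshd logins from audit records, one summary dict per session.

    Pre-authentication records carry ses=4294967295, so they are tied to the
    session records that follow through the sshd child's pid.  If addr is given,
    only logins from that remote address are returned.
    """
    auth_method = {}   # pid -> how the user authenticated
    sessions = {}      # ses -> summary, in order of PAM session_open
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("exe") != "/usr/sbin/sshd":
            continue
        if addr is not None and rec.get("addr") != addr:
            continue
        t, pid = rec["type"], rec.get("pid")
        if t == "USER_AUTH" and rec.get("res") == "success":
            op = rec.get("op", "")
            if op == "PAM:authentication":
                # only password / keyboard-interactive logins run the PAM auth stack
                auth_method[pid] = "password (%s)" % rec.get("grantors", "?")
            elif op == "pubkey":  # assumed record shape for a key login (see lead-in)
                auth_method[pid] = "publickey"
        elif t == "USER_START" and rec.get("op") == "PAM:session_open":
            sessions[rec["ses"]] = {
                "ses": rec["ses"], "pid": pid, "acct": rec.get("acct"),
                "addr": rec.get("addr"), "auth": auth_method.get(pid, "unknown"),
                "uid": None, "login": rec["ts"], "logout": None, "duration": None,
            }
        elif t == "USER_LOGIN" and rec.get("ses") in sessions:
            s = sessions[rec["ses"]]
            s["uid"] = int(rec.get("id", -1))
            s["login"] = rec["ts"]
        elif t == "USER_LOGOUT" and rec.get("ses") in sessions:
            s = sessions[rec["ses"]]
            s["logout"] = rec["ts"]
            s["duration"] = round(rec["ts"] - s["login"], 3)
    return list(sessions.values())


def failed_password_attempts(lines):
    """(addr, acct) for every rejected PAM password authentication, in log order."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "USER_AUTH" and rec.get("op") == "PAM:authentication" \
                and rec.get("res") == "failed":
            out.append((rec.get("addr"), rec.get("acct")))
    return out


# Constructed sample: one password login and logout, one failed guess from a second
# address, and one key-based login that is still open.
SAMPLE = """
./var/log/audit/audit.log.1:27389:type=USER_AUTH msg=audit(1537789807.125:367230): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
./var/log/audit/audit.log.1:27392:type=USER_AUTH msg=audit(1537789807.127:367233): pid=26336 uid=0 auid=4294967295 ses=4294967295 msg='op=success acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=success'
./var/log/audit/audit.log.1:27395:type=USER_START msg=audit(1537789807.166:367236): pid=26336 uid=0 auid=1003 ses=25753 msg='op=PAM:session_open grantors=pam_unix,pam_lastlog acct="admin" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
./var/log/audit/audit.log.1:27400:type=USER_LOGIN msg=audit(1537789807.905:367241): pid=26336 uid=0 auid=1003 ses=25753 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
./var/log/audit/audit.log.1:27408:type=USER_LOGOUT msg=audit(1537789809.406:367249): pid=26336 uid=0 auid=1003 ses=25753 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1537789900.000:367300): pid=26400 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1537790000.000:367400): pid=26500 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="admin" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.7 terminal=ssh res=success'
type=USER_START msg=audit(1537790000.100:367401): pid=26500 uid=0 auid=1003 ses=25760 msg='op=PAM:session_open grantors=pam_unix,pam_lastlog acct="admin" exe="/usr/sbin/sshd" hostname=192.0.2.7 addr=192.0.2.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1537790000.200:367402): pid=26500 uid=0 auid=1003 ses=25760 msg='op=login id=1003 exe="/usr/sbin/sshd" hostname=192.0.2.7 addr=192.0.2.7 terminal=ssh res=success'
""".strip().splitlines()

if __name__ == "__main__":
    for s in summarize_ssh_sessions(SAMPLE):
        when = datetime.fromtimestamp(s["login"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print("%s ses=%s %s@%s via %s, %s s" % (when, s["ses"], s["acct"], s["addr"], s["auth"], s["duration"]))
    print("failed password attempts:", failed_password_attempts(SAMPLE))
```

On a real box, feed it `open("/var/log/audit/audit.log")` (or the grep output) instead of SAMPLE and pass `addr=` to narrow to one source. Remember that an attacker who has root can edit audit.log as easily as any other log, so a clean result only means nothing was left behind, not that nothing happened; the auditd records on a second host (remote syslog) are the ones to trust.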

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 4:55 pm
by dpeca
... and btw, there is nothing suspicious in the Vesta access log, Vesta error.log, or Vesta system.log.
It's not impossible that the attacker deleted lines related to his activity; I'm just saying that all Vesta logs look simply normal.

I'm continuing to search the Apache logs now...

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 5:37 pm
by theotherpeople
I have my VPS hosted at OVH EU.
The same machine has been hacked twice, with Ubuntu 18 and Debian 8, both with the latest version of Vesta.

All the logs have been deleted.

I'm trying to run a tail -f /var/log/......log before OVH blocks my VPS.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 6:08 pm
by lukapaunovic
theotherpeople wrote:
Wed Sep 26, 2018 5:37 pm
I have my VPS hosted at OVH EU.
The same machine has been hacked twice, with Ubuntu 18 and Debian 8, both with the latest version of Vesta.

All the logs have been deleted.

I'm trying to run a tail -f /var/log/......log before OVH blocks my VPS.
Reboot it into rescue ASAP, then mount the disk and continue the investigation from there.
Otherwise, you'll wait days for them to unlock it.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 6:48 pm
by vikhyat
Hi everyone

Although most of our servers run cPanel now, I still have a few Vesta servers. I know of one that has been attacked. What I noticed is that all the servers which do not have a password at all and are logged into through SSH keys are running without any issues. In the past too, when the servers got attacked, those servers which had SSH-key-only login were running without any issue, so I suggest switching to SSH-key-only login, which according to me is a really simple and the best fix, without worrying about new hacks, as I have experienced it.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 8:11 pm
by dpeca
Maybe the root of the problem is this:

Code:

# grep admin /etc/passwd
admin:x:1000:1000:[email protected]/home/admin:/bin/bash
The 'admin' account can be accessed via SSH by default, even though Vesta says the shell is nologin...

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 9:30 pm
by vikhyat
This is the reason why SSH-key-only login will guard the server from getting hijacked again.
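The two observations above (an 'admin' account with a real shell in /etc/passwd, and key-only servers being the ones left alone) translate into a concrete check. The script below is an added example, not code from the thread or from Vesta: it reads sshd_config, passwd and shadow content as text and reports whether a password login is still reachable over SSH and which accounts could use one. It applies sshd's "first value wins" rule, ignores directives inside Match blocks, and treats keyboard-interactive through PAM as a second password path, which a bare `PasswordAuthentication no` does not close. The inputs are constructed samples (the hash strings are not real hashes); the defaults assumed are those of OpenSSH 7.x, the version current when this thread was written.

```python
import re

# Shells that give no interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Values OpenSSH 7.x uses when the directive is absent (UsePAM is "no" upstream,
# but most distribution packages ship a config that sets it to "yes").
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "prohibit-password",
}


def effective_sshd_settings(config_text):
    """Effective global value of each directive in SSHD_DEFAULTS.

    sshd keeps the first value it reads for a keyword and ignores later duplicates.
    Everything after the first 'Match' line applies only to matching connections,
    so it is skipped: a Match block can restrict a user further but cannot
    loosen the global setting for everyone else.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key in SSHD_DEFAULTS and key not in seen:
            seen[key] = value
    return {k: seen.get(k, d) for k, d in SSHD_DEFAULTS.items()}


def password_login_possible(settings):
    """True if a remote user can still authenticate with a Unix password.

    PasswordAuthentication is the obvious path; the second one is
    keyboard-interactive through PAM (ChallengeResponseAuthentication with
    UsePAM yes), which presents the same password prompt.
    """
    if settings["passwordauthentication"] == "yes":
        return True
    return settings["challengeresponseauthentication"] == "yes" and settings["usepam"] == "yes"


def login_capable_accounts(passwd_text, shadow_text):
    """(name, shell) for accounts with a real shell and a usable password hash.

    In /etc/shadow a field starting with '!' or '*' is locked and an empty field
    means no password is set; neither can be brute-forced over SSH.
    """
    hashes = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            hashes[parts[0]] = parts[1]
    result = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, shell = parts[0], parts[6]
        if not shell or shell in NOLOGIN_SHELLS:
            continue
        h = hashes.get(name, "")
        if h and not h.startswith(("!", "*")):
            result.append((name, shell))
    return result


def hardened_sshd_lines():
    """Directives that close both password paths while keeping key logins."""
    return ["PasswordAuthentication no",
            "ChallengeResponseAuthentication no",
            "PubkeyAuthentication yes"]


def findings(config_text, passwd_text, shadow_text):
    """Human-readable list of what still allows a password login."""
    s = effective_sshd_settings(config_text)
    out = []
    if password_login_possible(s):
        out.append("password authentication reachable over SSH (PasswordAuthentication=%s, "
                   "ChallengeResponseAuthentication=%s, UsePAM=%s)"
                   % (s["passwordauthentication"], s["challengeresponseauthentication"], s["usepam"]))
    if s["permitrootlogin"] == "yes":
        out.append("PermitRootLogin yes: root accepts password logins too")
    for name, shell in login_capable_accounts(passwd_text, shadow_text):
        out.append("account '%s' has shell %s and an active password hash" % (name, shell))
    return out


# Constructed samples: a stock-looking sshd_config that never sets
# PasswordAuthentication, and a passwd/shadow pair with an 'admin' user on /bin/bash.
WEAK_SSHD_CONFIG = """
# PasswordAuthentication is never set, so the default (yes) applies
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin:/home/admin:/bin/bash
user1:x:1001:1001::/home/user1:/sbin/nologin
backup:x:1002:1002::/home/backup:/bin/bash
"""
SAMPLE_SHADOW = """root:!:17800:0:99999:7:::
admin:$6$constructed$notarealhash:17800:0:99999:7:::
user1:$6$constructed$anotherfakehash:17800:0:99999:7:::
backup::17800:0:99999:7:::
"""

if __name__ == "__main__":
    for f in findings(WEAK_SSHD_CONFIG, SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("-", f)
```

To run it against a live host, pass `open("/etc/ssh/sshd_config").read()` and the real passwd/shadow files (shadow needs root). `sshd -T` prints the effective configuration including compiled-in defaults and is the authoritative answer when the parse above and the binary disagree; on OpenSSH 8.7 and later `ChallengeResponseAuthentication` is an alias for `KbdInteractiveAuthentication`. Before restarting sshd with the hardened lines, confirm a key login works from a second terminal so the change cannot lock you out.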