Vesta packages infected Topic is solved
Dear Vesta Community,
Recently I dabbled with a spreading infection on websites hosted at one server.
After cleaning up the mess while doing a system-wide scan I found the following:
```
[root@web ~]# clamscan -r --bell -i / --detect-pua=yes --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc
/usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6342022
Engine version: 0.101.4
Scanned directories: 37028
Scanned files: 166847
Infected files: 1
Data scanned: 5803.79 MB
Data read: 339757.84 MB (ratio 0.02:1)
Time: 2257.202 sec (37 m 37 s)
[root@web ~]# rpm -qa |grep roundcube
[root@web ~]# rm -f /usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz
```
This is the same trojan that was infecting everything else.
Can I get a follow-up on this by someone? thanks
Re: Vesta packages infected
LionHeart wrote: ↑Tue Sep 24, 2019 7:44 pm
> Dear Vesta Community,
> Recently I dabbled with a spreading infection on websites hosted at one server.
> After cleaning up the mess while doing a system-wide scan I found the following:
> ```
> [root@web ~]# clamscan -r --bell -i / --detect-pua=yes --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc
> /usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz: PUA.Html.Trojan.Agent-37075 FOUND
> ----------- SCAN SUMMARY -----------
> Known viruses: 6342022
> Engine version: 0.101.4
> Scanned directories: 37028
> Scanned files: 166847
> Infected files: 1
> Data scanned: 5803.79 MB
> Data read: 339757.84 MB (ratio 0.02:1)
> Time: 2257.202 sec (37 m 37 s)
> [root@web ~]# rpm -qa |grep roundcube
> [root@web ~]# rm -f /usr/local/vesta/install/debian/8/roundcube/roundcube-tinymce.tar.gz
> ```
> This is the same trojan that was infecting everything else.
> Can I get a follow-up on this by someone? thanks

Anyway, this is not related to Vesta. This is Roundcube webmail client.
Re: Vesta packages infected
I don't have roundcube installed on the server, never installed it nor was thinking of any by any manner.
The location of the infected file was `/usr/local/vesta/install/` hence finding it ... strange. Or was a hacked wordpress install that placed the file there?
Re: Vesta packages infected
grayfolk wrote: ↑Tue Sep 24, 2019 8:13 pm
> Anyway, this is not related to Vesta. This is Roundcube webmail client.

I'm sorry, but this is wrong. The referenced tar.gz file is shipped from the vesta project, you can find it here: https://github.com/serghey-rodin/vesta/ ... mce.tar.gz
Because I maintain a fork of hestia, I've checked the reported issue and can confirm that clamscan reports the following file in the extracted tar.gz archive:
```
root@web101:~/temp# clamscan -r --bell -i /root/temp/ --detect-pua=yes
/root/temp/tinymce/plugins/preview/plugin.min.js: PUA.Html.Trojan.Agent-37075 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6357586
Engine version: 0.100.3
Scanned directories: 52
Scanned files: 165
Infected files: 1
Data scanned: 3.33 MB
Data read: 1.50 MB (ratio 2.22:1)
Time: 39.268 sec (0 m 39 s)
```
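
An added example, not part of any post in this thread: one way to check, member by member, whether an archive found on a server matches the copy the project ships, which separates "shipped this way" from "changed after install". The archives, file names other than `tinymce/plugins/preview/plugin.min.js`, and all file contents below are constructed samples; in practice the two inputs would be the bytes of the file on the server and of a copy fetched from the project repository.

```python
import hashlib
import io
import tarfile


def member_hashes(archive_bytes):
    """Map every regular file in a .tar.gz to its SHA-256, read in memory (nothing is extracted to disk)."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                hashes[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return hashes


def compare_archives(local_bytes, reference_bytes):
    """Report members that differ between the on-disk archive and the reference copy."""
    local, ref = member_hashes(local_bytes), member_hashes(reference_bytes)
    return {
        "modified": sorted(n for n in local.keys() & ref.keys() if local[n] != ref[n]),
        "added": sorted(local.keys() - ref.keys()),
        "missing": sorted(ref.keys() - local.keys()),
    }


def build_sample(files):
    """Build a constructed .tar.gz in memory from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins: REFERENCE plays the copy from the project repository,
# SAME the archive found on the server, ALTERED an archive changed after install.
UPSTREAM_FILES = {
    "tinymce/tinymce.min.js": b"/* constructed core */",
    "tinymce/plugins/preview/plugin.min.js": b"/* constructed preview plugin */",
}
REFERENCE = build_sample(UPSTREAM_FILES)
SAME = build_sample(UPSTREAM_FILES)
ALTERED = build_sample({**UPSTREAM_FILES,
                        "tinymce/plugins/preview/plugin.min.js": b"/* changed */",
                        "tinymce/extra.js": b"/* not in upstream */"})

if __name__ == "__main__":
    print("same as reference:", compare_archives(SAME, REFERENCE))
    print("altered archive:  ", compare_archives(ALTERED, REFERENCE))
```

Members are compared rather than whole-archive hashes because gzip headers carry a timestamp, so two archives with identical contents can still differ byte for byte.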
Re: Vesta packages infected
ScIT wrote: ↑Tue Sep 24, 2019 8:27 pm
> grayfolk wrote: ↑Tue Sep 24, 2019 8:13 pm
> > Anyway, this is not related to Vesta. This is Roundcube webmail client.
>
> I'm sorry, but this is wrong. The referenced tar.gz file is shipped from the vesta project, you can find it here: https://github.com/serghey-rodin/vesta/ ... mce.tar.gz

Thx, will know. This is bad )
P.S. Good that I don't use Roundcube :)
Re: Vesta packages infected
Thank you for all the answers.
A follow up question, if roundcube isn't used by VestaCP why is the package there? Or is there some option to enable roundcube? maybe there is lol.
Cheers guys
Re: Vesta packages infected
Vesta uses Roundcube as the default webmail client: https://clip2net.com/s/43KOKr7